Ascend Archive
Re: (ASCEND) Packet filter for port 9 attack
On Tue, 17 Mar 1998, Matt Holdrege wrote:
> Check out http://www.ascend.com/2694.html for details.
>
> More to come.
As usual, you left the TNT out.. and..
Yes, a TNT reboots when hit with the exploit as well.. Even 2.0.0 code..
I tried to translate your Max 4XXX series filter into TNTspeak, and I
believe that this is correct.
-------------------------------- CUT HERE --------------------------------
new filter
set filter-name = killstop
set input-filter 12 forward = yes
set input-filter 12 valid-entry = yes
set input-filter 1 Type = ip-filter
set input-filter 1 ip-filter protocol = 17
set input-filter 1 ip-filter dest-port = 9
set input-filter 1 ip-filter Dst-Port-Cmp = Eql
set input-filter 1 valid-entry = yes
set output-filter 12 forward = yes
set output-filter 12 valid-entry = yes
write
-------------------------------- CUT HERE --------------------------------
I think that the filter needs to go on ALL interfaces, including dial-up
modems.. However, it doesn't seem to work when installed on an Ethernet
interface (I have modem users on other terminal servers that could very
easily [assuming they wanted to] run the exploit and crash my TNT).
I have a filter on my main WAN connection that blocks all TCP and UDP to
the TNT's addresses from the outside, and this DOES block the udp port 9
attack.
Mike Jackson
TSCNet
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
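As an added illustration (not part of Mike's post or of Ascend's firmware), the following Python models how an ordered TNT input filter such as "killstop" above is evaluated: entries are tried in index order, the first matching valid entry decides, and a packet that matches no entry is dropped, which is why the catch-all entry 12 with forward = yes is needed. Two assumptions are made: entry 1 is treated as forward = no (the posted config never sets it, relying on the default), and only protocol and destination port are modeled.

```python
"""Model of an ordered Ascend-style IP packet filter, evaluated first-match."""
from dataclasses import dataclass
from typing import List, Optional

UDP, TCP = 17, 6  # IP protocol numbers used in the posted filter


@dataclass(frozen=True)
class Entry:
    """One filter entry; a None field is a wildcard that matches anything."""
    index: int
    forward: bool
    protocol: Optional[int] = None
    dst_port: Optional[int] = None
    dst_port_cmp: str = "eql"  # Dst-Port-Cmp: eql, neq, less, gtr


def _port_matches(cmp: str, want: Optional[int], got: int) -> bool:
    if want is None:
        return True
    return {"eql": got == want, "neq": got != want,
            "less": got < want, "gtr": got > want}[cmp]


def entry_matches(e: Entry, proto: int, dst_port: int) -> bool:
    if e.protocol is not None and e.protocol != proto:
        return False
    return _port_matches(e.dst_port_cmp, e.dst_port, dst_port)


def filter_decides(entries: List[Entry], proto: int, dst_port: int) -> bool:
    """Return True to forward or False to drop.

    Entries are tried in index order and the first match decides.
    Assumption: a packet that matches no entry is dropped, so a filter
    without a permissive catch-all blocks all traffic on that interface."""
    for e in sorted(entries, key=lambda x: x.index):
        if entry_matches(e, proto, dst_port):
            return e.forward
    return False


# The "killstop" filter from the post, as modeled here (entry 1 assumed
# forward = no since the config does not set it explicitly).
KILLSTOP = [
    Entry(index=1, forward=False, protocol=UDP, dst_port=9),  # drop UDP/9
    Entry(index=12, forward=True),                            # catch-all
]
```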