
Destination port: 135
Flag setting: SYN=

There are other ports and settings that can be used, but this should give you the general idea. The attack fools the system into thinking it is talking to itself. This will produce a race condition, which will cause the system to eventually hang or lock up.

You may be thinking, “No problem, I plan to block all inbound connection requests, so this packet would never get through because the SYN flag is set high.” Not true, Grasshopper: look at the source address. When the router evaluates this packet, it may very well think that the packet was received from the internal network.

While Cisco routers do not have this problem (they maintain the association of the packet with the interface it was received on), many routers do. If your access rules state, “Port 135 from the internal network is OK to let through,” the router will approve the packet and pass it along to the routing process, which would then forward the traffic to the Ethernet segment.

So how do you solve this problem? Since you will never see legitimate traffic originating from the Internet, which uses your internal subnet address, there will be no loss in connectivity if you filter out such traffic. This is called a spoofing filter, because you are insuring that no traffic that is trying to spoof your internal address will be allowed to pass.

It is also a good idea to place an inbound filter on your Ethernet port that states, “Only accept traffic from the 206.121.73.0 subnet." This helps to insure that none of your internal users attempts a spoofing attack on some other network. As administrator, it is your job to not only protect your own environment, but also to make sure you do not inadvertently make someone else’s life miserable.

You can create spoofing filters using standard access lists. The syntax for a standard access list entry is

access-list {list # or name} permit/deny {source} {mask}

So you could create the following access list entries in global configuration mode on the router in Figure 6.3:

access-list 1 deny 206.121.73.0 0.0.0.255

access-list 2 permit 206.121.73.0 0.0.0.255

Access list 1 would be applied by entering configuration mode for the WAN interface and entering the command

ip access-group 1 in

Likewise, access list 2 would be applied by entering configuration mode for the Ethernet interface and entering the command

ip access-group 2 in

You may notice that the mask value looks a little strange. This is because this value is a pattern match, not a subnet mask. A pattern match uses the following criteria when evaluating a test condition:

0 The corresponding byte in the defined address must match the test condition exactly.

1 This is a wildcard character: any value in this byte is considered a match.

So in this example our pattern match says, “Any IP address which contains the byte values 206.121.73." As long as the first three bytes match the source IP address, the access list test condition considers it a match.

To match all network traffic, use the following address and mask: 0.0.0.0 255.255.255.255

This tells the Cisco router that all traffic is to be considered a match. When you write your access rules, this address and mask can simply be replaced by the word “any.” This is not very useful for standard access lists (if you do not want to accept any traffic, it’s easier to just pull the plug), but it will come in handy when we get into extended access lists in the next section.

For example, let’s say that instead of a full class C network, you are only using a portion of this class C address space. Let’s assume that the network address is 206.121.73.64 and the subnet mask is 255.255.255.224. In this case, what would you use for a pattern match to insure that you are only filtering on your network space?

All TCP/IP address space is actually created using a binary number system. We use decimals simply because these are easier for human consumption. In order to determine the pattern match you will use, you first have to convert the last byte of the subnet mask to binary:

224 = 128 + 64 + 32 = 11100000

In the last byte you are using three bits for networking and five bits to identify each unique host. In order to ignore any host on your network, you would use a pattern match that has all the host bits set high, like this:

00011111 = 16 + 8 + 4 + 2 + 1 = 31

So in order to accommodate your new network address and subnet mask, you would need to change your access to the following:

access-list 1 deny 206.121.73.64 0.0.0.31

access-list 2 permit 206.121.73.64 0.0.0.31

In effect, you have told your access list, “Filter the packet when you see an address space value 206.121.73.64 – 206.121.73.95 (64 + 31).” This will let you screen for your small chunk of this class C address space—without having to filter or allow more than you need to.
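To make the 0/1 pattern-match rules and the subnet-mask derivation above concrete, here is an added Python example (not from the book) that derives the wildcard mask from a subnet mask, lists the address range a base/wildcard pair covers, and evaluates the two spoofing filters from Figure 6.3 against constructed source addresses. The trailing `permit 0.0.0.0 255.255.255.255` entry in list 1 is an assumption added here: an IOS access list ends in an implicit deny, so a list holding only the deny entry would block all inbound WAN traffic. The sample addresses are constructed.

```python
# Added example (not from the book): Cisco-style wildcard masks and
# standard access-list evaluation, applied to the spoofing filters
# discussed above. Sample addresses below are constructed.

def ip_to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def wildcard_from_subnet_mask(mask: str) -> str:
    """Wildcard (pattern match) = bitwise inverse of the subnet mask.
    255.255.255.224 -> 0.0.0.31, because 11100000 inverts to 00011111."""
    return int_to_ip(ip_to_int(mask) ^ 0xFFFFFFFF)


def wildcard_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by base/wildcard.
    206.121.73.64 0.0.0.31 -> (206.121.73.64, 206.121.73.95)."""
    b, w = ip_to_int(base), ip_to_int(wildcard)
    return int_to_ip(b & (w ^ 0xFFFFFFFF)), int_to_ip(b | w)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match', 1 means 'don't care'."""
    care = ip_to_int(wildcard) ^ 0xFFFFFFFF
    return ((ip_to_int(addr) ^ ip_to_int(base)) & care) == 0


def evaluate_standard_acl(entries, source_ip: str) -> str:
    """entries: list of (action, base, wildcard) in configured order.
    The first matching entry decides; an IOS list ends with an
    implicit deny, so no match means 'deny'."""
    for action, base, wildcard in entries:
        if wildcard_match(source_ip, base, wildcard):
            return action
    return "deny"


# access-list 1 (applied inbound on the WAN interface): drop packets
# claiming an internal source. The trailing permit entry is an
# assumption added here; without it the implicit deny would drop all
# inbound traffic.
ACL_1_WAN_IN = [
    ("deny", "206.121.73.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # equivalent to "any"
]

# access-list 2 (applied inbound on the Ethernet interface): only our
# own subnet may send outward; everything else hits the implicit deny.
ACL_2_ETH_IN = [
    ("permit", "206.121.73.0", "0.0.0.255"),
]


def spoofing_filter_results() -> dict:
    """Decisions for constructed sample source addresses."""
    return {
        "wan_spoofed_internal": evaluate_standard_acl(ACL_1_WAN_IN, "206.121.73.5"),
        "wan_external":         evaluate_standard_acl(ACL_1_WAN_IN, "199.52.24.7"),
        "eth_internal":         evaluate_standard_acl(ACL_2_ETH_IN, "206.121.73.5"),
        "eth_foreign_source":   evaluate_standard_acl(ACL_2_ETH_IN, "10.0.0.1"),
    }


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.224"))                  # 0.0.0.31
    print(wildcard_range("206.121.73.64", "0.0.0.31"))                   # .64 to .95
    print(wildcard_match("206.121.73.96", "206.121.73.64", "0.0.0.31"))  # False
    print(spoofing_filter_results())
```

The match test is the same one the router performs: XOR the candidate address with the base address, then keep only the bits where the wildcard is 0; any surviving 1 bit means a mismatch. The range helper makes the "64 + 31" arithmetic from the text visible for any mask, not just the /27 case.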

Besides spoofing rules, why else might you use standard access lists? Standard access lists are extremely effective at blocking access from any undesirable remote site. This could be known attackers, mail spammers, or even competitors.

Remember that this connection is yours to manage as you see fit. There is no requirement that once you are connected to the Internet you must accept traffic from all sources. While accepting all traffic is considered the polite thing to do, it may not always make the most business sense.

For example, there are mailing lists and organizations that have dedicated resources to identifying spam sites. Spam, or unsolicited advertising e-mail, can be a waste of organizational resources at best, or it can cause a denial of service at worst. Many administrators now filter traffic from sites known to support (or at the very least fail to prevent) spammers and their activities. All traffic is filtered, because a site that does not control outbound spam mail typically makes no effort to prevent other types of attacks from being launched against your network.

Tip A Cisco interface can only accept one access list per port, per direction. This means that you should only apply a standard access list when you won’t need an extended access list. If you require the increased flexibility of an extended access list, simply incorporate your filters into a single list.

Static Extended Access Lists

Extended access lists take the concept of standard access lists one step further. Instead of simply filtering on source IP address, extended access lists can also filter on

• Destination IP address
• Transport (IP, TCP, UDP, ICMP, GRE, IGRP)
• Destination port number
• Packet type or code in the case of ICMP
• Established connections (verifies that either the ACK or RST bits have been set)

Clearly, this can give you a much more granular level of control over your perimeter traffic. Extended access lists are created in global configuration mode using the following syntax:

access-list {list # or name} permit/deny {protocol} {source} {mask} {destination} {mask} {operator} {port} est (short for establish if applicable)

Valid operators are

lt Less than

gt Greater than

eq Equal to

neq Not equal to

As an example, let’s say you wish to create a set of extended access rules allowing open access to HTTP on the host 206.121.73.10 and allowing telnet access, as well—but only from hosts on the subnet 199.52.24.0. These rules would look similar to the following:

access-list 101 permit tcp any 206.121.73.10 0.0.0.0 eq 80

access-list 101 permit tcp 199.52.24.0 0.0.0.255 206.121.73.10 0.0.0.0 eq 23

You would then install these rules on the serial port by entering configuration mode for that interface and entering the command

ip access-group 101 in
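As an added example (not from the book), the following Python code parses extended access-list entries written in the syntax shown above and evaluates them against constructed inbound packets, including the `lt`/`gt`/`eq`/`neq` port operators and the established check (ACK or RST set). It accepts both the text's `est` abbreviation and `established`, the full IOS keyword. The third entry in the sample list, which admits reply traffic to the whole 206.121.73.0 subnet, is an assumption added for illustration; the packets and the 10.1.1.1 source are constructed.

```python
# Added example (not from the book): parse extended access-list entries
# in the syntax shown above and evaluate them against constructed packets.
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the header's flags byte.
SYN, RST, ACK = 0x02, 0x04, 0x10

OPERATORS = {
    "lt": lambda port, value: port < value,
    "gt": lambda port, value: port > value,
    "eq": lambda port, value: port == value,
    "neq": lambda port, value: port != value,
}


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match; 1 bits are ignored."""
    care = ip_to_int(wildcard) ^ 0xFFFFFFFF
    return ((ip_to_int(addr) ^ ip_to_int(base)) & care) == 0


@dataclass
class ExtendedEntry:
    action: str
    protocol: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    operator: Optional[str] = None
    port: Optional[int] = None
    established: bool = False


def _take_address(tokens, i):
    """'any' is shorthand for 0.0.0.0 255.255.255.255."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_extended_entry(line: str) -> ExtendedEntry:
    """access-list {num} permit|deny {proto} {src} {mask} {dst} {mask}
    [{lt|gt|eq|neq} {port}] [est|established]"""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended access-list entry: {line!r}")
    src, src_wild, i = _take_address(t, 4)
    dst, dst_wild, i = _take_address(t, i)
    entry = ExtendedEntry(t[2], t[3], src, src_wild, dst, dst_wild)
    while i < len(t):
        if t[i] in OPERATORS and i + 1 < len(t):
            entry.operator, entry.port = t[i], int(t[i + 1])
            i += 2
        elif t[i] in ("est", "established"):
            entry.established = True
            i += 1
        else:
            raise ValueError(f"unexpected token {t[i]!r} in {line!r}")
    return entry


def entry_matches(e: ExtendedEntry, pkt: dict) -> bool:
    """pkt keys: protocol, src, dst, dport, flags (TCP flags byte, 0 if not TCP)."""
    if e.protocol != "ip" and e.protocol != pkt["protocol"]:
        return False
    if not wildcard_match(pkt["src"], e.src, e.src_wild):
        return False
    if not wildcard_match(pkt["dst"], e.dst, e.dst_wild):
        return False
    if e.operator is not None and not OPERATORS[e.operator](pkt["dport"], e.port):
        return False
    # established: only packets with ACK or RST set, i.e. replies to a
    # connection opened from inside; a bare SYN from outside fails here.
    if e.established and not (pkt["flags"] & (ACK | RST)):
        return False
    return True


def evaluate_extended_acl(lines, pkt: dict) -> str:
    """First matching entry wins; the implicit deny at the end catches the rest."""
    for entry in (parse_extended_entry(line) for line in lines):
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


# The two entries from the text, plus an assumed third entry (added here
# for illustration) that admits reply traffic to the whole subnet.
ACL_101 = [
    "access-list 101 permit tcp any 206.121.73.10 0.0.0.0 eq 80",
    "access-list 101 permit tcp 199.52.24.0 0.0.0.255 206.121.73.10 0.0.0.0 eq 23",
    "access-list 101 permit tcp any 206.121.73.0 0.0.0.255 established",
]


def sample_decisions() -> dict:
    """Constructed inbound packets arriving on the serial interface."""
    def tcp(src, dst, dport, flags):
        return {"protocol": "tcp", "src": src, "dst": dst, "dport": dport, "flags": flags}
    return {
        "http_from_anywhere":  evaluate_extended_acl(ACL_101, tcp("10.1.1.1", "206.121.73.10", 80, SYN)),
        "telnet_from_allowed": evaluate_extended_acl(ACL_101, tcp("199.52.24.7", "206.121.73.10", 23, SYN)),
        "telnet_from_other":   evaluate_extended_acl(ACL_101, tcp("10.1.1.1", "206.121.73.10", 23, SYN)),
        "http_to_other_host":  evaluate_extended_acl(ACL_101, tcp("10.1.1.1", "206.121.73.11", 80, SYN)),
        "reply_to_inside":     evaluate_extended_acl(ACL_101, tcp("10.1.1.1", "206.121.73.20", 40000, ACK)),
        "new_syn_to_inside":   evaluate_extended_acl(ACL_101, tcp("10.1.1.1", "206.121.73.20", 40000, SYN)),
    }
```

Running `sample_decisions()` shows why entry order and the implicit deny matter: HTTP to the web host is permitted from anywhere, telnet only from 199.52.24.0, and a SYN aimed at any other internal port is dropped even though a reply carrying ACK to that same port passes the established entry.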