
On Sat, 21 Jul 2001, Jon O . wrote:
> I understand your need to do something like this, but you are essentially causing the worm to fulfill its goal and censoring your customers. I worried that many people would do this.
> Why not just use outbound Cisco ACLs on your CPE, Core, and Border routers to permit and log the traffic to the one IP address being attacked and then contact the people who have hacked machines? Or, if you must, use the ACLs to deny the packets with the goal of identifying machines and getting them fixed.

Outbound ACLs are an option, but then you would have to be sure that they are sending the packets to port 80.

>   access-list 199 permit tcp any host 198.137.240.91 eq 80 log
>   access-list 199 permit tcp any host 198.137.240.92 eq 80 log
> You should already be logging packets to a syslog server.

We already log every packet coming by on a machine which counts the traffic, so any infected box will be identified soon.

> To make deny rules just change the permit to deny. However, this is kind of drastic and almost amounts to censorship.

Censorship is a way to see it, I prefer to call it operational prevention of a DoS attack. The risk of "censoring" two IPs over DoS'ing an entire network is one I can explain to angry customers (if there are any).

-- 
/* Sabri Berisha CCNA,BOFH,+iO O.O speaking for just myself
 * Join HAL!!: www.HAL2001.org ____oOo_U_oOo____ http://www.bit.nl/~sabri
 * "We deliver quality services, we just can't get it on the internet"
 * Anonymous sysadmin - on IRC */
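As an added example (not from either poster), the identification step the thread describes: parse the syslog lines that the "log" keyword on the permit entries for list 199 produces, and tally the sources sending to the two attacked addresses on port 80 so their owners can be contacted. The syslog lines are constructed samples in the IOS %SEC-6-IPACCESSLOGP format; the hostnames and source addresses are made up.

```python
import re
from collections import Counter

# Addresses and ACL number taken from the thread's "permit ... log" entries.
ATTACKED_HOSTS = {"198.137.240.91", "198.137.240.92"}
ACL_NUMBER = "199"

# Constructed sample syslog output in the IOS %SEC-6-IPACCESSLOGP format that a
# logged ACL entry emits: source(port) -> destination(port), packet count.
SAMPLE_SYSLOG = """\
Jul 21 10:02:13 cpe1 123: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1042) -> 198.137.240.91(80), 1 packet
Jul 21 10:02:15 cpe1 124: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1043) -> 198.137.240.92(80), 1 packet
Jul 21 10:02:40 cpe1 125: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.7.9(2201) -> 198.137.240.91(80), 3 packets
Jul 21 10:03:01 cpe1 126: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 10.1.2.3(1050) -> 198.137.240.91(80), 2 packets
Jul 21 10:03:05 cpe1 127: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.5.5(3333) -> 192.0.2.10(80), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet"
)


def suspect_sources(syslog_text, acl=ACL_NUMBER, targets=ATTACKED_HOSTS):
    """Return {source_ip: packets} for sources that the given ACL logged
    sending to the attacked hosts on port 80, most active source first."""
    packets = Counter()
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if m is None or m["acl"] != acl:
            continue  # unrelated ACL, or a line this parser does not handle
        if m["dst"] not in targets or m["dport"] != "80":
            continue  # logged by the ACL but not part of the attack traffic
        packets[m["src"]] += int(m["count"])
    return dict(packets.most_common())


if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE_SYSLOG).items():
        print(f"{src}: {n} packets to attacked hosts - contact the owner")
```

IOS rate-limits and summarises ACL log messages, so the packet counts are indicative rather than exact; the per-packet counting box mentioned in the reply remains the more complete record.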