Instead of:

set interface Null0

Use:

set ip next-hop 10.255.255.254

_and_

ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE

Michel.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Geo.
Sent: Friday, August 22, 2003 9:17 AM
To: nanog@merit.edu
Subject: Cisco filter question

Perhaps one of you router experts can answer this question. When using the cisco specified filter

access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply

route-map nachi-worm permit 10
! --- match ICMP echo requests and replies (type 0 & 8)
match ip address 199
! --- match 92 bytes sized packets
match length 92 92
! --- drop the packet
set interface Null0

interface <incoming-interface>
! --- it is recommended to disable unreachables
no ip unreachables
! --- if not using CEF, enabling ip route-cache flow is recommended
ip route-cache policy
! --- apply Policy Based Routing to the interface
ip policy route-map nachi-worm

why would it not stop this packet

15 1203.125000 0003E3956600 AMERIC6625D4 ICMP Echo: From 216.144.20.69 To 216.144.00.27 216.144.20.69 216.144.0.27 IP
FRAME: Base frame properties
FRAME: Time of capture = 8/22/2003 11:54:16.859
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 15
FRAME: Total frame length: 106 bytes
FRAME: Capture frame length: 106 bytes
FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 00C0B76625D4
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 0003E3956600
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 106 (0x006A)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
IP: ID = 0x848; Proto = ICMP; Len: 92
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 92 (0x5C)
IP: Identification = 2120 (0x848)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 124 (0x7C)
IP: Protocol = ICMP - Internet Control Message
IP: Checksum = 0x70D8
IP: Source Address = 216.144.20.69
IP: Destination Address = 216.144.0.27
IP: Data: Number of data bytes remaining = 72 (0x0048)
ICMP: Echo: From 216.144.20.69 To 216.144.00.27
ICMP: Packet Type = Echo
ICMP: Echo Code = 0 (0x0)
ICMP: Checksum = 0x82AA
ICMP: Identifier = 512 (0x200)
ICMP: Sequence Number = 7680 (0x1E00)
ICMP: Data: Number of data bytes remaining = 64 (0x0040)
00000: 00 C0 B7 66 25 D4 00 03 E3 95 66 00 08 00 45 00 .À·f%Ô..ã*f...E.
00010: 00 5C 08 48 00 00 7C 01 70 D8 D8 90 14 45 D8 90 .\.H..|.pØØ.EØ
00020: 00 1B 08 00 82 AA 02 00 1E 00 AA AA AA AA AA AA ....'ª....ªªªªªª
00030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª
00040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª
00050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª
00060: AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªª
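The following is an added example, not code from the thread or from Cisco: it transcribes the 106-byte frame from the capture above, decodes the Ethernet, IPv4 and ICMP headers, verifies both checksums, and then evaluates the two match clauses of the posted route-map (ACL 199 on ICMP echo/echo-reply, and `match length 92 92`) against the decoded fields. The assumption is that `match length` is compared with the IPv4 total-length field, which is how Cisco documents it (the Level 3 length). The builder function with the capture's own identifiers as defaults lets you construct variant packets (a standard 56-byte-payload ping, an echo reply) and see which ones the route-map would and would not select.

```python
"""Replay a captured frame against the nachi-worm route-map match logic.

Constructed example (not from the thread). Assumes `match length` compares
against the IPv4 total-length field (the Level 3 length).
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8

# Transcribed from the hex dump in the thread: 106 bytes on the wire.
CAPTURED_FRAME_HEX = (
    "00C0B76625D4 0003E3956600 0800"                     # Ethernet: dst, src, type
    "4500 005C 0848 0000 7C01 70D8 D8901445 D890001B"   # IPv4 header (20 bytes)
    "0800 82AA 0200 1E00"                                # ICMP echo request header
    + "AA" * 64                                          # 64-byte payload of 0xAA
)
CAPTURED_FRAME = bytes.fromhex(CAPTURED_FRAME_HEX)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/ICMP into the fields the route-map looks at."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_length = struct.unpack("!H", ip[2:4])[0]
    info = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "proto": ip[9],
        "ttl": ip[8],
        "total_length": total_length,  # the Layer 3 length `match length` sees
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": None,
        "icmp_code": None,
        "icmp_checksum_ok": None,
    }
    if info["proto"] == IPPROTO_ICMP and len(ip) >= ihl + 8:
        icmp = ip[ihl:total_length]  # ICMP header + data, bounded by the IP length
        info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
        info["icmp_checksum_ok"] = inet_checksum(icmp) == 0
    return info


def acl_199_permits(info: dict) -> bool:
    """access-list 199 permit icmp any any echo / echo-reply (types 8 and 0)."""
    return info["proto"] == IPPROTO_ICMP and info["icmp_type"] in (ICMP_ECHO, ICMP_ECHO_REPLY)


def route_map_nachi_worm_matches(info: dict, min_len: int = 92, max_len: int = 92) -> bool:
    """Both clauses of 'route-map nachi-worm permit 10' must hit before the set clause applies."""
    return acl_199_permits(info) and min_len <= info["total_length"] <= max_len


def build_icmp_frame(src_ip: str, dst_ip: str, icmp_type: int, payload: bytes, *,
                     ident: int = 0x0200, seq: int = 0x1E00, ip_id: int = 0x0848, ttl: int = 124,
                     dst_mac: bytes = bytes.fromhex("00C0B76625D4"),
                     src_mac: bytes = bytes.fromhex("0003E3956600")) -> bytes:
    """Assemble an Ethernet/IPv4/ICMP frame with correct checksums (defaults mirror the capture)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, ttl, IPPROTO_ICMP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + icmp


if __name__ == "__main__":
    decoded = parse_frame(CAPTURED_FRAME)
    for key, value in decoded.items():
        print("%-18s %s" % (key, value))
    print("route-map nachi-worm matches:", route_map_nachi_worm_matches(decoded))
```

Run stand-alone, the script decodes the captured frame as an IPv4 datagram of total length 92 carrying an ICMP type 8 with valid IP and ICMP checksums, so on the two criteria the route-map states it is selected; rebuilding the same frame with `build_icmp_frame` reproduces the capture byte for byte, which doubles as a check on the checksum code. A default 56-byte-payload ping decodes to a total length of 84 and is not selected, which is the point of the `92 92` window.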
Because your acl matches echo reply and the packet is echo request.

Owen

--On Friday, August 22, 2003 10:02 AM -0700 Michel Py <michel@arneill-py.sacramento.ca.us> wrote: