(RADIATOR) MAx TNT & MSBlast

Hugh Irvine hugh at open.com.au
Mon Aug 25 22:20:35 CDT 2003


Hello Jim -

Yes you can add a Filter-Id reply attribute for a particular user by 
adding it to the list of reply items for that user.

You can also load per-user ACLs for Ciscos as described here:

	http://www.open.com.au/radiator/faq.html#67

The FAQ item shows how to do it for all users, but you can use the same 
thing on a per-user basis.

regards

Hugh


On Tuesday, Aug 26, 2003, at 13:01 Australia/Melbourne, Jim Brown wrote:

> This is a good question.  There is not much information out there
> concerning the filter-ID attribute.  I need to add this attribute to a
> specific user, allowing only port 80 to a specific IP address.  Is that
> possible?
>
>
> ----- Original Message -----
> From: "Dave Birkbeck" <dbirkbeck at ikano.com>
> To: "'Tony Bunce'" <tonyb at go-concepts.com>; "'Sean Watkins 
> (northrock)'"
> <sean at northrock.bm>; <radiator at open.com.au>
> Sent: Monday, August 25, 2003 7:27 PM
> Subject: RE: (RADIATOR) MAx TNT & MSBlast
>
>
>> All,
>>
>> In addition to having the ACLs that Cisco recommends, has anyone come
>> up with a Radius ascend-data-filter that will slow down the spread of
>> these crazy viruses? Or better yet, a filter that will block ICMP.
>>
>> Again, I know this is probably not the list for this discussion, but
>> this topic is definitely for the greater good of the Internet.
>>
>> That being said does anyone know of a list that discusses various NAS
>> topics?
>>
>> Thanks,
>>
>> Dave
>>
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] 
>> On
>> Behalf Of Tony Bunce
>> Sent: Friday, August 22, 2003 10:38 AM
>> To: Sean Watkins (northrock); radiator at open.com.au
>> Subject: RE: (RADIATOR) MAx TNT & MSBlast
>>
>> This problem is actually caused by the "good" blaster worm, Nachi.
>>
>> Nachi pings a host before it tries to spread so it doesn't waste its
>> time on non-existent hosts.  The problem is that each one of those pings
>> generates an ARP request, and with such a high number of pings MAX TNT
>> boxes can't handle the high number of ARP requests and lock up or
>> reboot.
>>
>> The ping has a specific signature, 92 bytes all AA as the content, that
>> you can create a policy map for.
>>
>> Cisco has an article on how to block Nachi ICMP traffic on your
>> inbound router interface:
>> http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml
>>
>> Hope that helps
>>
>> Thanks,
>> Tony B, CCNA, Network+
>> Systems Administration
>> GO Concepts, Inc. / www.go-concepts.com
>> Are you on the GO yet?
>> What about those you know, are they on the GO?
>> 513.934.2800
>> 1.888.ON.GO.YET
>>
>> -----Original M

From: Sean Watkins <sean at northrock.bm>
To: nanog at merit.edu
Cc: <radiator at open.com.au>
Date: Tue, 26 Aug 2003 00:22:32 -0300
Subject: (RADIATOR) MAx TNT Filter -- Actual FILTER

TNT Users:

Apologies: I know I am posting to multiple lists, but multiple lists
with Ascend users... none so far have posted and numerous are asking for
it...  Including myself! Hopefully recommendations will follow.

After several hours of trial and error - after I set up the recommended
Cisco filters upstream from TNT equipment.

I have been constantly watching log entries, to find people blasting
away with ICMP/UDP Port 135/ TCP Port 137 the most.

I have come up with a filter for the TNT:

new FILTER
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
write -f
;

This filter blocks UDP Port 135, tcp port 137, allows ICMP to X.X.X.X, 
drops all other ICMP, and then allows any other traffic out.

Basically, X.X.X.X is a machine here we can use to have customers ping 
us/ we ping them. This filter seems to work for 90% of people, but for 
unknown reasons, ICMP still seems to leak in. Any ideas?

I'm applying this filter to data under answer-defaults, session-info.

I've set iproute-cache-enable = no,

Disabled proxy arp... Everything. Still we are dropping packets at peak 
times left right and center for unknown reasons. show ip cache flow on 
upstream Cisco gear shows basically regular traffic.

Ideas/comments etc?


Sean

>> -----Original Message-----
>> From: Sean Watkins (northrock) [mailto:sean at northrock.bm]
>> Sent: Friday, August 22, 2003 11:41 AM
>> To: radiator at open.com.au
>> Subject: (RADIATOR) MAx TNT & MSBlast
>>
>> Hi,
>>
>> I know this isn't the place, but any MAX TNT users out there seeing
>> weird card failures beginning with the onslaught of MSBlast? I saw a
>> news.com article about it... however I can't find any more info.
>> Anyone know of any active ascend / lucent tnt mailing lists?
>>
>> Sean
>>
>> Article Text:
>>
>> In addition, network administrators reported on a newsgroup that
>> telecommunications equipment maker Lucent Technologies' TNT MAX 
>> network
>> gateway crashed due to some interaction with traffic created by the
>> MSBlast worms. A representative for the company confirmed that Lucent
>> was investigating the issue, but couldn't supply details.
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
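
The first-match evaluation of the pre-nachi2 filter posted above, as an added Python example (not part of the original posts, and not Lucent or Radiator code). It assumes the usual Ascend filter semantics: entries are tried in order, the first match decides, forward defaults to no, and unset fields match anything; 192.0.2.10 stands in for X.X.X.X and the sample packets are constructed.

```python
import ipaddress

# pre-nachi2 input-filters 1-5 as posted; a field left unset matches anything
# (assumed Ascend semantics). PING_HOST is a constructed stand-in for X.X.X.X.
PING_HOST = "192.0.2.10"
PRE_NACHI2 = [
    {"protocol": 6, "dest_port": 135},                  # 1: TCP 135, drop
    {"protocol": 17, "dest_port": 137},                 # 2: UDP 137, drop
    {"protocol": 1, "dest_address": PING_HOST,
     "dest_mask": "255.255.255.255", "forward": True},  # 3: ICMP to host
    {"protocol": 1},                                    # 4: other ICMP, drop
    {"forward": True},                                  # 5: forward the rest
]
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

def entry_matches(entry, pkt):
    """True if every field set in the entry matches the packet."""
    if entry.get("protocol", 0) not in (0, PROTO[pkt["proto"]]):
        return False
    if "dest_port" in entry and entry["dest_port"] != pkt.get("dport"):
        return False  # Dst-Port-Cmp = eql
    if "dest_address" in entry:
        mask = int(ipaddress.IPv4Address(entry["dest_mask"]))
        want = int(ipaddress.IPv4Address(entry["dest_address"]))
        have = int(ipaddress.IPv4Address(pkt["dst"]))
        if (want & mask) != (have & mask):
            return False
    return True

def evaluate(filters, pkt):
    """Return (entry number, action) for the first entry that matches."""
    for number, entry in enumerate(filters, start=1):
        if entry_matches(entry, pkt):
            return number, "forward" if entry.get("forward") else "drop"
    return None, "drop"  # assumed: a packet matching no entry is discarded

# Constructed sample packets; destination addresses are documentation ranges.
SAMPLES = [
    {"proto": "tcp", "dst": "198.51.100.7", "dport": 135},
    {"proto": "udp", "dst": "198.51.100.7", "dport": 135},
    {"proto": "udp", "dst": "198.51.100.7", "dport": 137},
    {"proto": "icmp", "dst": PING_HOST},
    {"proto": "icmp", "dst": "198.51.100.7"},
    {"proto": "tcp", "dst": "198.51.100.7", "dport": 80},
]
for packet in SAMPLES:
    print(packet, "->", evaluate(PRE_NACHI2, packet))
```

Read by protocol number, entry 1 drops TCP 135 and entry 2 drops UDP 137, so UDP 135 and TCP 137 fall through to entry 5 and are forwarded.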
