
ACLs...

The Doctor...
Posted: Thu Sep 24, 2009 9:36 pm
Guest
Right how do I prevent DDos

on a certain server this is getting sloshed on a certain port.


I am trying

access-list no deny <IP> port <SQL port> any .
--
Member - Liberal International This is doctor at (no spam) nl2k.ab.ca
Ici doctor at (no spam) nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
For the latest World News go to http://www.cuttingedge.org/
 
...
Posted: Fri Sep 25, 2009 4:55 am
Guest
On Thu, 24 Sep 2009 21:36:20 +0000 (UTC), doctor at (no spam) doctor.nl2k.ab.ca
(The Doctor) wrote:

Quote:
Right how do I prevent DDos

on a certain server this is getting sloshed on a certain port.


I am trying

access-list no deny <IP> port <SQL port> any .

Since you did not list the entire access list, it makes it rather
difficult to see what you are trying to accomplish. Remember, there
is an implicit DENY ALL at the end of the ACL. If you don't specify
anything after the line you posted, NOTHING's gonna work.

Standard ACLs: 1-99 & 1300-1999
....test conditions of all IP packets for source addresses

Extended ACLs: 100-199 & 2000-2699
....test conditions of source and destination addresses, PLUS specific
TCP/IP protocols, PLUS destination ports.

ACLs are read top to bottom. As soon as a condition is met, the
packet is dealt with according to the ACL.

(but you probably already know that)
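The two points made above (ACL numbers decide standard versus extended, and entries are walked top to bottom with an implicit deny-all at the end) are easy to get wrong on a live box, so here is a small Python model of that evaluation. It is an added example, not code from the thread or from Cisco: it parses a handful of IOS-style `access-list` lines (only `host X` / `any` addresses and an optional `eq PORT` on the destination, which are assumptions to keep it short) and evaluates constructed packets against them. It also rejects `no` in the action position, since in IOS `no access-list ...` removes a line rather than defining one.

```python
"""Model of Cisco IOS numbered-ACL evaluation (added example, not from the thread).

Assumptions (not from the original posts): IPv4 only; protocol keywords
ip/tcp/udp; addresses written as 'any' or 'host X'; an optional 'eq PORT'
on the destination only. Sample ACLs and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Number ranges quoted in the thread.
STANDARD_RANGES = [(1, 99), (1300, 1999)]
EXTENDED_RANGES = [(100, 199), (2000, 2699)]


def acl_kind(number):
    """Return 'standard' or 'extended' from the ACL number alone."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"ACL number {number} is outside the numbered ranges")


@dataclass
class Packet:
    proto: str   # 'tcp' or 'udp'
    src: str
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume 'any' or 'host X'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into a rule dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number = int(t[1])
    kind = acl_kind(number)
    action = t[2]
    if action not in ("permit", "deny"):
        # 'no' is the IOS removal keyword, never an ACL action.
        raise ValueError(f"bad action '{action}' in: {line}")
    rule = {"number": number, "action": action}
    if kind == "standard":
        # Standard ACLs test the source address only.
        rule["proto"] = "ip"
        rule["src"], _ = _parse_addr(t[3:])
        rule["dst"] = ipaddress.ip_network("0.0.0.0/0")
        rule["dport"] = None
        return rule
    rule["proto"] = t[3]
    rule["src"], rest = _parse_addr(t[4:])
    rule["dst"], rest = _parse_addr(rest)
    rule["dport"] = int(rest[1]) if rest[:1] == ["eq"] else None
    return rule


def is_valid_entry(line):
    """True if the line parses as an ACL entry, False otherwise."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def matches(rule, pkt):
    """Does this rule's source/destination/protocol/port cover the packet?"""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Top to bottom, first match wins; fall off the end and you hit the implicit deny."""
    for line in acl_lines:
        rule = parse_entry(line)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


# Constructed ACL: drop one flooding source on the SQL port, pass everything else.
BLOCK_ONE_SOURCE = [
    "access-list 101 deny tcp host 198.51.100.7 any eq 1433",
    "access-list 101 permit ip any any",
]
# The same deny line with no permit after it: every other packet is dropped too.
MISSING_PERMIT = BLOCK_ONE_SOURCE[:1]

OFFENDER = Packet("tcp", "198.51.100.7", "192.0.2.10", 1433)  # constructed
CLIENT = Packet("tcp", "203.0.113.5", "192.0.2.10", 1433)     # constructed
WEB = Packet("tcp", "203.0.113.5", "192.0.2.10", 443)         # constructed

if __name__ == "__main__":
    for name, acl in (("with permit", BLOCK_ONE_SOURCE), ("deny only", MISSING_PERMIT)):
        for label, pkt in (("offender", OFFENDER), ("client", CLIENT), ("web", WEB)):
            print(f"{name:12} {label:8} -> {evaluate(acl, pkt)}")
```

Running it shows the difference the second post is pointing at: with the trailing `permit ip any any`, only the offending host's SQL traffic is denied; with the deny line alone, the legitimate client and the web connection are dropped by the implicit deny as well.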
 
Lukas Schratz...
Posted: Fri Sep 25, 2009 5:40 pm
Guest
* The Doctor hacked into the number-cruncher:
Quote:
Right how do I prevent DDos

Normally not with simple ACLs, because a DDoS is not easy to prevent or
work against.
Quote:

on a certain server this is getting sloshed on a certain port.


I am trying

access-list no deny <IP> port <SQL port> any .

What are you trying to do with the "no"? Are you trying to name it? Then
you should have used the "extended" statement. With that, it would be
viable - depending on the rest of the ACL - to deny any traffic to that
server, which is not preventing DDoS, assuming you also have legitimate
users contacting your server.

luke
--
Ever since I saw at an acquaintance's what the so-called wonder product NIS
from Symantec wreaks in operation, it has been clear to me
why the first thing in the manual of software products for Windows is the
epilepsy warning. --T.Koller in d.c.s.m
 
Andy Davidson...
Posted: Wed Sep 30, 2009 2:03 am
Guest
The Doctor wrote:
Quote:
Right how do I prevent DDos
on a certain server this is getting sloshed on a certain port.
I am trying
access-list no deny <IP> port <SQL port> any .

You need to be careful here - gratuitous and unplanned deployment of
access-lists might cause your device to need to process switch all of
the traffic, which would be much more effective at taking your service
off air than anything else. :-)

Do you mean DDOS, i.e. you are being flooded with work that is intended
to knock a service off air, or do you mean you want to protect/restrict
an individual service by writing an acl/firewall style rule? The
approach for the two is very different.

The second of these two scenarios is much easier. The former probably
needs co-operation from any of your upstreams in order to filter the
traffic, to prevent it from reaching you.

Feel free to contact me off-group if we can help with a specific plan
for your organisation.


--
Regards, Andy Davidson CTO, NetSumo Ltd
24/7/365 White labeled Network Operations team. - Network Consultancy
www.netsumo.com +44 20 7993 1700