In this blog I will briefly outline how we made an entry in the ACL (access control list) on our router to block the RBN host 221.192.8.90 from sending anything onto our network. I discussed the attack in my last blog on Russian Business Network – Detecting Cybercrime with NetFlow.

Update access-list 1 with the new RBN Host
Keep in mind that an ACL is processed in order from first to last, with an implicit ‘deny any’ at the end (it does not need to be listed). Adding ‘access-list 1 permit any’ as the last line lets through the interface any traffic that was not already matched by one of the deny statements above it.

Below is a partial list of the deny entries in the access list of our router:
access-list 1 deny   68.190.10.209
access-list 1 deny   123.14.10.64
access-list 1 deny   221.192.8.90
access-list 1 deny   83.12.153.146
access-list 1 deny   69.217.30.214
access-list 1 permit any
Because an ACL is processed in order, the position of each entry is critical: if the ‘permit any’ were at the top of the ACL, all traffic would be allowed and the deny statements below it would never be evaluated.

After you have created your ACL, you need to apply it to an interface. In this case, we are applying it to the outside interface on our router (serial 0/0/0).

Run the following commands:

IR#configure terminal
IR(config)#interface serial 0/0/0
IR(config-if)#ip access-group 1 in

In configuration mode, select the interface you are applying the ACL to. Next run ip access-group 1 in, which applies ACL 1 to traffic arriving inbound on interface serial 0/0/0.
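The two steps above (build the deny list in the right order, then apply it inbound) stand or fall on first-match evaluation. The script below is an added example, not code from the post or from Plixer: it parses the ACL lines shown above into a small model, evaluates a source address against them the way the router does (first match wins, implicit deny at the end), and flags entries that can never be reached. The sample source addresses 8.8.8.8 and the wildcard line in the test are constructed for illustration; the ACL lines are the ones from the post.

```python
"""First-match evaluation of a Cisco-style numbered standard ACL.

Added example; not part of the original post.  The ACL lines are the ones
shown in the post; the sample source address 8.8.8.8 is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # a bare host is /32, "any" is 0.0.0.0/0
    text: str                         # original line, kept for reporting


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <host|any|addr wildcard>' lines.

    Standard ACLs match on the source address only.  A contiguous wildcard
    mask (e.g. 0.0.0.255) is accepted as a host mask; blank lines are skipped.
    """
    entries = []
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        if parts[0] != "access-list" or len(parts) < 4:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        action, target = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {raw!r}")
        if target == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif target == "host" and len(parts) >= 5:
            net = ipaddress.IPv4Network(parts[4] + "/32")
        elif len(parts) >= 5 and parts[4] == "255.255.255.255":
            net = ipaddress.IPv4Network("0.0.0.0/0")   # all-ones wildcard == any
        elif len(parts) >= 5:
            # address + wildcard: ipaddress reads a zero-leading mask as a host mask
            net = ipaddress.IPv4Network(f"{target}/{parts[4]}", strict=False)
        else:
            net = ipaddress.IPv4Network(target + "/32")
        entries.append(AclEntry(action, net, raw.strip()))
    return entries


def evaluate(entries, src_ip):
    """Return (action, index) for the first entry matching src_ip.

    index is None when nothing matched and the implicit 'deny any' applied.
    """
    ip = ipaddress.IPv4Address(src_ip)
    for i, e in enumerate(entries):
        if ip in e.network:
            return e.action, i
    return "deny", None


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry
    already covers their whole network (the 'permit any on top' mistake)."""
    return [
        j for j, later in enumerate(entries)
        if any(later.network.subnet_of(earlier.network) for earlier in entries[:j])
    ]


ACL_LINES = [
    "access-list 1 deny   68.190.10.209",
    "access-list 1 deny   123.14.10.64",
    "access-list 1 deny   221.192.8.90",
    "access-list 1 deny   83.12.153.146",
    "access-list 1 deny   69.217.30.214",
    "access-list 1 permit any",
]
ACL = parse_standard_acl(ACL_LINES)
# Same entries with 'permit any' mistakenly placed first.
MISORDERED = parse_standard_acl(ACL_LINES[-1:] + ACL_LINES[:-1])
# Same ACL with the trailing 'permit any' forgotten.
NO_PERMIT = parse_standard_acl(ACL_LINES[:-1])

if __name__ == "__main__":
    for name, acl in (("correct", ACL), ("misordered", MISORDERED), ("no permit any", NO_PERMIT)):
        print(f"[{name}] 221.192.8.90 -> {evaluate(acl, '221.192.8.90')}, "
              f"8.8.8.8 -> {evaluate(acl, '8.8.8.8')}")
        print(f"[{name}] unreachable: {[acl[j].text for j in shadowed_entries(acl)]}")
```

Running it shows the three outcomes that matter when reviewing an ACL before you apply it: with the post's ordering the RBN host hits the deny at index 2 and everything else hits ‘permit any’; with ‘permit any’ first, every deny is reported as unreachable and the RBN host is permitted; with ‘permit any’ omitted, legitimate traffic falls through to the implicit deny and the interface blocks everything inbound.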

Automate the Process
If you have a tool like Logalot, Scrutinizer can send a syslog which will allow Logalot to make changes in the ACL on the router based on specific information in the messages (i.e. syslogs) it receives. In other words, you can automate the process of updating the ACL. Cool or what!
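What that automation has to get right is the same ordering rule as above, plus a few safeguards. The script below is an added example and is not Logalot's or Scrutinizer's code: the syslog format and the ‘from host’ marker it searches for are assumptions, the ACL lines are the post's minus the RBN host, and the never-block range is a constructed placeholder. It extracts the offending source from the alert, refuses to act on private or protected addresses, inserts the deny ahead of ‘permit any’, and emits the IOS commands to push the rebuilt list.

```python
"""Turn a syslog alert into an updated numbered standard ACL.

Added example; not Logalot's or Scrutinizer's code.  The alert format below is
an assumption, as is the 'from host' marker used to pick out the offender.
"""
import ipaddress
import re

# Constructed syslog line in an assumed format (<134> = local0.info).
SAMPLE_SYSLOG = ("<134>Mar 10 14:22:07 scrutinizer: ALERT RBN traffic "
                 "from host 221.192.8.90 to 10.1.1.25 (42 flows)")

# ACL as it stands before the update (lines from the post, minus the RBN host).
CURRENT_ACL = [
    "access-list 1 deny   68.190.10.209",
    "access-list 1 deny   123.14.10.64",
    "access-list 1 deny   83.12.153.146",
    "access-list 1 deny   69.217.30.214",
    "access-list 1 permit any",
]

# Constructed placeholder for address space that must never be auto-blocked
# (your own public ranges, partners, the NetFlow collector itself ...).
NEVER_BLOCK = [ipaddress.IPv4Network("192.0.2.0/24")]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def offending_host(syslog_line, marker="from host"):
    """Extract the source address named after `marker`, or None if the
    message has none or the address must not be blocked automatically."""
    m = re.search(re.escape(marker) + r"\s+(" + IPV4 + r")\b", syslog_line)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ValueError:          # e.g. an octet above 255
        return None
    # A forged or mis-parsed alert must not knock out internal or own hosts.
    if not ip.is_global or any(ip in net for net in NEVER_BLOCK):
        return None
    return ip


def acl_with_block(acl_lines, host, acl_number=1):
    """Return a copy of the ACL with 'deny <host>' placed just before the
    trailing 'permit any'; unchanged if the host is already denied."""
    deny = f"access-list {acl_number} deny   {host}"
    for line in acl_lines:
        tail = line.split()[2:]
        if tail == ["deny", str(host)] or tail == ["deny", "host", str(host)]:
            return list(acl_lines)
    for i, line in enumerate(acl_lines):
        if line.split()[2:] == ["permit", "any"]:
            return acl_lines[:i] + [deny] + acl_lines[i:]
    return list(acl_lines) + [deny]   # no 'permit any': implicit deny follows anyway


def ios_commands(acl_lines, acl_number=1):
    """IOS command sequence that rebuilds the numbered ACL in the given order.

    'access-list N ...' always appends, so a deny typed after 'permit any'
    would never match; the list is therefore removed and re-entered whole.
    """
    return ["configure terminal", f"no access-list {acl_number}", *acl_lines, "end"]


def update_from_syslog(acl_lines, syslog_line, acl_number=1):
    """Return (new_acl, commands); commands is empty when nothing changes."""
    host = offending_host(syslog_line)
    if host is None:
        return list(acl_lines), []
    new_acl = acl_with_block(acl_lines, host, acl_number)
    if new_acl == list(acl_lines):
        return new_acl, []                   # already blocked: nothing to push
    return new_acl, ios_commands(new_acl, acl_number)


if __name__ == "__main__":
    acl, cmds = update_from_syslog(CURRENT_ACL, SAMPLE_SYSLOG)
    print("\n".join(cmds))
```

Two caveats worth keeping in mind when wiring this to a real router. Entries added to a numbered ACL always go to the end, which is why the script rebuilds the whole list rather than appending; and while the list is removed, an interface that still references it passes all packets, so a named ACL with sequence numbers (ip access-list standard NAME) lets you insert a deny in place without that window.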


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
