Fellas
I posted this in the Cisco routers forum, but I am repeating it here because of my cranial rectumitis. Also, Billy, being interested in security, may help. Here 'tis...
This acl entry
access-list 114 deny ip host x.x.x.x any
access-list 114 permit ip any any
int fa0/1
ip access-group 114 in
did not work. This user was trying to brute force my FTP server, and after hitting enter after entering this ACL, the user session was still active (IIS "active sessions", refreshed a few times). However, this...
ip access-list extended 114
11 deny tcp host x.x.x.x host 192.168.69.108 eq ftp
worked. Why did the "deny ip" not work, but "deny tcp" work? The session disappeared immediately. The other surprising thing is that the built-in signatures usually detect such attacks as a UDP bomb...is there a tcp dictionary attack mechanism? Also, does the fact that "deny ip" did not work indicate that the attacker was using an IP spoofer or proxy? I'm green, sort of, when it comes to security. Thanks.
Tim
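The post lists two ACLs, one built with "deny ip" and one with "deny tcp ... eq ftp", and asks why only the second appeared to take effect. One thing a practitioner checks first in such a case is ACE order, since an IOS extended ACL is evaluated top to bottom, stops at the first match, and ends in an implicit deny. The following is an added example, not code from the original post or from Cisco: a toy first-match evaluator for entries written in the post's syntax, run against constructed packets. The attacker address 10.0.0.5 stands in for x.x.x.x, the packets are made up, and the model is a per-packet filter only (it says nothing about session state that a server such as IIS keeps).

```python
"""Toy first-match evaluator for IOS-style extended ACL entries.

Added example, not part of the original post. It models first-match and
implicit-deny semantics so the two ACLs quoted in the post can be checked
against sample packets. The 10.0.0.5 attacker address and the packet
tuples are constructed; no router is involved and server-side session
state is not modelled.
"""
from ipaddress import ip_address

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}


def _parse_addr(tokens):
    """Consume one address spec ('any' or 'host A.B.C.D'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = ip_address(tokens[1])
        return (lambda ip, t=target: ip_address(ip) == t), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def parse_ace(line):
    """Parse an entry such as '11 deny tcp host A host B eq ftp' into a dict.

    A leading sequence number (named-ACL mode) is accepted and ignored;
    the position in the list is what decides evaluation order here.
    """
    tokens = line.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1])
        if dport is None:
            dport = int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, packet):
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    for ace in acl:
        if ace["proto"] not in ("ip", packet["proto"]):
            continue  # 'ip' matches every IP protocol; otherwise protocol must agree
        if not ace["src"](packet["src"]) or not ace["dst"](packet["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != packet.get("dport"):
            continue
        return ace["action"]
    return "deny"


ATTACKER = "10.0.0.5"          # constructed stand-in for the post's x.x.x.x
FTP_SERVER = "192.168.69.108"  # the server address given in the post

# The post's first ACL, with the deny ahead of the permit.
ACL_DENY_IP = [parse_ace(f"deny ip host {ATTACKER} any"),
               parse_ace("permit ip any any")]
# Same two entries, but with the deny appended after an existing permit:
# first match wins, so the deny is never reached.
ACL_DENY_AFTER_PERMIT = [parse_ace("permit ip any any"),
                         parse_ace(f"deny ip host {ATTACKER} any")]
# The post's named-mode entry, followed by the same blanket permit.
ACL_DENY_TCP = [parse_ace(f"11 deny tcp host {ATTACKER} host {FTP_SERVER} eq ftp"),
                parse_ace("permit ip any any")]

# Constructed packets.
FTP_FROM_ATTACKER = {"proto": "tcp", "src": ATTACKER, "dst": FTP_SERVER, "dport": 21}
UDP_FROM_ATTACKER = {"proto": "udp", "src": ATTACKER, "dst": FTP_SERVER, "dport": 53}
FTP_FROM_OTHER = {"proto": "tcp", "src": "10.0.0.9", "dst": FTP_SERVER, "dport": 21}


if __name__ == "__main__":
    for name, acl in [("deny ip first", ACL_DENY_IP),
                      ("deny ip after permit", ACL_DENY_AFTER_PERMIT),
                      ("deny tcp eq ftp", ACL_DENY_TCP)]:
        print(f"{name:22s} attacker->ftp: {evaluate(acl, FTP_FROM_ATTACKER)}")
```

Run as written, the evaluator denies the attacker's FTP packet under both of the post's ACLs when the deny entry comes first, permits it when the same deny sits below a "permit ip any any", and shows that the "deny tcp ... eq ftp" entry is narrower than "deny ip" (UDP from the same host still passes). That is the ordering and scope check worth doing on a router (for example with show access-lists, which also displays per-entry match counters) before concluding anything about spoofing or proxies.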