From reading this it sounds like you have problems with internal calls
going out to your ISP. My understanding is that the Cisco IOS allows a
maximum call length and spoofing for ISDN services, it is not worth
looking into these. You have said that you are not allowing inbound
calls so you have control over the connections.
Hope this helps, with a bit of luck one of the Cisco guys on this list
will come back with details :-).
Mike Baxter
______________________________ Reply Separator _________________________________
Subject: Encouragement of Service
Author: Dave Horsfall <dave @ fgh . oz . au> at Internet
Date: 23/07/96 14:46
We've all heard about Denial of Service; well, here's the opposite...
We have a dial-on-demand ISDN service (they aren't exactly cheap). After
some prodding, I got around to putting some basic filtering on the 2503;
no spoofing, no inbound unless established, that sort of thing.
I was horrified to discover that the router hadn't dropped the call for
some days (I shudder at the bill we're going to get)... It turned out
that the rejection of RIP packets from the outside (just being very
conservative, I suppose) was causing outbound ICMP admin unreachable
messages, which were NOT being logged, despite my "log" everywhere, and
which were keeping the line up!
It occurred to me that this could be the basis of another attack - just
flood us with PINGs. We refuse them - the line stays up. We acknowledge
them - the line stays up. We lose either way...
--
Dave Horsfall VK2KFU dave @ fgh . oz . au Ph: +61 2 9957-4224 Fx: +61 2 9922-5286
FGH Decision Support Systems P/L, 77 Pacific Hwy, Nth. Sydney, 2060, Australia
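
Added example, not part of either post above: a Cisco IOS dial-on-demand sketch that separates the inbound packet filter from the "interesting traffic" definition, so that rejected packets and ICMP do not reset the idle timer, and that stops the router from generating unreachables on the ISDN interface. The interface name, ACL numbers, and timer value are assumptions; adapt them to the actual 2503 configuration.

```cisco
! Constructed example; BRI0, ACLs 101/102 and the 120 s timer are assumptions.
!
interface BRI0
 ! Inbound filter from the ISP side.
 ip access-group 101 in
 ! Do not send ICMP unreachables (including "administratively
 ! prohibited") when the filter drops a packet.
 no ip unreachables
 ! Drop the call after 120 s without interesting traffic.
 dialer idle-timeout 120
 ! Bind this interface to dialer-list 1 below.
 dialer-group 1
!
! ACL 101: what is allowed IN. Dropping RIP silently here no longer
! produces an outbound ICMP reply once "no ip unreachables" is set.
access-list 101 deny   udp any any eq rip
access-list 101 permit tcp any any established
access-list 101 deny   ip any any log
!
! ACL 102: what counts as INTERESTING, i.e. may dial or hold the line.
! This is independent of what is forwarded: ICMP and RIP can still
! cross an open call, they just do not reset the idle timer.
! Side effect: a ping from the inside will not bring the line up.
access-list 102 deny   icmp any any
access-list 102 deny   udp any any eq rip
access-list 102 permit ip any any
!
dialer-list 1 protocol ip list 102
```

With the call up, `show dialer` reports the idle timer and the packet that triggered the dial, which is the quickest check that filtered or ICMP traffic is no longer holding the line open.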