You want to filter based on the flag bits in the TCP header.
The following ACL blocks several illegal combinations of TCP header flags:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg
Router1(config)#access-list 161 deny tcp any any rst syn
Router1(config)#access-list 161 deny tcp any any rst syn fin
Router1(config)#access-list 161 deny tcp any any rst syn fin ack
Router1(config)#access-list 161 deny tcp any any syn fin
Router1(config)#access-list 161 deny tcp any any syn fin ack
Router1(config)#end
Router1#
There are six flag bits in the TCP header that the devices use to control the session:

ACK: Acknowledgement.
SYN: Synchronize sequence numbers.
FIN: Terminate the session.
RST: Reset the session.
PSH: Push this data to the application immediately. This usually means that all of the data has been sent.
URG: Look at the Urgent pointer later in the packet.
TCP uses a so-called three-way handshake to set up sessions. To start a session, the client device sends a packet with the SYN bit, which is an instruction to synchronize sequence numbers. The server device responds with a packet that has both SYN and ACK bits set, which the first device then acknowledges with an ACK to complete the handshake process.
The session teardown procedure is similar, but it actually uses four packets instead of three. One device sends the other a packet with the FIN bit set. The second device then responds to this with an ACK. Then, in a separate packet, the second device sends its own FIN, which the first device responds to with an ACK to terminate the session.
Devices use the RST flag for a few different reasons, but one of the most common is the so-called abortive close. This happens when one device can't wait around for the other device to acknowledge the end of the session using the normal FIN and ACK pattern. So, it simply sends a packet that has both the RST and ACK bits set to end the session. There is no need for the other device to respond to this packet.
Some combinations of these bits are obviously not valid, however. For example, it makes no sense for a single packet to have both the SYN and FIN bits set. And, in defining test cases for TCP implementations, RFC 1025 describes a packet with all six bits set as a nastygram (also called a kamikaze packet, Christmas tree packet, or lamp test segment). The first line in the example ACL blocks nastygrams:
Router1(config)#access-list 161 deny tcp any any ack fin psh rst syn urg
The remaining lines block other illegal combinations of flags.
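As an added illustration, not code from the original recipe or from Cisco, the following Python pulls the flag bits out of a raw TCP header and applies the six deny entries of access-list 161 to constructed segments. It assumes match-all semantics for each entry (a packet is denied when every flag listed in the entry is set) and uses a small header-building helper of its own for the sample input.

```python
import struct

# TCP flag bits as laid out in the low byte of the 16-bit data-offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "fin", SYN: "syn", RST: "rst", PSH: "psh", ACK: "ack", URG: "urg"}

# The six deny entries of access-list 161 from the recipe, as the flags each entry requires.
# Assumption for this example: an entry matches when all of its listed flags are set.
ACL_161_DENY = [
    ACK | FIN | PSH | RST | SYN | URG,   # nastygram / Christmas tree packet
    RST | SYN,
    RST | SYN | FIN,
    RST | SYN | FIN | ACK,
    SYN | FIN,
    SYN | FIN | ACK,
]

def tcp_flags(segment: bytes) -> int:
    """Return the six flag bits from a raw TCP header (first 20 bytes of the segment)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Byte 12 holds the data offset and reserved bits; byte 13 holds the flags.
    return segment[13] & 0x3F

def flag_names(flags: int) -> list:
    """Names of the set flags, in bit order (fin, syn, rst, psh, ack, urg)."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def acl_161_action(flags: int) -> str:
    """Emulate access-list 161: 'deny' if any entry's flags are all set, otherwise 'permit'."""
    for required in ACL_161_DENY:
        if flags & required == required:
            return "deny"
    return "permit"

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (seq, ack, checksum zeroed) for testing only."""
    data_offset = 5 << 12   # five 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset | flags, 65535, 0, 0)

if __name__ == "__main__":
    # Walk the handshake, an abortive close, and two illegal combinations through the ACL.
    for f in (SYN, SYN | ACK, ACK, RST | ACK, SYN | FIN, 0x3F):
        seg = build_tcp_header(40000, 80, f)
        print(flag_names(tcp_flags(seg)), "->", acl_161_action(tcp_flags(seg)))
```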
See also: RFC 1025, TCP and IP Bake Off