CISCO防御冲击波方法
! --- block TFTP access-list 115 deny udp any any eq 69 ! --- block W32.Blaster related protocols access-list 115 deny tcp any any eq 135 access-list 115 deny udp any any eq 135 ! --- block other vulnerable MS protocols access-list 115 deny
! --- block TFTPaccess-list 115 deny udp any any eq 69
! --- block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! --- block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
! --- block remote access due to W32.Blaster
access-list 115 deny tcp any any eq 4444
! --- Allow all other traffic -- insert
! --- other existing access-list entries here
access-list 115 permit ip any any
interface ip access-group 115 in ip access-group 115 out 另外,阻止非法地址的命令是: Router(config)# interface Router(if-config)# no ip unreachables 如果此命令不能禁止,可参考下面这个命令: Elab(config)# ip icmp rate-limit unreachable VACL on the CatOS ! --- block TFTP set security acl ip BLASTER deny udp any any eq 69 ! --- block vulnerable MS protocols ! --- Blaster related set security acl ip BLASTER deny tcp any any eq 135 set security acl ip BLASTER deny udp any any eq 135 ! --- Non-blaster related set security acl ip BLASTER deny tcp any any eq 137 set security acl ip BLASTER deny udp any any eq 137 set security acl ip BLASTER deny tcp any any eq 138 set security acl ip BLASTER deny udp any any eq 138 set security acl ip BLASTER deny tcp any any eq 139 set security acl ip BLASTER deny udp any any eq 139 set security acl ip BLASTER deny tcp any any eq 593 ! --- block remote access due to W32.Blaster set security acl ip BLASTER deny tcp any any eq 4444 ! --- Allow all other traffic ! --- insert other existing access-list entries here set security acl ip BLASTER permit any any ! -- applies both inbound and outbound commit security acl BLASTER set security acl map BLASTER PIX access-list acl_inside deny udp any any eq 69 access-list acl_inside deny tcp any any eq 135 access-list acl_inside deny udp any any eq 135 access-list acl_inside deny tcp any any eq 137 access-list acl_inside deny udp any any eq 137 access-list acl_inside deny tcp any any eq 138 access-list acl_inside deny udp any any eq 138 access-list acl_inside deny tcp any any eq 139 access-list acl_inside deny udp any any eq 139 access-list acl_inside deny tcp any any eq 445 access-list acl_inside deny tcp any any eq 593 access-list acl_inside deny tcp any any eq 4444 ! --- insert previously configured acl statements here, ! --- or permit all other traffic out access-list acl_inside permit ip any any access-group acl_inside in interface inside