Scenario Solutions

The network administrator can quickly configure an extended access list permitting all ICMP, UDP, and TCP traffic, as shown in Example 7-12, and apply it inbound on R2's interface facing R1, Serial0/0. (The configuration is truncated to focus on the critical commands.)

Example 7-12 Access List Configuration on R2

hostname R2
!
interface Serial0/0
 ip address 131.108.255.2 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit icmp any any log-input
access-list 100 permit tcp any any log-input
access-list 100 permit udp any any log-input
!

To determine the traffic type, access list 100 permits ICMP, UDP, and TCP inbound on Serial0/0 and logs each match with the keyword log-input. Assuming that the DoS attack is taking place, viewing the access list with the command show ip access-list 100 gives you an idea of which protocol type is being used. The displays in Example 7-13 are taken from R2 while the DoS attack is under way: the command show ip access-list 100 is entered several times in succession so that you can compare the match counters between samples. Because logging is enabled, the display shows which entries have been matched, and each counter is incremented every time a packet matches that entry of access list 100. The entry whose counter grows fastest between samples identifies the protocol the attack is using.

NOTE When enabling the keyword log or log-input on an ACL, you must be aware of the impact on the CPU and know how to view the entries. For example, an IP packet matching the ACL is counted against the ACL entry, written to the syslog buffer, and sent to a syslog server if one is configured. Typically, this is a troubleshooting scenario in which your network is already being impacted, so it is safe to assume that once the administrator determines the root cause, the log-input keyword will be removed to ensure that CPU resources on the router are not impacted indefinitely.

Example 7-13 show ip access-list 100 on R2 (Repeated Five Times in Real Time)

r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (5000 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (23 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (25000 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (24 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (35500 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (25 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (45500 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (26 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (67000 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (26 matches)

Example 7-13 clearly shows that the ICMP counter is increasing at an alarming rate while the TCP and UDP counters barely move. This indicates that an intruder could be attempting a Smurf attack (by sending a large number of ICMP requests). Now that you have identified the protocol type, you can take steps to stop ICMP packets from being sent to R2 by configuring access list 100 on R1's outbound interface toward R2, as displayed in Example 7-14.
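The counter comparison described above can be automated so that the fastest-growing entry is reported rather than read by eye. The following script is an added example and not part of the book; it parses the show ip access-lists output format shown in Example 7-13 and reconstructs the five samples from that example, assuming a 10-second interval between them (the text does not state one) and a hypothetical 1000 packets-per-second threshold below which nothing is flagged.

```python
import re
from typing import Dict, List, Optional, Tuple

# One ACE line of "show ip access-lists" output, e.g.
# "permit icmp any any log-input (5000 matches)"; IOS omits the
# "(N matches)" part for an entry that has not matched anything yet.
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)

def parse_acl_counters(output: str) -> Dict[str, int]:
    """Map each ACE (without its counter) to its match count for one sample."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)          # header lines such as "Extended IP ..." do not match
        if m:
            ace = f"{m['action']} {m['proto']} {m['rest']}".strip()
            counters[ace] = int(m['matches'] or 0)
    return counters

def match_rates(samples: List[Dict[str, int]], interval_s: float) -> Dict[str, float]:
    """Average matches per second for each ACE between the first and last sample."""
    elapsed = interval_s * (len(samples) - 1)
    if elapsed <= 0:
        raise ValueError("need at least two samples taken a positive interval apart")
    first, last = samples[0], samples[-1]
    return {ace: (end - first.get(ace, 0)) / elapsed for ace, end in last.items()}

def dominant_protocol(samples, interval_s, threshold_pps=1000.0) -> Optional[Tuple[str, float]]:
    """(protocol, matches/s) of the fastest-growing ACE, or None when no entry
    exceeds threshold_pps, so a quiet link is not misreported as an attack."""
    ace, rate = max(match_rates(samples, interval_s).items(), key=lambda kv: kv[1])
    return (ace.split()[1], rate) if rate >= threshold_pps else None

# Constructed samples reproducing the counters of Example 7-13; the 10-second
# spacing is an assumption, the book does not give the interval.
SAMPLE_INTERVAL_S = 10.0
SAMPLES = [parse_acl_counters(f"""Extended IP access list 100
    permit icmp any any log-input ({icmp} matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input ({udp} matches)""")
    for icmp, udp in [(5000, 23), (25000, 24), (35500, 25), (45500, 26), (67000, 26)]]

if __name__ == "__main__":
    print(dominant_protocol(SAMPLES, SAMPLE_INTERVAL_S))  # ('icmp', 1550.0)
```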

Example 7-14 R1's Access List 100 Configuration

hostname R1
!
interface Serial0/0
 ip address 131.108.255.2 255.255.255.0
 ip access-group 100 out
!
access-list 100 deny icmp any any log-input
access-list 100 permit tcp any any log-input
access-list 100 permit udp any any log-input
!

You can also apply the same access list inbound on R1's Internet-facing interface, denying ICMP requests as they arrive from the Internet. The optional log-input keyword is applied so that you can monitor traffic matching the ICMP, TCP, or UDP entries, which helps you identify the root cause. Note that all Internet routers should already have ACLs configured securely, permitting only the traffic that is required to and from the Internet. This scenario is aimed at showing you the power of Cisco IOS ACLs. Adding the log keyword can severely impact a router's performance, so care should always be taken. Consult Cisco Technical Support or the Cisco documentation for more details.

This scenario is a simple one that clearly demonstrates the power of extended access lists and the simplest use of show commands that can be deployed in any midsize or large IP network to quickly identify and prevent some DoS attacks.
