Scenario 81 Solution

The network administrator can quickly configure an extended access list permitting all ICMP, UDP, or TCP, as shown in Example 8-12, applying the access list to the inbound interface on R2, Serial 0/0. (The configuration is truncated to focus on the critical configuration.)

Example 8-12 Access List Configuration on R2

hostname R2

interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
 ip access-group 100 in

access-list 100 permit icmp any any log-input
access-list 100 permit tcp any any log-input
access-list 100 permit udp any any log-input
!

To determine the traffic type, access list 100 permits ICMP, UDP, and TCP inbound on Serial 0/0, with logging enabled by the keyword log-input. Assuming a DoS attack is under way, viewing access list 100 with the command show ip access-list 100 gives you an idea of which protocol type is being used. The displays in Example 8-13 are taken from R2 while the DoS attack is taking place. The command show ip access-list 100 is entered several times on Router R2 to view the statistics and the crucial bits of data that let you verify the source of the attack and its method, whether ICMP, TCP, or UDP. Because logging is enabled, the display in Example 8-13 shows the packet matches made against each entry of access list 100, and each counter is incremented every time a packet matches that entry.

Example 8-13 show ip access-list 100 on R2 (Repeated Five Times in Real Time)

r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (5000 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (23 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (25000 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (24 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (35500 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (25 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (45500 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (26 matches)
r2#show ip access-lists 100
Extended IP access list 100
    permit icmp any any log-input (67000 matches)
    permit tcp any any log-input (100 matches)
    permit udp any any log-input (26 matches)

Example 8-13 clearly shows that ICMP packets are increasing at an alarming rate. This indicates that an intruder could be attempting a Smurf attack (by sending a large number of ICMP requests). Now that you have identified the protocol type, you can take steps to stop ICMP packets from being sent to R2 by configuring the access list 100 on R1's outbound interface to R2, as displayed in Example 8-14.

Example 8-14 R1's Access List 100 Configuration

hostname R1

interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
 ip access-group 100 out

access-list 100 deny icmp any any log-input
access-list 100 permit tcp any any log-input
access-list 100 permit udp any any log-input
!

You can also apply the same access list inbound on Router R1's Internet-facing interface, so that ICMP requests are denied as they enter the network rather than only on the link toward R2.

This simple scenario clearly demonstrates the power of extended access lists and of basic show commands, which can be deployed in any medium or large IP network to quickly and safely identify and block some DoS attacks.
