General Layer 3 Security Considerations

This section explains a few of the more common ways to avoid Layer 3 attacks.

Smurf Attacks, Directed Broadcasts, and RPF Checks

A smurf attack occurs when a host sends a large number of ICMP Echo Requests with some atypical IP addresses in the packet. The destination address is a subnet broadcast address, also known as a directed broadcast address. Routers forward these packets based on normal matching of the IP routing table, until the packet reaches a router connected to the destination subnet. This final router then forwards the packet onto the LAN as a LAN broadcast, sending a copy to every device. Figure 18-9 shows how the attack develops.

The other feature of a smurf attack is that the source IP address of the packet sent by the attacker is the IP address of the attacked host. For example, in Figure 18-9, many hosts may receive the ICMP Echo Request at Step 2. All those hosts then reply with an Echo Reply, sending it to 10.1.1.2—the address that was the source IP address of the original ICMP Echo at Step 1. Host 10.1.1.2 receives a potentially large number of packets.

Figure 18-9 Smurf Attack

Figure 18-9 Smurf Attack

1. Attacker sends packet destined to subnet broadcast, source 1.1.1.2 (for secondary attack).

2. R1 forwards packet as LAN broadcast.

3. R1 replies with ICMP echo reply packet sent to 1.1.1.2.

1. Attacker sends packet destined to subnet broadcast, source 1.1.1.2 (for secondary attack).

2. R1 forwards packet as LAN broadcast.

3. R1 replies with ICMP echo reply packet sent to 1.1.1.2.

Several solutions to this problem exist. First, as of Cisco IOS Software version 12.0, IOS defaults each interface to use the no ip directed-broadcast command, which prevents the router from forwarding the broadcast onto the LAN (Step 2 in Figure 18-9). Also, a Reverse-Path-Forwarding (RPF) check could be enabled using the ip verify unicast source reachable-via {rx I any} [allow-default] [allow-self-ping] [list] interface subcommand. This command tells Cisco IOS to examine the source IP address of incoming packets on that interface. Two styles of check can be made with this command:

■ Strict RPF—Using the rx keyword, the router checks to see if the matching route uses an outgoing interface that is the same interface on which the packet was received. If not, the packet is discarded. (An example scenario using Figure 18-9 will be explained shortly.)

■ Loose RPF—Using the any keyword, the router checks for any route that can be used to reach the source IP address.

The command can also ignore default routes when it performs the check (default) or use default routes when performing the check by including the allow-default keyword. Also, although not recommended, the command can trigger a ping to the source to verify connectivity. Finally, the addresses for which the RPF check is made can be limited by a referenced ACL.

For example, in Figure 18-9, if R1 used strict RPF on s0/0, it would notice that its route to reach 1.1.1.2 (the source IP address of the packet at Step 1) did not refer to s0/0 as the outgoing interface—thereby discarding the packet. However, with loose RPF, R1 would have found a connected route that matched 1.1.1.2, so it would have allowed the packet through. Finally, given that AS1 should never receive packets with source addresses in network 1.0.0.0, as it owns that entire class A network, R1 could simply use an inbound ACL to discard any packets sourced from 1.0.0.0/8 as they enter s0/0 from the Internet.

Fraggle attacks use similar logic as smurf attacks, but instead of ICMP, fraggle attacks use the UDP Echo application. These attacks can be defeated using the same options as listed for smurf attacks.

Inappropriate IP Addresses

Besides smurf and fraggle attacks, other attacks involve the use of what can be generally termed inappropriate IP addresses, both for the source IP address and destination IP address. By using inappropriate IP addresses, the attacker can remain hidden and elicit cooperation of other hosts to create a distributed denial-of-service (DDoS) attack.

One of the Layer 3 security best practices is to use ACLs to filter packets whose IP addresses are not appropriate—for instance, the smurf attack listed a valid source IP address of 1.1.1.2, but packets with that source address should never enter AS1 from the Internet. The Internet Assigned Numbers Authority (IANA) manages the assignment of IP prefix ranges. It lists the assigned ranges in a document found at http://www.iana.org/assignments/ipv4-address-space. A router can then be configured with ACLs that prevent packets based on known assigned ranges and on known unassigned ranges. For example, in Figure 18-9, an enterprise router should never need to forward a packet onto the Internet if that packet has a source IP address from another company's registered IP prefix. In the smurf attack case, such an ACL used at the attacker's ISP would have prevented the first packet from getting to AS1.

Routers should also filter packets that use IP addresses that should be considered bogus or inappropriate. For example, a packet should never have a broadcast or multicast source IP address in normal use. Also, an enterprise router should never receive a packet from an ISP with that packet's source IP address being a private network per RFC 1918. Additionally, that same router should not receive packets sourced from IP addresses in ranges currently unallocated by IANA. These types of IP addresses are frequently called bogons, which is a derivation of the word bogus.

Creating an ACL to match these bogon IP addresses is not particularly difficult, but it does require a lot of administrative effort, particularly to update it based on changes to IANA's assigned prefixes. You can use freeware called the Router Audit Tool (RAT) that makes recommendations for router security, including bogon ACLs. You can also use the Cisco IOS AutoSecure feature, which automatically configures ACLs to prevent the use of such bogus IP addresses.

TCP SYN Flood, the Established Bit, and TCP Intercept

A TCP SYN flood is an attack directed at servers by initiating large numbers of TCP connections, but not completing the connections. Essentially, the attacker initiates many TCP connections, each with only the TCP SYN flag set, as usual. The server then sends a reply (with TCP SYN and ACK flags set)—but then the attacker simply does not reply with the expected third message in the three-way TCP connection setup flow. The server consumes memory and resources while waiting on its timeouts to occur before clearing up the partially initialized connections. The server might also reject additional TCP connections, and load balancers in front of a server farm might unbalance the load of actual working connections as well.

Stateful firewalls can prevent TCP SYN attacks. Both the Cisco PIX Firewall and the Cisco IOS Firewall feature set can be used to do this. The methods used are not part of the CCIE Routing and Switching written exam, but instead are covered in the CCIE Security exam; the impact of TCP SYN attacks can be reduced or eliminated by using a few other tools in Cisco IOS.

One way to prevent SYN attacks is to simply filter packets whose TCP header shows only the SYN flag set—in other words, filter all packets that are the first packet in a new TCP connection. In many cases, a router should not allow TCP connections to be established by a client on one side to a server on the other, as shown in Figure 18-10. In these cases, filtering the initial TCP segment prevents the SYN attack.

Figure 18-10 Example Network: TCP Clients in the Internet

Figure 18-10 Example Network: TCP Clients in the Internet

Cisco IOS ACLs cannot directly match the TCP SYN flag. However, an ACE can use the established keyword, which matches TCP segments that have the ACK flag set. The established keyword essentially matches all TCP segments except the very first TCP segment in a new connection. Example 18-12 shows the configuration that would be used on R1 to deny new connection requests from the Internet into the network on the left.

Example 18-12 Using an ACL with the established Keyword

! The first ACE matches TCP segments that are not the first segment, and permits ! them. The second ACE matches all TCP segment between the same set of IP ! addresses, but because all non-initial segments have already been matched, the ! second ACE only matches the initial segments, ip access-list extended prevent-syn permit tcp any 1.0.0.0 0.255.255.255 established deny tcp any 1.0.0.0 0.255.255.255 permit (whatever)

interface s0/0 ip access-group prevent-syn in

The ACL works well when clients outside a network are not allowed to make TCP connections into the network. However, in cases where some inbound TCP connections are allowed, this ACL cannot be used. Another Cisco IOS feature, called TCP intercept, provides an alternative that allows TCP connections into the network, but monitors those TCP connections for TCP SYN attacks.

TCP intercept operates in one of two different modes. In watch mode, it keeps state information about TCP connections that match a defined ACL. If a TCP connection does not complete the three-way handshake within a particular time period, TCP intercept sends a TCP reset to the server, cleaning up the connection. It also counts the number of new connections attempted over time, and if a large number occurs in 1 second ("large" defaulting to 1100), the router temporarily filters new TCP requests to prevent a perceived SYN attack.

In intercept mode, the router replies to TCP connection requests instead of forwarding them to the actual server. Then, if the three-way handshake completes, the router creates a TCP connection between itself and the server. At that point, the router knits the two connections together. This takes more processing and effort, but it provides better protection for the servers.

Example 18-13 shows an example using TCP intercept configuration, in watch mode, plus a few changes to its default settings. The example allows connections from the Internet into AS1 in Figure 18-10.

Example 18-13 Configuring TCP Intercept

! The following command enables TCP intercept for packets matching ACL ! match-tcp-from-internet. Also, the mode is set to watch, rather than the ! default of intercept. Finally, the watch timeout has been reset from the ! default of 30 seconds; if the TCP connection remains incomplete as of the ! 20-second mark, TCP intercept resets the connection, ip tcp intercept-list match-tcp-from-internet ip tcp intercept mode watch ip tcp intercept watch-timeout 20

! The ACL matches packets sent into 1.0.0.0/8 that are TCP. It is referenced by ! the ip tcp intercept-list command listed above, ip access-list extended match-tcp-from-internet permit tcp any 1.0.0.0 0.255.255.255

! Note below that the ACL is not enabled on any interfaces. interface s0/0

! Note: there is no ACL enabled on the interface!

+1 0

Responses

  • maxima whitfoot
    How to prevent layer 3 from the attack?
    20 days ago

Post a comment