range (224.0.0.0/4). This ACL is applied inbound to the external interface (e0/0) of router R2.

IP Address Spoofing Mitigation: Outbound

As a rule, you should not allow any outbound IP packets with a source address other than a valid IP address of the internal network. The example in Figure shows ACL 105 for router R2. This ACL permits only packets that contain source addresses from the 10.2.1.0/24 network and denies all other packets. This ACL is applied inbound to the inside interface (e0/1) of router R2.
Note

Cisco routers running Cisco IOS Release 12.0 and later may use IP Unicast Reverse Path Forwarding (RPF) verification as an alternative IP address spoof mitigation mechanism.

DoS TCP SYN Attack Mitigation: Blocking External Access
TCP SYN attacks involve sending large numbers of TCP SYN packets, often from a spoofed source, into the internal network, which results in the flooding of the TCP connection queues of the receiving nodes. The ACL in Figure prevents inbound packets with the SYN flag set from entering the router. However, the ACL does allow TCP responses from the outside network for TCP connections that originated on the inside network (keyword established). The established option is used for the TCP protocol only. This option indicates return traffic from an established connection: a match occurs if the TCP datagram has the ACK control bit set. Please note that this ACL effectively blocks all ICMP and UDP traffic, which may include dynamic routing updates.

DoS TCP SYN Attack Mitigation: Using TCP Intercept
TCP Intercept is a very effective tool for protecting internal network hosts from external TCP SYN attacks. The example in Figure uses TCP Intercept to mitigate DoS TCP SYN attacks. TCP Intercept protects internal hosts from SYN flood attacks by intercepting and validating TCP connection requests before the requests reach the hosts. Valid connections (those connections established within the configured thresholds) are passed on to the host. Invalid connection attempts are dropped.

Note

Because TCP Intercept examines every TCP connection attempt, TCP Intercept can impose a performance burden on your routers. Always test for any performance problems before using TCP Intercept in a production environment.

DoS Smurf Attack Mitigation
Smurf attacks consist of large numbers of ICMP packets sent to a router subnet broadcast address using a spoofed source IP address from that same subnet. Some routers may be configured to forward these broadcasts to other routers in the protected network, and this process causes performance degradation. The ACL shown in Figure prevents this forwarding process and halts the smurf attack. The ACLs in Figure block all IP packets originating from any host destined for the subnet broadcast addresses specified (10.2.1.255 and 10.1.1.255).

Note

Cisco IOS Release 12.0 and later now has the no ip directed-broadcast feature enabled by default, which prevents this type of ICMP attack. Therefore, you may not need to build an ACL as shown here.

Filtering Inbound ICMP Messages
There are several ICMP message types that attackers can use against your network. Programs use some of these messages; others are used for network management and so are automatically generated by the router. ICMP echo packets can be used to discover subnets and hosts on the protected network and can also be used to generate DoS floods. ICMP redirect messages can be used to alter host routing tables. The router should block both ICMP echo and redirect messages that are inbound. The ACL statement shown in Figure blocks all ICMP echo and redirect messages. As an added safety measure, this ACL also blocks mask-request messages. The ACL permits all other ICMP messages inbound to the 10.2.1.0/24 network.
Filtering Outbound ICMP Messages
These ICMP messages are required for proper network operation and should be allowed outbound:
- Echo: Allows users to ping external hosts
- Parameter problem: Informs host of packet header problems
- Packet too big: Required for packet maximum transmission unit (MTU) discovery
- Source quench: Throttles down traffic when necessary

As a general rule, you should block all other ICMP message types that are outbound. The ACL shown in Figure permits all of the required ICMP messages inbound to the e0/1 interface while denying all others.
Filtering UDP Traceroute Messages
The traceroute feature uses some of the ICMP message types to complete several tasks. Traceroute displays the IP addresses of the routers that a packet encounters along the packet path (hops) from source to destination. Attackers can use ICMP responses to the UDP traceroute packets to discover subnets and hosts on the protected network. As a rule, you should block all inbound traceroute UDP messages, as shown in the image in Figure (UDP ports 33400 to 34400). The example in Figure shows how to filter traceroute messages.
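As an added example (not part of the course material and not Cisco's implementation), the Python model below evaluates the SYN-flood (established), inbound ICMP, outbound ICMP and UDP traceroute filters described in the sections above against constructed packets, using first-match semantics and the implicit deny at the end of every access list. The 10.2.1.0/24 network, the ICMP types and the port range come from the text; the rule() helper, the Pkt class and the 203.0.113.x addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Pkt:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ack: bool = False     # TCP ACK control bit; the 'established' keyword matches on this
    icmp_type: str = ""   # e.g. "echo", "redirect", "mask-request"
    dport: int = 0        # UDP destination port

def rule(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0", **opts):
    """One access-list entry; opts mirror IOS keywords (established, icmp_type, dports)."""
    return action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), opts

def matches(r, p):
    _, proto, src, dst, o = r
    if proto != "ip" and proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in src or ipaddress.ip_address(p.dst) not in dst:
        return False
    if o.get("established") and not p.ack:       # return traffic only: ACK bit must be set
        return False
    if "icmp_type" in o and o["icmp_type"] != p.icmp_type:
        return False
    if "dports" in o and p.dport not in o["dports"]:
        return False
    return True

def evaluate(acl, p):
    """First matching entry decides; every access list ends with an implicit deny."""
    for r in acl:
        if matches(r, p):
            return r[0] == "permit"
    return False

INSIDE = "10.2.1.0/24"   # protected network from the text

# SYN-flood mitigation on the external interface: only replies to inside-originated TCP
# sessions get in, so bare SYNs and all UDP/ICMP fall through to the implicit deny.
ACL_ESTABLISHED = [rule("permit", "tcp", dst=INSIDE, established=True)]

# Inbound ICMP: drop echo, redirect and mask-request, permit other ICMP to the inside network.
ACL_ICMP_IN = [rule("deny", "icmp", icmp_type=t) for t in ("echo", "redirect", "mask-request")]
ACL_ICMP_IN.append(rule("permit", "icmp", dst=INSIDE))

# Outbound ICMP (applied inbound on the inside interface e0/1): only the four required types leave.
ACL_ICMP_OUT = [rule("permit", "icmp", src=INSIDE, icmp_type=t)
                for t in ("echo", "parameter-problem", "packet-too-big", "source-quench")]

# UDP traceroute probes (ports 33400 to 34400) are denied ahead of a broader permit.
ACL_TRACEROUTE = [rule("deny", "udp", dports=range(33400, 34401)), rule("permit", "ip")]
```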
Content 5.7
Mitigating Threats and Attacks with Access Lists
5.7.5 Mitigating DDoS with ACLs

Figure shows how a DDoS attack occurs:
- Behind a Client is a person who launches the attack.
- A Handler is a compromised host that is running the attacker program. Each Handler is capable of controlling multiple Agents.
- An Agent is a compromised host that is running the attacker program. Each Agent is responsible for generating a stream of packets that is directed toward the intended victim.
Generally, routers cannot prevent all DDoS attacks, but they can help reduce the number of occurrences of attacks by building ACLs that filter known attack ports. Methods that you use to block DDoS by blocking selected ports aim at stopping TRIN00, Stacheldraht, Trinity v3, and SubSeven. ACL rules are generally applied to inbound and outbound traffic between the protected network and the Internet. A DDoS attack can compromise several hundred to several thousand hosts. The hosts are usually Linux and Sun computers. However, the attack tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. A DDoS attack proceeds as follows:
- Step 1: The attacker initiates a scan phase in which a large number of hosts (perhaps 100,000 or more) are probed for a known vulnerability.
- Step 2: The attacker compromises the vulnerable hosts to gain access.
- Step 3: The attacker installs the tool on each host.
- Step 4: The attacker uses the compromised hosts for more scanning and compromises.

Because an automated process is used, attackers can compromise and install the tool on a single host in less than five seconds, and several thousand hosts can be compromised in less than one hour.

Mitigate DDoS Using Martian Filters
RFC 2827 recommends that ISPs police their customer traffic by dropping traffic that enters their networks from a source address that the customer network is not legitimately using. The filtering includes, but is not limited to, traffic whose source address is a “Martian address”—a reserved address that includes any address within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. RFC 3704 is the update to RFC 2827.
Figure shows the concept of using Martian filters. The reasoning behind this ingress filtering procedure is that DDoS attacks frequently spoof source addresses of other systems, placing a random number in the field. In some attacks, this random number is deterministically within the target network, simultaneously attacking one or more machines and causing those machines to attack other machines with ICMP messages or other traffic. Attacked sites can protect themselves by proper filtering that occurs by verifying that the site prefixes are not used in source addresses of packets that the site receives from the Internet. In other attacks, the source address is