literally a random 32-bit number, resulting in the source of the attack being difficult to trace. If traffic that leaves an edge network and enters an ISP can be limited to traffic that is being legitimately sent, attacks can be somewhat mitigated. Traffic with random or improper source addresses can be suppressed before the traffic does significant damage, and attacks can be readily traced back to at least the source networks.

DDoS Attack Mitigation: TRIN00
TRIN00 is a distributed SYN DoS attack. The attack method is a UDP flood. The TRIN00 attack sets up communications between clients, handlers, and agents using these ports:
- 1524 tcp
- 27665 tcp
- 27444 udp
- 31335 udp
The mitigation tactic for the TRIN00 attack, as well as for the other DoS attacks considered in this topic, is to apply blocking ACLs to both interfaces in the inbound (in) direction. The goal is to prevent infected outside systems from sending messages to an internal network and to prevent any infected internal systems from sending messages out of an internal network to the vulnerable ports. For example, in Figure , the command access-list 190 deny tcp any any eq 1524 log translates to “ACL number 190 will deny any TCP traffic going from any network to any network that has a TCP port equal to (eq) 1524, and this denial of traffic will be logged.” If you want to be specific about the exact incoming and outgoing network, you must specify those networks in the entry. For example, if the IP address of the inside network is 10.0.1.0 and you want to block all traffic going from this inside network to the Internet, the command would be access-list 190 deny tcp 10.0.1.0 0.0.0.255 any eq 1524 log. However, blocking these ports may have an impact on regular network users because the command may block some high port numbers that may be used by legitimate network clients. You may want to wait to block these port numbers until a particular threat presents itself.

Note
For simplicity, the permit ACL entry that allows desired traffic is not shown in this example.

DDoS Attack Mitigation: Stacheldraht
Stacheldraht is a DDoS tool that appeared in 1999 and combines features of TRIN00 and Tribe Flood Network (TFN). Stacheldraht also contains some advanced features such as encrypted attacker-master communication and automated agent updates. Possible Stacheldraht attacks are similar to the attacks of TFN; namely, ICMP flood, SYN flood, UDP flood, and smurf attacks. A Stacheldraht attack sets up communication between clients, handlers, and agents using these ports:

Figure shows an example that mitigates a Stacheldraht DDoS attack by blocking traffic on these ports.

Note
The ports listed above are the default ports for the Stacheldraht tool. Use these ports for orientation and example only, because the port numbers can easily be changed.

Note
For simplicity, the permit ACL entry that allows the desired traffic is not shown in this example.

DDoS Attack Mitigation: Trinity v3
Trinity is capable of launching several types of flooding attacks on a victim site, including UDP, fragment, SYN, reset (RST), acknowledgement (ACK), and other floods. Communication from the handler or intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL. Trinity appears to use primarily TCP port 6667 and also has a backdoor program that listens on TCP port 33270. Figure shows an example ACL that mitigates a Trinity v3 DDoS attack by blocking traffic on TCP port 33270.

Note
For simplicity, the permit ACL entry that allows the desired traffic is not shown in this example.

DDoS Attack Mitigation: SubSeven
SubSeven is a backdoor Trojan that targets Windows machines. Once a machine is infected, the attacker can take complete control over the system and has full access as if they were a local user. The attacker can then use the victim’s machine to launch DDoS attacks. Depending on the version, an attacker will try to exploit TCP ports 1243, 2773, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283. Figure shows an example ACL that mitigates a SubSeven DDoS attack by blocking traffic on these ports:
- TCP, range 6711 to 6712
- TCP 6776
- TCP 6669
- TCP 2222
- TCP 7000

Note
For simplicity, the permit ACL entry that allows the desired traffic is not shown in this example.
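As an added example (not one of the lesson's figures), the TRIN00 and SubSeven port blocks from this topic written out as complete IOS ACLs and applied inbound on both interfaces, as the mitigation tactic above describes. The interface names, the 10.0.1.0/24 inside network and the ACL numbers 190 and 191 are assumptions; unlike the figures, the final permit entries are included so that the ACLs still pass other traffic.

```cisco
! ACL 190: inbound on the outside interface. Stops outside handlers or agents
! from reaching the TRIN00 and SubSeven ports on inside hosts.
access-list 190 deny tcp any any eq 1524 log
access-list 190 deny tcp any any eq 27665 log
access-list 190 deny udp any any eq 27444 log
access-list 190 deny udp any any eq 31335 log
access-list 190 deny tcp any any range 6711 6712 log
access-list 190 deny tcp any any eq 6776 log
access-list 190 deny tcp any any eq 6669 log
access-list 190 deny tcp any any eq 2222 log
access-list 190 deny tcp any any eq 7000 log
! The lesson's figures leave this permit out; without it the implicit
! deny at the end of the ACL would drop all other traffic as well.
access-list 190 permit ip any any
!
! ACL 191: inbound on the inside interface. Stops an infected inside host from
! talking out to the same ports. The source is pinned to the inside network
! (10.0.1.0/24 is assumed); a packet with a spoofed source would not match
! these entries, so anti-spoofing needs its own entries.
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any eq 1524 log
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any eq 27665 log
access-list 191 deny udp 10.0.1.0 0.0.0.255 any eq 27444 log
access-list 191 deny udp 10.0.1.0 0.0.0.255 any eq 31335 log
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any range 6711 6712 log
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any eq 6776 log
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any eq 6669 log
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any eq 2222 log
access-list 191 deny tcp 10.0.1.0 0.0.0.255 any eq 7000 log
access-list 191 permit ip any any
!
! Interface names are assumed for this example.
interface Serial0/0
 ip access-group 190 in
interface FastEthernet0/0
 ip access-group 191 in
```

Every deny entry carries the log keyword, so show logging (or a syslog collector) will reveal which hosts are attempting to reach the tool ports.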
5.7 Mitigating Threats and Attacks with Access Lists: 5.7.6 Combining Access Functions

Figure shows an example of a possible configuration for Router R2 in the reference network. This partial configuration file contains several ACLs that contain most of the ACL features that we explain in this lesson. View this partial configuration as an example of how to integrate multiple ACL policies into a few main router ACLs. Figures to display an ACL configuration file that combines many ACL functions into one large ACL.
- Figure shows:
  - ACL 126 is applied to traffic that flows from external networks to the internal network or to the router itself.
  - ACL 128 is applied to traffic that flows from the internal network to external networks or to the router itself.
  - You must delete ACL 126 to make sure that you create a new ACL and do not append the configuration to an existing ACL.
- Figure shows:
  - Prevent any IP packets that contain the source address of any internal hosts or networks inbound to the private network.
  - Prevent any IP packets that contain an invalid source address, such as the local loopback, addresses starting with the first octet set to 0, RFC 1918 private ranges (with the exception of 10.0.0.0/8, which is used in this network), or multicast addresses.
  - Deny packets that are destined to the network and broadcast addresses of the remote access LAN.
  - Permit TCP return traffic to the remote access LAN.
- Figure shows:
  - Deny ICMP echo requests, ICMP redirects, and mask requests, and permit all other ICMP traffic to the remote access LAN.
  - Permit Routing Information Protocol (RIP) updates.
  - Block TRIN00, Stacheldraht, and Trinity.
  - Permit initial packets from the FTP data sessions so that FTP clients in the remote access LAN can use FTP.
- Figure shows:
  - Block the TRIN00 UDP ports.
  - Deny tracing of the remote access LAN.
  - Allow return DNS traffic.
  - Deny all remaining traffic and provide detailed logging information of denied traffic.
- Figure shows:
  - You must delete ACL 128 to make sure that you create a new ACL and do not append the configuration to an existing ACL.
  - Permit needed ICMP messages.
  - Block access to certain outside TCP services.
- Figure shows:
  - Permit access to all remaining outside TCP services and to DNS (UDP/53), and allow tracing outside destinations.
  - Deny all remaining access and provide detailed logging of denied access.
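The inbound ACL 126 summarised in the figures above, reconstructed as an added example in the order the figures describe (this is not the course's own Figure text). Assumed values: the internal network is 10.0.0.0/8, the remote access LAN is 10.0.1.0/24 and the outside interface is Serial0/0; Stacheldraht's default ports are not given on this page, so only the TRIN00 and Trinity ports from this lesson are blocked.

```cisco
! Clear any old ACL 126 first so these entries are not appended to it.
no access-list 126
! Anti-spoofing: packets claiming an internal source must not arrive from outside.
access-list 126 deny ip 10.0.0.0 0.255.255.255 any log
! Invalid sources: loopback, first octet 0, RFC 1918 (except 10/8, used inside), multicast.
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
! Network and broadcast addresses of the remote access LAN (assumed 10.0.1.0/24).
access-list 126 deny ip any host 10.0.1.0 log
access-list 126 deny ip any host 10.0.1.255 log
! Return traffic for TCP sessions opened from the LAN (ACK or RST set). Because this
! entry precedes the tool-port denies below, ACK-bearing packets to those ports pass here.
access-list 126 permit tcp any 10.0.1.0 0.0.0.255 established
! ICMP: drop echo requests, redirects and mask requests; allow the rest to the LAN.
access-list 126 deny icmp any any echo
access-list 126 deny icmp any any redirect
access-list 126 deny icmp any any mask-request
access-list 126 permit icmp any 10.0.1.0 0.0.0.255
! RIP updates (UDP 520, keyword rip).
access-list 126 permit udp any eq rip any eq rip
! DDoS tool ports from this lesson: TRIN00 TCP and the Trinity backdoor.
access-list 126 deny tcp any any eq 1524 log
access-list 126 deny tcp any any eq 27665 log
access-list 126 deny tcp any any eq 33270 log
! Active-mode FTP data connections back to FTP clients on the LAN.
access-list 126 permit tcp any eq ftp-data 10.0.1.0 0.0.0.255 gt 1023
! TRIN00 UDP ports.
access-list 126 deny udp any any eq 27444 log
access-list 126 deny udp any any eq 31335 log
! Deny tracing of the LAN: UDP traceroute probes use high ports in this range.
access-list 126 deny udp any 10.0.1.0 0.0.0.255 range 33400 34400 log
! Return DNS traffic to resolvers and clients on the LAN.
access-list 126 permit udp any eq domain 10.0.1.0 0.0.0.255 gt 1023
! Explicit final deny: the implicit deny would drop the same packets but not log them.
access-list 126 deny ip any any log-input
!
interface Serial0/0
 ip access-group 126 in
```

The explicit deny ip any any log-input at the end is what gives the "detailed logging of denied traffic" the figure calls for; it also records the input interface and source MAC, which the implicit deny never reports.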
5.7 Mitigating Threats and Attacks with Access Lists: 5.7.7 Caveats

There are several caveats to consider when working with ACLs, as listed in Figures and :
- Implicit deny all: All Cisco ACLs end with an implicit deny all statement. Although you may not actually see this statement in your ACLs, the statement does exist.
- Standard ACL limitation: Because standard ACLs are limited to packet filtering on source addresses only, you may need to create extended ACLs to implement your security policies.
- Statement evaluation order: ACL statements are evaluated in a sequential, top-down order, starting with the first entry in the list. This means that it is very important to consider the order of statements in your ACLs.
- Order of ACL statements: Certain ACL statements are more specific than other statements and therefore should be placed higher in the