literally a random 32-bit number, resulting in the source of the attack being difficult to trace. If traffic that leaves an edge network and enters an ISP can be limited to traffic that is being legitimately sent, attacks can be somewhat mitigated. Traffic with random or improper source addresses can be suppressed before the traffic does significant damage, and attacks can be readily traced back to at least the source networks. DDoS Attack Mitigation: TRIN00
TRIN00 is a distributed SYN DoS attack. The attack method is a UDP flood. The TRIN00 attack sets up communications between clients, handlers, and agents using these ports:

• 1524 tcp
• 27665 tcp
• 27444 udp
• 31335 udp

The mitigation tactic for the TRIN00 attack, as well as for the other DoS attacks considered in this topic, is to block both interfaces in the in direction. The goal is to prevent infected outside systems from sending messages to an internal network and to prevent any infected internal systems from sending messages out of an internal network to the vulnerable ports. For example, in Figure , the command access-list 190 deny tcp any any eq 1524 log translates to “ACL number 190 will deny any TCP traffic going from any network to any network which has the TCP port equivalent of 1524 and this denial of traffic will be logged.” If you want to be specific about the exact incoming and outgoing network, you must specify those ports. For example, if the IP address of the inside network is 10.0.1.0 and you want to block all traffic going from this inside network to the Internet, the command would be access-list 190 deny tcp 10.0.1.0 0.0.0.255 any eq 1524 log. However, blocking these ports may have an impact on regular network users because the command may block some high port numbers that may be used by legitimate network clients. You may want to wait to block these port numbers until a particular threat presents itself. Note
For simplicity, the permit ACL entry that allows desired traffic is not shown in this example. DDoS Attack Mitigation: Stacheldraht
Stacheldraht is a DDoS tool that appeared in 1999 and combines features of TRIN00 and Tribe Flood Network (TFN). Stacheldraht also contains some advanced features such as encrypted attacker-master communication and automated agent updates. Possible Stacheldraht attacks are similar to the attacks of TFN; namely, ICMP flood, SYN flood, UDP flood, and smurf attacks. A Stacheldraht attack sets up communication between clients, handlers, and agents using these ports:

• 16660 tcp
• 65000 tcp

Figure shows an example that mitigates a Stacheldraht DDoS attack by blocking traffic on these ports. Note
The ports listed above are the default ports for the Stachedraht tool. Use these ports for orientation and example only because the port numbers can easily be changed. Note
For simplicity, the permit ACL entry that allows the desired traffic is not shown in this example. DDoS Attack Mitigation: Trinity v3
Trinity is capable of launching several types of flooding attacks on a victim site including UDP, fragment, SYN, restore (RST), acknowledgement (ACK), and other floods. Communication from the handler or intruder to the agent is accomplished via Internet Relay Chat (IRC) or ICQ from AOL. Trinity appears to use primarily TCP port 6667 and also has a backdoor program that listens on TCP port 33270. Figure shows an example ACL that mitigates a Trinity v3 DDoS attack by blocking traffic on TCP port 33270. Note
For simplicity, the permit ACL entry that allows the desired traffic is not shown in this example. DDoS Attack Mitigation: SubSeven
SubSeven is a backdoor Trojan that targets Windows machines. Once a machine is infected, the attacker can take complete control over the system and has full access as if they were a local user. The attacker can then use the victim’s machine to launch DDoS attacks. Depending on the version, an attacker will try to exploit TCP ports 1243, 2773, 6711, 6712, 6713, 6776, 7000, 7215, 16959, 27374, 27573, and 54283. Figure shows an example ACL that mitigates a SubSeven DDoS attack by blocking traffic on these ports:

• TCP—Range 6711 to 6712
• TCP—6776
• TCP—6669
• TCP—2222
• TCP—7000

Note
The permit ACL entry that allows the desired traffic is not shown in this example, for simplicity.

---

Content 5.7 Mitigating Threats and Attacks with Access Lists 5.7.6 Combining Access Functions Figure shows an example of a possible configuration for Router R2 in the reference network. This partial configuration file contains several ACLs that contain most of the ACL features that we explain in this lesson. View this partial configuration as an example of how to integrate multiple ACL policies into a few main router ACLs. Figures to displays an ACL configuration file that combines many ACL functions into one large ACL.

• Figure shows:
  • ACL 126 is applied to traffic that flows from external networks to the internal network or to the router itself.
  • ACL 128 is applied to traffic that flows from the internal network to external networks or to the router itself.
  • You must delete ACL 126 to make sure that you create a new ACL and do not append the configuration to an existing ACL.
• Figure shows:
  • Prevent any IP packets that contain the source address of any internal hosts or networks inbound to the private network.
  • Prevent any IP packets that contain the invalid source address, such as the local loopback, addresses starting with the first octet set to 0, RFC1918 private ranges (with the exception of 10.0.0.0/8, which is used in this network), or multicast addresses.
  • Deny packets that are destined to the network and broadcast addresses of the remote access LAN.
  • Permit TCP return traffic to the remote access LAN.
• Figure shows:
  • Deny ICMP echo requests, ICMP redirects, and mask requests and permit all other ICMP traffic to the remote access LAN.
  • Permit Routing Information Protocol (RIP) updates.
  • Block TRIN00, Stacheldraht, and Trinity.
  • Permit initial packets from the FTP data sessions so that FTP clients in the remote access LAN can use FTP.
• Figure shows:
  • Block the TRIN00 UDP ports.
  • Deny tracing of the remote access LAN.
  • Allow return DNS traffic.
  • Deny all remaining traffic and provide detailed logging information of denied traffic.
• Figure shows:
  • You must delete ACL 128 to make sure that you create a new ACL and do not append the configuration to an existing ACL.
  • Permit needed ICMP messages.
  • Block access to certain outside TCP services.
• Figure shows:
  • Permit access to all remaining outside TCP services and to DNS (UDP/53) and allow tracing outside destinations.
  • Deny all remaining access and provide detailed logging of denied access.

---

Content 5.7 Mitigating Threats and Attacks with Access Lists 5.7.7 Caveats There are several caveats to consider when working with ACLs as listed in Figures and :

• Implicit deny all: All Cisco ACLs end with an implicit deny all statement. Although you may not actually see this statement in your ACLs, the statement does exist.
• Standard ACL limitation: Because standard ACLs are limited to packet filtering on source addresses only, you may need to create extended ACLs to implement your security policies.
• Statement evaluation order: ACL statements are evaluated in a sequential, top-down order, starting with the first entry in the list. This means that it is very important to consider the order of statements in your ACLs.
• Order of ACL statements: Certain ACL statements are more specific than other statements and therefore should be placed higher in the