Re: DDoS attack.

From: Stanislav N. Vardomskiy (stanyat_private)
Date: Sun Jan 27 2002 - 20:53:45 PST

Next message: Blake R. Swopes: "Lots of scans by SSH-1.0-SSH_Version_Mapper"

Previous message: Ronneil Camara: "is this enumeration?"
In reply to: Bugtraq Mailing Lists: "Re: DDoS attack."
Next in thread: Patrick Oonk: "Re: DDoS attack."
Next in thread: Wichert Akkerman: "Re: DDoS attack."
Reply: Patrick Oonk: "Re: DDoS attack."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 27 Jan 2002, Bugtraq Mailing Lists wrote:

> you should start implementing ingress filtering on your routers
> so that this spoofed attack will not happen again by your end users.
>
> if you have a cisco based router:
> conf t
> int e0/0 <-- do this on all of your interfaces
> ip verify unicast reverse-path

Of course this only works if you have a single connection to the internet.
If you have multiple connections with multiple BGP sessions, this will
most likely break many things.

Instead you want some basic incoming and outgoing access lists thrown on
the interfaces:

Incoming filter similar to this might work:
access-list 120 deny   ip your.net.block.goes.here your.inverse.netmask.goes.here any log
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 permit ip 128.0.0.0 127.255.255.255 any
access-list 120 deny   ip 96.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 23.0.0.0 8.255.255.255 any log
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 0.0.0.0 1.255.255.255 any log
access-list 120 permit ip any any

As you should be a good internet denisen and not spew crap onto the
backbone that might cause problems, you probably should filter egress as
well.   Simplest egress filter would be:
access-list 130 permit ip your.net.block.goes.here your.inverse.netmask.goes.here any any
access-list 130 deny   ip any any

Once you built your access lists, and are satisfied with them, you need to
do something like the following example on all of your external
interfaces:

c7204(config)#int e 2/3
c7204(config-if)#ip access-group 120 in
c7204(config-if)#ip access-group 130 out
c7204(config-if)#end

Signed:
//Stany

P.S. This is not meant to be a replacement for someone with Cisco skill -
there are many clued in people out there that are jobless at the moment,
and last time I tried to write a comprehensive instructions for Cisco
security for our IX, I got in no-nonsense way informed that I really
should not take the bread and butter from the CCIEs, least I want my
employer to be packeted/nullrouted off the face of the internet.

-- 
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533 +-+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Blake R. Swopes: "Lots of scans by SSH-1.0-SSH_Version_Mapper"
Previous message: Ronneil Camara: "is this enumeration?"
In reply to: Bugtraq Mailing Lists: "Re: DDoS attack."
Next in thread: Patrick Oonk: "Re: DDoS attack."
Next in thread: Wichert Akkerman: "Re: DDoS attack."
Reply: Patrick Oonk: "Re: DDoS attack."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 10:22:02 PST