Re: DDoS attack.

From: Stanislav N. Vardomskiy (stanyat_private)
Date: Sun Jan 27 2002 - 20:53:45 PST


    On Sun, 27 Jan 2002, Bugtraq Mailing Lists wrote:
    
    > you should start implementing ingress filtering on your routers
    > so that this spoofed attack will not happen again by your end users.
    >
    > if you have a cisco based router:
    > conf t
    > int e0/0 <-- do this on all of your interfaces
    > ip verify unicast reverse-path
    
    Of course this only works if you have a single connection to the internet.
    If you have multiple connections with multiple BGP sessions, this will
    most likely break many things.
    
    Instead you want some basic incoming and outgoing access lists thrown on
    the interfaces:
    
    Incoming filter similar to this might work:
    access-list 120 deny   ip your.net.block.goes.here your.inverse.netmask.goes.here any log
    access-list 120 deny   ip 224.0.0.0 31.255.255.255 any log
    access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
    access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
    access-list 120 permit ip 128.0.0.0 127.255.255.255 any
    access-list 120 deny   ip 96.0.0.0 31.255.255.255 any log
    access-list 120 deny   ip 23.0.0.0 8.255.255.255 any log
    access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
    access-list 120 deny   ip 0.0.0.0 1.255.255.255 any log
    access-list 120 permit ip any any
    
    As you should be a good internet denizen and not spew crap onto the
    backbone that might cause problems, you probably should filter egress as
    well.   Simplest egress filter would be:
    access-list 130 permit ip your.net.block.goes.here your.inverse.netmask.goes.here any
    access-list 130 deny   ip any any
    
    Once you have built your access lists, and are satisfied with them, you need to
    do something like the following example on all of your external
    interfaces:
    
    c7204(config)#int e 2/3
    c7204(config-if)#ip access-group 120 in
    c7204(config-if)#ip access-group 130 out
    c7204(config-if)#end
    
    Signed:
    //Stany
    
    P.S. This is not meant to be a replacement for someone with Cisco skill -
    there are many clued in people out there that are jobless at the moment,
    and last time I tried to write comprehensive instructions for Cisco
    security for our IX, I was informed in a no-nonsense way that I really
    should not take the bread and butter from the CCIEs, lest I want my
    employer to be packeted/nullrouted off the face of the internet.
    
    
    -- 
    +-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
    | "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
    | This message is powered by JOLT!  For all the sugar and twice the caffeine. |
    +-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533 +-+
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
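The following is an added example, not part of Stany's post or of any Cisco tooling: a small offline evaluator for the source-address part of the two extended access lists above. It applies IOS wildcard-mask semantics (a 1 bit in the "inverse netmask" means "don't care", first matching entry wins, implicit deny at the end) so you can check what an ACL will do before you bind it to an interface with "ip access-group". The placeholder "your.net.block.goes.here your.inverse.netmask.goes.here" is filled with the documentation prefix 192.0.2.0 0.0.0.255 as an assumption, and the packet source addresses are constructed samples.

```python
"""Offline evaluator for the source-address match of Cisco-style extended ACLs.

Added example, not code from the original post.  Only the "ip <src> <wild>"
form is handled; destination and "log" tokens are parsed but not matched on.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# ACL 120 from the post, with the site's own block assumed to be 192.0.2.0/24
# (written as the wildcard 0.0.0.255, which is what "inverse netmask" means).
INGRESS_ACL = """
access-list 120 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 permit ip 128.0.0.0 127.255.255.255 any
access-list 120 deny   ip 96.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 23.0.0.0 8.255.255.255 any log
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 0.0.0.0 1.255.255.255 any log
access-list 120 permit ip any any
""".strip().splitlines()

# ACL 130 from the post: only our own block may leave the network.
EGRESS_ACL = """
access-list 130 permit ip 192.0.2.0 0.0.0.255 any
access-list 130 deny   ip any any
""".strip().splitlines()


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # source address as a 32-bit integer
    wildcard: int    # wildcard mask; 1 bits are ignored when matching
    log: bool        # whether the entry carries the "log" keyword
    text: str        # original line, for reporting


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip <src> [<wild>] <dst> [<wild>] [log]' lines."""
    entries: List[AclEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list":
            continue
        _, _, action, proto, *rest = parts
        if proto != "ip" or action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line}")
        if rest[0] == "any":
            src, wild, rest = 0, ALL_ONES, rest[1:]
        elif rest[0] == "host":
            src, wild, rest = _addr(rest[1]), 0, rest[2:]
        else:
            src, wild, rest = _addr(rest[0]), _addr(rest[1]), rest[2:]
        entries.append(AclEntry(action, src, wild, "log" in rest, line.strip()))
    return entries


def matches(entry: AclEntry, src: str) -> bool:
    """IOS wildcard test: every bit where the wildcard is 0 must equal the entry's address."""
    care = ~entry.wildcard & ALL_ONES
    return (_addr(src) & care) == (entry.src & care)


def evaluate(entries: List[AclEntry], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching entry); None means the implicit deny."""
    for i, entry in enumerate(entries):
        if matches(entry, src):
            return entry.action, i
    return "deny", None


INGRESS = parse_acl(INGRESS_ACL)
EGRESS = parse_acl(EGRESS_ACL)

if __name__ == "__main__":
    # Constructed sample packets as they would arrive on the outside interface.
    for probe in ["192.0.2.5", "239.1.1.1", "203.0.113.7", "31.5.5.5", "64.1.1.1"]:
        action, idx = evaluate(INGRESS, probe)
        hit = INGRESS[idx].text if idx is not None else "<implicit deny>"
        print(f"in  {probe:15} -> {action:6} via: {hit}")
    for probe in ["192.0.2.9", "10.0.0.1"]:
        action, idx = evaluate(EGRESS, probe)
        print(f"out {probe:15} -> {action:6} via: {EGRESS[idx].text}")
```

Two things the run makes visible that are easy to miss when reading the list by eye: the order of entries matters, so 239.1.1.1 is caught by the 224.0.0.0 deny only because that line sits above the broad "permit ip 128.0.0.0 127.255.255.255", and a wildcard is not a prefix length, so "23.0.0.0 8.255.255.255" matches both 23.x.x.x and 31.x.x.x (the single 0 bit in the first octet is the only bit that has to agree). Checking candidate lists this way before applying them costs nothing and avoids learning about a mistake from a customer.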
    



    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 10:22:02 PST