Old 17-06-2005, 16:43   #7
Stuartbe
Guest
 
Location: Luton
Services: NTL Nafband
Posts: n/a
Re: Solution to current spam issues.

Here is the info needed to make a Cisco router / PIX block spoofed packets.

NB - these rules can also be applied to a level 3 / managed switch!

In order to help prevent your network(s) from being used in Spoofed Denial of Service (DoS) Attacks, the following access list should be in place on your routers. The access list needs to be placed outbound on the Interface that connects to the ISP.

Please note that applying an access list on a Cisco may have a performance impact. You should monitor the CPU and memory usage before and after applying the filters to determine the impact. You can use the "show proc cpu" command to do this.

access-list 1xx permit ip <Network-Base-Address> <Hostmask> any
access-list 1xx deny ip any any log

Please refer to the CIDR Table for help on the Network Base Address and the Hostmask.

This access list will prevent packets being sent from your network with any Source IP Address other than your network.

For customers that have more than one connection to the internet, this would be applied outbound on any interface connected to the Internet.

Place the ACL on interfaces toward the internet. In the following example the link to the internet is Serial0.1.

external-gw#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 192.168.2.1 YES NVRAM up up
Serial0 unassigned YES unset up up
Serial0.1 192.168.1.1 YES unset up up
Serial1 unassigned YES unset down down
external-gw#

The network is 192.168.1.0 255.255.255.0. We want to create an access list that will permit traffic from any host within the 192.168.1.0/24 network and drop all other traffic.

To see if access list 150 is already defined, enter the following router commands:

external-gw#sh access-list 150
external-gw#

If there was an access list it would have shown up here.

If 150 already exists, simply choose a 1NN number that is not in use: 160, 165, etc. Substitute the number you choose in the configuration examples below.

Now we want to make sure that the serial interface does not have an access-list applied outbound.

external-gw#show ip interface serial0.1
Serial0.1 is up, line protocol is up
.
.
.
Outgoing access list is not set
.
.
.
external-gw#

You should see the line "Outgoing access list is not set". If not, you already have an outbound access list, and you will need to see your firewall administrator for help. The anti-spoofing rules can be applied to an existing outbound access list, but care needs to be taken not to interfere with the existing rules. If you do not have an existing outbound access list, then you can now create access-list 150 and apply it outbound on the interface connected to the ISP (in this example it is serial0.1).

external-gw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
external-gw(config)#

Once you are at the (config) prompt, you can "cut-and-paste" the access-list into the router. You need to either create an access list to only allow traffic with source addresses belonging to your network as described in Step 1.1, or you can "cut-and-paste" the access-list to deny private and reserved addresses as described in Step 1.2.

Once you have created the access-list you need to apply it to the interface.

external-gw(config)#interface serial0.1
external-gw(config-subif)#ip access-group 150 out
external-gw(config-subif)#^Z
external-gw#write
Building configuration...
[OK]
external-gw#

Example Anti-Spoof Access List
You need to replace the network and hostmask with your network information. Then you can "cut-and-paste" the access list at the (config) prompt as described above.

no access-list 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny ip any any log

Access List to Deny Private & Reserved Source Addresses
If you are implementing Step 1.2, you can "cut-and-paste" the following access list at the (config) prompt as described above.

no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any

The "log" at the end of the deny statement in the access list will log any packet that is sent with a source address other than the ones permitted by the previous statement.

After the access list is applied to the interface, the command "show ip access-list" will display counters for each access expression. Confirm that the counter for the expression to pass your address block is incrementing.

If it is necessary to remove the access list due to an error, use the interface command "no ip access-group 150 out" to remove it and confirm with "show ip int <interface>".

Never change the access lists on the router interface you are using to configure the router. Either remove the access-group first, or configure the router via the serial console interface. If you do not remove the access-group from the interface first, you will cause a momentary outage while installing the new access list and may disable all traffic through the interface if you make an error, plus inadvertently disconnect your telnet terminal session from which configuration changes are being made!

DON'T FORGET to do this via sr1 and not SSH1 or TS, as you will cut yourself off when you apply the ACL.

Don't forget copy run start!

NB - I would not bother logging the dropped packets unless you are having problems. It would just be better to turn on debug for the interface!

HTH

Last edited by Stuartbe; 17-06-2005 at 16:50.
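As an added worked example (not part of Stuartbe's post and not Cisco code), here is a small Python evaluator for the "access-list 1xx permit|deny ip ..." lines above. It implements the two things that make these lists work or fail: the wildcard (inverse) mask, where a 1 bit means "don't care", and IOS first-match evaluation with the implicit "deny any" at the end of every list. The two ACLs are copied verbatim from the post; the function names (cidr_to_wildcard, parse_acl, evaluate, dropped_sources) and the sample source addresses are this example's own, and only the syntax used in the post (protocol ip, source as base+wildcard, host or any, destination any, optional log) is modelled.

```python
"""Offline evaluator for the Cisco-style ACL lines quoted in the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF

# ACL text copied from the post; the parser skips the 'no access-list 150' line.
ANTI_SPOOF_ACL = """
no access-list 150
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny ip any any log
"""

BOGON_ACL = """
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""


@dataclass
class AclEntry:
    number: int
    action: str      # 'permit' or 'deny'
    src_base: int    # source network base address as a 32-bit int
    src_wild: int    # Cisco wildcard (inverse) mask: 1 bits are "don't care"
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def cidr_to_wildcard(prefix: str) -> Tuple[str, str]:
    """The 'CIDR table' lookup: '192.168.1.0/24' -> ('192.168.1.0', '0.0.0.255')."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse access-list lines in order; order matters because IOS stops at the first match."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()   # '!' introduces a comment in IOS config
        if not line or line.startswith("no access-list"):
            continue
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        i = 4
        if tok[i] == "any":                       # any source
            base, wild, i = 0, MASK32, i + 1
        elif tok[i] == "host":                    # single host = wildcard 0.0.0.0
            base, wild, i = _ip(tok[i + 1]), 0, i + 2
        else:                                     # '<base> <wildcard>'
            base, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
        if i >= len(tok) or tok[i] != "any":      # destination: only 'any' is modelled here
            raise ValueError(f"unsupported destination in: {line}")
        entries.append(AclEntry(int(tok[1]), tok[2], base, wild, "log" in tok[i + 1:]))
    return entries


def evaluate(entries: List[AclEntry], src: str) -> Tuple[str, Optional[AclEntry]]:
    """Return (action, matching entry). No match means the implicit 'deny any' (entry None)."""
    s = _ip(src)
    for e in entries:
        care = ~e.src_wild & MASK32               # bits that must equal the base address
        if s & care == e.src_base & care:
            return e.action, e
    return "deny", None


def dropped_sources(acl_text: str, sources: List[str]) -> List[Tuple[str, bool]]:
    """Which candidate source addresses the ACL drops, and whether that entry would log them."""
    entries = parse_acl(acl_text)
    dropped = []
    for src in sources:
        action, e = evaluate(entries, src)
        if action == "deny":
            dropped.append((src, bool(e and e.log)))
    return dropped


if __name__ == "__main__":
    # Constructed sample sources: one inside 192.168.1.0/24, the rest outside it.
    samples = ["192.168.1.77", "10.1.2.3", "169.254.10.1", "239.255.255.250", "198.51.100.7"]
    print("anti-spoof drops:", dropped_sources(ANTI_SPOOF_ACL, samples))
    print("bogon drops:     ", dropped_sources(BOGON_ACL, samples))
```

Running it shows the difference between the two lists in the post: the Step 1.1 list drops everything that is not from 192.168.1.0/24 (and logs each drop because of the trailing "log"), while the Step 1.2 list only drops private and reserved sources and lets an address such as 198.51.100.7 through. Feeding a candidate ACL through evaluate before pasting it at the (config) prompt is a cheap way to catch a wrong wildcard mask, which is the usual reason an outbound list either blocks your own traffic or blocks nothing.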