Security Incidents mailing list archives

Re: DDoS attack.


From: "Stanislav N. Vardomskiy" <stany () NotBSD org>
Date: Sun, 27 Jan 2002 23:53:45 -0500 (EST)

On Sun, 27 Jan 2002, Bugtraq Mailing Lists wrote:

> you should start implementing ingress filtering on your routers
> so that this spoofed attack will not happen again by your end users.
>
> if you have a cisco based router:
> conf t
> int e0/0 <-- do this on all of your interfaces
> ip verify unicast reverse-path

Of course this only works if you have a single connection to the internet.
If you have multiple connections with multiple BGP sessions, this will
most likely break many things.

Instead you want some basic incoming and outgoing access lists thrown on
the interfaces:

Incoming filter similar to this might work:
access-list 120 deny   ip your.net.block.goes.here your.inverse.netmask.goes.here any log
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 permit ip 128.0.0.0 127.255.255.255 any
access-list 120 deny   ip 96.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 23.0.0.0 8.255.255.255 any log
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 0.0.0.0 1.255.255.255 any log
access-list 120 permit ip any any

As you should be a good internet denizen and not spew crap onto the
backbone that might cause problems, you probably should filter egress as
well.   The simplest egress filter would be:
access-list 130 permit ip your.net.block.goes.here your.inverse.netmask.goes.here any
access-list 130 deny   ip any any

Once you have built your access lists, and are satisfied with them, you need to
do something like the following example on all of your external
interfaces:

c7204(config)#int e 2/3
c7204(config-if)#ip access-group 120 in
c7204(config-if)#ip access-group 130 out
c7204(config-if)#end

Signed:
//Stany

P.S. This is not meant to be a replacement for someone with Cisco skill -
there are many clued-in people out there that are jobless at the moment,
and last time I tried to write comprehensive instructions for Cisco
security for our IX, I was informed in a no-nonsense way that I really
should not take the bread and butter from the CCIEs, lest I want my
employer to be packeted/nullrouted off the face of the internet.


-- 
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+-+ 10570 + My words are my own.  LARTs are provided free of charge + 10533 +-+


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
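The ingress and egress access lists from the post above, run through a small first-match ACL simulator so their effect can be checked before they go onto a router. This is an added example, not code from the original message or from Cisco; it uses the documentation prefix 203.0.113.0/24 (wildcard 0.0.0.255) as a constructed stand-in for "your.net.block.goes.here", and the function names are the example's own. It shows the wildcard (inverse mask) semantics and the first-match ordering that decide whether a spoofed source is dropped.

```python
# Added example (not from the original post): a first-match simulator for
# Cisco-style extended IP access lists, used to check what the anti-spoofing
# ACLs in the post permit or deny before they are applied to an interface.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    src: str      # source network address
    src_wc: str   # Cisco wildcard (inverse) mask for the source
    dst: str
    dst_wc: str
    log: bool


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match.
    Wildcards need not be contiguous, so this is a bitmask test, not a prefix test."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N {permit|deny} ip SRC [WC] DST [WC] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, src_wc, i = _take_addr(t, 4)
        dst, dst_wc, i = _take_addr(t, i)
        rules.append(Rule(action, src, src_wc, dst, dst_wc, "log" in t[i:]))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str = "198.51.100.1") -> Tuple[str, Optional[int]]:
    """First matching entry wins; the ACL ends with an implicit 'deny ip any any' (index None)."""
    for idx, r in enumerate(rules):
        if wildcard_match(src, r.src, r.src_wc) and wildcard_match(dst, r.dst, r.dst_wc):
            return r.action, idx
    return "deny", None


# Constructed stand-in for "your.net.block.goes.here your.inverse.netmask.goes.here":
# the documentation prefix 203.0.113.0/24, written as wildcard 0.0.0.255.
INGRESS_ACL_120 = """
access-list 120 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 permit ip 128.0.0.0 127.255.255.255 any
access-list 120 deny   ip 96.0.0.0 31.255.255.255 any log
access-list 120 deny   ip 23.0.0.0 8.255.255.255 any log
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 0.0.0.0 1.255.255.255 any log
access-list 120 permit ip any any
"""

EGRESS_ACL_130 = """
access-list 130 permit ip 203.0.113.0 0.0.0.255 any
access-list 130 deny   ip any any
"""


def check_ingress(src: str) -> Tuple[str, Optional[int]]:
    """Verdict for a packet arriving from the outside with this source address."""
    return evaluate(parse_acl(INGRESS_ACL_120), src)


def check_egress(src: str) -> Tuple[str, Optional[int]]:
    """Verdict for a packet leaving toward the outside with this source address."""
    return evaluate(parse_acl(EGRESS_ACL_130), src)


if __name__ == "__main__":
    # Constructed sample sources: own block from outside, RFC 1918, multicast,
    # a routable address, and two addresses covered by the non-contiguous wildcard.
    for s in ["203.0.113.7", "192.168.1.5", "10.1.2.3", "224.0.0.9",
              "130.5.5.5", "8.8.8.8", "23.1.1.1", "31.5.5.5"]:
        print(f"ingress {s:>12}: {check_ingress(s)}")
    for s in ["203.0.113.9", "10.0.0.1"]:
        print(f"egress  {s:>12}: {check_egress(s)}")
```

Two things this kind of dry run makes visible before the lists go live: the deny of the site's own block at the top only does its anti-spoofing job because it precedes the broad permit for 128.0.0.0/1, and the `23.0.0.0 8.255.255.255` entry uses a non-contiguous wildcard, so it matches sources in 31.0.0.0/8 as well as 23.0.0.0/8.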

