Sunday, 20 April 2008

Cisco LAN Hardening

As we all know there are lots of Denial of Service (DoS) attacks, and defending against them from the outside has, to be honest, become quite easy, because we block almost everything from the outside world. Surprisingly, though, we still don't spend much time defending our internal networks, so your network is still prone to internal attack, whether it's deliberate or accidental.

So, to that end, I'm going to name some common attacks and show how to create ACLs and rate limits on your routers and switches to stop the problem reaching critical systems.

Smurf Attack
The Smurf attack involves sending a large number of ICMP Echo Request packets to a subnet's broadcast address with a spoofed source IP address, that of the intended victim; every host on the subnet answers, so the victim is hit with an amplified flood of Echo Replies. The amplifier is any router that turns a directed broadcast (a packet addressed to 10.2.6.255 arriving from outside) into a real broadcast on the LAN, so make sure that forwarding is switched off with no ip directed-broadcast on every interface (the default since IOS 12.0, but worth stating explicitly so the intent is visible in the config).

The example statements below block, and log, all IP traffic from any host to the two possible broadcast addresses (10.2.6.255 and, for old-style all-zeros broadcasts, 10.2.6.0) of the 10.2.6.0/24 subnet. They are only the deny half of an extended ACL: remember the implicit deny all at the end of every extended list, and follow them with permit statements for the traffic you do want before applying the list to an interface.

access-list 111 deny ip any host 10.2.6.255 log
access-list 111 deny ip any host 10.2.6.0 log
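Here is the whole Smurf defence put together on one router, as an added example that is not from the original post: the directed-broadcast setting, the two deny lines above extended into a complete list, and the list applied inbound on the outside interface. The interface names, the router addresses and the extra anti-spoof line are my assumptions; adjust them to your network.

```cisco
! Added example, not from the original post: the Smurf defences together on
! one router. Interface names, the router addresses and the anti-spoof line
! are assumptions; 10.2.6.0/24 is the subnet used in the post.
!
! ACL 111: the two deny lines from the post, an anti-spoof line (packets
! arriving from outside that claim a 10.2.6.0/24 source, the other half of a
! Smurf), then an explicit permit. Every extended ACL ends in an implicit
! deny all, so without the permit this list would block all inbound traffic.
access-list 111 deny   ip any host 10.2.6.255 log
access-list 111 deny   ip any host 10.2.6.0 log
access-list 111 deny   ip 10.2.6.0 0.0.0.255 any log
access-list 111 permit ip any any
!
! Outside interface: never turn a directed broadcast into a LAN broadcast,
! and drop the Smurf traffic here, before a forwarding decision is made.
interface FastEthernet0/1
 description uplink to the untrusted network
 ip address 192.0.2.2 255.255.255.252
 no ip directed-broadcast
 ip access-group 111 in
!
! Inside interface: the same directed-broadcast setting. It has been the
! default since IOS 12.0, but state it so the intent is visible in the config.
interface FastEthernet0/0
 description LAN 10.2.6.0/24
 ip address 10.2.6.1 255.255.255.0
 no ip directed-broadcast
!
! Checks: hit counters on the deny lines, and the syslog messages that the
! log keyword produces (%SEC-6-IPACCESSLOGDP for icmp, %SEC-6-IPACCESSLOGP
! for tcp and udp), show whether anyone is trying it.
! show access-lists 111
! show ip interface FastEthernet0/1 | include access list
```

The anti-spoof line is the one most likely to be noisy in the logs if someone upstream has a misconfigured NAT, so watch the counters for a day before deciding whether to keep log on it.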


Distributed Denial of Service (DDoS) Attacks
Several high-profile DDoS attacks have been observed on the Internet. While Cisco routers and switches cannot prevent DDoS attacks in general, it is usually sound security practice to discourage the activities of specific DDoS agents (a.k.a. zombies) by adding access list rules that block the control ports those tools use.

[Note that some of these rules may also have a slight impact on normal users, because they block high-numbered ports that a legitimate client may pick at random as its source port, so the replies to that client get dropped on the way back. Therefore you may choose to apply these rules only when an attack has been detected. Otherwise, these rules would normally be applied to traffic in both directions between an internal or trusted network and an untrusted network. However, I run them all the time.]

!the TRINOO DDoS system
access-list 180 deny tcp any any eq 27665 log
access-list 180 deny udp any any eq 31335 log
access-list 180 deny udp any any eq 27444 log
!the Stacheldraht DDoS system
access-list 180 deny tcp any any eq 16660 log
access-list 180 deny tcp any any eq 65000 log
!the TrinityV3 system
access-list 180 deny tcp any any eq 33270 log
access-list 180 deny tcp any any eq 39168 log
!the Subseven DDoS system and some variants
access-list 180 deny tcp any any range 6711 6712 log
access-list 180 deny tcp any any eq 6776 log
access-list 180 deny tcp any any eq 6669 log
access-list 180 deny tcp any any eq 2222 log
access-list 180 deny tcp any any eq 7000 log
!everything else; without this line the implicit deny at the end of an extended ACL would drop all other traffic
access-list 180 permit ip any any
!apply in both directions on the interface facing the untrusted network
interface eth0/0
ip access-group 180 in
ip access-group 180 out

The Tribe Flood Network (TFN)
The TFN DDoS system talks to its agents using ICMP Echo Reply messages, which are awkward to block outright because they are the heart of the ping program. Rate limiting ICMP Echo Reply, as in the 30Mb example at the end of this post, will at least throttle one direction of TFN communication; show interfaces rate-limit shows how much is being dropped.

SYN Flood Rate Limiting
A SYN flood fills a server's connection table with half-open connections. Rate limiting with Committed Access Rate (CAR) caps the rate of new SYNs that reach the server while leaving established connections alone.

access-list 152 permit tcp any host 10.2.6.80 eq www
access-list 153 permit tcp any host 10.2.6.80 eq www established

interface eth0/0
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

The two rate-limit lines must stay in that order: CAR evaluates them top down and a conform-action of transmit ends the search, so packets on established connections (ACK or RST set) are matched by list 153 and only SYNs, plus anything else without ACK/RST, fall through to the much tighter limit on list 152. Apply it as output on the interface the server sits behind.

In the above example, replace:
10.2.6.80 with the address of the web server you are protecting (the host keyword must be followed by an address);
45000000 with the maximum link bandwidth in bits per second;
1000000 with a value that is between 30% and 50% of the SYN flood rate you have measured;
100000 100000 (burst normal and burst max, in bytes) with values sized for those rates.
To work out the link bandwidth, run show interface on that interface and read the BW value, which is given in Kbit.
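As an added example that is not part of the original post, here is the sizing worked through for a 30Mb service like the one in the ICMP example further down, with the web server assumed to be at 10.2.6.80 and the interface names assumed. The burst figures follow the rule of thumb in Cisco's CAR documentation: normal burst = rate in bits per second divided by 8, times 1.5 seconds; extended burst = twice that.

```cisco
! Added example, not from the original post: the SYN rate limit sized for a
! 30 Mb/s service to a web server at 10.2.6.80. Addresses, interface names
! and the 30 Mb/s figure are assumptions.
!
! Step 1: read the link bandwidth. "show interface FastEthernet0/0" prints
! a line such as
!   MTU 1500 bytes, BW 30000 Kbit, DLY 100 usec,
! (here BW reflects "bandwidth 30000" set on the interface to match the
! contracted rate), so the established-traffic ceiling is 30000000 bit/s.
!
! Step 2: size the bursts (bytes). Cisco's CAR documentation recommends
! normal burst = rate / 8 * 1.5 s and extended burst = 2 * normal burst:
!   30000000 / 8 * 1.5 = 5625000, extended 11250000
!    1000000 / 8 * 1.5 =  187500, extended   375000
! 1000000 is the placeholder from the post; set it to 30-50% of the SYN
! rate you actually measure during a flood.
!
access-list 152 permit tcp any host 10.2.6.80 eq www
access-list 153 permit tcp any host 10.2.6.80 eq www established
!
! Step 3: apply as output on the interface the server sits behind. Keep
! the order: CAR tries the policies top down and transmit ends the search,
! so established traffic (ACK or RST set) is handled by list 153 and only
! SYNs, plus anything else without ACK/RST, reach the tight limit.
interface FastEthernet0/0
 description LAN 10.2.6.0/24, web server at 10.2.6.80
 bandwidth 30000
 rate-limit output access-group 153 30000000 5625000 11250000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 187500 375000 conform-action transmit exceed-action drop
!
! Step 4: verify, and during an attack watch the exceeded counter on
! list 152 climb while list 153 stays mostly conformed:
! show interfaces FastEthernet0/0 rate-limit
```

Note that CAR drops silently; the rate-limit statistics are the only record of what was thrown away, so snapshot them when you spot an attack, before the counters are cleared.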

To give you an idea of how it looks, here is a 30Mb connection limiting ICMP Echo Reply packets to 3Mb/s and dropping whatever exceeds that:

interface eth0/1
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

access-list 2020 permit icmp any any echo-reply

So now you might have some ideas about how to defend your network on the inside. This won't stop the problems 100%, but it will give you time to react and logs to look at so you can tighten up your network.
