Translation / finishing: backend
1. Use the ip verify unicast reverse-path interface command
This feature checks every packet the router receives. The router looks up the packet's source IP address in its CEF (Cisco Express Forwarding) table; if the table holds no route back to that source address (that is, the route that would be needed to forward a reply in the reverse direction), the router discards the packet. For example, if the router receives a packet with source address 1.2.3.4 and the CEF table has no route for 1.2.3.4, the packet is dropped. Unicast Reverse Path Forwarding is deployed at the ISP (local) end to block smurf attacks and other attacks that use spoofed source IP addresses; it protects both the network and its customers from attacks launched elsewhere on the Internet. Using Unicast RPF requires the router's "CEF switching" or "distributed CEF switching" option to be enabled. The input interface itself does not need to be configured as a CEF-switched interface: as long as CEF is enabled on the router, the individual interfaces may use other switching modes. RPF (reverse path forwarding) is an input feature enabled on an interface or sub-interface, and it is applied to the packets the router receives on that interface. Enabling CEF on the router is essential because RPF depends on it. Unicast RPF is included in Cisco IOS 12.0 and later; it is not supported on Cisco IOS 11.2 or 11.3.
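A small model of the reverse-path check described above, added here as an example (it is not code from the original page or from Cisco). The forwarding table, interface names and packets are constructed; the "loose" function is the check as the paragraph describes it (some route back to the source must exist), while the "strict" function is what the ip verify unicast reverse-path command actually does, additionally requiring that route to point out of the interface the packet arrived on.

```python
import ipaddress

# Constructed forwarding table standing in for the router's CEF table: prefix -> interface
# the route points out of. There is deliberately no default route, so a source address
# with no route at all (the page's 1.2.3.4 case) fails the check.
FIB = {
    "10.1.0.0/16": "Serial0",        # customer network reached via Serial0
    "192.0.2.0/24": "Ethernet0",     # documentation range, reached via Ethernet0
    "198.51.100.0/24": "Ethernet1",
}

def lookup(addr):
    """Longest-prefix match over FIB, as a CEF lookup would do; None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def loose_urpf_accept(src, ingress):
    """Loose check, as the page describes it: some route back to src must exist."""
    return lookup(src) is not None

def strict_urpf_accept(src, ingress):
    """Strict check (ip verify unicast reverse-path): the best route back to src
    must point out of the interface the packet arrived on."""
    return lookup(src) == ingress

# Constructed packets as (source address, ingress interface)
PACKETS = [
    ("10.1.2.3", "Serial0"),     # legitimate: route to 10.1.0.0/16 is via Serial0
    ("192.0.2.9", "Serial0"),    # spoofed: 192.0.2.0/24 is reached via Ethernet0
    ("1.2.3.4", "Serial0"),      # no route at all: discarded by both modes
]

def verdicts(check=strict_urpf_accept):
    """Apply the chosen check to every packet: True = forward, False = discard."""
    return {src: check(src, ing) for src, ing in PACKETS}

if __name__ == "__main__":
    print("strict:", verdicts())
    print("loose: ", verdicts(loose_urpf_accept))
```

Note that the spoofed 192.0.2.9 packet passes the loose check but not the strict one; only strict mode catches a forged source that belongs to some other interface of the same router.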
2. Use an access control list (ACL) to filter all the address ranges listed in RFC 1918
Refer to the following example:

    interface xy
     ip access-group 101 in
    !
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 permit ip any any
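A small evaluator for wildcard-mask ACLs of the kind used in this section and in the ingress/egress filters of section 3, added here as an example and not code from the original page. It applies ACL 101 above and a constructed instance of the section 3 ISP-edge ACL 190 (client network 203.0.113.0/24, a documentation range) to sample source and destination addresses; port qualifiers and the log keyword are ignored.

```python
import ipaddress
def _match(field, addr):
    """Cisco address field: ['any'], ['host', A.B.C.D] or [A.B.C.D, wildcard]."""
    if field == ["any"]:
        return True
    if field[0] == "host":
        return addr == int(ipaddress.ip_address(field[1]))
    base, wild = (int(ipaddress.ip_address(x)) for x in field)
    # Wildcard mask: 1 bits are "don't care", so only the 0 bits are compared.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def _take_addr(tokens):
    """Consume one address field from the token list; return (field, rest)."""
    n = 1 if tokens[0] == "any" else 2
    return tokens[:n], tokens[n:]

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src dst ...' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.lower().split()
        if t[:1] != ["access-list"]:
            continue
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)          # trailing qualifiers (log, ports) ignored
        rules.append((t[2], t[3], src, dst))
    return rules

def evaluate(rules, src, dst, proto="ip"):
    """First matching rule wins; every Cisco ACL ends with an implicit deny."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and _match(rsrc, s) and _match(rdst, d):
            return action
    return "deny"

# ACL 101 from section 2: drop packets with RFC 1918 source addresses
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
"""
# Section 3 ISP-edge ingress ACL 190 with a constructed client network, 203.0.113.0/24
ACL_190 = """
access-list 190 permit ip 203.0.113.0 0.0.0.255 any
access-list 190 deny ip any any log
"""
```

For instance, evaluate(parse_acl(ACL_101), "172.31.255.1", "198.51.100.1") returns "deny" while a source of 172.32.0.1 is permitted, which shows that the 0.15.255.255 wildcard covers exactly 172.16.0.0/12.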
3. Refer to RFC 2267 and use access control lists (ACLs) to filter ingress and egress packets
Refer to the following example topology:

    {ISP core} - ISP edge router - client edge router - {client network}

The ISP edge router should accept only packets whose source address belongs to the client network, and the client network should accept only packets whose source address does not belong to the client network. The following is an ACL example for the ISP edge router:

    access-list 190 permit ip {client network} {client network mask} any
    access-list 190 deny ip any any [log]
    !
    interface {internal network interface} {interface number}
     ip access-group 190 in

The following is an ACL example for the client edge router:

    access-list 187 deny ip {client network} {client network mask} any
    access-list 187 permit ip any any
    access-list 188 permit ip {client network} {client network mask} any
    access-list 188 deny ip any any
    !
    interface {external network interface} {interface number}
     ip access-group 187 in
     ip access-group 188 out

If CEF is enabled, the access control list can be shortened considerably by using Unicast RPF instead, which improves router performance. To support Unicast RPF, CEF only needs to be enabled on the router as a whole; the interface on which the feature is enabled does not itself need to be a CEF-switched interface.
4. Use CAR (Committed Access Rate) to limit the rate of ICMP packet traffic
Refer to the following example:

    interface xy
     rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
    !
    access-list 2020 permit icmp any any echo-reply

See "IOS Essential Features" for more detailed information.
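A simplified token-bucket model of the rate-limit (CAR) policer used in this section and in the SYN limiting of section 5, added as an example; it is not the page's or Cisco's code. It keeps only the rate and normal-burst parameters (CAR's extended burst and its probabilistic drops are left out), and packet sizes and arrival times are constructed.

```python
# Simplified token-bucket model of a CAR policer configured with
# "rate-limit ... conform-action transmit exceed-action drop". Real CAR also has an
# extended burst with probabilistic drops; this model keeps only rate and normal burst.
PKT_BYTES = 60  # constructed on-the-wire size for a TCP SYN (or a small ICMP packet)

class Policer:
    def __init__(self, rate_bps, normal_burst_bytes):
        self.rate = rate_bps / 8.0             # refill rate in bytes per second
        self.cap = float(normal_burst_bytes)   # bucket depth (normal burst)
        self.tokens = self.cap                 # bucket starts full
        self.last = 0.0                        # time of the previous packet

    def offer(self, t, size):
        """True = conform (transmit), False = exceed (drop) for a packet at time t."""
        self.tokens = min(self.cap, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def run(rate_bps, normal_burst, arrivals, size=PKT_BYTES):
    """Police a list of arrival times; return (conformed, exceeded) packet counts."""
    p = Policer(rate_bps, normal_burst)
    results = [p.offer(t, size) for t in arrivals]
    return results.count(True), results.count(False)

def steady(pps, seconds):
    """Constructed arrival times for a constant packet rate."""
    return [i / pps for i in range(int(pps * seconds))]

if __name__ == "__main__":
    # Parameters from the section 5 example: 1 Mbit/s rate, 100000-byte normal burst
    print("normal load, 100 pps:", run(1_000_000, 100_000, steady(100, 10)))
    print("SYN flood, 50000 pps:", run(1_000_000, 100_000, steady(50_000, 1)))
    # A burst of 50 legitimate SYNs at once against a too-small normal burst
    print("50 SYNs at once, burst 1000 B:", run(1_000_000, 1_000, [0.0] * 50))
```

The third run shows the trade-off the text warns about: with a 1000-byte normal burst only 16 of 50 simultaneous legitimate SYNs conform, while the 100000-byte burst passes all of them.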
5. Limit the SYN packet flow rate

    interface {int}
     rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
     rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
    !
    access-list 152 permit tcp any host eq www
    access-list 153 permit tcp any host eq www established

Make the necessary changes for your own deployment, replacing: 45000000 with a value between 30% and 50% of the maximum link bandwidth; 1000000 with the SYN flood rate; and the two Burst Normal and Burst Max rates with accurate values. Note that if the burst rate is set to more than 30%, many legitimate SYN packets may be dropped. Use the "show interfaces rate-limit" command to view the conformed and exceeded rates on the interface; this helps determine the appropriate burst rate. The guiding principle for the SYN rate limit is to disturb normal traffic as little as possible. WARNING: It is generally recommended to measure the SYN packet rate while the network is operating normally and to use that measurement as the reference value for tuning. The network must be operating normally during the measurement to avoid large errors. In addition, consider installing IP Filter or a similar IP filtering kit on hosts that may become targets of SYN attacks.
6. Collect evidence and contact network security departments or institutions
If possible, capture the attack packets for analysis. It is recommended to capture packets on a fast machine such as a Sun workstation or a Linux host. Commonly used capture tools include tcpdump and snoop. The basic syntax is:

    tcpdump -i interface -s 1500 -w capture_file
    snoop -d interface -o capture_file -s 1500

This assumes an MTU of 1500; if the MTU is larger than 1500, adjust the corresponding parameter. Provide the captured packets and logs to the relevant network security departments or organizations.
For more technical information, refer to the following documents:
Characterizing and Tracing Packet Floods Using Cisco Routers
Improving Security on Cisco Routers