ACL Advanced Application


ACL Advanced Applications

1. Using ACLs to detect SYN flood attacks

For each SYN segment a server receives, it has to set up connection state, allocate kernel memory for that state, place the connection in the half-open queue, and reply to the source address with SYN+ACK. If the SYN's source address is forged, that source never receives the server's SYN+ACK and never returns the final ACK, so the half-open connection sits on the server until it times out.

If a large number of SYN segments arrive within a short period, the half-open connection queue overflows and legitimate connection attempts are squeezed out of the queue. This is a SYN flood attack: it exploits the TCP three-way handshake by sending a large number of SYN packets with forged source IP addresses, so that the attacked host accumulates a large number of half-open connections.

Because the SYN bit is set in the first segment of a SYN flood, an extended ACL can be configured to match such segments and count them, which shows whether a SYN attack is under way. The ACL is configured as follows:

Router(config)#access-list 100 permit tcp any any syn

This entry matches any TCP segment whose SYN bit is set. If you only want to detect whether one particular server is being attacked, replace the destination "any" with the server's address.

Because every ACL ends with an implicit deny-all entry, the following entry is also required so that other traffic is not dropped:

Router(config)#access-list 100 permit ip any any

After the ACL is configured, apply it to the interface that connects to the server. You can then view the number of matched SYN segments with the show ip access-lists command:

Router#show ip access-lists
Extended IP access list 100
    permit tcp any any syn (1482 matches)
    permit ip any any (465 matches)

This shows that 1482 SYN segments were received, that is, 1482 TCP connections were initiated. Whether this indicates an attack is judged against the server's usual volume of access.

To reset the match counters above, use the following command:

Router#clear access-list counters

From these figures alone, whether the server is under attack can only be judged from experience or by comparison with earlier readings. For example, if the server normally sees about 20000 TCP connections per day, and over two days the number of connection requests to it rises sharply while access to the server's web site becomes slow, you can tentatively conclude that the server is being attacked. Other explanations are possible (a sudden change in legitimate traffic, for instance), so the conclusion needs to be confirmed by other means, such as the firewall or packet-capture analysis.

In practice, the counters should be read at a fixed interval, and the daily figures used as a baseline for judging whether the server is likely under attack.

For example, if the data is collected once a day, it can be done before leaving work in the afternoon. Entering the values in a table and plotting them as a curve makes it easy to see whether the server's traffic is abnormal; the growth in traffic also shows whether the server's capacity is still adequate. The recorded data is shown in Table 6.1.

Table 6.1 Table of recorded data

Date          Number of matches
2009-10-5     12470
2009-10-6     12563
2009-10-7     13625
2009-10-8     11953
2009-10-9     12635
2009-10-10    13695
2009-10-11    14123
2009-10-12    13562
2009-10-13    11886
2009-10-14    22059
2009-10-15    19230

The record data is shown in Figure 6.1.


Fig. 6.1 Data record chart and data record table

As can be seen, the server usually receives around 12500 SYN segments per day, but on October 14 and 15 the number rose sharply, and an increase of that size is abnormal. At this point, further investigation is needed.
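As an added example (not part of the original article), the following Python script applies the baseline check described above to the Table 6.1 readings: each day's count is compared with the median of the preceding normal days, and a day that exceeds that median by more than a chosen factor is flagged. The window, threshold and warm-up values are assumptions to be tuned to the site.

```python
from statistics import median

# Daily SYN-match readings copied from Table 6.1 (date, matches),
# each taken after the counters were cleared the previous day.
DAILY_MATCHES = [
    ("2009-10-5", 12470), ("2009-10-6", 12563), ("2009-10-7", 13625),
    ("2009-10-8", 11953), ("2009-10-9", 12635), ("2009-10-10", 13695),
    ("2009-10-11", 14123), ("2009-10-12", 13562), ("2009-10-13", 11886),
    ("2009-10-14", 22059), ("2009-10-15", 19230),
]


def flag_abnormal_days(samples, window=7, threshold=1.4, warmup=3):
    """Return [(date, count, ratio)] for days whose count exceeds
    threshold * median of the last `window` normal days.

    Flagged days are kept out of the baseline so that a flood lasting
    several days cannot raise the baseline and hide itself.  The first
    `warmup` days are accepted unconditionally to seed the baseline.
    window/threshold/warmup are assumed values, not from the article.
    """
    baseline = []
    flagged = []
    for date, count in samples:
        if len(baseline) >= warmup:
            ref = median(baseline[-window:])
            ratio = count / ref
            if ratio > threshold:
                flagged.append((date, count, round(ratio, 2)))
                continue
        baseline.append(count)
    return flagged


if __name__ == "__main__":
    for date, count, ratio in flag_abnormal_days(DAILY_MATCHES):
        print(f"{date}: {count} SYN matches, {ratio}x the normal baseline")
```

Run on the table's data it flags October 14 and 15, the two days the text singles out, while the ordinary day-to-day variation earlier in the month stays below the threshold.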

2. Logging ACL matches

After an ACL is applied to a router interface, packets are forwarded or dropped according to the rules configured in the ACL, which improves the security of the network. For example, a company has an internal finance server and wants only the Finance Department to reach it, with no other department able to access it. An ACL can be configured that permits traffic from the Finance Department to the host and discards everything else.

If a large share of the dropped packets come from one source IP address, the host at that address may be trying to attack the server; if a large share of the permitted packets come from one source IP address, that host may be infected with a virus that is sending traffic at the server. In either case you need to check further whether the host is infected or someone is attacking the server. However, the show ip access-lists command only reports how many packets were forwarded or dropped; it cannot tell you where the packets came from. To solve this, use the ACL logging function: the ACL log records each matched packet's source IP address, destination IP address, and whether the packet was forwarded or dropped.

The following case demonstrates ACL logging. The network environment is shown in Figure 6.2.


Figure 6.2 ACL logging case topology

Network planning is as follows:

1) The interconnection address between R1 and R2 is 192.168.0.0/30, between R2 and R3 is 192.168.0.4/30, and between R2 and R4 is 192.168.0.8/30;

2) On R3, configure the Loopback0 address as 192.168.3.1/24 to simulate the server;

3) On R1, configure the Loopback0 address as 192.168.1.1/24 to simulate a client;

4) On R4, configure the Loopback0 address as 192.168.4.1/24 to simulate a client;

5) The address of the syslog server is 10.0.0.7/24, gateway 10.0.0.254/24;

6) Configure an ACL on R2 so that the 192.168.1.0/24 network segment can access the server segment 192.168.3.0/24, and all other traffic to the 192.168.3.0/24 segment is denied; ACL logs are sent to the syslog server;

7) The server receives the syslog messages with the Kiwi Syslog Service Manager software.

Configure devices according to network planning.

1) Configure IP addresses and static routes so that the whole network is reachable;

R1 configuration:

R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.254 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastethernet 1/0
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 192.168.3.0 255.255.255.0 192.168.0.2
R1(config)#ip route 192.168.4.0 255.255.255.0 192.168.0.2
R1(config)#ip route 192.168.0.4 255.255.255.252 192.168.0.2
R1(config)#ip route 192.168.0.8 255.255.255.252 192.168.0.2

R2 configuration:

R2(config)#interface fastethernet 1/0
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 192.168.0.5 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 2/0
R2(config-if)#ip address 192.168.0.9 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#ip route 10.0.0.0 255.255.255.0 192.168.0.1
R2(config)#ip route 192.168.3.0 255.255.255.0 192.168.0.6
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.0.1
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.0.10

R3 configuration:

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 192.168.0.6 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface loopback 0
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.5

R4 configuration:

R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 192.168.0.10 255.255.255.252
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface loopback 0
R4(config-if)#ip address 192.168.4.1 255.255.255.0
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.9

2) Install the Kiwi Syslog Service Manager software on the server;

3) Configure the ACL and syslog

Configure the ACL on the R2 router:

R2(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 log-input //ACL number 100 assumed; the original omits it

This configures the ACL with logging enabled. The log-input keyword records each match together with the input interface and source MAC address; if the input interface is not needed, use the log keyword instead.

R2(config)#access-list 100 deny ip any any log-input //the deny entry also needs logging

R2(config)#interface fastethernet 0/0
R2(config-if)#ip access-group 100 out //apply the ACL on the interface toward the server; number and direction assumed, the original omits them
R2(config-if)#exit

Configure syslog on the R2 router:

R2(config)#logging 10.0.0.7 //syslog server address
R2(config)#logging buffered //enable logging to the local buffer
R2(config)#logging on //enable logging

4) Access the server (IP address 192.168.3.1) from clients on the different network segments, then view the ACL logs on the syslog server;

Ping the server from the R1 and R4 routers respectively:

R1#ping 192.168.3.1 source 192.168.1.1

With the source IP address specified on R1, communication with the server succeeds:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/100/196 ms

R4#ping 192.168.3.1 source 192.168.4.1

With the source IP address specified on R4, communication with the server fails:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
U.U.U
Success rate is 0 percent (0/5)

The following messages appear on the R2 router console:

*Mar  1 00:26:11.435: %SEC-6-IPACCESSLOGDP: list permitted icmp 192.168.1.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 1 packet
*Mar  1 00:26:36.575: %SEC-6-IPACCESSLOGDP: list denied icmp 192.168.4.1 (FastEthernet2/0 cc00.07b8.0000) -> 192.168.3.1 (0/0), 1 packet

You can view the log with the show logging command on the R2 router (the buffer is not available unless logging buffered has been configured):

R2#show logging
Syslog logging: enabled (messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 8 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.
    Trap logging: level informational, message lines logged
        Logging to 10.0.0.7 (udp port 514, audit disabled, link up), 8 message lines logged, xml disabled,
               filtering disabled

Log Buffer (4096 bytes):
*Mar  1 00:25:18.139: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:25:19.139: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.7 started - CLI initiated
*Mar  1 00:25:25.931: %SEC-6-IPACCESSLOGDP: list denied icmp 192.168.0.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 1 packet
*Mar  1 00:26:11.435: %SEC-6-IPACCESSLOGDP: list permitted icmp 192.168.1.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 1 packet
*Mar  1 00:26:36.575: %SEC-6-IPACCESSLOGDP: list denied icmp 192.168.4.1 (FastEthernet2/0 cc00.07b8.0000) -> 192.168.3.1 (0/0), 1 packet
*Mar  1 00:31:01.443: %SEC-6-IPACCESSLOGDP: list denied icmp 192.168.0.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 4 packets
*Mar  1 00:32:01.443: %SEC-6-IPACCESSLOGDP: list permitted icmp 192.168.1.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 9 packets
*Mar  1 00:32:01.447: %SEC-6-IPACCESSLOGDP: list denied icmp 192.168.4.1 (FastEthernet2/0 cc00.07b8.0000) -> 192.168.3.1 (0/0), 9 packets

In addition, R2 sends the syslog messages to the server 10.0.0.7, where the Kiwi Syslog Service Manager software receives them, as shown in Figure 6.3. The log recorded by the software is the same as the log recorded on the router.


Figure 6.3 Information received by the Kiwi Syslog Service Manager software

In practice the log is also reviewed over a period of time: using the Kiwi Syslog Service Manager log files, go through a day's (or half a day's) worth of entries to determine whether a suspicious host is attacking the server, and then take further action.
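As an added example (not from the original article or from Kiwi), the Python script below parses %SEC-6-IPACCESSLOGDP lines of the kind shown above, sums the packet counts that IOS already aggregates per message, and lists source addresses whose denied or permitted packet totals exceed a threshold. The log lines are constructed for the example, and the ACL number, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the %SEC-6-IPACCESSLOGDP format shown
# above (ACL number, timestamps and packet counts are made up).
SAMPLE_LOG = """\
*Mar  1 00:26:11.435: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.1.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 1 packet
*Mar  1 00:26:36.575: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.4.1 (FastEthernet2/0 cc00.07b8.0000) -> 192.168.3.1 (0/0), 1 packet
*Mar  1 00:31:01.443: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.0.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 4 packets
*Mar  1 00:32:01.443: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 192.168.1.1 (FastEthernet1/0 cc00.0938.0010) -> 192.168.3.1 (0/0), 9 packets
*Mar  1 00:32:01.447: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.4.1 (FastEthernet2/0 cc00.07b8.0000) -> 192.168.3.1 (0/0), 9 packets
*Mar  1 00:35:18.002: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:37:01.447: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.4.1 (FastEthernet2/0 cc00.07b8.0000) -> 192.168.3.1 (0/0), 120 packets
"""

# The "->" is optional because copies pasted through HTML often lose it.
# A "\S*" after each address tolerates the "(port)" suffix of TCP/UDP entries.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\S* "
    r"\((?P<ifname>\S+) (?P<mac>\S+)\)(?: ->)? (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?, (?P<count>\d+) packets?",
    re.IGNORECASE,
)


def summarize(log_text):
    """Sum logged packets per (action, source IP, destination IP)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # skip non-ACL messages such as %SYS-5-CONFIG_I
            totals[(m["action"].lower(), m["src"], m["dst"])] += int(m["count"])
    return dict(totals)


def suspicious_sources(log_text, denied_threshold=100, permitted_threshold=1000):
    """Sources whose denied total (probing/attack) or permitted total (an
    allowed host that may be infected) exceeds its threshold.  Thresholds
    are assumed here and should be tuned from the site's normal traffic."""
    per_src = defaultdict(int)
    for (action, src, _dst), n in summarize(log_text).items():
        per_src[(action, src)] += n
    limit = {"denied": denied_threshold, "permitted": permitted_threshold}
    return sorted((a, s, n) for (a, s), n in per_src.items() if n > limit[a])
```

Point the script at a day's Kiwi log file instead of SAMPLE_LOG to get the per-source review the paragraph describes.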
