Cisco router configuration protects against DDoS attacks

Session 1 DDoS Attack method:

A denial of service (DoS) attack is an attack that is widely used by hackers, which can cause downtime or network paralysis by monopolizing network resources and making other hosts unable to access them normally.
How CIOs resolve interpersonal conflicts in IT teams. Hold and give up: how CIOs decide, how to reshape the role of the Government CIO. 2009 CIO Challenges and coping strategies, three lessons I have experienced the strategic transformation story from the CEO "intuitive decision" CIO how to seize the opportunity.
A denial of service (DoS) attack is an attack that is widely used by hackers, which can cause downtime or network paralysis by monopolizing network resources and making other hosts unable to access them normally.
Dos attacks are mainly divided into three kinds of Smurf, Synflood and Fraggle, in the Smurf attack, the attacker uses ICMP packets to block the server and other network resources, and the Synflood attack uses a large number of TCP half-connections to occupy network resources. The Fraggle attack is similar to the Smurf attack principle, using a Udpecho request instead of a ICMPECHO request to initiate an attack.

While cyber security experts are focused on developing devices that block Dos attacks, they have little effect because Dos attacks exploit the weaknesses of the TCP protocol itself. Properly configured routers can effectively prevent Dos attacks. In Cisco routers, for example, the iOS software in Cisco routers has many features that prevent Dos attacks, securing the router itself and the internal network.

1. Use extended access list

Extended access lists are an effective tool for preventing Dos attacks. It can be used to detect the type of Dos attacks, and also to prevent Dos attacks. The showipaccess-list command can display matching packets for each extended access list, and depending on the type of packet, the user can determine the type of Dos attack. If the network has a large number of TCP connection requests, which indicates that the network is Synflood attack, then users can change the configuration of the access list, to prevent Dos attacks.

2. Using QoS

Using quality of Service (QoS) features, such as weighted fair queuing (WFQ), committed access rate (CAR), General traffic shaping (GTS), and custom queuing (CQ), can effectively block Dos attacks. It should be noted that different QoS strategies have different effects against various Dos attacks. For example, WFQ against Pingflood attacks is more effective than preventing synflood attacks, because Pingflood typically behaves as a separate transmission queue in WFQ, and each packet in a synflood attack behaves as a separate data stream. In addition, you can use car to limit the speed of ICMP packet traffic, to prevent Smurf attacks, or to limit the traffic speed of SYN packets and to prevent synflood attacks. Using QoS to prevent Dos attacks requires users to understand the principles of QoS and Dos attacks so that they can take appropriate precautions against different types of Dos attacks.

3. Reverse forwarding using a single address
Reverse forwarding (RPF) is a function of the router to check every packet received by the router interface. If the router receives a packet with a source IP address of 10.10.10.1, but the CEF (ciscoexpressforwarding) routing table does not provide any routing information for that IP address, the router discards the packet. Therefore, reverse forwarding can prevent Smurf attacks and other IP-address-based spoofing attacks.

Using the RPF feature requires the router to be set to express forwarding mode (cefswitching), and the RPF-enabled interface cannot be configured for CEF switching. RPF has the advantage over access lists in preventing IP address spoofing, and first it can dynamically accept changes in dynamic and static routing tables; The second RPF requires less manipulation and maintenance; The third RPF, as an anti-spoofing tool, has a much smaller performance impact on the router itself than the access list.

4. Using TCP Intercept
Cisco has introduced the TCP interception feature after the IOS11.3 version, which effectively prevents Synflood from attacking the internal host.
TCP interception blocks this attack by interception and authentication before the TCP connection request reaches the destination host. TCP interception can work in both interception and monitoring modes. In interception mode, the router intercepts the incoming TCP synchronization request and establishes a connection to the client on behalf of the server and, if successful, establishes a connection to the server on behalf of the client and transparently merges the two connections. During the entire connection, the router intercepts and sends packets all the time. For illegal connection requests, the router provides stricter timeout limits for Half-open to prevent its resources from being exhausted by SYN attacks. In monitoring mode, the router passively observes the connection request that flows through the router, and if the connection exceeds the configured settling time, the router closes the connection.
Enabling TCP interception on a Cisco router requires two steps: one is to configure the extended access list to identify the IP addresses that need to be protected, and the second is to turn on TCP interception. The access list is configured to define the source and destination addresses that require TCP interception, and to protect the internal target host or network. When configured, users typically need to set the source address to any and specify a specific destination network or host. If the access list is not configured, the router will allow all requests to pass.
Using Content-based access control
Content-based access control (CBAC) is an extension of the Cisco Legacy Access list, which intelligently filters TCP and UDP packets to prevent Dos attacks based on application-level session information.
CBAC determines the duration of a session and when to delete a semi-connection by setting the timeout limit and session threshold values. For TCP, a semi-join refers to a session that does not complete a three-stage handshake process. For UDP, a half-connection is a session where the router does not detect the return traffic.
CBAC is to prevent flooding by monitoring the number of semi-connections and the frequency of their generation. Whenever an abnormal half-connection is established or a large number of semi-connections occur within a short period of time, the user can be judged to have suffered a flood attack. CBAC detects the number of half connections that already exist and the frequency of attempts to establish a connection every minute, when the number of semi-connections already exists exceeds the threshold, the router removes some of the half connections to ensure that the new connection is required, and the router continuously deletes the half-connection until the number of half-connections present is lower than the other threshold value; When the frequency of attempts to establish a connection exceeds the threshold, the router takes the same action to delete a portion of the connection request and continues to the number of requests connected below the other threshold value. With this continuous monitoring and deletion, CBAC can effectively prevent Synflood and fraggle attacks.
The router is the first protection barrier of the enterprise internal network, is also an important target of the hacker attack, if the router is easily breached, then the enterprise internal network security also cannot discuss, therefore takes the appropriate measure on the router, prevents the various Dos attacks is very necessary. Users need to note that the above-mentioned several methods, the ability to deal with different types of Dos attacks is different, the CPU and memory resources of the router is also a significant difference in the actual environment, the user needs to be based on their own situation and the performance of the router to choose to use


Session 2 protects against DDoS attacks with TCP interception technology
1, the principle of DDoS attacks: the use of a large number of TCP connections to request the resources of the host, TCP to establish a connection of the three handshake process, the other party sent the first message set the SYN bit, when a device receives a request service initial message, the device responds to this message, Sends back a message with the SYN and ACK bits set and waits for the ACK response from the source side. Then, if the sender does not reply to an ACK, the host ends the connection because of a timeout. When the host waits for this connection to time out, the connection is in the semi-open (Half-open) state, and the half-open connection consumes the host's resources. A SYN attack occurs when the host resource is exhausted while waiting for three handshakes, especially if thousands of SYN is sent to a host, the host will quickly crash.


2. Configuration on the Cisco router:
First, the router is a boundary or sub-border router, and all of the protected application services are placed behind the router.
Once again, block out the general ICMP echo information to prevent scanning.
Finally, configure the TCP interception feature
1), define an ACL that matches the source of traffic and the target of protection:
Access-list 101 Permit TCP any host 172.17.30.30
The original address is any to intercept any traffic that accesses the 172.17.30.30 address.
2), the Global open TCP intercept.
IP TCP Intercept List 101

3), set the mode of TCP interception, TCP interception has two modes, one is active interception mode, and the other is the monitoring mode. 3.1, the active interception mode for all matching traffic interception, the source of traffic sent to intercept, first with (the router) to establish a TCP connection, if the TCP connection can complete three handshake, then the source is considered a legitimate request, The packet is forwarded to the protected target (172.17.30.30) of the Intranet, and eventually the 2 connections are merged, allowing the source and intranet protected applications to establish a TCP connection directly.
In interception mode, the router responds to the SYN request that arrives, and instead sends a SYN, ACK message in response to the initial source IP address, and then waits for the client's ACK. If an ACK is received and the original SYN message is sent to the server, the router completes the three handshake process with the server instead of the original client. This mode increases the additional overhead of the router's memory and CPU, and increases the latency of some initial sessions.
3.2, monitoring mode does not participate in interception, but monitoring TCP connections, once a large number of semi-connected TCP sessions are detected when the set wait time expires after the half-open connection is interrupted.
In monitoring mode, the router allows the SYN request to reach the server directly. If the session is not set up within 30 seconds (the default), the router sends an RST to the server to clear the connection.
Cisco routers are using active mode by default: IP TCP intercept mode intercept
However, it is recommended to use the monitoring mode when considering the overhead of router resource utilization:
IP TCP intercept mode watch
IP TCP intercept watch-timeout 20
4), in addition to the TCP connection you can not be a lifetime to keep him attached. Set a TCP timeout time, default 24 hours, the general network of special services need long-connected application time 30 minutes foot
IP TCP intercept connection-timeout 1800
5), the threshold for the maximum half-open connection (Half-open) can also be changed. The default low 900,high 1100.
IP TCP intercept max-incomplete low 800
IP tcp intercept max-incomplete high 1000
6) The maximum number of half-open connections that exist per minute before the router begins to delete the connection.
IP TCP intercept one-minute high number 1100
7) The minimum number of half-open connections that exist per minute before the router stops deleting the connection
IP TCP intercept one-minute low number 900
When a router confirms that the server is under attack because its defined threshold value is exceeded, the router actively deletes the connection until the Half-open connection value drops below the threshold value. The default is to turn off the oldest connection unless you use the IP TCP intercept drop-mode random command (randomly closing the half-open connection). When the threshold value is set to timeout, the router takes the following action:
1. Each new connection causes one of the earliest (or random) connections to be deleted.
2. The initial retransmission timeout is reduced by half until 0.5 seconds.
3. If in monitoring mode, the time-out is halved until 15 seconds.
Two factors are used to determine whether the router is under attack. If one of the two high gate limits is exceeded, the router is under attack until the threshold has dropped below the two low threshold value. The following shows the parameters and their default values, and describes them briefly p intercept max-incomplete high 1000
8), Status View
Show TCP Intercept Connecitons

Show TCP intercept statistics