Defending against DDoS attacks on Cisco routers

Source: Internet
Author: User

This page collects some suggestions for preventing distributed denial-of-service (DDoS) attacks with Cisco routers: enabling Unicast Reverse Path Forwarding with an interface command, filtering the private address blocks listed in RFC 1918, and filtering spoofed source addresses at the ISP/customer boundary as described in RFC 2267.

1. Use the ip verify unicast reverse-path interface command

This command checks every packet that enters the router through the interface on which it is enabled. The router looks up the packet's source IP address in its CEF (Cisco Express Forwarding) table; if the best route back to that source address does not leave through the interface the packet arrived on, the router discards the packet. For example, if a packet with source address 1.2.3.4 arrives and the CEF table holds no route to 1.2.3.4 (that is, no path over which a reply to that address would be sent), the packet is dropped.
Unicast Reverse Path Forwarding (Unicast RPF), enabled on the ISP side, prevents SMURF attacks and other attacks that depend on spoofed source IP addresses, and so protects the network and its customers from such traffic arriving from elsewhere on the Internet. To use Unicast RPF, enable CEF switching or distributed CEF switching on the router. The input interface itself does not need to be configured for CEF switching: once CEF is enabled on the router, each interface can be configured in whatever switching mode it needs. Unicast RPF is an input feature, activated on an interface or sub-interface, that processes the packets the router receives there. Because the check compares the return route with the arrival interface, enable it only on interfaces where routing is symmetric (for example a single-homed customer link); on multihomed or asymmetrically routed links it will discard legitimate traffic.
Enabling CEF on the router is essential, because Unicast RPF relies on CEF. Unicast RPF is included in Cisco IOS 12.0 and later releases that support CEF; it is not available in Cisco IOS 11.2 or 11.3.
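As an added illustration (not Cisco IOS code and not part of the original article), the following Python models the strict Unicast RPF check described above: a small CEF-style forwarding table with longest-prefix-match lookup, and the rule that a packet passes only when the best route back to its source address leaves through the interface it arrived on. The forwarding table, interface names and packets are constructed for the example (RFC 5737 documentation prefixes). The loose-mode variant, which corresponds to the newer `ip verify unicast source reachable-via any` syntax, and the allow-default handling are included because they are the two choices a practitioner has to make when deciding where to enable the feature.

```python
"""Strict-mode Unicast RPF modelled in Python (added example, not IOS code).

Equivalent IOS configuration on an ISP edge router, using the commands the
article names (interface names are constructed):
    ip cef
    interface GigabitEthernet0/1
     ip verify unicast reverse-path
"""
from ipaddress import ip_address, ip_network

# Constructed CEF-style forwarding table: (prefix, outgoing interface).
FIB = [
    (ip_network("0.0.0.0/0"), "Serial0/0"),                 # default route to upstream
    (ip_network("203.0.113.0/24"), "GigabitEthernet0/1"),   # customer A
    (ip_network("198.51.100.0/24"), "GigabitEthernet0/2"),  # customer B
]


def lookup(addr, allow_default=False):
    """Longest-prefix match for addr; returns the outgoing interface or None.

    As in IOS, the default route is ignored by the RPF check unless the
    allow-default keyword is given.
    """
    addr = ip_address(addr)
    best = None
    for prefix, iface in FIB:
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict(src, in_iface, allow_default=False):
    """Strict mode (ip verify unicast reverse-path): the best route back to
    the source must leave through the interface the packet arrived on."""
    return lookup(src, allow_default) == in_iface


def urpf_loose(src, allow_default=False):
    """Loose mode: any route back to the source is enough, whatever interface."""
    return lookup(src, allow_default) is not None


# Constructed packets: (source address, arrival interface, description).
PACKETS = [
    ("203.0.113.10", "GigabitEthernet0/1", "customer A, genuine source"),
    ("198.51.100.7", "GigabitEthernet0/1", "customer A spoofing customer B"),
    ("192.0.2.99", "GigabitEthernet0/1", "customer A spoofing an outside address"),
    ("192.0.2.99", "Serial0/0", "Internet host arriving on the upstream link"),
]


def evaluate(allow_default=False):
    """Map each packet description to (passes strict, passes loose)."""
    return {
        desc: (urpf_strict(src, iface, allow_default), urpf_loose(src, allow_default))
        for src, iface, desc in PACKETS
    }


if __name__ == "__main__":
    for allow_default in (False, True):
        print(f"allow-default={allow_default}")
        for desc, (strict, loose) in evaluate(allow_default).items():
            print(f"  {desc:42s} strict={'pass' if strict else 'DROP'} "
                  f"loose={'pass' if loose else 'DROP'}")
```

The run shows two things the prose only implies. On the customer-facing interface the strict check drops both kinds of spoofing (a neighbouring customer's prefix and an outside address), whereas loose mode still passes the first. On the upstream link, where every Internet source matches only the default route, strict mode without allow-default discards all traffic; that is why strict Unicast RPF belongs on single-homed customer-facing links, and why anything enabled toward the Internet is normally loose mode or strict with allow-default, after checking that routing is symmetric.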

2. Use an access control list (ACL) to filter all addresses listed in RFC 1918

Apply the following ACL inbound on the interface facing the Internet. The three RFC 1918 blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; note that IOS ACLs use wildcard masks (the inverse of the subnet mask), and that every ACL ends with an implicit deny, so the final permit is required:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
!
interface xy
 ip access-group 101 in
3. Use access control lists (ACLs) to filter incoming and outgoing packets as described in RFC 2267 (ingress filtering, since superseded by RFC 2827, BCP 38)
Consider the following topology:
{ISP core} -- ISP-side border router -- customer border router -- {customer network}
The ISP-side border router should accept from the customer link only traffic whose source address belongs to the customer network. The customer border router should, in turn, discard incoming traffic that claims a source address inside the customer network (such a packet can only be spoofed) and should let out only traffic whose source address belongs to the customer network. An example ACL for the ISP-side border router (the log keyword is optional; use it with care, since logging every denied packet during a flood loads the router's CPU):
access-list 190 permit ip {customer network} {customer network wildcard mask} any
access-list 190 deny ip any any [log]
!
interface {internal, customer-facing interface} {interface number}
 ip access-group 190 in
An example for the customer border router:
access-list 187 deny ip {customer network} {customer network wildcard mask} any
access-list 187 permit ip any any
access-list 188 permit ip {customer network} {customer network wildcard mask} any
access-list 188 deny ip any any
!
interface {external interface} {interface number}
 ip access-group 187 in
 ip access-group 188 out
If CEF is enabled, Unicast RPF can take over most of the work of these ACLs: the strict check on the customer-facing interface drops any packet whose source address the CEF table does not route back through that interface, which is exactly what ACL 190 expresses by hand, so the ACLs can be shortened considerably. To support Unicast RPF you only need to enable CEF on the router; the interface on which the feature is enabled does not itself have to be a CEF-switched interface.
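The following Python, an added illustration rather than IOS code or anything from the original article, applies the wildcard-mask matching that IOS ACLs use to the filters from sections 2 and 3: a wildcard bit of 1 means "don't care", so 10.0.0.0 0.255.255.255 is 10.0.0.0/8. It evaluates ACL 101 (RFC 1918 sources), the customer border router's ACLs 187 and 188, and the ISP-side ACL 190 for a constructed customer network 203.0.113.0/24 against constructed source addresses, and it also evaluates a common mistake, the wildcard 0.20.255.255 written in place of 0.255.255.255, to show how little of 10.0.0.0/8 such a mask actually covers.

```python
"""IOS-style wildcard-mask ACL evaluation (added example, not IOS code).

Models ACL 101 (RFC 1918 source filter), the customer border router's
ACLs 187/188 and the ISP-side ACL 190 for a constructed customer network
203.0.113.0/24. All source addresses below are constructed (RFC 5737
documentation ranges and RFC 1918 private ranges).
"""
from ipaddress import ip_address


def _to_int(dotted):
    return int(ip_address(dotted))


def wildcard_match(addr, base, wildcard):
    """IOS semantics: bits set to 1 in the wildcard are ignored; every other
    bit of addr must equal the corresponding bit of base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def acl_action(acl, src):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword 'any'

# Section 2, ACL 101: drop packets with RFC 1918 sources arriving from the Internet.
ACL_101 = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", *ANY),
]

# A common mistake: 0.20.255.255 instead of 0.255.255.255. Second octet 20 is
# 0b00010100, so only second octets 0, 4, 16 and 20 are matched; 10.1.x.x leaks.
ACL_101_BAD_WILDCARD = [("deny", "10.0.0.0", "0.20.255.255"), ("permit", *ANY)]

# Section 3, constructed customer network 203.0.113.0/24 as base + wildcard.
CUSTOMER = ("203.0.113.0", "0.0.0.255")
ACL_187_IN = [("deny", *CUSTOMER), ("permit", *ANY)]      # outside packet claiming an inside source
ACL_188_OUT = [("permit", *CUSTOMER), ("deny", *ANY)]     # only our own sources may leave
ACL_190_ISP_IN = [("permit", *CUSTOMER), ("deny", *ANY)]  # ISP side, inbound from the customer


def customer_router(direction, src):
    """Action of the customer border router's external interface for a packet
    with source src: direction 'in' applies ACL 187, 'out' applies ACL 188."""
    return acl_action(ACL_187_IN if direction == "in" else ACL_188_OUT, src)


def isp_router_in(src):
    """Action of the ISP-side border router for a packet arriving from the customer."""
    return acl_action(ACL_190_ISP_IN, src)


if __name__ == "__main__":
    for src in ("10.1.2.3", "10.4.2.3", "172.31.0.1", "172.32.0.1", "192.168.5.5", "198.51.100.7"):
        print(f"{src:15s} ACL 101: {acl_action(ACL_101, src):6s} "
              f"bad wildcard: {acl_action(ACL_101_BAD_WILDCARD, src)}")
    for src in ("203.0.113.5", "198.51.100.7", "10.0.0.1"):
        print(f"{src:15s} customer in={customer_router('in', src):6s} "
              f"out={customer_router('out', src):6s} isp in={isp_router_in(src)}")
```

Running it shows the boundary of the 172.16.0.0/12 block (172.31.x.x is denied, 172.32.x.x is permitted) and that the mistaken wildcard passes 10.1.2.3 while still denying 10.4.2.3, the kind of partial match that is easy to miss in a spot check. The customer router denies an inbound packet claiming 203.0.113.5, permits it outbound, and blocks an outbound packet with a 10.0.0.1 source; ACL 190 on the ISP side makes the same decision for the same packet, which is the duplication Unicast RPF removes.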