UDP Flood caused by firewall Not Configured

Lu Yao, Chongqing University

Figure 1 result of packet capture by Ethereal

Figure 2 topology of the attack and defense Experiment

Figure 3 parameter settings of the attack and defense Experiment

IP address planning table of the attack and defense Experiment

Computer Networks are very important to the development of enterprises, but enterprise networks often have serious defects. Attackers often exploit these defects to attack and intrude into the enterprise's network. When I worked as a network security consultant for a Chongqing Enterprise, I encountered an attack and defense case of a classic denial of service attack.

Symptom: Unable to browse the webpage

This is a landscape design company. Shortly after the founding of the company, from the boss to ordinary employees are not very familiar with the computer network, the boss itself is not paying enough attention to network security. The company's website provides some successful cases and related information for customers to browse. This information is very important for the company to strengthen publicity. The company has a full-time network administrator who has less than one year of college graduation and has limited practical experience. I am often invited to help.

On one occasion, many customers complained that the company's website could not be opened and that they could not view the company's information. They could not see the company's success stories. This seriously affects the communication between the customer and the company, as well as the customer's trust in the company.

Diagnosed: UDP Flood

After eliminating the hardware fault, the author and the network administrator began to doubt whether a hacker had attacked the company's network. I checked the CPU usage of the Web server and found that the CPU usage is very high. At the same time, I used the Ethereal packet capture software to analyze the attack type, A large number of UDP data packets and ICMP data packets (1) are found in the network ).

There are indications that the company's network is under UDP Flood attack, and the attacked object is the Web server. UDP Flood is a type of Denial of Service (DoS. Denial of Service (DoS) Floods website servers with a large amount of information that requires responses, consuming network bandwidth or system resources (such as CPU processing time and memory ), as a result, the network or system is overwhelmed to stop providing normal network services. The high CPU usage, a large number of UDP and ICMP data packets, the company's network symptoms are similar to the characteristics of UDP Flood attacks.

How can we find and completely solve the system vulnerabilities that cause UDP Flood attacks?

Design Attack and Defense experiments to find the cause

In order to find out how hackers attack and find the root cause, I used an experiment to reproduce the attack and defense process (2 ).

In this experiment, I use one router, one two-layer switch, one firewall, and two hosts. The experiment simulates an actual network environment. The two-layer switch E07 is equivalent to the Internet. An attacker is located somewhere on the Internet, and the firewall and the vro and internal servers are equivalent to the company network. The firewall adopts the transparent mode. The specific IP address planning is shown in the table.

It was preliminarily concluded that the UDP Flood attack tool used by hackers was UDP Flooder V2.0. Enter the required parameters in the dialog box (3 ). The author points the attacked object to the server IP address to view the UDP Flood stress test and Attack and Defense effect. There is a website on this server. The attack time is set to 60 seconds, and the packet speed is adjusted to the highest. Before the attack starts, enter http: // 140.115.82.192 on the attacker's host to view the Web page on the server. Then, on the attack host, click the GO button on the attack software to launch an attack on the server host. When you open the webpage on the server again, the response speed of the webpage is obviously slow. The UDP Flood attack works, and is similar to the network problems encountered.

So how can we effectively prevent such attacks? I found that the company uses the H3C SecPath100F model for the firewall for small and medium-sized enterprises. This firewall can be used to prevent UDP Flood, but it was not configured when the company set up the network. The Network Administrator has insufficient experience and has not found this security risk. After reading the relevant documents of the firewall, I decided to configure the firewall as appropriate to prevent it. In this experiment, the author configures the firewall as follows (due to limited space, only key configurations are listed ):

Firewall mode transparent: modifies the firewall's working mode to transparent mode;
Firewall statistic system enable: enable message statistics;
Firewall defend log-time 5: defines the output log time as once every 5 seconds;
Firewall defend syn-flood enable: detects syn-flood attacks;
Firewall defend icmp-flood enable: detects icmp-flood attacks;
Firewall defend syn-flood zone trust max-rate 80 tcp-proxy: parameter;
Firewall defend icmp-flood zone trust max-rate 50: parameter;
Firewall defend udp-flood enable: detects UDP-flood attacks.

After configuring the firewall, enter % Mar 19 2008 Quidway SEC/5/ATCKDF. Then, we found that the firewall detected UDP Flood attacks:

AttackType: UDP Flood
Processing interface: Ethernet1/0
From: 140.115.220.228
To: 140.115.82.192
Begin time: 2008/3/19 :59:9
End time: 2008/3/19 18:59:14
Attacking times: 1004
Max speed: 207 (packet/s)
When you start the display firewall statistic system command, you can see:
RcvIcmpPkts, 282, Received ICMP pkts
RcvIcmpOcts, 15792, Received ICMP bytes
PassIcmpPkts, 0, Passed ICMP pkts
PassIcmpOcts, 0, Passed ICMP bytes
RcvTcpPkts, 0, Received TCP pkts
RcvTcpOcts, 0, Received TCP bytes
PassTcpPkts, 0, Passed TCP pkts
PassTcpOcts, 0, Passed TCP bytes
RcvUdpPkts, 14548, Received UDP pkts
RcvUdpOcts, 1003812, Received UDP bytes
PassUdpPkts, 282, Passed UDP pkts
PassUdpOcts, 19458, Passed UDP bytes

From the code above, we can find a large number of UDP and ICMP data packets. Use the display firewall statistic system defend command to view the following information:

Ip-spoofing, 0 packets
Land, 0 packets
Smurf, 0 packets
Fraggle, 0 packets
Winnuke, 0 packets
Syn-flood, 0 times
Udp-flood, 14266 times
The results show that UDP Flood is prevented. Then, we constantly use the preceding two display commands to find that the number of data packets and the number of preventive measures keep increasing, and the output is constantly changing. Enter the website IP address again to test whether the webpage can be opened.

According to the above information, the configured firewall blocks UDP Flood attacks. This attack and defense case gives you an understanding of the principles and Preventive Measures of DoS and UDP Flood attacks. It can be seen that when the company first sets up a network, it must be considerate and complete the relevant configurations to prevent problems in the future.