How to Prevent DDoS on a Cisco Router

Source: Internet
Author: User

1. Use the ip verify unicast reverse-path interface command

This feature checks every packet that arrives on the interface against the router's CEF (Cisco Express Forwarding) table: the packet is forwarded only if the best route back to its source IP address points out the interface on which the packet arrived. For example, if a packet with source address 1.2.3.4 arrives and the CEF table has no route for 1.2.3.4, or the route for 1.2.3.4 points out a different interface, the router discards the packet.

Unicast Reverse Path Forwarding (Unicast RPF), applied on the ISP-side router, defends against SMURF and other attacks that rely on forged (spoofed) source IP addresses, and so protects both the network and its customers from abuse originating elsewhere on the Internet. To use Unicast RPF, CEF switching or distributed CEF switching must be enabled on the router; the input interface itself does not have to be CEF-switched. Once CEF is enabled on the router, each interface can keep its own switching mode. Unicast RPF is an input feature that is enabled on an interface or sub-interface and processes only the packets received on that interface.

Enabling CEF on the router is essential because Unicast RPF depends on it. Unicast RPF ships with the CEF-capable Cisco IOS releases from 12.0 onward; it is not available in Cisco IOS 11.2 or 11.3.

2. Use an access control list (ACL) to filter all addresses listed in RFC 1918

See the following example:

interface xy
 ip access-group 101 in
! RFC 1918 private ranges can never be valid sources on an Internet-facing interface
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any

3. Use access control lists (ACLs) to filter incoming and outgoing packets as described in RFC 2267

See the following example:

{ISP core} -- ISP-side border router -- client border router -- {client network}

The ISP-side border router should accept from the client only traffic whose source address belongs to the client network. The client border router should accept from the Internet only traffic whose source address is not in the client network, and should send out only traffic whose source address is in the client network. The following is an example of the ACL on the ISP-side border router:

! Only the client's own prefix may appear as a source on the link from the client
access-list 190 permit ip {client network} {client network mask} any
access-list 190 deny ip any any log

! The interface that faces the client
interface {internal network interface} {network interface number}
 ip access-group 190 in

The following is an example of the ACLs on the client border router:

! Inbound from the Internet: nobody outside may claim a source inside the client network
access-list 187 deny ip {client network} {client network mask} any
access-list 187 permit ip any any
! Outbound to the Internet: only the client's own prefix may leave as a source
access-list 188 permit ip {client network} {client network mask} any
access-list 188 deny ip any any
interface {external network interface} {network interface number}
 ip access-group 187 in
 ip access-group 188 out

If CEF is enabled, Unicast RPF can replace most of these ACLs and keep the remaining ones much shorter. To support Unicast RPF you only need to enable CEF on the router; the interface on which you enable the feature does not itself have to be CEF-switched.
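As an added configuration example (not part of the original article), the following shows the Unicast RPF setup that section 1 describes, applied on the client border router from the diagram above so that it does the job of access lists 187 and 188. The interface names (Serial0/0 toward the ISP, FastEthernet0/1 toward the client LAN), the link address 198.51.100.0/30 and the client prefix 203.0.113.0/24 (both RFC 5737 documentation ranges) are assumptions chosen for illustration; the commands are Cisco IOS syntax.

```cisco
! Client border router. CEF must be enabled before Unicast RPF does anything.
ip cef
!
! Uplink: strict Unicast RPF. A packet is accepted only if the best route to its
! source points back out this interface. The client's own 203.0.113.0/24 is routed
! via the LAN interface, so spoofed packets claiming that source are dropped here,
! which is what access-list 187 did. allow-default is required on this side:
! without it, every source that only matches the default route would be dropped.
interface Serial0/0
 description Uplink to ISP (assumed link, 198.51.100.0/30)
 ip address 198.51.100.2 255.255.255.252
 ip verify unicast source reachable-via rx allow-default
!
! LAN side: strict Unicast RPF without allow-default only passes sources whose
! route points back into the LAN, i.e. 203.0.113.0/24 (the connected route).
! Spoofed packets from inside the site never reach the uplink, replacing
! access-list 188 (Unicast RPF is an input feature, so the check moves to the
! interface where the traffic enters the router).
interface FastEthernet0/1
 description Client LAN (assumed prefix 203.0.113.0/24)
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! On IOS 12.0 the strict-mode command is spelled:
!  ip verify unicast reverse-path
!
! Check that the feature is active and watch the drop counter during an attack:
!  show ip interface Serial0/0 | include verify
!  show ip traffic | include RPF
```

Strict mode (reachable-via rx) is only safe where routing is symmetric, as on a single-homed customer link like this one; on a multi-homed uplink use loose mode (reachable-via any), which drops only sources with no route at all and therefore catches fewer spoofed packets.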

4. Use CAR (Committed Access Rate) to limit the rate of ICMP traffic

See the following example:

interface xy
 ! 3 Mbit/s average rate, 512000-byte normal burst, 786000-byte maximum burst
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
! Matches ICMP echo replies, the traffic a SMURF attack reflects onto the victim
access-list 2020 permit icmp any any echo-reply


For more information, see IOS Essential Features.

5. Limit the rate of SYN packets

interface {int}
 ! Packets of established connections are matched first and get the full link rate
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 ! Everything else to the web server (connection attempts, i.e. SYNs) is limited to 1 Mbit/s
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

access-list 152 permit tcp any host {web server address} eq www
access-list 153 permit tcp any host {web server address} eq www established


Make the necessary adjustments before using this in production:

45000000 is the maximum bandwidth of the link, in bits per second.

1000000 is a value between 30% and 50% of the measured SYN flood rate.

The burst normal and burst max values (100000 bytes each here) must be set accurately for the link.

Note: if the burst rate is set above 30%, many legitimate SYN packets may be dropped. Use the "show interfaces rate-limit" command to view the conformed and exceeded rates on the interface; this helps in choosing a suitable burst rate. Set the SYN rate limit as low as possible while still letting normal traffic through.

Warning: measure the rate of SYN packets while the network is operating normally and tune this reference value accordingly. Make sure the network really is in its normal state during the measurement, otherwise the error will be large.

In addition, we recommend installing IP Filter or a similar host-based packet filtering package on hosts that may be targeted by SYN floods.

6. Collect evidence and contact the network security authorities

If possible, capture attack packets for analysis. Use a fast machine, such as a SUN workstation or a Linux host, to capture the packets. Common capture tools include tcpdump and snoop; the basic syntax is:

tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500


These examples assume an MTU of 1500 bytes; if the MTU is larger, increase the snapshot length (-s) accordingly so that whole packets are recorded. Hand the captured packets and logs to the relevant network security department or authority as evidence.

