Some recommendations for mitigating distributed denial of service (DDoS) attacks on Cisco routers
1. Use the ip verify unicast reverse-path interface command
This feature (unicast reverse path forwarding, unicast RPF) examines every packet received on the interface. The router looks up the packet's source IP address in its CEF (Cisco Express Forwarding) forwarding table and checks that the best route back to that source leaves through the interface on which the packet arrived. If there is no such route, the packet is discarded. For example, if a router receives a packet with source IP address 1.2.3.4 and the CEF table contains no route for 1.2.3.4 (that is, no path along which a reply could be sent back), the router discards the packet.
Unicast RPF applied at the ISP edge blocks Smurf attacks and other attacks that rely on spoofed source IP addresses, protecting the network and its customers from such traffic arriving from elsewhere on the Internet. Unicast RPF requires CEF switching or distributed CEF switching to be enabled on the router (the global ip cef command). The input interface itself does not have to be configured for CEF switching: any interface may use another switching mode as long as CEF is enabled on the router. Unicast RPF is an input feature, enabled on an interface or sub-interface, that acts on packets received by the router. Because the check assumes symmetric routing, enable it on interfaces where traffic is expected to arrive on the same interface the return route uses (typically single-homed customer-facing edges), not on core links or toward multihomed customers, or legitimate traffic will be dropped.
It is important to enable CEF on the router because unicast RPF depends on it. Unicast RPF is included in Cisco IOS 12.0 and later, which support CEF, but not in Cisco IOS 11.2 or 11.3.
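To make the check concrete, the following Python model of strict-mode unicast RPF is added here as an illustration; it is not from the page or from Cisco code. The forwarding table, interface names and packets are constructed for the example. The loose-mode function goes beyond the page, which only discusses the strict form, and is included to show why a default route makes loose mode much weaker than strict mode.

```python
"""Model of strict-mode unicast RPF (added example, not Cisco code).

For each packet received on an interface with the check enabled, the router
looks up the packet's SOURCE address in the CEF forwarding table (FIB) with a
longest-prefix match.  Strict mode forwards the packet only if the best route
back to that source leaves through the interface the packet arrived on.
The FIB, interface names and packets below are constructed for illustration.
"""
import ipaddress

# Constructed FIB of an ISP edge router: prefix -> egress interface.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "Serial0/0",      # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Serial0/1",     # customer B
    ipaddress.ip_network("0.0.0.0/0"): "GigabitEthernet0/1",  # default route to upstream
}

# Same table without the default route, to show the no-route case.
FIB_NO_DEFAULT = {
    ipaddress.ip_network("203.0.113.0/24"): "Serial0/0",
    ipaddress.ip_network("198.51.100.0/24"): "Serial0/1",
}


def fib_lookup(addr, fib=FIB):
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict(src, in_iface, fib=FIB):
    """'ip verify unicast reverse-path': the reverse path must be in_iface."""
    hit = fib_lookup(src, fib)
    if hit is None:
        return False              # no route back to the source at all: drop
    return hit[1] == in_iface     # a route exists but points elsewhere: spoofed, drop


def urpf_loose(src, fib=FIB):
    """Loose mode (not covered by the page): any route to the source suffices.
    With a default route present every source passes, so it catches nothing."""
    return fib_lookup(src, fib) is not None


def filter_packets(packets, fib=FIB):
    """Apply strict uRPF to (src, in_iface) pairs; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, in_iface in packets:
        (forwarded if urpf_strict(src, in_iface, fib) else dropped).append((src, in_iface))
    return forwarded, dropped


# Constructed packets: legitimate customer traffic, customer B spoofing customer A,
# customer A spoofing an Internet host, an Internet host spoofing customer A,
# and genuine traffic from upstream.
SAMPLE_PACKETS = [
    ("203.0.113.10", "Serial0/0"),         # customer A, real source: forward
    ("203.0.113.10", "Serial0/1"),         # customer B spoofing A: drop
    ("192.0.2.77", "Serial0/0"),           # customer A spoofing an Internet host: drop
    ("203.0.113.10", "GigabitEthernet0/1"),  # upstream packet spoofing customer A: drop
    ("192.0.2.77", "GigabitEthernet0/1"),  # real upstream traffic: forward
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```

The default route is what makes the strict check useful on the customer-facing interfaces: a spoofed Internet source arriving from a customer resolves to the upstream interface, so it fails. In loose mode the same default route means any source "has a route", so only sources with no route at all (unallocated space, with no default route) would be dropped.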
2. Use an access control list (ACL) to filter all addresses listed in RFC 1918
Refer to the following example. The ACL is applied inbound on the interface facing the Internet, so that packets whose source address falls in a private range (which should never appear on the public Internet and is a common choice for spoofed attack traffic) are dropped. The ACL number 101 is a placeholder; any extended ACL number (100-199) can be used. Note that IOS ACLs use wildcard masks (a 1 bit means "don't care"), so 0.15.255.255 covers 172.16.0.0 through 172.31.255.255:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
!
interface XY
 ip access-group 101 in
3. Following RFC 2267 (ingress filtering, since superseded by RFC 2827 / BCP 38), use access control lists to filter incoming and outgoing traffic
Refer to the following example topology:
{ISP core}--ISP edge border router--Customer border router--{customer network}
The ISP edge border router should accept from the customer only traffic whose source address belongs to the customer network. The customer border router should accept from the ISP only traffic whose source address does not belong to the customer network (a packet arriving from the Internet that claims a source inside the customer network is spoofed), and should let out only traffic whose source address does belong to it. The following is an example ACL for the ISP edge border router, applied inbound on the interface facing the customer; {client network} and {client network wildcard mask} are the customer's prefix and its wildcard mask:
access-list 190 permit ip {client network} {client network wildcard mask} any
access-list 190 deny ip any any [log]
interface {interface facing the customer} {interface number}
 ip access-group 190 in
The optional log keyword records each denied packet. Logging is CPU-intensive on the router, and under a flood it can itself become a problem, so use it for diagnosis rather than leaving it enabled permanently.
The following is an example for the customer border router, applied on the interface facing the ISP: ACL 187 inbound drops packets arriving from the Internet that claim a source inside the customer network, and ACL 188 outbound lets only packets with the customer's own source addresses leave (so the customer cannot be used as a source of spoofed traffic):
access-list 187 deny ip {client network} {client network wildcard mask} any
access-list 187 permit ip any any
access-list 188 permit ip {client network} {client network wildcard mask} any
access-list 188 deny ip any any
interface {external interface} {interface number}
 ip access-group 187 in
 ip access-group 188 out
If CEF is enabled, these access control lists can be shortened considerably, improving router performance, by using unicast RPF instead: it performs the same source-address check against the forwarding table without a per-prefix ACL. To support unicast RPF, simply enable CEF on the router; the interface on which the feature is enabled does not itself need to be CEF-switched.
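The behaviour of the ACLs in sections 2 and 3 can be checked offline with the following Python evaluator, added here as an illustration (it is not from the page or from Cisco). It parses numbered extended ACL lines in IOS syntax, applies first-match semantics with the implicit deny at the end, and uses 203.0.113.0/24 (wildcard 0.0.0.255) as a constructed placeholder for {client network} {client network wildcard mask}; the ACL number 101 for the RFC 1918 list is likewise an assumption.

```python
"""Evaluator for IOS-style numbered extended ACLs (added example, not Cisco code).

Entries are matched top to bottom, the first match decides, and an implicit
'deny ip any any' ends every ACL.  Addresses use wildcard masks: a 1 bit in the
mask means 'don't care', so 0.15.255.255 matches 172.16.0.0-172.31.255.255.
The customer prefix 203.0.113.0/24 and ACL number 101 are placeholders.
"""
import ipaddress
from dataclasses import dataclass

ALL = 0xFFFFFFFF


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: tuple            # (address as int, wildcard as int)
    dst: tuple
    log: bool = False


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]; return (spec, next i)."""
    if tokens[i] == "any":
        return (0, ALL), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def wildcard_match(addr, spec):
    """Compare only the bits where the wildcard mask is 0."""
    base, wild = spec
    care = ALL ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def parse_acls(text):
    """Return {acl number: [Ace, ...]} from 'access-list N permit|deny proto src dst' lines."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue               # skip blank lines, '!' comments and other config
        num, action, proto = t[1], t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        acls.setdefault(num, []).append(Ace(action, proto, src, dst, "log" in t[i:]))
    return acls


def evaluate(aces, src, dst, proto="ip"):
    """First matching entry wins; no match means the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# The page's three ACLs with the placeholders filled in (constructed).
ACL_TEXT = """
! section 2: drop RFC 1918 sources, inbound on the Internet-facing interface
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
! section 3: ISP edge router, inbound from the customer
access-list 190 permit ip 203.0.113.0 0.0.0.255 any
access-list 190 deny ip any any log
! section 3: customer border router, inbound from the ISP (187) and outbound (188)
access-list 187 deny ip 203.0.113.0 0.0.0.255 any
access-list 187 permit ip any any
access-list 188 permit ip 203.0.113.0 0.0.0.255 any
access-list 188 deny ip any any
"""
ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    for num, src in (("101", "172.31.9.9"), ("101", "172.32.0.1"), ("190", "198.51.100.1"),
                     ("187", "203.0.113.9"), ("188", "10.0.0.1")):
        print(f"acl {num} src {src:<14} -> {evaluate(ACLS[num], src, '192.0.2.1')}")
```

The pair 172.31.9.9 (denied) and 172.32.0.1 (permitted) is the useful check on the 0.15.255.255 wildcard: getting the /12 boundary wrong in a hand-written mask is a common mistake that this kind of offline evaluation catches before the ACL is applied.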
4. Limit the rate of ICMP traffic using CAR (committed access rate)
Refer to the following example. It limits ICMP echo-reply traffic (the packets a Smurf attack reflects at the victim) leaving interface XY to 3,000,000 bits per second, with a normal burst of 512,000 bytes and an extended burst of 786,000 bytes; packets within the limit are transmitted and packets exceeding it are dropped. ACL 2020 (from the expanded extended range 2000-2699) selects only echo-replies, so echo-requests and all other traffic are not limited:
access-list 2020 permit icmp any any echo-reply
!
interface XY
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
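The following Python token-bucket model of that rate-limit statement is added here as an illustration and is not from the page or from Cisco. It meters only packets matching ACL 2020 and uses the rate and normal burst from the example; the extended-burst behaviour of real CAR (which borrows beyond the normal burst with a probabilistic drop) is not modelled, so the model is slightly stricter than IOS. The packet stream is constructed.

```python
"""Token-bucket model of 'rate-limit output access-group 2020 3000000 512000 786000
conform-action transmit exceed-action drop' (added example, not Cisco code).

CAR meters matching packets with a token bucket: tokens (bytes) accrue at the
committed rate (3,000,000 bit/s = 375,000 bytes/s) into a bucket holding at most
the normal burst (512,000 bytes); a packet conforms if enough tokens are present.
The extended burst (786,000 bytes) is not modelled here.  Packets are constructed.
"""

RATE_BPS = 3_000_000
NORMAL_BURST = 512_000
EXTENDED_BURST = 786_000   # from the example; unused by this simplified model


class TokenBucket:
    """Bytes accrue at rate_bps/8 per second, capped at burst_bytes; starts full."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def offer(self, t, size):
        """Refill for the elapsed time, then charge the packet if it fits."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"          # conform-action transmit
        return "drop"                  # exceed-action drop


def matches_acl_2020(pkt):
    """access-list 2020 permit icmp any any echo-reply"""
    return pkt["proto"] == "icmp" and pkt.get("type") == "echo-reply"


def run_car(packets, rate_bps=RATE_BPS, burst_bytes=NORMAL_BURST):
    """Apply the rate-limit to a packet list (sorted by time); return per-class counts."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    counts = {"limited_transmit": 0, "limited_drop": 0, "unlimited": 0}
    for pkt in sorted(packets, key=lambda p: p["t"]):
        if not matches_acl_2020(pkt):
            counts["unlimited"] += 1       # traffic outside the ACL is never limited
        elif bucket.offer(pkt["t"], pkt["len"]) == "transmit":
            counts["limited_transmit"] += 1
        else:
            counts["limited_drop"] += 1
    return counts


def smurf_flood():
    """Constructed stream: 1000 reflected 1000-byte echo-replies at t=0 and 600 more
    one second later, plus echo-requests and TCP packets that must pass untouched."""
    pkts = [{"t": 0.0, "proto": "icmp", "type": "echo-reply", "len": 1000} for _ in range(1000)]
    pkts += [{"t": 0.0, "proto": "icmp", "type": "echo-request", "len": 64} for _ in range(3)]
    pkts += [{"t": 0.0, "proto": "tcp", "len": 1500} for _ in range(5)]
    pkts += [{"t": 1.0, "proto": "icmp", "type": "echo-reply", "len": 1000} for _ in range(600)]
    return pkts


if __name__ == "__main__":
    print(run_car(smurf_flood()))
```

With the example's numbers, the first instant admits exactly 512 of the 1000 reflected replies (the 512,000-byte normal burst), and one second later the bucket has refilled to 375,000 bytes, so 375 of the next 600 pass. Lowering the burst values tightens how much of a sudden flood gets through before the rate takes effect, at the cost of dropping legitimate bursts.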
Refer to the Cisco IOS Essentials documentation for more detailed information on these features.