Use a Cisco router to defend against DDoS attacks

Source: Internet
Author: User

Some suggestions on preventing distributed denial of service (DDoS) attacks with Cisco routers

1. Use the ip verify unicast reverse-path interface command

This feature checks every packet that arrives on the interface against the router's CEF (Cisco Express Forwarding) table: if the best route back to the packet's source address does not point out the interface on which the packet arrived, the packet is discarded. For example, if the router receives a packet with source address 1.2.3.4 and the CEF table holds no route to 1.2.3.4 through the receiving interface (that is, no route by which a reply could be sent back the way the packet came), the router drops it.

Unicast Reverse Path Forwarding (uRPF) stops Smurf attacks and other attacks that rely on spoofed source IP addresses at the ISP edge, and so protects both the ISP's network and its customers from such traffic originating elsewhere on the Internet. To use Unicast RPF, CEF switching or distributed CEF switching must be enabled on the router; the input interface itself does not need to be configured as a CEF-switched interface. Once CEF is enabled on the router, each individual interface can be configured for uRPF. RPF (reverse path forwarding) is an input feature, enabled on an interface or subinterface, that processes packets received by the router.

Enabling CEF on the router is essential, because uRPF depends on it. Unicast RPF is included in Cisco IOS 12.0 and later releases that support CEF; it is not available in Cisco IOS 11.2 or 11.3. (On newer IOS releases the equivalent interface command is ip verify unicast source reachable-via rx.)
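The reverse-path check is easier to reason about with a small model. The following Python script is an added example, not Cisco code and not part of the original page: it runs strict and loose uRPF lookups against a constructed CEF-style table with made-up interface names and documentation prefixes, and, like IOS, it ignores the default route unless allow_default is set.

```python
"""Model of the Unicast RPF check: strict mode (the page's
ip verify unicast reverse-path) and loose mode, run against a small CEF-style
routing table. Added illustration, not Cisco code; the prefixes, interface
names and sample packets are constructed documentation values."""
from ipaddress import ip_address, ip_network

# Constructed FIB: (prefix, outgoing interface). Interface names are made up.
FIB = [
    (ip_network("0.0.0.0/0"),       "Serial0/0"),        # default route toward the ISP
    (ip_network("192.0.2.0/24"),    "FastEthernet0/1"),  # customer A LAN
    (ip_network("198.51.100.0/24"), "FastEthernet0/2"),  # customer B LAN
    (ip_network("203.0.113.0/25"),  "Null0"),            # prefix black-holed to Null0
]


def best_route(addr, allow_default=False):
    """Longest-prefix match on the FIB, i.e. the lookup CEF does for the
    reverse path. As in IOS, the default route is ignored unless
    allow_default is set (the allow-default keyword on newer releases)."""
    a = ip_address(addr)
    candidates = [(net, ifc) for net, ifc in FIB
                  if a in net and (allow_default or net.prefixlen > 0)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def urpf_check(src, ingress, mode="strict", allow_default=False):
    """Return True if a packet with source `src` arriving on interface `ingress`
    passes uRPF. Strict mode: the best route to the source must point back out
    the ingress interface. Loose mode: any route to the source is enough.
    A source whose route points to Null0 fails in both modes."""
    route = best_route(src, allow_default)
    if route is None:
        return False                      # no reverse path at all
    _, out_ifc = route
    if out_ifc == "Null0":
        return False
    if mode == "strict":
        return out_ifc == ingress
    return True


if __name__ == "__main__":
    # Constructed packets: (source address, arriving interface)
    samples = [
        ("192.0.2.10", "FastEthernet0/1"),    # customer A using its own address
        ("192.0.2.10", "Serial0/0"),          # Internet host spoofing customer A
        ("198.51.100.5", "FastEthernet0/1"),  # customer A spoofing customer B
        ("8.8.8.8", "FastEthernet0/1"),       # customer A spoofing a remote address
        ("203.0.113.9", "Serial0/0"),         # black-holed source
    ]
    for src, ifc in samples:
        print(f"{src:14} on {ifc:16} strict={urpf_check(src, ifc)!s:5} "
              f"loose={urpf_check(src, ifc, 'loose')}")
```

The spoofed-customer and spoofed-remote cases are the ones the page is after: on the customer-facing interface, strict mode drops anything whose best route does not lead back to that customer, while loose mode only catches addresses with no route at all or a route to Null0.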

2. Use an access control list (ACL) to filter all source addresses listed in RFC 1918

See the following example:

interface xy
 ip access-group 101 in
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any

3. Use access control lists (ACLs) to filter incoming and outgoing packets as described in RFC 2267 (ingress filtering; since superseded by RFC 2827, BCP 38).

Refer to the following topology:

{ISP core} - ISP-side border router - client border router - {client network}

The ISP-side border router should accept only traffic whose source address belongs to the client network. The client border router should accept from the ISP only traffic whose source address does not belong to the client network, and should send to the ISP only traffic whose source address does belong to the client network. The following is the access control list (ACL) for the ISP-side border router:

access-list 190 permit ip {client network} {client network mask} any
access-list 190 deny ip any any [log]
interface {internal network interface} {network interface number}
 ip access-group 190 in

And the ACLs for the client border router:

access-list 187 deny ip {client network} {client network mask} any
access-list 187 permit ip any any
access-list 188 permit ip {client network} {client network mask} any
access-list 188 deny ip any any
interface {external network interface} {network interface number}
 ip access-group 187 in
 ip access-group 188 out

If CEF is enabled, Unicast RPF can do this source-address check instead, which shortens the access control lists and improves router performance. To support Unicast RPF, CEF only needs to be enabled on the router; the interface on which uRPF is enabled does not itself need to be a CEF-switched interface.
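To see what the ACLs in sections 2 and 3 actually match, the following Python script evaluates them the way IOS does: first match wins, wildcard bits set to 1 are "don't care", and an implicit deny ends every list. It is an added example, not from the page and not Cisco code; the client prefix 198.51.100.0/24 used to fill the page's {client network} placeholder and the sample packets are constructed.

```python
"""Evaluator for Cisco-style extended IP access lists, used to check what the
RFC 1918 filter (section 2) and the RFC 2827-style ingress/egress filters
(section 3) match. Added illustration, not Cisco code; the client prefix and
the sample packets are constructed."""
from ipaddress import ip_address


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so 172.16.0.0 0.15.255.255 covers 172.16.0.0 through 172.31.255.255."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def parse_entry(line):
    """Parse 'access-list N {permit|deny} ip SRC DST [log]' where an address is
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Only the ip protocol keyword
    is supported, which is all the examples on this page use."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny") or toks[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    pos = 4

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1], "0.0.0.0"
        pos += 2
        return toks[pos - 2], toks[pos - 1]

    src, dst = take_addr(), take_addr()
    return {"acl": toks[1], "action": toks[2], "src": src, "dst": dst}


def evaluate(acl, src, dst):
    """First matching entry wins; the implicit 'deny ip any any' ends every ACL."""
    for entry in map(parse_entry, acl):
        if wildcard_match(src, *entry["src"]) and wildcard_match(dst, *entry["dst"]):
            return entry["action"]
    return "deny"


# Section 2: the page's RFC 1918 filter, applied inbound on interface xy.
ACL_101 = [
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 101 permit ip any any",
]

# Section 3: the page's templates with {client network} {client network mask}
# filled in with a constructed documentation prefix, 198.51.100.0/24.
CLIENT = "198.51.100.0 0.0.0.255"
ACL_190 = [f"access-list 190 permit ip {CLIENT} any",  # ISP border, in from client
           "access-list 190 deny ip any any log"]
ACL_187 = [f"access-list 187 deny ip {CLIENT} any",    # client border, in from ISP
           "access-list 187 permit ip any any"]
ACL_188 = [f"access-list 188 permit ip {CLIENT} any",  # client border, out to ISP
           "access-list 188 deny ip any any"]

if __name__ == "__main__":
    # Constructed packets: (source, destination)
    for src, dst in [("10.1.2.3", "203.0.113.1"), ("172.31.9.9", "203.0.113.1"),
                     ("172.32.0.1", "203.0.113.1"), ("198.51.100.7", "203.0.113.1")]:
        print(f"{src:13} -> {dst}: acl101={evaluate(ACL_101, src, dst):6} "
              f"acl190={evaluate(ACL_190, src, dst):6} "
              f"acl187={evaluate(ACL_187, src, dst):6} "
              f"acl188={evaluate(ACL_188, src, dst)}")
```

The 172.31.9.9 and 172.32.0.1 packets show the wildcard boundary: 0.15.255.255 leaves the low four bits of the second octet unchecked, so 172.16/12 is covered exactly and 172.32.0.1 falls through to the final permit.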

4. Use CAR (Committed Access Rate) to limit the rate of ICMP traffic

See the following example:

interface xy
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
access-list 2020 permit icmp any any echo-reply

For more information, see IOS Essential Features.

5. Rate-limit SYN packets

interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
access-list 152 permit tcp any host {web server address} eq www
access-list 153 permit tcp any host {web server address} eq www established

 

Adjust the values to your network. Replace 45000000 with the maximum bandwidth of the link, and 1000000 with a value between 30% and 50% of the measured SYN flood rate.

Replace the burst normal and burst max values with values that are accurate for your link.

Note: if the burst rate is set above 30%, many valid SYN packets may be dropped. Run the show interfaces rate-limit command to check the conformed and exceeded rates on the interface; this helps determine an appropriate burst rate. Set the SYN rate limit as low as possible while still letting normal traffic through.

Warning: measure the SYN packet rate while the network is operating normally and tune the reference value accordingly. Make sure the network really is healthy during the measurement; otherwise the baseline will be badly off.

In addition, we recommend installing IP Filter or a similar IP filtering package on hosts that may be targets of SYN attacks.
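Sizing the SYN limiter from measurement, as the note and warning above call for, can be worked through with a token-bucket model. The following Python script is an added example, not Cisco code and not part of the original page: it measures the rate of a constructed flood trace, derives a limit at 40% of it (inside the page's 30% to 50% band), sizes the bursts with a 1.5-second rule of thumb that is an assumption rather than a figure from the page, and replays both a constructed healthy baseline and the flood through the bucket. The ICMP limiter of section 4 works the same way. The extended (burst max) behaviour of real CAR is not modelled; the bucket depth here is the normal burst only.

```python
"""Token-bucket model of a CAR statement of the form
'rate-limit output access-group N RATE BURST-NORMAL BURST-MAX
 conform-action transmit exceed-action drop', used to size the SYN limiter
from a measured baseline. Added illustration, not Cisco code: the SYN traces
are constructed, and the extended (max) burst of real CAR is not modelled."""

SYN_BYTES = 64   # assumed size of a minimal Ethernet frame carrying a bare SYN


class Car:
    """Token bucket: tokens (bytes) refill at rate_bps, capped at burst_normal."""

    def __init__(self, rate_bps, burst_normal):
        self.rate_bps = rate_bps
        self.burst_normal = burst_normal
        self.tokens = float(burst_normal)
        self.last_t = 0.0

    def offer(self, t, size):
        """Return 'transmit' or 'drop' for a packet of `size` bytes arriving at t (s)."""
        self.tokens = min(self.burst_normal,
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"
        return "drop"


def run(car, trace):
    """Count conform/exceed actions over a trace of (time_s, size_bytes) tuples."""
    counts = {"transmit": 0, "drop": 0}
    for t, size in trace:
        counts[car.offer(t, size)] += 1
    return counts


def measured_rate_bps(trace):
    """Average bit rate of a trace: the figure a capture or
    'show interfaces rate-limit' gives you for the baseline and for the flood."""
    span = trace[-1][0] - trace[0][0]
    return sum(size for _, size in trace) * 8 / span


def suggested_rate(flood_bps, fraction=0.4):
    """Limit at 30%-50% of the flood rate as the page advises (40% here),
    rounded down to the 8 kbps granularity CAR rates use."""
    return int(flood_bps * fraction) // 8000 * 8000


def burst_sizes(rate_bps):
    """Normal burst = 1.5 s of bytes at the rate, max burst = twice that.
    A common rule of thumb, not something the page specifies."""
    normal = int(rate_bps / 8 * 1.5)
    return normal, 2 * normal


def rate_limit_line(acl, rate_bps, burst_normal, burst_max):
    """Render the IOS statement for the chosen values."""
    return (f"rate-limit output access-group {acl} {rate_bps} {burst_normal} {burst_max} "
            "conform-action transmit exceed-action drop")


def baseline_trace():
    """Constructed healthy traffic: 100 SYN/s for 10 s plus a 50-SYN
    micro-burst (a flash crowd) inside 10 ms at t = 5 s."""
    pkts = [(i / 100, SYN_BYTES) for i in range(1000)]
    pkts += [(5.0001 + j * 0.0002, SYN_BYTES) for j in range(50)]
    return sorted(pkts)


def flood_trace(pps=10000, seconds=2):
    """Constructed SYN flood at a steady packet rate."""
    return [(i / pps, SYN_BYTES) for i in range(pps * seconds)]


if __name__ == "__main__":
    flood = flood_trace()
    rate = suggested_rate(measured_rate_bps(flood))
    bn, bm = burst_sizes(rate)
    print(rate_limit_line(152, rate, bn, bm))
    print("baseline, sized burst:        ", run(Car(rate, bn), baseline_trace()))
    print("baseline, burst of one packet:", run(Car(rate, SYN_BYTES), baseline_trace()))
    print("flood:                        ", run(Car(rate, bn), flood))
```

The one-packet-burst run shows the failure mode from the note above: with an undersized normal burst, a harmless 50-SYN flash crowd loses packets even though its average rate is far below the limit, while the sized burst passes all of it and still holds the flood to roughly the configured rate once the bucket has drained.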

6. Collect evidence and contact the relevant network security department or organization

If possible, capture the attack packets for analysis. Use a fast machine, such as a Sun workstation or a Linux host, to capture them. Common capture tools are tcpdump and snoop; the basic syntax is:

tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500

In this example, the snapshot length of 1500 bytes matches an Ethernet MTU of 1500. If the MTU is larger than 1500, increase the -s value accordingly. Provide the captured packets and logs as evidence to the relevant network security department or organization.

 
