Use a Cisco router to prevent DDoS attacks

Source: Internet
Author: User
Tags: rfc

1. Use the ip verify unicast reverse-path interface command

This feature checks every packet passing through the router: the router looks up the packet's source IP address in its CEF (Cisco Express Forwarding) table and discards the packet if there is no route back to that source address. For example, if the router receives a packet whose source IP address is 1.2.3.4 and the CEF routing table has no route to 1.2.3.4 (that is, the route that a packet travelling in the reverse direction would need), the router discards it.

Unicast Reverse Path Forwarding blocks SMURF attacks and other attacks based on spoofed source IP addresses at the ISP (local) level, which protects networks and customers from attacks originating elsewhere on the Internet. To use Unicast RPF, the router must have CEF switching or distributed CEF switching enabled; the input interface itself does not need to be configured as a CEF switching interface. As long as CEF is running on the router, individual interfaces can still use other switching modes. RPF (Reverse Path Forwarding) is an input feature enabled on a network interface or subinterface that processes packets received by the router.

It is essential to enable CEF on the router, because Unicast RPF depends on it. Unicast RPF is included in Cisco IOS 12.0 and later releases that support CEF; it is not available in Cisco IOS 11.2 or 11.3.
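The check described above, as an added example that is not part of the original article and not Cisco code: a small Python model of the unicast RPF lookup. The route table, interface names and packets are constructed sample data. The strict mode of the check is what the ip verify unicast reverse-path command performs (the best route back to the source must point out the interface the packet arrived on); the loose variant, which only requires that some route to the source exists, is included for comparison and goes slightly beyond the text.

```python
# Added example, not from the original article: a model of the unicast RPF check.
# Route table entries, interface names and packets below are constructed sample data.
import ipaddress

# Constructed "CEF table": (prefix, outgoing interface). There is deliberately
# no default route, so a source with no route at all fails the check.
ROUTES = [
    ("10.1.0.0/16", "Gi0/1"),      # customer A behind Gi0/1
    ("10.1.200.0/24", "Gi0/3"),    # a more specific part of A's space behind Gi0/3
    ("10.2.0.0/16", "Gi0/2"),      # customer B behind Gi0/2
    ("203.0.113.0/24", "Gi0/0"),   # upstream-facing interface
]

def lookup(ip, routes=ROUTES):
    """Longest-prefix match; returns the outgoing interface for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_check(src_ip, in_iface, strict=True, routes=ROUTES):
    """
    Return 'forward' or 'drop' for a packet with source src_ip arriving on in_iface.
    strict=True: the best route back to the source must leave via in_iface
                 (this is what 'ip verify unicast reverse-path' enforces).
    strict=False (loose mode): any route back to the source is enough.
    """
    reverse_iface = lookup(src_ip, routes)
    if reverse_iface is None:
        return "drop"            # no route back to the source at all
    if strict and reverse_iface != in_iface:
        return "drop"            # a route exists, but not via the arrival interface
    return "forward"

def run_samples():
    """Apply the strict check to a few constructed packets: (source, arrival interface)."""
    packets = [
        ("10.1.5.7", "Gi0/1"),     # legitimate: customer A's address on A's port
        ("10.1.5.7", "Gi0/2"),     # spoofed: customer A's address arriving on B's port
        ("1.2.3.4", "Gi0/0"),      # the article's example: no route back at all
        ("203.0.113.9", "Gi0/0"),  # upstream source on the upstream port
    ]
    return [(src, iface, urpf_check(src, iface)) for src, iface in packets]
```

The longest-prefix route matters: in the table above a packet from 10.1.200.1 arriving on Gi0/1 is dropped in strict mode because the best route back points out Gi0/3, even though a broader route via Gi0/1 exists. This is also why strict uRPF must be deployed with care where routing is asymmetric; loose mode only asserts that the source is routable.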

2. Use the access control list (ACL) to filter all addresses listed in RFC 1918

See the following example:

interface xy
 ip access-group 101 in

! wildcard masks are inverse masks: 0.255.255.255 covers 10.0.0.0/8
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any


3. Use the access control list (ACL) to filter incoming and outgoing packets according to RFC 2267.

See the following example:

{ISP Center} -- ISP-side Border Router -- client Border Router -- {client network}

The ISP-side border router should only accept traffic whose source address belongs to the client network, while the client network should only accept incoming traffic whose source address is not in the client network's own address range. The following is an example access control list (ACL) for the ISP-side border router:

! {client network mask} is a wildcard mask, e.g. 0.0.0.255 for a /24
access-list 190 permit ip {client network} {client network mask} any
access-list 190 deny ip any any [log]
interface {internal network interface} {network interface number}
 ip access-group 190 in


The following is an example of the ACL of the client border router:

! 187 (inbound): drop packets claiming to come from the client's own addresses
access-list 187 deny ip {client network} {client network mask} any
access-list 187 permit ip any any
! 188 (outbound): only let the client's own addresses leave
access-list 188 permit ip {client network} {client network mask} any
access-list 188 deny ip any any
interface {external network interface} {network interface number}
 ip access-group 187 in
 ip access-group 188 out


If CEF is enabled, the access control lists can be shortened, which improves router performance, by using Unicast Reverse Path Forwarding (Unicast RPF). To support Unicast RPF, only CEF needs to be enabled on the router; the interface on which the feature is enabled does not itself need to be a CEF-switched interface.
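To make the behaviour of the ACLs in sections 2 and 3 concrete, here is an added example that is not part of the original article and not Cisco code: a small Python evaluator for the numbered-ACL lines used above. It shows how a wildcard (inverse) mask is derived from a prefix, how matching works bit by bit, and that an ACL ends with an implicit deny. The ACL text and the packets are constructed, with 198.51.100.0/24 standing in for the client network.

```python
# Added example, not from the original article: an evaluator for the numbered
# IP ACL syntax of sections 2 and 3. ACL text and packets are constructed samples.
import ipaddress

def wildcard_for(cidr):
    """Convert a CIDR prefix to a Cisco wildcard mask, e.g. 10.0.0.0/8 -> 0.255.255.255."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)

def matches(ip, base, wildcard):
    """True if ip matches base; bits set to 1 in the wildcard are 'don't care'."""
    i, b, w = (int(ipaddress.ip_address(x)) for x in (ip, base, wildcard))
    care = w ^ 0xFFFFFFFF                      # bits that must be equal
    return (i & care) == (b & care)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if not tokens:
        raise ValueError("address specification missing")
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into tuples (IP entries only)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue                           # skip blanks, '!' comments, non-IP entries
        src, swc, rest = _take_addr(t[4:])
        dst, dwc, _ = _take_addr(rest)         # a trailing 'log' keyword is ignored
        entries.append((t[1], t[2], src, swc, dst, dwc))
    return entries

def evaluate(entries, acl_number, src_ip, dst_ip):
    """First matching entry wins; no match means the implicit deny at the end of the ACL."""
    for number, action, src, swc, dst, dwc in entries:
        if number == acl_number and matches(src_ip, src, swc) and matches(dst_ip, dst, dwc):
            return action
    return "deny"

# Constructed sample: the RFC 1918 filter of section 2 and the client border
# router ACLs of section 3, with 198.51.100.0/24 standing in for the client network.
CLIENT_NET = "198.51.100.0/24"
ACL_TEXT = f"""
access-list 101 deny ip 10.0.0.0 {wildcard_for('10.0.0.0/8')} any
access-list 101 deny ip 192.168.0.0 {wildcard_for('192.168.0.0/16')} any
access-list 101 deny ip 172.16.0.0 {wildcard_for('172.16.0.0/12')} any
access-list 101 permit ip any any
access-list 187 deny ip 198.51.100.0 {wildcard_for(CLIENT_NET)} any
access-list 187 permit ip any any
access-list 188 permit ip 198.51.100.0 {wildcard_for(CLIENT_NET)} any
access-list 188 deny ip any any
"""
ENTRIES = parse_acl(ACL_TEXT)

def check_samples():
    """Verdicts for a few constructed packets, keyed by (acl number, source, destination)."""
    samples = [
        ("101", "10.20.30.40", "8.8.8.8"),       # RFC 1918 source -> deny
        ("101", "172.32.0.1", "8.8.8.8"),        # just outside 172.16.0.0/12 -> permit
        ("187", "198.51.100.5", "8.8.8.8"),      # client's own address arriving from outside -> deny
        ("187", "203.0.113.7", "198.51.100.5"),  # ordinary inbound packet -> permit
        ("188", "198.51.100.5", "8.8.8.8"),      # client's own address leaving -> permit
        ("188", "10.0.0.1", "8.8.8.8"),          # spoofed source leaving -> deny
    ]
    return {s: evaluate(ENTRIES, *s) for s in samples}
```

Generating the wildcard from the prefix with wildcard_for() avoids the classic error of typing the wrong inverse mask by hand (a mask such as 0.20.255.255 silently matches a different, non-contiguous set of addresses than 10.0.0.0/8). The evaluator only handles the plain ip entries used on this page; port-qualified entries like those in sections 4 and 5 are out of its scope.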

4. Use CAR (Committed Access Rate) to limit the ICMP packet traffic rate

See the following example:

interface xy
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

! 2020 is an extended ACL (2000-2699 range): match ICMP echo replies only
access-list 2020 permit icmp any any echo-reply


For more information, see IOS Essential Features.

5. Set the SYN packet traffic rate

interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

! 152 matches new connection attempts (SYNs) to the web server,
! 153 matches segments of already established connections (ACK or RST set)
access-list 152 permit tcp any host {web server address} eq www
access-list 153 permit tcp any host {web server address} eq www established

Adjust the values when applying this configuration:

45000000 is the maximum link bandwidth.

1000000 is a value between 30% and 50% of the SYN flood traffic rate.

The burst normal and burst max rates should be set to accurate values.

Note: If the burst rate is set above 30%, many legitimate SYN packets may be dropped. Use the "show interfaces rate-limit" command to display the conformed and exceeded rates of the interface, which helps in determining a suitable burst rate. The SYN rate limit should be set as low as possible while still allowing normal traffic through.

Warning: It is generally recommended to measure the SYN packet rate while the network is operating normally and to adjust this reference value accordingly. Make sure the network is operating normally during the measurement to avoid large errors.

In addition, we recommend installing IP Filter or a similar IP filtering package on hosts that may be targeted by SYN attacks.
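To show what the rate-limit statements of sections 4 and 5 actually do to traffic, here is an added example that is not part of the original article and not Cisco code: a simplified token-bucket model of CAR in Python. Constructed traffic (a stream of bare SYNs interleaved with established segments) is pushed through the two limiters of section 5. Assumption of the model: CAR's extended burst (burst max above burst normal) is not reproduced; the bucket depth is burst normal, and the rate refills it continuously.

```python
# Added example, not from the original article: a simplified token-bucket model
# of CAR's rate / burst normal / conform-action transmit / exceed-action drop.
# Assumption: extended burst (burst max) is not modelled. Traffic is constructed.
from fractions import Fraction

class CarLimiter:
    """Token bucket: refilled at rate_bps bits per second, depth burst_normal bytes."""
    def __init__(self, rate_bps, burst_normal):
        self.bytes_per_us = Fraction(rate_bps, 8 * 1_000_000)   # exact arithmetic
        self.capacity = Fraction(burst_normal)
        self.tokens = Fraction(burst_normal)   # bucket starts full
        self.last_us = 0
        self.conformed = 0      # packets that got conform-action transmit
        self.exceeded = 0       # packets that got exceed-action drop

    def offer(self, size_bytes, now_us):
        """Decide the fate of one packet of size_bytes arriving at time now_us (microseconds)."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        self.tokens = min(self.capacity, self.tokens + elapsed * self.bytes_per_us)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            self.conformed += 1
            return "transmit"
        self.exceeded += 1
        return "drop"

def classify_tcp80(flags):
    """Mirror the two ACLs of section 5 in the order the rate-limit lines are checked:
    153 ('established') matches segments with ACK or RST set, 152 catches the rest (bare SYNs)."""
    if "ack" in flags or "rst" in flags:
        return "153"
    return "152"

def run(packets, limiters):
    """packets: (time_us, size_bytes, flags) sorted by time. Returns per-ACL (transmitted, dropped)."""
    for t, size, flags in packets:
        limiters[classify_tcp80(flags)].offer(size, t)
    return {acl: (lim.conformed, lim.exceeded) for acl, lim in limiters.items()}

def syn_flood_sample():
    """The section 5 configuration against a constructed SYN flood."""
    limiters = {"153": CarLimiter(45_000_000, 100_000),   # established: 45 Mbit/s
                "152": CarLimiter(1_000_000, 100_000)}    # SYNs: 1 Mbit/s
    # Constructed traffic: 5000 bare 64-byte SYNs, one every 100 us (about 5 Mbit/s),
    # plus 100 established 1500-byte segments interleaved with them.
    syns = [(k * 100, 64, {"syn"}) for k in range(5000)]
    acks = [(k * 100 + 50, 1500, {"ack"}) for k in range(100)]
    return run(sorted(syns + acks, key=lambda p: p[0]), limiters)
```

Running syn_flood_sample() shows the mechanism in numbers: the first 1941 SYNs are transmitted out of the 100,000-byte burst allowance, after which the 1 Mbit/s refill (125 bytes per millisecond) only sustains roughly one 64-byte SYN in five, so 2538 of the 5000 SYNs are forwarded and 2462 dropped, while all 100 established segments pass untouched on the 45 Mbit/s limiter. The conformed and exceeded counters correspond to what "show interfaces rate-limit" reports, and they are the values the note above says to read when choosing the burst rate.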

6. Collect evidence and contact the network security department or relevant institution

If possible, capture the attack packets for analysis. We recommend using a fast machine, such as a SUN workstation or a Linux host, to capture the packets. Common packet capture tools include tcpdump and snoop. The basic syntax is:

tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500


These examples assume an MTU of 1500 bytes; if the MTU is larger than 1500, adjust the snapshot length (the -s parameter) accordingly. The captured packets and logs can then be provided as evidence to the relevant network security department or institution.

 
