When the TCP/IP protocol suite was designed, security was not a major consideration, so many of its protocols have weaknesses that attackers exploit. With the rapid growth of the Internet, these weaknesses pose an increasingly serious threat to enterprise networks. A good example is TCP, which requires a "three-way handshake" to establish a connection before any data is transmitted, as shown below:

    source                                  destination
      syn = x                  ------------>
                               <------------  syn = y, ack = x + 1
      syn = x + 1, ack = y + 1 ------------>

The source first sends a packet with syn = x, requesting a TCP connection. The destination answers with a packet whose header carries both the ack and syn flags: the ack is the response to the source's request, and the syn is the destination's own request to establish the connection. The source then sends an ack packet to the destination, confirming the destination's connection request. Once these three exchanges are complete, the source can begin sending data to the destination.

One weakness of TCP is that the connection is only completed when the source sends the final ack in the third step. An attacker can exploit this by sending a large number of TCP SYN request packets to a target server with forged source IP addresses. Because the source address is false, the destination never receives the final ack from the source; a connection in this state is called a half-open connection. The destination's resources are heavily consumed by these half-open connections, and it rejects connection requests for new services. This is the well-known Denial of Service attack (DoS).

Classification of network attacks:

1. Attack detection. Strictly speaking, this is not a real attack; it refers to the attacker using various means to discover specific information about the network (its topology, the hosts on it, the services enabled on those hosts, and so on). However, attack detection is often the prelude to a real attack.

2. Unauthorized access. In this attack the attacker attempts to obtain unauthorized or illegal access to the network and its resources, especially resources such as file, email and web servers.

3. DoS attacks. The attacker attempts to deny legitimate traffic and users access to a specific resource, or at least to degrade the service quality of that resource. Besides TCP half-open connections, DoS attacks include flood attacks based on TCP SYN, UDP echo and ICMP echo.

There are many ways to mitigate DoS attacks, such as ACLs, uRPF and other technologies; this article focuses only on traffic policing (traffic-police). Traffic-police performs two basic functions: 1. rate limiting, 2. traffic classification. The command syntax of traffic-police (in MQC policy-map class configuration mode) is:

    police <cir> [<bc> [<be>]] conform-action <action> exceed-action <action> [violate-action <action>]

cir: defines the average rate at which tokens are injected into the token bucket.
bc: defines the size of the BC token bucket.
be: defines the size of the BE token bucket.
action: defines the behaviour to apply. The available actions are:
    drop - drops the packet.
    set-prec-transmit - sets the IP precedence and sends the packet.
    set-dscp-transmit - sets the DSCP value and transmits the packet.
    transmit - sends the packet.

When a traffic policy is applied, the Cisco router uses a fairly complex internal mechanism to evaluate the actual rate at which traffic is transmitted; this mechanism is called the token bucket. Cisco devices support several types of token bucket, such as single-bucket and dual-bucket. A single bucket has the following characteristics: the bucket size is BC, and the bucket is initially filled with BC bytes of tokens.
At the top of the token bucket, the Cisco router injects tokens into the bucket at the constant rate CIR. At the bottom of the token bucket, the router removes as many bytes of tokens as the packet actually needs to be transmitted at the lower layer. It is therefore not hard to see that the following situations can occur:

1) The current number of tokens in the BC bucket >= the number of bytes the router actually needs to transmit at the lower layer. This triggers the conform-action, usually transmit, and indicates that the tokens in the bucket are sufficient.

2) The current number of tokens in the BC bucket < the number of bytes the router actually needs to transmit at the lower layer. This triggers the exceed-action, usually drop, and indicates that the tokens in the bucket are insufficient.

A dual bucket has the following characteristics: the first bucket has size BC and is initially filled with BC bytes of tokens; the second bucket has size BE and is initially filled with BE bytes of tokens. The relationship between the two buckets is that when newly injected tokens would overflow the BC bucket, the surplus tokens spill from the BC bucket into the BE bucket. At the top of the BC bucket, the Cisco router injects tokens into the BC bucket at the constant rate CIR. At the bottom of each bucket, the router removes as many bytes of tokens as the packet actually needs to be transmitted at the lower layer. It is therefore not hard to see that the following situations can occur:

1) The current number of tokens in the BC bucket >= the number of bytes the router actually needs to transmit. The conform-action is triggered, indicating that the tokens in the BC bucket are sufficient.

2) The current number of tokens in the BC bucket < the number of bytes the router actually needs to transmit, but the BE bucket has enough tokens. The exceed-action is triggered, indicating that the tokens in the BC bucket are insufficient but the tokens in the BE bucket are sufficient.

3) The current number of tokens in the BE bucket < the number of bytes the router actually needs to transmit. The violate-action is triggered, indicating that neither the BC bucket nor the BE bucket has enough tokens.

Next, two specific examples show how CAR works.

Example 1: The policer is configured with CIR 8000 bit/s and BC 1000 bytes. A 450-byte packet arrives initially, and a 900-byte packet arrives 0.25 seconds later. The policy is applied in the output direction of fa0/0.

    Router(config)# class-map access-match
    Router(config-cmap)# match access-group 1
    Router(config-cmap)# exit
    Router(config)# policy-map police-setting
    Router(config-pmap)# class access-match
    Router(config-pmap-c)# police 8000 1000 conform-action transmit exceed-action drop
    Router(config-pmap-c)# exit
    Router(config-pmap)# exit
    Router(config)# interface fastethernet 0/0
    Router(config-if)# service-policy output police-setting

In this example the token bucket initially holds 1000 bytes of tokens. When the 450-byte packet arrives, 450 bytes of tokens must be taken out of the bucket; (1000 - 450) = 550 bytes of tokens remain, which is sufficient, so the conform-action is triggered and the 450-byte packet is transmitted. After 0.25 seconds the 900-byte packet arrives. During that 0.25-second interval the bucket has been injected with (8000 bit/s / 8) * 0.25 s = 250 bytes of tokens, so it now holds (550 + 250) = 800 bytes of tokens.
Because the incoming packet is 900 bytes, 900 bytes of tokens would have to flow out of the bucket; the bucket holds only 800 bytes, so the exceed-action is triggered and the 900-byte packet is dropped.

Important conclusion: the analysis above shows that whether a packet is transmitted or dropped depends not only on the packet size but also on the interval between two consecutive packets.

Example 2: The policer is configured with CIR 8000 bit/s, BC 1000 bytes and BE 1000 bytes. A 450-byte packet arrives initially; 0.25 seconds later a 900-byte packet arrives; 0.4 seconds after that a 1000-byte packet arrives; 0.2 seconds after that a 400-byte packet arrives. The policy is applied in the output direction of fa0/0.

    Router(config)# class-map access-match
    Router(config-cmap)# match access-group 1
    Router(config-cmap)# exit
    Router(config)# policy-map police-setting
    Router(config-pmap)# class access-match
    Router(config-pmap-c)# police 8000 1000 1000 conform-action transmit exceed-action set-prec-transmit 1 violate-action drop
    Router(config-pmap-c)# exit
    Router(config-pmap)# exit
    Router(config)# interface fastethernet 0/0
    Router(config-if)# service-policy output police-setting

In this example the BC bucket initially holds 1000 bytes of tokens. When the 450-byte packet arrives, 450 bytes of tokens are taken out of the BC bucket; (1000 - 450) = 550 bytes of tokens remain, which is sufficient, so the conform-action is triggered and the 450-byte packet is transmitted. After 0.25 seconds the 900-byte packet arrives. During that 0.25-second interval the BC bucket has been injected with (8000 bit/s / 8) * 0.25 s = 250 bytes of tokens, so it now holds (550 + 250) = 800 bytes of tokens. Because the incoming packet is 900 bytes, 900 bytes of tokens are needed. The BC bucket holds only 800 bytes, which is not enough, but the BE bucket holds 1000 bytes, so the router borrows the 900 bytes of tokens directly from the BE bucket. BC insufficient but BE sufficient triggers the exceed-action, and the 900-byte packet is sent with set-prec-transmit 1. After the 900-byte packet is processed, 800 bytes of tokens remain in the BC bucket and 100 bytes of tokens remain in the BE bucket.

0.4 seconds later the 1000-byte packet arrives. During those 0.4 seconds (8000 bit/s / 8) * 0.4 s = 400 bytes of tokens are injected into the BC bucket. The BC bucket already holds 800 bytes of tokens and can hold at most 1000, so the router first tops up the BC bucket with 200 bytes of tokens, bringing it to 1000 bytes; the extra 200 bytes of tokens spill into the BE bucket, which goes from 100 bytes to 300 bytes. The BC bucket holds enough tokens for the 1000-byte packet, so the conform-action is triggered and the packet is transmitted. After it is transmitted, exactly 0 bytes of tokens remain in the BC bucket, and the BE bucket is unchanged at 300 bytes.

0.2 seconds later the 400-byte packet arrives. During those 0.2 seconds (8000 bit/s / 8) * 0.2 s = 200 bytes of tokens are injected into the BC bucket, so the BC bucket holds 200 bytes of tokens and the BE bucket holds 300 bytes. Neither the BC bucket nor the BE bucket has enough tokens for the 400-byte packet, so the violate-action is triggered and the packet is dropped.
Having understood how traffic-police works, we now introduce an example that uses this technology to mitigate smurf attacks.

How a smurf attack works: there are two real PCs on the Internet, H11 with IP address 1.1.1.1 and H33 with IP address 3.3.3.3, and behind router R1 there is an Ethernet segment 192.168.20.0/24. Suppose host H11 is the attacker. It sends an ICMP echo broadcast packet to subnet 192.168.20.0, with the source IP address forged as 3.3.3.3 (the address of the victim PC H33) and the destination IP address 192.168.255.255 (the subnet broadcast address). Every host on the subnet behind R1 that receives the broadcast responds in the same way: it returns a unicast echo-reply packet whose destination address is 3.3.3.3 (the attacker is thus using the Ethernet network behind R1 as an amplifier). The real host H33 therefore receives a flood of ICMP echo-replies from every host on the 192.168.20.0/24 segment, and its system resources are exhausted.

Knowing how a smurf attack works, we can use traffic-police to mitigate it. The following example shows the configuration on router R1:

    Router1(config)# access-list 101 permit icmp any any echo
    Router1(config)# class-map DOS
    Router1(config-cmap)# match access-group 101
    Router1(config-cmap)# exit
    Router1(config)# policy-map DENY_DOS
    Router1(config-pmap)# class DOS
    Router1(config-pmap-c)# police 25600 8000 conform-action transmit exceed-action drop
    Router1(config-pmap-c)# exit
    Router1(config-pmap)# exit
    Router1(config)# interface serial 0/0
    Router1(config-if)# service-policy input DENY_DOS
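As an added illustration (not the page's or Cisco's own code), the following Python model implements the single- and dual-bucket policer logic described above and replays Example 1, Example 2 and the DENY_DOS policy; the 100-byte, 1 ms-spaced echo burst it feeds to DENY_DOS is a constructed assumption, not traffic from the page.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-bucket (be=0) or dual-bucket token-bucket policer model."""
    cir_bps: int            # token injection rate, bits per second
    bc: int                 # BC bucket size in bytes
    be: int = 0             # BE bucket size in bytes; 0 means single bucket
    last_t: float = 0.0     # time of the last refill, seconds
    bc_tokens: int = field(init=False)
    be_tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.bc_tokens, self.be_tokens = self.bc, self.be   # both start full

    def _refill(self, now: float) -> None:
        # Tokens accrue into BC at CIR; whatever overflows BC spills into BE.
        new = round(self.cir_bps / 8 * (now - self.last_t))
        self.last_t = now
        room = self.bc - self.bc_tokens
        self.bc_tokens += min(new, room)
        self.be_tokens = min(self.be, self.be_tokens + max(new - room, 0))

    def police(self, now: float, size: int) -> str:
        """Return the action class for a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if size <= self.bc_tokens:          # enough in BC: conform-action
            self.bc_tokens -= size
            return "conform"
        if size <= self.be_tokens:          # borrow the whole packet from BE
            self.be_tokens -= size
            return "exceed"
        # Nothing is taken from either bucket. A dual bucket reports violate;
        # a single bucket has no BE, so its shortfall is the exceed-action.
        return "violate" if self.be else "exceed"


def run(policer: Policer, arrivals: list[tuple[float, int]]) -> list[str]:
    """Police a list of (arrival_time_s, size_bytes) packets in order."""
    return [policer.police(t, n) for t, n in arrivals]


# Packet sequences from the text: Example 1 (single bucket) and Example 2.
EXAMPLE1 = [(0.0, 450), (0.25, 900)]
EXAMPLE2 = [(0.0, 450), (0.25, 900), (0.65, 1000), (0.85, 400)]
# Constructed smurf-style flood: 100 echo packets of 100 bytes, 1 ms apart,
# policed by the DENY_DOS policy (CIR 25600 bit/s, BC 8000 bytes).
ECHO_BURST = [(i / 1000, 100) for i in range(100)]

if __name__ == "__main__":
    print("example 1:", run(Policer(8000, 1000), EXAMPLE1))
    print("example 2:", run(Policer(8000, 1000, 1000), EXAMPLE2))
    v = run(Policer(25600, 8000), ECHO_BURST)
    print(f"echo burst: {v.count('conform')} forwarded, {v.count('exceed')} dropped")
```

The echo burst shows the same effect as the conclusion after Example 1: the first 8000 bytes of the flood pass on the initial tokens, after which only the 3200 bytes/s that CIR refills get through.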