Solved

Attack on Cisco Router - DDOS?

Posted on 2010-01-12
1,644 Views
Last Modified: 2012-05-08
We are using a Cisco 1841 router. Our internet went down and I couldn't log into the router from my desk, so I plugged into the console, where I saw these messages:

000660: Jan 12 19:30:07.766: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 70.131.155.65(58362) ->yy.yy.yy.yy(40520), 1 packet
000661: Jan 12 19:30:08.822: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 10.10.3.172(5300) -> yy.yy.yy.yy(54877), 1 packet
000662: Jan 12 19:30:09.866: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 187.69.25.0(58891) ->yy.yy.yy.yy(45202), 1 packet
000663: Jan 12 19:30:11.110: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 75.34.199.51(59487) -> xx.xx.xx.xx(45202), 1 packet
000664: Jan 12 19:30:12.130: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 99.229.63.75(55764) ->  xx.xx.xx.xx(45202), 1 packet
000665: Jan 12 19:30:13.158: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 70.30.1.94(1568) ->  xx.xx.xx.xx(40520), 1 packet
000666: Jan 12 19:30:14.410: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 212.45.14.153(2705) -> xx.xx.xx.xx(45202), 1 packet
000667: Jan 12 19:30:15.434: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 69.224.164.237(53920) ->yy.yy.yy.yy(45202), 1 packet
000668: Jan 12 19:30:16.441: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 70.100.233.25(61830) -> yy.yy.yy.yy(40520), 1 packet
000669: Jan 12 19:30:17.561: %SEC-6-IPACCESSLOGDP: list autosec_firewall_acl denied icmp 77.42.145.71 ->  xx.xx.xx.xx(3/1), 1 packet
000670: Jan 12 19:30:18.565: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 99.141.154.239(62366) -> yy.yy.yy.yy(40520), 1 packet
000671: Jan 12 19:30:19.641: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 173.77.11.38(2040) ->  xx.xx.xx.xx(40520), 1 packet

I rebooted and left the incoming cable unplugged for a little while, and it had slowed down enough that I can get online, but they are still coming through. Also, the IPs that I changed to xx.xx.xx.xx represent IPs that are valid on our network, but the ones that I changed to yy.yy.yy.yy do not belong to anything on our network (they are in our assigned block but are not being used).

It looks like some kind of DDoS attack to me, but I am not experienced in this. All the attacks come from different IP addresses and are hitting different ports. What can I do to stop them???

Please HELP!!
0
Comment
Question by:red24698
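A first-pass triage of console output like the above, as an added example that is not code from the original thread. The script re-joins entries the console wrapped at 80 columns (the "deni" / "ed" split in the paste), parses each %SEC-6-IPACCESSLOGP / IPACCESSLOGDP message, and reports how many distinct sources are involved, which ports are being hit, the event rate, and how many hits land on addresses that are not assigned to any host. The sample log and the 203.0.113.0/24 addresses are constructed stand-ins for the thread's xx.xx.xx.xx and yy.yy.yy.yy; one caveat worth keeping in mind is that IOS rate-limits ACL log messages, so a count taken from these lines understates the real packet rate.

```python
"""Triage Cisco IOS ACL-deny log messages (%SEC-6-IPACCESSLOGP / IPACCESSLOGDP).

Added example, not code from the original thread. It re-joins entries that the
console wrapped at 80 columns, parses each entry, and summarises sources,
targeted ports, event rate and hits on addresses that are not in use.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the thread's console output; 203.0.113.0/24 is
# documentation space standing in for the author's block. .5 is an in-use host
# (the thread's xx.xx.xx.xx), .10 is an unused address (yy.yy.yy.yy).
SAMPLE = """\
000660: Jan 12 19:30:07.766: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl deni
ed tcp 70.131.155.65(58362) ->203.0.113.10(40520), 1 packet
000661: Jan 12 19:30:08.822: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl deni
ed udp 10.10.3.172(5300) -> 203.0.113.10(54877), 1 packet
000662: Jan 12 19:30:09.866: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl deni
ed udp 187.69.25.0(58891) ->203.0.113.10(45202), 1 packet
000663: Jan 12 19:30:11.110: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl deni
ed tcp 75.34.199.51(59487) -> 203.0.113.5(45202), 1 packet
000669: Jan 12 19:30:17.561: %SEC-6-IPACCESSLOGDP: list autosec_firewall_acl den
ied icmp 77.42.145.71 ->  203.0.113.5(3/1), 1 packet
000670: Jan 12 19:30:18.565: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl deni
ed tcp 99.141.154.239(62366) -> 203.0.113.10(40520), 1 packet
"""

LIVE_HOSTS = {"203.0.113.5"}  # constructed: addresses actually assigned to hosts

ENTRY_RE = re.compile(
    r"^\d+: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: %SEC-6-IPACCESSLOG\w+: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r" -> *(?P<dst>[\d.]+)\((?P<dport>[\d/]+)\), (?P<count>\d+) packets?$"
)


def unwrap(text):
    """Re-join console-wrapped entries. The console inserts no separator, so
    continuation lines are concatenated directly onto the previous entry."""
    entries = []
    for line in text.splitlines():
        if re.match(r"^\d{6}: ", line):
            entries.append(line)
        elif entries:
            entries[-1] += line
    return entries


def parse(text):
    """Return one dict per ACL log entry; lines that are not ACL logs are skipped."""
    records = []
    for entry in unwrap(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def summarize(records, live_hosts):
    """Aggregate the parsed entries into the numbers a first-pass triage needs."""
    if not records:
        return {}
    sources = Counter(r["src"] for r in records)
    dports = Counter(r["dport"] for r in records)
    on_unused = sum(1 for r in records if r["dst"] not in live_hosts)
    span = (records[-1]["ts"] - records[0]["ts"]).total_seconds()
    return {
        "entries": len(records),
        "unique_sources": len(sources),
        "repeat_sources": [s for s, n in sources.items() if n > 1],
        "top_dports": dports.most_common(3),
        "hits_on_unused_addresses": on_unused,
        "entries_per_second": round(len(records) / span, 2) if span else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE), LIVE_HOSTS).items():
        print(f"{key}: {value}")
```

Two of the summary fields map directly onto the questions the thread goes on to ask: a low entries-per-second figure with no repeating sources is what GuruChiu later treats as evidence against a volumetric DDoS, and a high share of hits on unused addresses is consistent with untargeted scanning or backscatter across the whole assigned block rather than an attack on a particular host.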
16 Comments
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26297046
hi

Use an ACL to deny the whole subnet that the traffic comes from. Most likely you need to block the class B subnet.

access-list 101 deny ip x.x.y.z    0.0.255.255 any

access-list 101 permit ip any any

interface WAN
ip access-group 101 in
ip access-group 101 out
0
 

Author Comment

by:red24698
ID: 26297239
I'm sorry I am having problems understanding your answer.  Can you explain it a little more please?  Thanks.
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26297344
Mostly the attack comes from IPs of a class B network (most probably)?
Assume the IPs are x.x.z.y, so add the ACL as:

! deny everything sourced from x.x.0.0/16 (wildcard 0.0.255.255: the last two octets are don't-care)
access-list 101 deny ip x.x.0.0    0.0.255.255 any

! allow everything else (an IOS ACL ends in an implicit deny, so this line is required)
access-list 101 permit ip any any

interface g0/0   >> assuming this is the WAN interface
 ip access-group 101 in
 ip access-group 101 out
                                   

0
 

Author Comment

by:red24698
ID: 26297395
Would this not also block legitimate traffic to web servers and such?
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26297408
no
0
 

Author Comment

by:red24698
ID: 26297447
Then what does it do exactly?  Sorry if I am being aggravating, I just want to understand what it going on.
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26297482
It will deny any traffic that comes from that network and allow anything else.

I faced such an issue before; I worked for an ISP. Don't worry.
0
 

Author Comment

by:red24698
ID: 26297522
Well, that is what I figured... that is why I do not understand why it would not block legitimate traffic to our websites.
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26297572
Be sure that your website hosting IP address is not in the network we want to block.

0
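To make the effect of the wildcard mask in the ACL above concrete, here is an added example (not code from the thread) that evaluates a Cisco-style numbered ACL against sample packets, following IOS semantics: wildcard bits set to 1 are "don't care", entries are tested top to bottom, the first match wins, and a list with no final permit ends in an implicit deny. The ACL, the 98.19.0.0/16 block, the web server address 203.0.113.5 and the two client addresses are all constructed for the illustration.

```python
"""Evaluate a Cisco IOS numbered ACL against sample packets.

Added example, not code from the thread. Models IOS semantics: wildcard-mask
bits set to 1 are "don't care", entries are checked top to bottom, the first
match wins, and a list with no final permit ends in an implicit deny.
"""
import ipaddress

# Constructed ACL in the shape memo_tnt posted, with 98.19.0.0/16 standing in
# for the source block to be denied.
ACL_101 = [
    "access-list 101 deny ip 98.19.0.0 0.0.255.255 any",
    "access-list 101 permit ip any any",
]

WEB_SERVER = "203.0.113.5"  # constructed: one of the author's in-use addresses

# Constructed client addresses: one inside the denied /16, one outside it.
CASES = {
    "client inside denied /16": ("98.19.44.7", WEB_SERVER),
    "client outside denied /16": ("198.51.100.20", WEB_SERVER),
}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr_spec(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD').
    Returns ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (action, src_spec, dst_spec)."""
    parts = line.split()
    if parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action = parts[2]
    src, rest = _addr_spec(parts[4:])
    dst, _ = _addr_spec(rest)
    return action, src, dst


def matches(spec, addr):
    """Wildcard match: compare only the bits where the wildcard is 0."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def evaluate(acl_lines, src, dst):
    """Return 'permit' or 'deny' for a packet from src to dst; first match wins."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"  # every IOS ACL ends in an implicit deny


def verdicts(acl=ACL_101):
    return {name: evaluate(acl, s, d) for name, (s, d) in CASES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

The second case shows the list doing what memo_tnt describes (deny that block, permit the rest). The first case shows the consequence the author is asking about: a client anywhere inside the denied /16 is dropped whichever host it is heading for, so the wildcard should be no wider than the log evidence justifies. Note also that when the same list is applied with `ip access-group 101 out` on the WAN interface, the deny entry only matches packets leaving with a source inside that block, which attack traffic arriving from the internet never has; it is the inbound application that does the work.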
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26297577
I am not 100% convinced you are under a DDoS attack. From your log, you have about 1 log entry per second. In the typical DDoS cases I have worked on there are at least hundreds of hits per second. Maybe you should look at other places as well, e.g.:

Please post the output of show traffic.

Any broadcast storm in your local LAN?

0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26297655
And use sh ip cache flow
to display the networks that cause this.

Or:
sh ip accounting

But first you need to enable ip accounting on your WAN interface:

interface g0/0   >> assuming this is the WAN interface
 ip accounting output-packets
0
 

Author Comment

by:red24698
ID: 26298150
memo_tnt - What I mean is that on our network we have several web servers hosting sites... if I block using the commands you specified and block 98.19.0.0 0.0.255.255, for instance, would that not block anyone whose IP began with 98.19. from visiting the sites?

GuruChiu - output of show traffic:

IP statistics:
  Rcvd:  22243526 total, 15403 local destination
         0 format errors, 0 checksum errors, 18 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
  Bcast: 6660 received, 19 sent
  Mcast: 0 received, 0 sent
  Sent:  36168 generated, 11137361 forwarded
  Drop:  3002 encapsulation failed, 14 unresolved, 0 no adjacency
         11960 no route, 0 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address

ICMP statistics:
  Rcvd: 0 format errors, 2 checksum errors, 0 redirects, 7839 unreachable
        7 echo, 1 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp, 0 info request, 0 other
        0 irdp solicitations, 0 irdp advertisements
  Sent: 0 redirects, 14233 unreachable, 28 echo, 7 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp
        0 info reply, 18 time exceeded, 0 parameter problem
        0 irdp solicitations, 0 irdp advertisements

BGP statistics:
  Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh, 0 unrecognized
  Sent: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh

TCP statistics:
  Rcvd: 621 total, 0 checksum errors, 89 no port
  Sent: 21720 total

IP-EIGRP statistics:
  Rcvd: 0 total
  Sent: 0 total

PIMv2 statistics: Sent/Received
  Total: 0/0, 0 checksum errors, 0 format errors
  Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0,  Hellos: 0/0
  Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
  Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
  Queue drops: 0
  State-Refresh: 0/0

IGMP statistics: Sent/Received
  Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
  Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0
  DVMRP: 0/0, PIM: 0/0
  Queue drops: 0

UDP statistics:
  Rcvd: 6935 total, 53 checksum errors, 6644 no port
  Sent: 202 total, 0 forwarded broadcasts

OSPF statistics:
  Rcvd: 0 total, 0 checksum errors
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks

  Sent: 0 total
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks

ARP statistics:
  Rcvd: 8979 requests, 23 replies, 14 reverse, 0 other
  Sent: 298 requests, 1598 replies (14 proxy), 0 reverse
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26300098
You may be right. I can see that you have many more TCP packets sent than TCP received.
Please post the output of
sh proc cpu h

Per the suggestion of memo_tnt, you should enable ip accounting on all interfaces.
After that, issue the command
clear ip accounting
wait 3 sec, then issue the command:
show ip accounting

This will show you the address pairs that are sending/receiving the most packets.

Finally I found this very useful
On your interfaces:
Router(config-if)# ip route-cache flow

Then after a few seconds, type the command:
sh ip cac f

This will show you currently which IP addresses are communicating on which protocol & port.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 26301540
http://www.cisco.com/web/about/security/intelligence/acl-logging.html

You may wanna check the above link on explanation of what is happening.

Essentially your router is blocking all the incoming requests from random ports to random ports. At first glance, it looks like a DDoS. The 1800 is doing its job but is helpless against enormous amounts of traffic, and there is nothing that can be done on that device.

So it is time to talk to your ISP and mention the same to them. They'd be able to help you.

Cheers,
rsivanandan
0
 

Author Closing Comment

by:red24698
ID: 31676321
Well, it seems to have stopped... looks like someone was just trying an attack and, like you say, it was just too much traffic for it to handle.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26443141
Glad you got it resolved.

Cheers,
rsivanandan
0
