• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1705

Attack on Cisco Router - DDOS?

We are using a Cisco 1841 router.  Our internet went down and I couldn't log into the router from my desk, so I plugged into the console, where I saw these messages:

000660: Jan 12 19:30:07.766: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 70.131.155.65(58362) ->yy.yy.yy.yy(40520), 1 packet
000661: Jan 12 19:30:08.822: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 10.10.3.172(5300) -> yy.yy.yy.yy(54877), 1 packet
000662: Jan 12 19:30:09.866: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 187.69.25.0(58891) ->yy.yy.yy.yy(45202), 1 packet
000663: Jan 12 19:30:11.110: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 75.34.199.51(59487) -> xx.xx.xx.xx(45202), 1 packet
000664: Jan 12 19:30:12.130: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 99.229.63.75(55764) ->  xx.xx.xx.xx(45202), 1 packet
000665: Jan 12 19:30:13.158: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 70.30.1.94(1568) ->  xx.xx.xx.xx(40520), 1 packet
000666: Jan 12 19:30:14.410: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 212.45.14.153(2705) -> xx.xx.xx.xx(45202), 1 packet
000667: Jan 12 19:30:15.434: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 69.224.164.237(53920) ->yy.yy.yy.yy(45202), 1 packet
000668: Jan 12 19:30:16.441: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 70.100.233.25(61830) -> yy.yy.yy.yy(40520), 1 packet
000669: Jan 12 19:30:17.561: %SEC-6-IPACCESSLOGDP: list autosec_firewall_acl denied icmp 77.42.145.71 ->  xx.xx.xx.xx(3/1), 1 packet
000670: Jan 12 19:30:18.565: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 99.141.154.239(62366) -> yy.yy.yy.yy(40520), 1 packet
000671: Jan 12 19:30:19.641: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 173.77.11.38(2040) ->  xx.xx.xx.xx(40520), 1 packet

I rebooted and left the incoming cable unplugged for a little while, and it had slowed down enough that I can get online, but they are still coming through.  Also, the IPs that I changed to xx.xx.xx.xx represent IPs that are valid on our network, but the ones that I changed to yy.yy.yy.yy do not belong to anything on our network (they are in our assigned block but are not being used).

It looks like some kind of DDoS attack to me, but I am not experienced in this.  All the attacks come from different IP addresses and are hitting different ports.  What can I do to stop them?

Please HELP!!
Asked: red24698
1 Solution
 
memo_tntCommented:
hi

Use an ACL to deny the whole network subnet the traffic comes from;
you almost certainly need to block the class B subnet.

access-list 101 deny ip x.x.y.z    0.0.255.255 any

access-list 101 permit ip any any

interface WAN
ip access-group 101 in
ip access-group 101 out
0
 
red24698Author Commented:
I'm sorry I am having problems understanding your answer.  Can you explain it a little more please?  Thanks.
0
 
memo_tntCommented:
Most probably the attack comes from class B IPs.
Assume the IPs are x.x.z.y,
so
add the ACL as:

access-list 101 deny ip x.x.0.0    0.0.255.255 any

access-list 101 permit ip any any

interface g0/0   >> assuming this is the WAN interface
ip access-group 101 in
ip access-group 101 out
                                   

0
 
red24698Author Commented:
Would this not also block legitimate traffic to web servers and such?
0
 
memo_tntCommented:
no
0
 
red24698Author Commented:
Then what does it do exactly?  Sorry if I am being aggravating; I just want to understand what is going on.
0
 
memo_tntCommented:
It will deny any traffic that comes from that network
and allow anything else.

I faced such an issue before; I worked for an ISP. Don't worry.
0
 
red24698Author Commented:
Well, that is what I figured... that is why I do not understand why it would not block legitimate traffic to our websites.
0
 
memo_tntCommented:
Be sure that your website's hosting IP address is not in the network we want to block.

0
 
GuruChiuCommented:
I am not 100% convinced you are under a DDoS attack. From your log, you have about 1 log entry per second. In typical DDoS attacks I have worked on there are at least hundreds of hits per second. Maybe you should look at other places as well, e.g.:

Please post the output of show traffic

Any broadcast storm in your local LAN?

0
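The rate check GuruChiu describes can be done mechanically over the console log. This is an added Python example, not code from the thread: it parses lines in the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format shown in the question and reports the packet rate, the number of distinct sources, the most-hit destination ports, and how many hits went to addresses that are not in use (the "yy.yy.yy.yy" case). The sample log lines and the in-use address set are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for the IOS ACL log message format seen in the question.
# The sequence number prefix is optional and the "->" spacing varies.
LINE_RE = re.compile(
    r"^(?:\d+: )?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: %SEC-6-IPACCESSLOG\w*: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> *"
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>[^)]+)\), (?P<count>\d+) packets?"
)

# Constructed sample in the same format (documentation-range addresses).
SAMPLE_LOG = """\
000660: Jan 12 19:30:07.766: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 198.51.100.65(58362) -> 192.0.2.10(40520), 1 packet
000661: Jan 12 19:30:08.822: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied udp 198.51.100.172(5300) ->192.0.2.20(54877), 1 packet
000662: Jan 12 19:30:09.866: %SEC-6-IPACCESSLOGDP: list autosec_firewall_acl denied icmp 203.0.113.71 ->  192.0.2.10(3/1), 1 packet
000663: Jan 12 19:30:11.110: %SEC-6-IPACCESSLOGP: list autosec_firewall_acl denied tcp 203.0.113.51(59487) -> 192.0.2.10(40520), 1 packet
"""

def parse(log_text):
    """Yield one dict per ACL-deny log line; lines in other formats are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            # Year is absent in the log; strptime defaults it, which is fine for deltas.
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            rec["count"] = int(rec["count"])
            yield rec

def summarize(log_text, in_use):
    """Figures a defender wants before calling this a DDoS: hit rate, distinct
    sources, most-hit destination ports, and hits on addresses nobody uses
    (a sweep of the whole assigned block looks like that)."""
    recs = list(parse(log_text))
    if not recs:
        return None
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
    packets = sum(r["count"] for r in recs)
    return {
        "entries": len(recs),
        "packets_per_sec": packets / max(span, 1.0),
        "distinct_sources": len({r["src"] for r in recs}),
        "dst_ports": Counter(r["dport"] for r in recs),
        "hits_on_unused_addresses": sum(r["count"] for r in recs if r["dst"] not in in_use),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, {"192.0.2.10"}))
```

Hundreds of packets per second from many sources would support the DDoS reading; about one per second, spread over unused addresses, reads more like scanning noise that the ACL is already handling.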
 
memo_tntCommented:
And use sh ip cache flow
to display the networks that cause this.

Or
sh ip accounting

But you first need to enable ip accounting on your WAN interface:

interface g0/0   >> assuming this is the WAN interface
ip accounting output-packets
0
 
red24698Author Commented:
memo_tnt - What I mean is that on our network we have several web servers hosting sites... if I block using the commands you specified and block 98.19.0.0 0.0.255.255, for instance, would that not block anyone whose IP began with 98.19. from visiting the sites?

GuruChiu - output of show traffic:

IP statistics:
  Rcvd:  22243526 total, 15403 local destination
         0 format errors, 0 checksum errors, 18 bad hop count
         0 unknown protocol, 0 not a gateway
         0 security failures, 0 bad options, 0 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 0 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
  Bcast: 6660 received, 19 sent
  Mcast: 0 received, 0 sent
  Sent:  36168 generated, 11137361 forwarded
  Drop:  3002 encapsulation failed, 14 unresolved, 0 no adjacency
         11960 no route, 0 unicast RPF, 0 forced drop
         0 options denied
  Drop:  0 packets with source IP address zero
  Drop:  0 packets with internal loop back IP address

ICMP statistics:
  Rcvd: 0 format errors, 2 checksum errors, 0 redirects, 7839 unreachable
        7 echo, 1 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp, 0 info request, 0 other
        0 irdp solicitations, 0 irdp advertisements
  Sent: 0 redirects, 14233 unreachable, 28 echo, 7 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp
        0 info reply, 18 time exceeded, 0 parameter problem
        0 irdp solicitations, 0 irdp advertisements

BGP statistics:
  Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh, 0 unrecognized
  Sent: 0 total, 0 opens, 0 notifications, 0 updates
        0 keepalives, 0 route-refresh

TCP statistics:
  Rcvd: 621 total, 0 checksum errors, 89 no port
  Sent: 21720 total

IP-EIGRP statistics:
  Rcvd: 0 total
  Sent: 0 total

PIMv2 statistics: Sent/Received
  Total: 0/0, 0 checksum errors, 0 format errors
  Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0,  Hellos: 0/0
  Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
  Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
  Queue drops: 0
  State-Refresh: 0/0

IGMP statistics: Sent/Received
  Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
  Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0
  DVMRP: 0/0, PIM: 0/0
  Queue drops: 0

UDP statistics:
  Rcvd: 6935 total, 53 checksum errors, 6644 no port
  Sent: 202 total, 0 forwarded broadcasts

OSPF statistics:
  Rcvd: 0 total, 0 checksum errors
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks

  Sent: 0 total
        0 hello, 0 database desc, 0 link state req
        0 link state updates, 0 link state acks

ARP statistics:
  Rcvd: 8979 requests, 23 replies, 14 reverse, 0 other
  Sent: 298 requests, 1598 replies (14 proxy), 0 reverse
0
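To make the wildcard-mask question concrete, here is an added Python example (not from the thread) that applies memo_tnt's two-line ACL, with the 98.19.0.0 0.0.255.255 value from the question above substituted for x.x.0.0, to sample source addresses. It implements IOS wildcard matching and first-match evaluation; the visitor address 98.19.4.200 is constructed.

```python
import ipaddress

# memo_tnt's ACL 101 in parsed form; "any" is 0.0.0.0 255.255.255.255.
# The 98.19.0.0 0.0.255.255 entry is the example value from the question.
ACL_101 = [
    ("deny",   "98.19.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0",   "255.255.255.255"),
]

def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(ip, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care',
    so only the bits that are 0 in the wildcard are compared."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(ip) & care) == (_as_int(network) & care)

def wildcard_size(wildcard):
    """Number of addresses a wildcard covers: 2 ** (count of 1 bits)."""
    return 2 ** bin(_as_int(wildcard)).count("1")

def evaluate(acl, src_ip):
    """First matching entry wins, as on IOS; implicit deny if nothing matches."""
    for action, network, wildcard in acl:
        if matches(src_ip, network, wildcard):
            return action
    return "deny"

def denied_sources(acl, src_ips):
    """Which of the given sources the ACL would drop."""
    return [ip for ip in src_ips if evaluate(acl, ip) == "deny"]

if __name__ == "__main__":
    # Sources from the question's log plus a constructed visitor in 98.19.0.0/16.
    sample = ["70.131.155.65", "98.19.4.200", "99.229.63.75"]
    print(wildcard_size("0.0.255.255"), "addresses covered")
    print("dropped:", denied_sources(ACL_101, sample))
```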
 
GuruChiuCommented:
You may be right. I can see that you have many more TCP sent than TCP rcvd.
Please post the output of
sh proc cp h

Per memo_tnt's suggestion, you should enable ip accounting on all interfaces.
After that, issue the command
clear ip accounting
wait 3 sec., then issue the command:
show ip accounting

This will show you the highest address pairs that are sending/receiving packets.

Finally I found this very useful
On your interfaces:
Router(config-if)# ip route-cache flow

Then after a few seconds, type the command:
sh ip cac f

This will show you currently which IP addresses are communicating on which protocol & port.
0
 
rsivanandanCommented:
http://www.cisco.com/web/about/security/intelligence/acl-logging.html

You may wanna check the above link on explanation of what is happening.

Essentially your router is blocking all the incoming requests from random ports to random ports. At first glance, it looks like a DDoS. The 1800 is doing its job but is helpless against enormous amounts of traffic, and there is nothing that can be done on that device.

So it is time to talk to your ISP and mention the same to them. They'd be able to help you.

Cheers,
rsivanandan
0
 
red24698Author Commented:
Well, it seems to have stopped... it looks like someone was just trying an attack and, as you say, it was just too much traffic for it to handle.
0
 
rsivanandanCommented:
Glad you got it resolved.

Cheers,
rsivanandan
0
