Asked by cpatte7372 (United Kingdom)

DoS Attack on Cisco Routers

Hello Expert,

I have just resubscribed to EE because the company I work for appears to be subject to a DDoS attack.

The attack is coming from 79.173.X.X and it is using port 1029 to attack port 4500 on our router. The application is identified as 'Solid Mux'. When I did some research I found the following statement:

“The port 1029 is a Registered port. It is one of the first of this kind after the Well Known ports. A user must have privileged access, such as administrator access, to open Well Known ports from 0 to 1023. The Registered ports can be opened by other programs and users. It is used by the Solid Mux Server. The port 1029 is vulnerable to worms, Trojans and other malicious software.”

Can someone please help with an access-list to block the IP address?

Cheers

Carlton
Topics: Chat / IM, Routers

Last comment: cpatte7372, 8/22/2022 (Mon)
Don Johnston

You could put an ACL on the outside interface.

access-list 101 deny ip host 79.173.x.x host <ip address of router>

Since it's an attack, I wouldn't worry about legitimate traffic from that address.

But if you're worried about the attacks coming from other addresses:

access-list 101 deny tcp any eq 1029 host <ip address of router> eq 4500

I wasn't sure which port was the source and which was the destination.
ASKER
cpatte7372

Hey donjohnston,

It's been a long time. Happy New Year.

The source of the attack is 79.173.x.x and the destination is our router with public IP address 194.21.x.x.

Cheers
ASKER
cpatte7372

Don,

If I apply the ACLs, will they take immediate effect, or will I have to re-apply the ACL to the interface?

Cheers
Don Johnston

If you simply add the line to an existing ACL that's already applied, then it will immediately take effect.

Otherwise, you will need to apply the ACL to an interface with the "ip access-group 101 in" statement.

And I left off the "permit any any" line that comes after the deny statement. So don't forget that or nothing will get in.
ASKER
cpatte7372

Don,

So glad you're around.

We currently have the following access-list:

ip access-list extended incoming_from_internet
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any
!
So where would I apply your example ACL?

Cheers mate.
Don Johnston

It's already denied. There's not much currently being allowed.
ASKER
cpatte7372

So how can we prevent this host with the IP address 79.143.x.x from hammering our router's internet-facing interface?
Don Johnston

If that ACL is currently applied, then they can't.

You've got:
 deny tcp any any
 deny udp any any
 deny ip any any

Which blocks ALL TCP, UDP and IP traffic from anywhere to anywhere.
ASKER
cpatte7372

Don,

Is there nothing we can do to stop the attack?
ASKER
cpatte7372

Don,

The IP address from which we're being attacked is 79.173.188.54.
Don Johnston

I'm not sure I follow you. You've got an ACL that is blocking the traffic.

What else is there to do?
gbotts

Use a named list... Here is a basic example... I put this on a router interface in the inbound direction. Remove the "_____________" lines... You may have to tweak it a little, and make sure you add your info. Put the IP you want to block under the "Deny Known RFC..." section...

Hope this helps...

ip access-list extended YOURCOMPANY_IN

_____________________THIS SECTION IS IN CASE YOU USE BGP___________________________
 remark ***BGP PEERING***
 permit tcp host <YOUR SYSTEM> host <PEER> eq bgp
 permit tcp host <YOUR SYSTEM> eq bgp host <PEER>

_____ THIS SECTION IS FOR ANY EXTERNAL TEST SYSTEMS YOU MAY HAVE____________
 remark ***ALLOW ACCESS FOR TEST SYSTEMS***
 permit ip host <ADD YOUR EXTERNAL TEST SYSTEMS HERE> any
 remark "END OF TEST ACCESS SECTION"

________ DENY KNOWN RFC, HOSTS AND YOUR EXTERNAL IP BLOCK____________________
 remark ***DENY RFC NETS AND OURS***
 deny   ip <YOUR EXTERNAL CIDR BLOCK> any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip any host  <ADD HOSTS YOU WANT TO BLOCK >
 remark "END OF RFC SECTION"

______THIS SECTION IS DANGEROUS PORTS____________________

 remark ***DENY ACCESS TO DANGEROUS PORTS***
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp any any eq 1
 deny   udp any any eq 1
 deny   tcp any any eq echo
 deny   udp any any eq echo
 deny   tcp any any eq discard
 deny   udp any any eq discard
 deny   tcp any any eq 11
 deny   tcp any any eq daytime
 deny   udp any any eq 13
 deny   tcp any any eq 15
 deny   tcp any any eq chargen
 deny   udp any any eq 19
 deny   tcp any any eq 37
 deny   udp any any eq time
 deny   tcp any any eq whois
 deny   udp any any eq bootps
 deny   udp any any eq tftp
 deny   tcp any any eq 76
 deny   tcp any any eq 93
 deny   tcp any any eq ident
 deny   udp any any eq 113
 deny   tcp any any eq sunrpc
 deny   udp any any eq sunrpc
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 138
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq login
 deny   udp any any eq who
 deny   tcp any any eq cmd
 deny   udp any any eq syslog
 deny   tcp any any eq 550
 deny   udp any any eq 550
 deny   tcp any any eq telnet
 deny   tcp any any eq domain
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq 161
 deny   tcp any any eq 162
 deny   tcp any any eq 1433
 deny   tcp any any eq 1900
 deny   udp any any eq 1900
 deny   tcp any any eq 5000
 deny   udp any any eq 5000

______________ADD WEBSERVERS HERE_________________________
 remark *** BEGIN WEB SERVER SECTION***
 permit tcp any host <YOUR WEBSERVER> eq www
 deny   tcp any any eq www
 remark *** END WEB SERVER SECTION***


_____________________________________________ADD DNS HERE_____________________
 remark *** NAME SERVERS SECTION***
 permit udp any host <YOUR DNS SERVER> eq domain
 deny   udp any any eq domain
 remark *** END NAME SERVERS SECTION***

_____________________________________________ADD FTP HERE_____________________
 remark *** BEGIN FTP SERVER SECTION***
 permit tcp any host <YOUR FTP SERVER> eq ftp
 deny   tcp any any eq ftp
 remark *** END FTP SERVER SECTION***



____________________________________________ADD SMTP HERE______________________
 remark *** BEGIN SMTP SERVER SECTION ***
 permit tcp any host <YOUR SMTP SERVER> eq smtp
 deny   tcp any any eq smtp
 remark *** END SMTP SERVER SECTION ***

___________________________________________ADD YOUR USER BLOCK HERE
 remark *** USERS SECTION***
 permit udp any eq domain <Add YOUR IP BLOCK HERE WITH MASK>
 remark ***ALLOW TCP RETURN TRAFFIC***
 permit tcp any <ADD YOUR IP BLOCK with MASK HERE> established
 remark "END RETURN TRAFFIC SECTION"
 remark ***DENY ICMP TRAFFIC***
 deny   icmp any any
 deny   icmp any any redirect
 deny   icmp any any mask-request
 remark "END ICMP SECTION"
 remark ***PERMIT ANY TRAFFIC NOT STATED ABOVE***
 permit ip any <ADD YOUR IP BLOCK with MASK HERE>
 deny   ip any any log
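The thread turns on three things a reader may want to see rather than take on trust: an extended ACL is evaluated top-down and the first matching line wins, so the asker's existing `deny tcp any any` already drops the 1029-to-4500 TCP packets (Don Johnston's point); a list that contains only Don's host-specific `deny` and no trailing `permit ip any any` drops everything because of the implicit deny; and the wildcard masks in gbotts's template (`172.16.0.0 0.15.255.255` and so on) match whole blocks, not single addresses. The Python model below is an added illustration written for this page, not code from any of the posters or from Cisco. It parses the ACL lines exactly as posted and runs constructed packets through them. The router address `194.21.0.1`, the "other" source `203.0.113.9`, and the filled-in placeholders in the gbotts section are assumptions (the thread only gives `194.21.x.x`); `log`, `established`, ICMP types and port ranges are not modelled.

```python
"""Model of how Cisco IOS evaluates an extended ACL: first matching line wins,
implicit 'deny ip any any' ends every list. Added example, not any poster's code;
addresses and packets are constructed from those quoted in the thread."""
import ipaddress
from collections import namedtuple

# Port keywords IOS prints in place of numbers (only those the thread's ACLs use).
PORT_NAMES = {"telnet": 23, "isakmp": 500, "non500-isakmp": 4500}
# src/dst are (network, wildcard) 32-bit ints; sport/dport are int or None (= any).
Rule = namedtuple("Rule", "action proto src sport dst dport text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, wild), rest)."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]

def _port(toks):
    """Consume an optional 'eq PORT' (keyword or number); return (port, rest)."""
    if toks and toks[0] == "eq":
        p = toks[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), toks[2:]
    return None, toks

def parse_acl(text):
    """Parse named or numbered extended-ACL lines; header/remark/banner lines are skipped."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks and toks[0] == "access-list":   # numbered form: access-list 101 deny ...
            toks = toks[2:]
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, rest = _addr(toks[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)   # leftover keywords such as 'log' are ignored
        rules.append(Rule(toks[0], toks[1], src, sport, dst, dport, " ".join(toks)))
    return rules

def _in_net(addr, net):
    mask = ~net[1] & 0xFFFFFFFF      # a wildcard bit of 1 means "don't care"
    return addr & mask == net[0] & mask

def evaluate(rules, proto, src, sport, dst, dport):
    """Return (action, matched_rule_text) for one packet; first match wins."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (_in_net(_ip(src), r.src) and _in_net(_ip(dst), r.dst)):
            continue
        if r.sport not in (None, sport) or r.dport not in (None, dport):
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any"

ROUTER, ATTACKER, OTHER = "194.21.0.1", "79.173.188.54", "203.0.113.9"  # constructed

ASKER_ACL = """ip access-list extended incoming_from_internet
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any"""                      # the asker's ACL as posted

DON_DENY = "access-list 101 deny ip host 79.173.188.54 host 194.21.0.1"
DON_FULL = DON_DENY + "\naccess-list 101 permit ip any any"   # the line Don said not to forget

GBOTTS_ACL = """ip access-list extended YOURCOMPANY_IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 permit ip any 194.21.0.0 0.0.0.255
 deny   ip any any log"""                  # gbotts's bogon section, placeholders filled in

def results():
    a, d, g = parse_acl(ASKER_ACL), parse_acl(DON_DENY), parse_acl(GBOTTS_ACL)
    return {
        "asker_tcp_1029_to_4500": evaluate(a, "tcp", ATTACKER, 1029, ROUTER, 4500),
        "asker_udp_4500": evaluate(a, "udp", ATTACKER, 4500, ROUTER, 4500),
        "don_other_no_permit": evaluate(d, "tcp", OTHER, 40000, ROUTER, 443),
        "don_other_with_permit": evaluate(parse_acl(DON_FULL), "tcp", OTHER, 40000, ROUTER, 443),
        "gbotts_rfc1918_src": evaluate(g, "tcp", "172.31.5.5", 40000, ROUTER, 443),
        "gbotts_public_src": evaluate(g, "tcp", "172.32.1.1", 40000, ROUTER, 443),
        "gbotts_wrong_dst": evaluate(g, "tcp", OTHER, 40000, "194.22.0.1", 443),
    }
```

Running `results()` shows the TCP 1029-to-4500 packet stopped by `deny tcp any any`, while UDP/4500 from the same source is still permitted by the `non500-isakmp` line, because that line accepts IPsec NAT-T from any peer; if the noise were UDP/4500 rather than TCP, a host-specific `deny` would have to sit above that `permit`. Don's bare `deny` list drops the unrelated source `203.0.113.9` through the implicit deny until `permit ip any any` is appended, and `172.31.5.5` is caught by the `172.16.0.0 0.15.255.255` line while `172.32.1.1` is not. None of this changes the asker's later point: a matched `deny` discards the packet after the interface has already received it, so the model says nothing about link load.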
ASKER
cpatte7372

The problem is that a device keeps on attempting to connect to our public interface. We can put all the ACLs necessary in place, but it won't stop a device from still trying to send packets to our router interface.

For example, I could give you our public IP address and, no matter what ACL I have in place, if you know what the IP address is you could overwhelm our public interface with any traffic. The ACL will prevent the traffic from entering our network, but it won't actually stop our public interface with the public IP address from being hit.

Does that make sense?
ASKER CERTIFIED SOLUTION
gbotts

ASKER
cpatte7372

Thanks chaps. You're both correct. We are in touch with our ISP.