Asked by cpatte7372
DoS Attack on Cisco Routers

Hello Expert,

I have just resubscribed to EE because the company I work for appears to be subject to a DDoS attack.

The attack is coming from 79.173.X.X and it is using port 1029 to attack port 4500 on our router. The application is identified as 'Solid Mux'. When I did some research I found the following statement:

“The port 1029 is a Registered port. It is one of the first of this kind after the Well Known ports. A user must have privileged access, such as administrator access, to open Well Known ports from 0 to 1023. The Registered ports can be opened by other programs and users. It is used by the Solid Mux Server. The port 1029 is vulnerable to worms, Trojans and other malicious software.”

Can someone please help with an access-list to block the IP address?

Cheers

Carlton
Don Johnston

You could put an ACL on the outside interface.

access-list 101 deny ip host 79.173.x.x host <ip address of router>

Since it's an attack, I wouldn't worry about legitimate traffic from that address.

But if you're worried about the attacks coming from other addresses:

access-list 101 deny tcp any eq 1029 host <ip address of router> eq 4500

I wasn't sure which port was the source and which was the destination.
cpatte7372 (ASKER)

Hey donjohnston,

It's been a long time. Happy New Year.

The source of the attack is 79.173.x.x and the destination is our router with public IP address 194.21.x.x.

Cheers
cpatte7372 (ASKER)

Don,

If I apply the ACLs, will they take immediate effect, or will I have to re-apply the ACL to the interface?

Cheers
Don Johnston

If you simply add the line to an existing ACL that's already applied, then it will immediately take effect.

Otherwise, you will need to apply the ACL to an interface with the "ip access-group 101 in" statement.

And I left off the "permit any any" line that comes after the deny statement. So don't forget that or nothing will get in.
cpatte7372 (ASKER)

Don,

So glad you're around.

We currently have the following access-list:

ip access-list extended incoming_from_internet
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any
!
So where would I apply your example ACL?

Cheers mate.
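An added example, not from the thread: a small Python model of how IOS walks an extended ACL top-down with the first match winning, run over the list posted above, so you can see which line the reported 79.173.x.x:1029 -> router:4500 traffic hits for UDP and for TCP (the thread does not say which protocol it is). It also parses `host` and wildcard-mask entries like those in the longer template later in the thread. 194.21.0.1 is a constructed stand-in for the 194.21.x.x router address, and PORT_NAMES covers only the IOS keywords used here.

```python
import ipaddress
# The asker's ACL, copied verbatim from the question above.
ASKER_ACL = """
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any
"""
PORT_NAMES = {"telnet": 23, "isakmp": 500, "non500-isakmp": 4500}  # IOS keywords; non500-isakmp is NAT-T, UDP 4500

def parse_addr(tokens):  # consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens.pop(0))))  # wildcard = inverted netmask
    return ipaddress.ip_network((tok, str(netmask)), strict=False)

def parse_port(tokens):  # consume an optional 'eq <port>' qualifier; None means any port
    if tokens[:1] != ["eq"]:
        return None
    _, name = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES.get(name) or int(name)

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark": continue  # remarks document the list and never match traffic
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = parse_addr(rest), parse_port(rest)  # pops consume tokens left to right
        dst, dport = parse_addr(rest), parse_port(rest)
        entries.append((action, proto, src, sport, dst, dport, " ".join(tokens)))
    return entries

def evaluate(entries, proto, src_ip, sport, dst_ip, dport):  # top-down, first match wins, as on IOS
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, sp, dst, dp, text in entries:
        if p in ("ip", proto) and s in src and d in dst and sp in (None, sport) and dp in (None, dport):
            return action, text
    return "deny", "implicit deny"  # nothing matched: the implicit deny at the end of every IOS ACL

def check_reported_traffic(proto):  # constructed packet: 79.173.188.54:1029 -> 194.21.0.1:4500 (stand-in for 194.21.x.x)
    return evaluate(parse_acl(ASKER_ACL), proto, "79.173.188.54", 1029, "194.21.0.1", 4500)
```

Because non500-isakmp is UDP 4500, a UDP packet to that port is admitted by the fifth line, so a host-specific deny only takes effect if it sits above that permit.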
Don Johnston

It's already denied. There's not much currently being allowed.
cpatte7372 (ASKER)

So how can we prevent this host with the IP address 79.143.x.x from hammering our router's internet-facing interface?
Don Johnston

If that ACL is currently applied, then they can't.

You've got:
 deny tcp any any
 deny udp any any
 deny ip any any

Which blocks ALL TCP, UDP and IP traffic from anywhere to anywhere.
cpatte7372 (ASKER)

Don,

Is there nothing we can do to stop the attack?
cpatte7372 (ASKER)

Don,

The IP address from which we're being attacked is 79.173.188.54.
Don Johnston

I'm not sure I follow you. You've got an ACL that is blocking the traffic.

What else is there to do?
gbotts

Use a named list... Here is a basic example... I put this on a router interface in the inbound direction. Remove the "_____________"... You may have to tweak it a little and make sure you add your info.  Put the IP you want to block under the "Deny Known RFC..."...

Hope this helps...

ip access-list extended YOURCOMPANY_IN

_____________________THIS SECTION IS IN CASE YOU USE BGP___________________________
 permit tcp host <YOUR SYSTEM> host <PEER> eq bgp
 permit tcp host <YOUR SYSTEM> eq bgp host <PEER>

_____ THIS SECTION IS FOR ANY EXTERNAL TEST SYSTEMS YOU MAY HAVE____________
remark ***ALLOW ACCESS FOR TEST SYSTEMS***
permit ip host <ADD YOUR EXTERNAL TEST SYSTEMS HERE> any
remark "END OF TEST ACCESS SECTION"

________ DENY KNOWN RFC, HOSTS AND YOUR EXTERNAL IP BLOCK____________________
 remark ***DENY RFC NETS AND OURS***
 deny   ip <YOUR EXTERNAL CIDR BLOCK> any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip any host <ADD HOSTS YOU WANT TO BLOCK>
 remark "END OF RFC SECTION"

______THIS SECTION IS DANGEROUS PORTS____________________

 remark ***DENY ACCESS TO DANGEROUS PORTS***
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp any any eq 1
 deny   udp any any eq 1
 deny   tcp any any eq echo
 deny   udp any any eq echo
 deny   tcp any any eq discard
 deny   udp any any eq discard
 deny   tcp any any eq 11
 deny   tcp any any eq daytime
 deny   udp any any eq 13
 deny   tcp any any eq 15
 deny   tcp any any eq chargen
 deny   udp any any eq 19
 deny   tcp any any eq 37
 deny   udp any any eq time
 deny   tcp any any eq whois
 deny   udp any any eq bootps
 deny   udp any any eq tftp
 deny   tcp any any eq 76
 deny   tcp any any eq 93
 deny   tcp any any eq ident
 deny   udp any any eq 113
 deny   tcp any any eq sunrpc
 deny   udp any any eq sunrpc
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 138
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq login
 deny   udp any any eq who
 deny   tcp any any eq cmd
 deny   udp any any eq syslog
 deny   tcp any any eq 550
 deny   udp any any eq 550
 deny   tcp any any eq telnet
 deny   tcp any any eq domain
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq 161
 deny   tcp any any eq 162
 deny   tcp any any eq 1433
 deny   tcp any any eq 1900
 deny   udp any any eq 1900
 deny   tcp any any eq 5000
 deny   udp any any eq 5000

______________ADD WEBSERVERS HERE_________________________
 remark *** BEGIN WEB SERVER SECTION***
 permit tcp any host <YOUR WEBSERVER> eq www
 deny   tcp any any eq www
 remark *** END WEB SERVER SECTION***


_____________________________________________ADD DNS HERE_____________________
 remark *** NAME SERVERS SECTION***
 permit udp any host <YOUR DNS SERVER> eq domain
 deny   udp any any eq domain
 remark *** END NAME SERVERS SECTION***

_____________________________________________ADD FTP HERE_____________________
 remark *** BEGIN FTP SERVER SECTION***
 permit tcp any host <YOUR FTP SERVER> eq ftp
 deny   tcp any any eq ftp
 remark *** END FTP SERVER SECTION***



____________________________________________ADD SMTP HERE______________________
 remark *** BEGIN SMTP SERVER SECTION ***
 permit tcp any host <YOUR SMTP SERVER> eq smtp
 deny   tcp any any eq smtp
 remark *** END SMTP SERVER SECTION ***

___________________________________________ADD YOUR USER BLOCK HERE
 remark *** USERS SECTION***
 permit udp any eq domain <Add YOUR IP BLOCK HERE WITH MASK>
 remark ***ALLOW TCP RETURN TRAFFIC***
 permit tcp any <ADD YOUR IP BLOCK with MASK HERE> established
 remark "END RETURN TRAFFIC SECTION"
 remark ***DENY ICMP TRAFFIC***
 deny   icmp any any
 deny   icmp any any redirect
 deny   icmp any any mask-request
 remark "END ICMP SECTION"
 remark ***PERMIT ANY TRAFFIC NOT STATED ABOVE***
 permit ip any <ADD YOUR IP BLOCK with MASK HERE>
 deny   ip any any log
cpatte7372 (ASKER)

The problem is that a device keeps attempting to connect to our public interface. We can put all the ACLs necessary in place, but that won't stop a device from still trying to send packets to our router interface.

For example, I could give you our public IP address and, no matter what ACL I have in place, if you know what the IP address is you could overwhelm our public interface with any traffic. The ACL will prevent the traffic from entering our network, but it won't actually stop our public interface with the public IP address from being hit.

Does that make sense?
ASKER CERTIFIED SOLUTION
gbotts
SOLUTION
Don Johnston
cpatte7372 (ASKER)

Thanks chaps. You're both correct. We are in touch with our ISP.