Solved

DoS Attack on Cisco Routers

Posted on 2014-01-14
Last Modified: 2014-01-15
Hello Expert,

I have just resubscribed to EE because the company I work for appears to be subject to DDoS attack.

The attack is coming from 79.173.X.X and it is using port 1029 to attack port 4500 on our router. The application is identified as 'Solid Mux'. When I did some research I found the following statement:

“The port 1029 is a Registered port. It is one of the first of this kind after the Well Known ports. A user must have privileged access, such as administrator access, to open Well Known ports from 0 to 1023. The Registered ports can be opened by other programs and users. It is used by the Solid Mux Server. The port 1029 is vulnerable to worms, Trojans and other malicious software.”

Can someone please help with an access-list to block the IP address?

Cheers

Carlton
Question by:cpatte7372
16 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39780785
You could put an ACL on the outside interface.

access-list 101 deny ip host 79.173.x.x host <ip address of router>

Since it's an attack, I wouldn't worry about legitimate traffic from that address.

But if you're worried about the attacks coming from other addresses:

access-list 101 deny tcp any eq 1029 host <ip address of router> eq 4500

I wasn't sure which port was the source and which was the destination.

Author Comment

by:cpatte7372
ID: 39780806
Hey donjohnston,

It's been a long time. Happy New Year.

The source of the attack is from 79.173.x.x and the destination is our router with public IP address 194.21.x.x

Cheers

Author Comment

by:cpatte7372
ID: 39780811
Don,

By applying the acls will it take immediate effect, or will I have to re-apply the acl to interface?

Cheers
LVL 50

Expert Comment

by:Don Johnston
ID: 39780820
If you simply add the line to an existing ACL that's already applied, then it will immediately take effect.

Otherwise, you will need to apply the ACL to an interface with the "ip access-group 101 in" statement.

And I left off the "permit any any" line that comes after the deny statement. So don't forget that or nothing will get in.

Author Comment

by:cpatte7372
ID: 39780830
Don,

So glad you're around.

We currently have the following access-list:

ip access-list extended incoming_from_internet
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any
!
So where would apply your example acl?

Cheers mate.
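To see how IOS walks an access list top-down (the point behind Don's remark that a deny without a following permit lets nothing in, and his reading of the list above), here is an added example, not code from the thread, of a small first-match evaluator that parses the ACL body the asker posted and lines in Don's `access-list 101` style; PORT_NAMES, parse_acl and evaluate are the example's own names, and 192.0.2.1 is a stand-in for the router's address. It also makes the protocol question visible: TCP to port 4500 hits `deny tcp any any`, while UDP 4500 is the IOS keyword non500-isakmp, which this list permits.

```python
import ipaddress

# Constructed copy of the ACL body the asker posted (IOS named extended ACL).
ASKER_ACL = """
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any
"""
# IOS port keywords seen on this page; numeric ports pass through unchanged.
PORT_NAMES = {"telnet": 23, "isakmp": 500, "non500-isakmp": 4500, "bgp": 179, "www": 80}
def _addr(tok):  # consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        want = ipaddress.ip_address(tok[1])
        return (lambda ip: ip == want), tok[2:]
    net, wild = int(ipaddress.ip_address(tok[0])), int(ipaddress.ip_address(tok[1]))
    return (lambda ip: (int(ip) | wild) == (net | wild)), tok[2:]  # wildcard bits are don't-care
def _port(tok):  # consume an optional 'eq PORT' qualifier (name or number)
    if tok and tok[0] == "eq":
        want = int(tok[1]) if tok[1].isdigit() else PORT_NAMES[tok[1]]
        return (lambda p: p == want), tok[2:]
    return (lambda p: True), tok
def parse_acl(text):
    """Turn ACL lines into (action, proto, src, sport, dst, dport, text) entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, rest = _addr(tok[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)  # any trailing 'log' keyword is ignored
        entries.append((tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return entries
def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins, as on IOS; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, fs, fsp, fd, fdp, text in entries:
        if p in ("ip", proto) and fs(s) and fsp(sport) and fd(d) and fdp(dport):
            return action, text
    return "deny", "(implicit deny at end of ACL)"
```

Calling evaluate(parse_acl(ASKER_ACL), "udp", "79.173.188.54", 1029, "192.0.2.1", 4500) returns the permit line, the same call with "tcp" returns the second deny line.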
LVL 50

Expert Comment

by:Don Johnston
ID: 39780868
It's already denied. There's not much currently being allowed.

Author Comment

by:cpatte7372
ID: 39780872
So how can we prevent this host with the IP address 79.143.x.x from hammering our router's internet-facing interface?
LVL 50

Expert Comment

by:Don Johnston
ID: 39780889
If that ACL is currently applied, then they can't.

You've got:
 deny tcp any any
 deny udp any any
 deny ip any any

Which blocks ALL TCP, UDP and IP traffic from anywhere to anywhere.

Author Comment

by:cpatte7372
ID: 39780896
Don,

Is there nothing we can do to stop the attack?

Author Comment

by:cpatte7372
ID: 39780899
Don,

The ip address from which were being attacked is 79.173.188.54
LVL 50

Expert Comment

by:Don Johnston
ID: 39780902
I'm not sure I follow you. You've got an ACL that is blocking the traffic.

What else is there to do?
LVL 1

Expert Comment

by:gbotts
ID: 39780915
Use a named list... Here is a basic example... I put this on a router interface in the inbound direction. Remove the "_____________"... You may have to tweak it a little and make sure you add your info.  Put the IP you want to block under the "Deny Known RFC..."...

Hope this helps...

ip access-list extended YOURCOMPANY_IN

_____________________THIS SECTION IS IN CASE YOU USE BGP___________________________
 permit tcp host <YOUR SYSTEM> host <PEER> eq bgp
 permit tcp host <YOUR SYSTEM> eq bgp host <PEER>

_____ THIS SECTION IS FOR ANY EXTERNAL TEST SYSTEMS YOU MAY HAVE____________
remark ***ALLOW ACCESS FOR TEST SYSTEMS***
permit ip host <ADD YOU EXTERNAL TEST SYSTEMS HERE> any
remark "END OF TEST ACCESS SECTION"

________ DENY KNOWN RFC, HOSTS AND YOUR EXTERNAL IP BLOCK____________________
 remark ***DENY RFC NETS AND OURS***
 deny   ip <YOUR EXTERNAL CIDR BLOCK> any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip any host  <ADD HOSTS YOU WANT TO BLOCK >
 remark "END OF RFC SECTION"

______THIS SECTION IS DANGEROUS PORTS____________________

 remark ***DENY ACCESS TO DANGEROUS PORTS***
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp any any eq 1
 deny   udp any any eq 1
 deny   tcp any any eq echo
 deny   udp any any eq echo
 deny   tcp any any eq discard
 deny   udp any any eq discard
 deny   tcp any any eq 11
 deny   tcp any any eq daytime
 deny   udp any any eq 13
 deny   tcp any any eq 15
 deny   tcp any any eq chargen
 deny   udp any any eq 19
 deny   tcp any any eq 37
 deny   udp any any eq time
 deny   tcp any any eq whois
 deny   udp any any eq bootps
 deny   udp any any eq tftp
 deny   tcp any any eq 76
 deny   tcp any any eq 93
 deny   tcp any any eq ident
 deny   udp any any eq 113
 deny   tcp any any eq sunrpc
 deny   udp any any eq sunrpc
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 138
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq login
 deny   udp any any eq who
 deny   tcp any any eq cmd
 deny   udp any any eq syslog
 deny   tcp any any eq 550
 deny   udp any any eq 550
 deny   tcp any any eq telnet
 deny   tcp any any eq domain
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq 161
 deny   tcp any any eq 162
 deny   tcp any any eq 1433
 deny   tcp any any eq 1900
 deny   udp any any eq 1900
 deny   tcp any any eq 5000
 deny   udp any any eq 5000

______________ADD WEBSERVERS HERE_________________________
 remark *** BEGIN WEB SERVER SECTION***
 permit tcp any host <YOUR WEBSERVER> eq www
 deny   tcp any any eq www
 remark *** END WEB SERVER SECTION***


_____________________________________________ADD DNS HERE_____________________
 remark *** NAME SERVERS SECTION***
 permit udp any host <YOUR DNS SERVER> eq domain
 deny   udp any any eq domain
 remark *** END NAME SERVERS SECTION***

_____________________________________________ADD FTP HERE_____________________
 remark *** BEGIN FTP SERVER SECTION***
 permit tcp any host <YOUR FTP SERVER> eq ftp
 deny   tcp any any eq ftp
 remark *** END FTP SERVER SECTION***



____________________________________________ADD SMTP HERE______________________
 remark *** BEGIN SMTP SERVER SECTION ***
 permit tcp any host <YOUR SMTP SERVER> eq smtp
 deny   tcp any any eq smtp
 remark *** END SMTP SERVER SECTION ***

___________________________________________ADD YOUR USER BLOCK HERE
 remark *** USERS SECTION***
 permit udp any eq domain <Add YOUR IP BLOCK HERE WITH MASK>
 remark ***ALLOW TCP RETURN TRAFFIC***
 permit tcp any <ADD YOUR IP BLOCK with MASK HERE> established
 remark "END RETURN TRAFFIC SECTION"
 remark ***DENY ICMP TRAFFIC***
 deny   icmp any any
 deny   icmp any any redirect
 deny   icmp any any mask-request
 remark "END ICMP SECTION"
 remark ***PERMIT ANY TRAFFIC NOT STATED ABOVE***
 permit ip any <ADD YOUR IP BLOCK with MASK HERE>
 deny   ip any any log

Author Comment

by:cpatte7372
ID: 39780975
The problem is a device keeps attempting to connect to our public interface. We can place all the ACLs necessary but it won't stop a device from still trying to send packets to our router interface.

For example, I could give you our public IP address and no matter what ACL I have in place, if you know what the IP address is you could overwhelm our public interface with any traffic. However, the ACL will prevent the traffic from entering our network but it won't actually stop our public interface with the public IP address from being hit.

Does that make sense?
LVL 1

Accepted Solution

by:
gbotts earned 250 total points
ID: 39780995
When you have an issue like that, you would call your ISP and inform them. It would be up to them to stop that.  I would call the ISP and open a ticket.  That way the traffic is blocked on their outbound interface to you.

Short of that, the traffic is going to hit you.  What model router are you using for your Internet connection?  If you run a "show proc cpu" it will tell you how much it is "taxing" you. If it's pretty bad, I would call and get that ticket opened right away....

hope this helps...
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 250 total points
ID: 39781041
You would have to stop the traffic at the source or have your ISP try to stop it.

I agree with gbotts, notify your ISP and try to make it their problem.

Author Closing Comment

by:cpatte7372
ID: 39781952
Thanks chaps. You're both correct. We are in touch with our ISP.