DoS Attack on Cisco Routers

Posted on 2014-01-14
Last Modified: 2014-01-15
Hello Expert,

I have just resubscribed to EE because the company I work for appears to be subject to DDoS attack.

The attack is coming from 79.173.X.X and it is using port 1029 to attack port 4500 on our router. The application is identified as 'Solid Mux'. When I did some research I found the following statement:

“The port 1029 is a Registered port. It is one of the first of this kind after the Well Known ports. A user must have privileged access, such as administrator access, to open Well Known ports from 0 to 1023. The Registered ports can be opened by other programs and users. It is used by the Solid Mux Server. The port 1029 is vulnerable to worms, Trojans and other malicious software.”

Can someone please help with an access-list to block the IP address?

Cheers

Carlton
Question by:cpatte7372
16 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39780785
You could put an ACL on the outside interface.

access-list 101 deny ip host 79.173.x.x host <ip address of router>

Since it's an attack, I wouldn't worry about legitimate traffic from that address.

But if you're worried about the attacks coming from other addresses:

access-list 101 deny tcp any eq 1029 host <ip address of router> eq 4500

I wasn't sure which port was the source and which was the destination.
 

Author Comment

by:cpatte7372
ID: 39780806
Hey donjohnston,

It's been a long time. Happy New Year.

The source of the attack is from 79.173.x.x and the destination is our router with public IP address 194.21.x.x

Cheers
 

Author Comment

by:cpatte7372
ID: 39780811
Don,

By applying the acls will it take immediate effect, or will I have to re-apply the acl to interface?

Cheers

 
LVL 50

Expert Comment

by:Don Johnston
ID: 39780820
If you simply add the line to an existing ACL that's already applied, then it will immediately take effect.

Otherwise, you will need to apply the ACL to an interface with the "ip access-group 101 in" statement.

And I left off the "permit any any" line that comes after the deny statement. So don't forget that or nothing will get in.
 

Author Comment

by:cpatte7372
ID: 39780830
Don,

So glad you're around.

We currently have the following access-list:

ip access-list extended incoming_from_internet
 deny   tcp any any eq telnet log
 deny   tcp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any
 permit gre any any
 deny   udp any any
 deny   ip any any
!
So where would I apply your example ACL?

Cheers mate.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39780868
It's already denied. There's not much currently being allowed.
 

Author Comment

by:cpatte7372
ID: 39780872
So how can we prevent this host with the IP address 79.143.x.x from hammering our router's internet-facing interface?
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39780889
If that ACL is currently applied, then they can't.

You've got:
 deny tcp any any
 deny udp any any
 deny ip any any

Which blocks ALL TCP, UDP and IP traffic from anywhere to anywhere.
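As an added check on the exchange above (example code written for this page, not from the thread or from Cisco): a small first-match evaluator for the asker's posted ACL. It shows that the reported 79.173.188.54:1029 -> router:4500 flow is denied when it is TCP but permitted when it is UDP, because `non500-isakmp` is the IOS keyword for UDP port 4500 (IPsec NAT-T), and it shows where Don's host-specific deny has to sit so it is matched before those VPN permits. The router address 194.21.0.1 is a constructed stand-in for the asker's 194.21.x.x, and the wildcard-mask handling also covers entries like gbotts's RFC 1918 denies.

```python
import ipaddress
ROUTER = "194.21.0.1"       # constructed stand-in for the asker's 194.21.x.x
ATTACKER = "79.173.188.54"  # address reported in the thread
PORT_NAMES = {"telnet": 23, "isakmp": 500, "non500-isakmp": 4500}  # IOS names
_ip = lambda s: int(ipaddress.ip_address(s))  # dotted quad -> 32-bit int

# The asker's ACL exactly as posted, one entry per line.
INCOMING_FROM_INTERNET = """
deny tcp any any eq telnet log
deny tcp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any
permit gre any any
deny udp any any
deny ip any any
"""

def take_addr(tok):
    # Consume 'any' | 'host A' | 'A WILDCARD'; return (addr, wildcard) as ints.
    kind = tok.pop(0)
    if kind == "host":
        return _ip(tok.pop(0)), 0
    return (0, 0xFFFFFFFF) if kind == "any" else (_ip(kind), _ip(tok.pop(0)))

def take_port(tok):
    # Consume an optional 'eq <port>' qualifier; return the port number or None.
    if tok and tok[0] == "eq":
        _, name = tok.pop(0), tok.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def evaluate(acl_text, proto, src, sport, dst, dport):
    # First matching entry wins; no match at all means IOS's implicit deny.
    for line in acl_text.strip().splitlines():
        tok = line.split()
        action, p = tok.pop(0), tok.pop(0)
        (sa, sw), sp = take_addr(tok), take_port(tok)
        (da, dw), dp = take_addr(tok), take_port(tok)
        if p not in ("ip", proto) or sp not in (None, sport) or dp not in (None, dport):
            continue
        if (_ip(src) ^ sa) & ~sw or (_ip(dst) ^ da) & ~dw:
            continue  # a wildcard bit of 1 means "don't care" about that bit
        return action, line
    return "deny", "<implicit deny ip any any>"

def with_host_deny(acl_text=INCOMING_FROM_INTERNET, host=ATTACKER):
    # Don's host-specific deny placed first, ahead of the VPN permit entries.
    return f"deny ip host {host} any\n{acl_text.strip()}\n"
```

Whether the attack traffic is really TCP or UDP is something to confirm from the router's own logging before deciding the existing ACL already covers it.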
 

Author Comment

by:cpatte7372
ID: 39780896
Don,

Is there nothing we can do to stop the attack?
 

Author Comment

by:cpatte7372
ID: 39780899
Don,

The ip address from which were being attacked is 79.173.188.54
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39780902
I'm not sure I follow you. You've got an ACL that is blocking the traffic.

What else is there to do?
 
LVL 1

Expert Comment

by:gbotts
ID: 39780915
Use a named list... Here is a basic example... I put this on a router interface in the inbound direction. Remove the "_____________"... You may have to tweak it a little and make sure you add your info.  Put the IP you want to block under the "Deny Known RFC..."...

Hope this helps...

ip access-list extended YOURCOMPANY_IN

_____________________THIS SECTION IS IN CASE YOU USE BGP___________________________
 permit tcp host <YOUR SYSTEM> host <PEER> eq bgp
 permit tcp host <YOUR SYSTEM> eq bgp host <PEER>

_____ THIS SECTION IS FOR ANY EXTERNAL TEST SYSTEMS YOU MAY HAVE____________
remark ***ALLOW ACCESS FOR TEST SYSTEMS***
permit ip host <ADD YOUR EXTERNAL TEST SYSTEMS HERE> any
remark "END OF TEST ACCESS SECTION"

________ DENY KNOWN RFC, HOSTS AND YOUR EXTERNAL IP BLOCK____________________
 remark ***DENY RFC NETS AND OURS***
 deny   ip <YOUR EXTERNAL CIDR BLOCK> any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip any host  <ADD HOSTS YOU WANT TO BLOCK >
 remark "END OF RFC SECTION"

______THIS SECTION IS DANGEROUS PORTS____________________

 remark ***DENY ACCESS TO DANGEROUS PORTS***
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp any any eq 1
 deny   udp any any eq 1
 deny   tcp any any eq echo
 deny   udp any any eq echo
 deny   tcp any any eq discard
 deny   udp any any eq discard
 deny   tcp any any eq 11
 deny   tcp any any eq daytime
 deny   udp any any eq 13
 deny   tcp any any eq 15
 deny   tcp any any eq chargen
 deny   udp any any eq 19
 deny   tcp any any eq 37
 deny   udp any any eq time
 deny   tcp any any eq whois
 deny   udp any any eq bootps
 deny   udp any any eq tftp
 deny   tcp any any eq 76
 deny   tcp any any eq 93
 deny   tcp any any eq ident
 deny   udp any any eq 113
 deny   tcp any any eq sunrpc
 deny   udp any any eq sunrpc
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any eq 137
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 138
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq login
 deny   udp any any eq who
 deny   tcp any any eq cmd
 deny   udp any any eq syslog
 deny   tcp any any eq 550
 deny   udp any any eq 550
 deny   tcp any any eq telnet
 deny   tcp any any eq domain
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any eq 161
 deny   tcp any any eq 162
 deny   tcp any any eq 1433
 deny   tcp any any eq 1900
 deny   udp any any eq 1900
 deny   tcp any any eq 5000
 deny   udp any any eq 5000

______________ADD WEBSERVERS HERE_________________________
 remark *** BEGIN WEB SERVER SECTION***
 permit tcp any host <YOUR WEBSERVER> eq www
 deny   tcp any any eq www
 remark *** END WEB SERVER SECTION***


_____________________________________________ADD DNS HERE_____________________
 remark *** NAME SERVERS SECTION***
 permit udp any host <YOUR DNS SERVER> eq domain
 deny   udp any any eq domain
 remark *** END NAME SERVERS SECTION***

_____________________________________________ADD FTP HERE_____________________
 remark *** BEGIN FTP SERVER SECTION***
 permit tcp any host <YOUR FTP SERVER> eq ftp
 deny   tcp any any eq ftp
 remark *** END FTP SERVER SECTION***



____________________________________________ADD SMTP HERE______________________
 remark *** BEGIN SMTP SERVER SECTION ***
 permit tcp any host <YOUR SMTP SERVER> eq smtp
 deny   tcp any any eq smtp
 remark *** END SMTP SERVER SECTION ***

___________________________________________ADD YOUR USER BLOCK HERE
 remark *** USERS SECTION***
 permit udp any eq domain <Add YOUR IP BLOCK HERE WITH MASK>
 remark ***ALLOW TCP RETURN TRAFFIC***
 permit tcp any <ADD YOUR IP BLOCK with MASK HERE> established
 remark "END RETURN TRAFFIC SECTION"
 remark ***DENY ICMP TRAFFIC***
 deny   icmp any any
 deny   icmp any any redirect
 deny   icmp any any mask-request
 remark "END ICMP SECTION"
 remark ***PERMIT ANY TRAFFIC NOT STATED ABOVE***
 permit ip any <ADD YOUR IP BLOCK with MASK HERE>
 deny   ip any any log
 

Author Comment

by:cpatte7372
ID: 39780975
The problem is a device keeps on attempting to connect to our public interface. We can place all the ACLs necessary but it won't stop a device from still trying to send packets to our router interface.

For example, I could give you our public IP address and no matter what ACL I have in place, if you know what the IP address is you could overwhelm our public interface with any traffic. However, the ACL will prevent the traffic from entering our network but it won't actually stop our public interface with the public IP address from being hit.

Does that make sense?
 
LVL 1

Accepted Solution

by:
gbotts earned 1000 total points
ID: 39780995
When you have an issue like that, you would call your ISP and inform them. It would be up to them to stop that.  I would call the ISP and open a ticket.  That way the traffic is blocked on their outbound interface to you.

Short of that, the traffic is going to hit you.  What model router are you using for your Internet connection?  If you run a "show proc cpu" it will tell you how much it is "taxing" you. If it's pretty bad, I would call and get that ticket opened right away....

hope this helps...
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 1000 total points
ID: 39781041
You would have to stop the traffic at the source or have your ISP try to stop it.

I agree with gbotts, notify your ISP and try to make it their problem.
 

Author Closing Comment

by:cpatte7372
ID: 39781952
Thanks chaps. You're both correct. We are in touch with our ISP.