Add to collection(s) Add to saved
  1. Business

Goal: Prevent a host on your network that is scanning a TCP port on

advertisement 
Lab 7: Preventing DoS from Scanning Hosts
Answers
Goal: Prevent a host on your network that is scanning a TCP port on
all IP numbers from creating (S,G) state in your routers and causing
your network to advertise an excessive number of multicast sources
via MSDP.
- Before you start, note the (S,G) state in your RP router and the number of sources it
is advertising to its peers.
show ip mroute summary
show ip msdp peer 206.244.x.z advertised
- Start Wireshark on Host-Q or Host-R, and on the same host run the script “lab7.ssm”.
sudo lab7.ssm
- Watch the output packets on Wireshark. When the script has completed, look at the
summary of the (S,G) state on your RP and the number of sources it is advertising to
its peers.
- Now run the script “lab7.asm”.
sudo lab7.asm
- Again watch the output packets on Wireshark. When the script has completed,
look at the summary of the (S,G) state on your RP and the number of sources it is
advertising to its peers. You may also log into your neighboring pod’s RP and look at
the MSDP state created by a scanning host on your network.
- Note the difference between scanning the SSM range and an ASM range.
- Now create an extended IP access list that only allows UDP traffic when the
destination address is within the multicast address range.
ip access-list extended multicast-sanity
remark Multicast should only be udp
remark Block TCP and ICMP scans of multicast address space
deny
tcp any 224.0.0.0 15.255.255.255 log
deny
icmp any 224.0.0.0 15.255.255.255 log
permit ip any any
- Apply the inbound IP access list to the interfaces on your Customer-D and
Customer-E routers that Host-Q, Host-R and the switch are attached to.
int eth x
ip access-group multicast-sanity in
- If the (S,G) state created earlier has not yet timed out on your RP, then clear it.
clear ip mroute *
clear ip msdp sa-cache 206.244.x.q/r
- Run the scripts again and see if the IP access list blocks the (S,G) state from being
created and MSDP advertisements from being sent.
- Extra credit - Modify your access list if needed to allow PIM traffic and OSPF etc. And
also allow ICMP traffic on group 224.0.0.1 (See RFC 1256).
ip access-list extended multicast-sanity
remark 224.0.0.x never creates state, it is link-local only
permit ip any 224.0.0.0 0.0.0.255
remark Multicast should only be udp
remark Block TCP and ICMP scans of multicast address space
deny
tcp any 224.0.0.0 15.255.255.255 log
deny
icmp any 224.0.0.0 15.255.255.255 log
remark never multicast source address
deny
ip 224.0.0.0 15.255.255.255 any log
permit ip any any
Related documents
Chapter 10
Chapter 10
Congestion Control Algorithm for Tree-based
Congestion Control Algorithm for Tree-based
Learn TCP/IP Quiz
Learn TCP/IP Quiz
Homework 1
Homework 1
Template
Template
Alumni Survey Word Document
Alumni Survey Word Document
Wireshark Lab: TCP
Wireshark Lab: TCP
PowerPoint 프레젠테이션
PowerPoint 프레젠테이션
final
final
IP Multicast Overview
IP Multicast Overview
site_a - Cisco Support Community
site_a - Cisco Support Community
3. issues on ip multicast
3. issues on ip multicast
P1010TI_2
P1010TI_2
RP - NETS
RP - NETS
IP Multicast Technology Overview
IP Multicast Technology Overview
Download
advertisement