Routers:
Read: Chapter 7 – Denial of Service
Second Edition
by William Stallings and Lawrie Brown
Lecture slides by Susan Lincke & Lawrie Brown
Objectives
Objectives:
The student shall be able to:
 Define and describe the advantage of ingress filtering, egress
filtering, black hole filtering, direct broadcast filtering, unicast
reverse path forwarding.
 Write CISCO commands to (for example):
 Prevent tcp packets with port numbers ranging between 135 to 139
into the network from or to any IP address and log any violations.
 Write two commands to establish a state-driven evaluation that
allows only outgoing tcp connections to be established
 Write ACLs in the correct order to configure a secure and efficient
interface.
 Save the active configuration to non-volatile memory (Not 2012)
Classic Denial of Service Attacks
 can use simple flooding ping
 from higher capacity link to lower
 causing loss of traffic
 source of flood traffic easily identified
TCP Connection Handshake
SYN Spoofing
 common attack
 attacks ability of a server to respond to future connection
requests
 overflowing tables used to manage them
 hence an attack on system resource
SYN Spoofing Attack
Types of Flooding Attacks
 classified based on network protocol used
 ICMP Flood
 uses ICMP packets, e.g. echo request
 typically allowed through, some required
 UDP Flood
 alternative uses UDP packets to some port
 TCP SYN Flood
 use TCP SYN (connection request) packets
 but for volume attack
DDoS Control Hierarchy
Distributed Denial of Service Attacks
 have limited volume if single source used
 multiple systems allow much higher traffic volumes to form
a Distributed Denial of Service (DDoS) Attack
 often compromised PC’s / workstations
 zombies with backdoor programs installed
 forming a botnet
 e.g. Tribe Flood Network (TFN), TFN2K
Reflection Attacks
 further variation creates a self-contained loop between
intermediary and target
 fairly easy to filter and block
Amplification Attacks
Send to Broadcast IP address: FF FF
DoS Attack Defenses
 high traffic volumes may be legitimate
 result of high publicity, e.g. “slash-dotted”
 or to a very popular site, e.g. Olympics etc
 or legitimate traffic created by an attacker
 three lines of defense against (D)DoS:
 attack prevention and preemption
 attack detection and filtering
 attack source traceback and identification
Attack Prevention
Src=130.72.33.0
 block spoofed source addresses
IP
 on routers as close to source as possible
130.69.84.0
 still far too rarely implemented
 rate controls in upstream distribution nets
 Slow down the originator or ‘upstream’
 e.g. some packet types: ICMP, some UDP, TCP/SYN
 use modified TCP connection handling
 use SYN cookies or encoded sequence # when table full
 or selective or random drop when table full
Attack Prevention
 block IP directed broadcasts
 block suspicious services & combinations
 manage application attacks with “puzzles” to distinguish
legitimate human requests: e.g., CAPTCHA
 good general system security practices: e.g., hardened
system
 use mirrored and replicated servers when highperformance and reliability required
Router Interfaces
Interfaces are named according to
their speeds:
 Ethernet = 10bT
 FastEthernet = 100bT
 GBICethernet or GbEthernet =
1000bT
 Serial = WAN CSU/DSU (with
command: clockrate 56000)
 0 or 1 = on fixed format routers this
is interface 0 or 1
 0/0 = On Modular routers (which
ours are) this is the first port on the
first card of the router...
 0/1 = Second port first card
 1/0 = second card first port
Example: On some routers you can
have the following interfaces:
 Ethernet 0
 FastEthernet 0/0
 FastEthernet 0/1
 FastEthernet 0/2
 FastEthernet 0/3
 GBICethernet 0/0
 GBICEthernet 1/0
Router Configuration
FastEthernet 0/0
Internet
In
Out
Ingress Filtering
Egress Filtering
Net
Filter
In
Net
Filter
Out
FastEthernet 0/1
LAN
Filter
In
LAN
Filter
Out
In
Out
LAN
Unicast Reverse Path Filtering
Ingress Filtering
Ingress Filtering: Filter packets coming from Internet into
the zoned network
 Protect against flooding, malicious activity from network
 Filter IP addresses: 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24,
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16,
224.0.0.0/4
 Unicast Reverse Path Filtering: Prevents spoofing.
 Further addresses listed at:
http://www.cymru.com/Documents/bogon-dd.html
Egress Filtering
 Egress Filtering: Filter packets leaving internal network or
zone towards internet
 Prevents spoof or other attacks from affecting other networks
Rules:
 Default Permit: “That which is not expressly forbidden is
permitted”
 Default Deny: “That which is not expressly permitted is
forbidden”
Which would be used for Ingress Filtering, Egress Filtering?
Unicast Reverse Path Forwarding
 Prevent Forgery/Spoofing: Block packets from outside with
source IP Addresses = inside
 Source addresses can be verified against the routing table,
by checking the IP address range from whence the packet
arrived
access-list 110 deny ip any any log-input
ip cef
#Enable Cicso Express Forwarding
interface Ethernet 0
ip verify unicast reverse-path 110
Direct Broadcast Filtering
 Disable broadcast destination IP addresses
no ip direct-broadcast
 Smurf attack: Send SYN to broadcast address – all reply
with SYN/ACK to origination IP address
Routing techniques
Black Hole Filtering:
Net Police Filter:
 Create routes to the null
 Prevents routes larger than 20 or
interface (null0) for specific IP
addresses
 E.g., Non-existent addresses
 Avoid looping: We forward all
128.n.n.n to you – but you don’t
have 128.37.64.25 and forward it
back to us.
24 bit masking
 Ensures routing table does not
get too big, thereby slowing
routing down
Other CISCO routing commands
If Routing configured well, turn off:
 ICMP Redirects: “Don’t send to me – I’ll send it back to you
anyway”
no ip redirects
 Source Routing: Source endpoint dictates packet’s route
no ip source-route
UWP Lab Configuration
 Border Router: Accepts or rejects based on IP/Port address
 Proxy: Application-level control: web & file transfer
 Switch: Routes to Subnet
 Router: Access to/from Subnet
Subnet
10.2.1.n
Subnet
10.3.1.n
R
o
u
t
e
r
R
o
u
t
e
r
10.1.1.22
10.1.1.1
S
w
it
c
h
10.1.1.23
Border
Router
Proxy
To Internet
10.1.1.3
IP Routing
 no ip direct-broadcast
 deny ip 0.0.0.0 0.255.255.255 any log
 ip verify unicast reverse-path
 permit ip any 10.2.1.0 0.0.0.255
 no ip source-route
 deny ip any 10.2.0.0 0.0.255.255 log
Src=10.3.1.1
Subnet
10.2.1.n
Dest=10.2.2.25
Dest=10.2.1.255
Subnet
10.3.1.n
R
o
u
t
e
r
R
o
u
t
e
r
10.1.1.22
10.1.1.1
S
w
it
c
h
Border
Router
To Internet
Dest=10.3.1.1
Proxy
10.1.1.23
Standard ACL format:
(Checks source IP addresses)
access-list <number> <permit/deny> <sourceIP> [wildcard]
 where <number> = 1-99 or 1300-1999
 Example: Checks that all outgoing packets from a subnet have
valid IP source addresses:
access-list 2 permit 220.10.5.0 0.0.0.255
access-list 2 permit 220.10.5.0/24 (same – not allowed)
 Example: Checks that all incoming packets from the network
have a valid source IP address (do not have an address with a
first byte of 10):
access-list 3 deny 10.0.0.0 0.255.255.255
Extended ACL format:
(Checks source & dest IP & Port addresses)
access-list <number> <permit/deny> <protocol>
<sourceIP> [wildcard] [src-port]
<destIP> [wildcard] [dest-port] [other-options]
 where <number> = 100-199 or 2000-2699
 Example: Do not allow any TCP packets with port numbers
between 135-139 (with ‘any’ source or destination IP addresses):
access-list 101 deny tcp any any range 135 139 log
 Example: Permit UDP packets to destination host 220.10.5.33
with destination port number 600:
access-list 102 permit udp any host 220.10.5.33 eq 600
Reflexive ACL format:
(Only allow outgoing sessions in this service)
 Uses a state table to track state of session. Uses more CPU and
memory than other formats. Works only with services that use a single
transport connection (e.g., not active FTP.) The following rule
requests that the state be tracked for the indicated connections:
<permit/deny> tcp <sourceIP> [wildcard] [port] <destination>
[wildcard] [port]
reflect <rulename>
 The following command indicates that reply sessions (not-initiated)
only are allowed in this direction:
SYN
Reflect
evaluate <rulename>
 Example: Only permit outgoing SSH sessions: Evaluate SYN-ACK
Out Direction: permit tcp any any eq 22 reflect ssh-filter
In Direction: evaluate ssh-filter
 Rules must be specified in a named access-list.
ACK
Router Interfaces
FastEthernet 0/0
In
FastEthernet 0/1
Router
Out
Network
Out
In
LAN/
Terminals
Each interface has rules for its input and output
Rules are processed in order. Therefore, most common
rules should be specified first for best performance.
If an ICMP message is returned to the TCP SSH connect
request, we won’t get it.
Named Access Lists:
(Grouped rules)
 An alternate way to specify rules is by grouping them into
an access-list, and naming the access list:
ip access-list extended FilterOut
permit tcp any any eq 22 reflect ssh-filter
deny tcp any eq ftp any range 0 1024
permit udp any host 192.168.2.5 eq ftp-data
deny udp any any range 0 1024
! (Note: all other access implicitly denied)
ip access-list extended FilterIn
evaluate ssh-filter
FilterOut
Named Access List
Definition
FilterIn Named Access
List
Associating an Access List with an
Interface
 The access-list is then associated with an interface:
interface FastEthernet 0/0
ip address 220.10.5.36 255.255.255.0
ip access-group FilterIn in
ip access-group FilterOut out
Cisco Router:
Access Control Lists
<permit/deny> <protocol>
<sourceIP> [wildcard] [src-port]
<destIP> [wildcard] [dest-port]
[other-options]
deny tcp any any range 135
139 log
permit udp any host
220.10.5.33 eq 600
<permit/deny> <sourceIP> [wildcard]
[port] <destination> [wildcard]
[port] reflect <rulename>
Example:
ip access-list extended FilterOut
permit tcp any any eq 22 reflect sshfilter
permit tcp any any eq 80
deny tcp any any range 0 1024
deny tcp any any gt 1024
deny udp any any range 0 1024
!
ip access-list extended FilterIn
evaluate ssh-filter
permit tcp any any eq 80
Example FilterOut
Evaluate for efficiency & protection:
ip access-list extended FilterOut
permit tcp 10.2.1.0 0.0.0.255 any reflect tcp-filter
permit udp 10.2.1.0 0.0.0.255 any reflect udp-filter
permit icmp 10.2.1.0 0.0.0.255 any reflect icmp-filter
evaluate smtp-filter
deny ip any any log
Router
Internet
in
out
out
in
Inner Network
Static versus Reflexive:
 Use static for absolutes: blocking private IP addresses, or
specific protocols: SNMP, ping. Static is faster than
Reflexives.
 E.g., permit tcp any any eq 80
 Use Reflexives when necessary: Outgoing connections only
are allowed.
 permit icmp 10.2.1.0 0.0.0.255 any reflect icmp-filter
 evaluate smtp-filter
Router Modes for User Interface
> enable
User
Mode
# configure
Privileged
Mode
# disable
Configuration
Mode
# (config)
exit
interface
router
…
User mode: User can view information but cannot change anything.
Router>
Privileged mode: Supports modifications to routing tables, use of test
and debug commands, and access to configuration modes.
 To enter and exit Privileged mode, use commands enable and disable.
Router> enable
Router# disable
Router Modes for User Interface
> enable
User
Mode
# configure
Privileged
Mode
# disable
Configuration
Mode
# (config)
exit
interface
router
…
Global configuration mode: Used to enter one-line configuration (or routing)
commands.
 To enter Configuration mode, use commands configure and exit. At console, specify
config terminal:
Router# config terminal
Router(config)#
 Configuration mode has a number of submodes: interface, router, subinterface,
controller, map-list, map-class, line.
Router(config)# interface ethernet 0
Router(config-if)# exit
Router(config)
Getting Help
 Tab: Complete command for me
 ?: Show commands, options
Example:
Router# clock ?
set Set the time and date
Router# clock set ?
Current Time (hh : mm : ss)
Configuration Files
Two configuration files exist:
1. RAM=running-config
2. NVRAM=startup-config
configure terminal
console
or VTerm
show running config
Running-config: What the erase startuprouter uses.
config
NVRAM
configure memory
 Commands to the config file
change this file. Beta test
copy running-config
all configurations before
Bit bucket
startup-config
storing to nonvolatile (NV)
copy tftp
startup-config
RAM: NVRAM.
copy tftp running-config
Startup-config: The file the
tftp server
router uses after it boots.
copy running-config
tftp
RAM
Table of CISCO Keywords in Routing
Commands
Keyword
access-list
any
banner
deny
description
eq
Meaning
Special Notes
Privileged mode: Establish a rule
Example:
Format for 1-99, 1300-1999:
access-list 3 deny any log
access-list <num> <permit/deny> <sourceIP> access-list 101 deny tcp any any
<wildcard>
range 135 139 log
Format for 100-199, 2000-2699:
See above.
Any IP address is accepted
Value = 255.255.255.255
Privileged mode:
Example:
Sets the default banner upon login
banner #
Access restricted to UWP system
administrators
#
ACL Command mode: Deny these packets
Example:
deny icmp any host 24.33.22.1
Interface Command mode:
Assign a description to an interface
Equal: Match a port address
Description Engineering LAN
Example:
deny tcp any any eq telnet
CISCO Table (2)
established
evaluate
host
hostname
Check to make sure SYN bit is not on. Example:
Use reflexive rules instead.
access-list 100 permit tcp any
any established
ACL Command mode: Check a Format:
reflexive rule. Ensure connection is evaluate <rule>
active before accepting packets.
Reflexive rule is created with ‘reflect’
keyword.
Check all bits: expect an exact match Value = 0.0.0.0
for IP address
Example:
deny
icmp
any
host
24.33.22.1
Config mode:
Changes name of router, and default
prompt.
interface
ip access-list
ip access-group
ip address
line
CISCO Table (3)
Privileged mode, sets Config mode
Example:
Define an interface. Can include a set of interface FastEthernet 0/0
commands ending with a
ip access-group 135 in
!
!
Privileged mode:
Example:
Establish a set of rules as an access-list
ip access-list extended filtrout
permit tcp any any
Privileged mode:
Example:
Match a rule or access list to a router port.
interface Ethernet0
ip access-group 135 in
!
This applies rule 135 to inward-bound
packets for the Ethernet0 interface
Config mode:
Example:
Assign an IP address to an interface.
ip address 129.33.22.44
Placed within interface ! command
Privileged mode, sets Line mode: Enter Example:
permitted methods to access router:
line vty 0 4
Aux, con, vty, …
See more extensive documentation for details
CISCO Table (4)
log
log-input
no ip <option>
Log any matches to this rule
Log-input: Also record layer 2 address
Privileged mode (usually): Disallow options:
directed-broadcast
source-route
finger
Example:
deny tcp any any eq 1024 log
Example:
no ip directed-broadcast
no ip source-route
no ip finger
permit
ACL command mode: Allow these packets
Example:
permit tcp any any eq 65
range
Match a port address to a range
reflect
Remark
Example:
range 135 139
ACL command mode: Specify a reflexive rule: permit
<protocol>
<sourceIP>
Save the state of the session relating to this <destIP> reflect <name>
protocol, source and dest IP address.
Check state when evaluate command specified
ACL command mode: Comment
remark This is a comment
CISCO Table (5)
show running-config
show startup-config
shutdown
no shutdown
tcp
udp
icmp-echo
telnet
ftp
ftp-data
Privileged Mode:
Show the currently active
configuration file.
Privileged Mode: Show the
configuration file that will become
active next time the router reboots.
Interface config mode:
Turns an interface off and back on.
Specific protocol name matches
Example:
permit tcp …
permit icmp …
A configuration
Subnet 10.2.1.n
Subnet 10.3.1.n
R
o
u
T
e
r
R
o
u
T
e
r
10.1.1.22
10.1.1.1
S
w
it
c
h
10.1.1.23
Main
Router
To Internet
Router Configuration
Eth 01: computer
Eth 00: network
Tty: terminal
The configuration we will set up is as follows:
10.1.1.22
10.2.1.2
Subnet
Router
10.2.1.3
10.3.1.2
10.3.1.3
Main
Router
Rest of World
10.2.1.1
10.1.1.1
Subnet
Router
10.3.1.1
Ethernet 0/1
10.1.1.23
Ethernet 0/0
Review
Attack name
Attack characteristics
Router/Firewall
Technique
Flood or DDOS Attack
If uses Spoofed address
ip verify unicast reversepath
Controlling flow
Reflection Attack
Uses spoofed address
ip verify unicast reversepath
Controlling flow
Amplification Attack
Uses Broadcast IP address
no ip direct-broadcast
Worm, Illegal packets
Invalid port or IP address
permit tcp any any eq 22
no ip source-route
Invalid port or IP address in
incoming direction
permit tcp 10.2.1.0
0.0.0.255 any reflect tcpfilter