SoFunction
Updated on 2025-04-12

Cisco routers prevent distributed denial of service attacks

1. Use the ip verify unicast reverse-path interface command

This feature checks every packet arriving at the router. For each packet the router looks up the packet's source IP address in its CEF (Cisco Express Forwarding) table and checks that the best return path to that source leaves through the interface on which the packet arrived; if it does not, or if there is no route to the source at all, the router discards the packet. For example, if a router receives a packet with source address 1.2.3.4 on an interface and the CEF table holds no route to 1.2.3.4 through that interface (that is, no route for the reverse path a reply would take), the packet is dropped.

Unicast Reverse Path Forwarding (Unicast RPF) lets an ISP block, at its customer-facing edge, SMURF attacks and other attacks that depend on forged (spoofed) source IP addresses. This protects both the network and its customers from attacks launched from other parts of the Internet. Using Unicast RPF requires that "CEF switching" or "CEF distributed switching" be enabled on the router. The input interface itself does not have to be configured for CEF switching: as long as CEF is enabled on the router, individual interfaces can run other switching modes. Unicast RPF is an input feature, enabled on an interface or subinterface, that acts on packets received by the router. Because this (strict) check requires the return path to use the arriving interface, it drops legitimate traffic where routing is asymmetric, so it belongs on single-homed customer-facing interfaces rather than on multihomed or core links.

CEF must be enabled on the router, because Unicast RPF depends on it. Unicast RPF is included in Cisco IOS 12.0 and later releases that support CEF; it is not available in Cisco IOS 11.2 or 11.3.
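The following configuration is an added example, not part of the original article: it enables CEF, turns on strict Unicast RPF on a customer-facing interface, and lists the show commands used to confirm the feature is active and to count the packets it drops. The interface names GigabitEthernet0/0 and GigabitEthernet0/1, the description text and the address 203.0.113.1/30 are assumptions.

```cisco
! Added example, not from the original article.
! Assumed topology: Gi0/1 faces a single-homed customer, Gi0/0 faces the ISP core.
!
! 1. Unicast RPF depends on CEF, so enable it globally first.
ip cef
!
! 2. Enable strict Unicast RPF on the customer-facing interface only.
!    Strict mode drops any packet whose source address is not reachable
!    back through this same interface, so it must not be applied where
!    return traffic may take another path (asymmetric routing,
!    multihomed customers, core links).
interface GigabitEthernet0/1
 description customer edge (single-homed)
 ip address 203.0.113.1 255.255.255.252
 ip verify unicast reverse-path
!
! On IOS releases that use the newer syntax the equivalent strict-mode
! command is:
!   ip verify unicast source reachable-via rx
! and "reachable-via any" gives loose mode (the source only has to exist
! somewhere in the FIB), which is the safe choice on multihomed or core links.
!
! 3. Verify. "show ip interface" reports whether the check is enabled on
!    the interface and how many packets it has dropped; "show ip traffic"
!    includes unicast RPF drops in its IP drop statistics.
end
show ip interface GigabitEthernet0/1
show ip traffic
```

If the verification-drop counter climbs during normal operation, the interface is seeing legitimate traffic whose return path does not use it; switch that interface to loose mode (or remove the check there) rather than leaving strict mode to discard customer traffic.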

2. Use an access control list (ACL) to filter all addresses listed in RFC 1918 (private address space)

Refer to the following example:

! RFC 1918 addresses are private and never valid as a source on the Internet,
! so anything claiming one is forged. Define the list, then apply it inbound.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
!
interface xy
 ip access-group 101 in

3. Use access control lists (ACLs) to filter inbound and outbound traffic as described in RFC 2267 (since superseded by RFC 2827, BCP 38)

Refer to the following example:

{ISP core} -- ISP edge router -- customer edge router -- {customer network}

The ISP edge router should accept from the customer only traffic whose source address belongs to the customer network, while the customer network should accept from outside only traffic whose source address does not belong to the customer network. The following is an example ACL for the ISP edge router:

! Inbound from the customer: only the customer's own address range may be the source.
access-list 190 permit ip {customer network} {customer network mask} any
access-list 190 deny ip any any [log]
!
interface {customer-facing network interface} {network interface number}
 ip access-group 190 in

Here is an example ACL for the customer edge router:

! Inbound from the Internet: nothing may claim a source inside our own network.
access-list 187 deny ip {customer network} {customer network mask} any
access-list 187 permit ip any any
! Outbound: only packets sourced from our own network may leave.
access-list 188 permit ip {customer network} {customer network mask} any
access-list 188 deny ip any any
!
interface {external network interface} {network interface number}
 ip access-group 187 in
 ip access-group 188 out

If CEF is enabled, Unicast RPF can replace much of this source-address filtering, which keeps the access control lists short and improves router performance. To support Unicast RPF you only need CEF enabled on the router as a whole; the interface on which the check is enabled does not itself need to be CEF-switched.
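The following is an added example, not from the original article, that fills in the placeholders of sections 2 and 3 for one customer edge router: a single inbound list that drops both RFC 1918 sources and packets forged with the customer's own addresses, and an outbound list that lets only the customer's addresses leave. The customer prefix 203.0.113.0/24 (documentation address space), the uplink name Serial0/0 and the description text are assumptions.

```cisco
! Added example, not from the original article.
! Assumed: customer network 203.0.113.0/24, uplink Serial0/0 toward the ISP.
!
! Inbound from the Internet: drop RFC 1918 sources (section 2) and drop
! packets that claim to come from our own network (section 3); neither
! can legitimately arrive from outside. Log the forged-own-address hits
! so an attack shows up in the router log.
access-list 187 deny   ip 10.0.0.0    0.255.255.255 any
access-list 187 deny   ip 172.16.0.0  0.15.255.255  any
access-list 187 deny   ip 192.168.0.0 0.0.255.255   any
access-list 187 deny   ip 203.0.113.0 0.0.0.255     any log
access-list 187 permit ip any any
!
! Outbound to the Internet: only our own addresses may leave, so hosts
! on the LAN cannot source spoofed floods at others (egress filtering).
access-list 188 permit ip 203.0.113.0 0.0.0.255 any
access-list 188 deny   ip any any log
!
interface Serial0/0
 description uplink to ISP
 ip access-group 187 in
 ip access-group 188 out
!
! Each entry carries a match counter, so the lists can be checked
! against live traffic.
end
show access-lists 187
show access-lists 188
```

The log keyword is useful for spotting spoofed traffic, but logging is process-switched and a large flood of logged denies can load the router CPU; under attack, rate-limit logging (for example with the logging rate-limit command) or remove log from the busiest entry. Note also that an outbound ACL does not filter packets the router itself generates.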

4. Use CAR (Committed Access Rate) to limit the rate of ICMP packets

Refer to the following example:

! Limit ICMP echo-reply (the traffic a SMURF attack amplifies toward the victim)
! leaving this interface to 3 Mbit/s. The rate is in bits per second; the normal
! burst (512000) and extended burst (786000) are in bytes.
access-list 2020 permit icmp any any echo-reply
!
interface xy
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

5. Limit the rate of SYN packets

! ACL 153 matches only packets of established TCP connections (ACK or RST set),
! so ACL 152 is left matching the SYNs that open new connections.
access-list 152 permit tcp any host {web server} eq www
access-list 153 permit tcp any host {web server} eq www established
!
interface {int}
 ! Established traffic is allowed up to the link rate ...
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 ! ... while SYNs are capped far below it. Entries are checked in order, so 153 stays first.
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

When applying this in practice, the values must be adjusted and replaced:

45000000 is the maximum bandwidth of the link.

1000000 should be a value between 30% and 50% of the measured SYN flood rate.

Replace the two burst values (burst normal and burst max) with values that are accurate for your network.

Note that if the burst rate is set above 30%, many legitimate SYN packets may be dropped. Use the "show interfaces rate-limit" command to view the conformed and exceeded rates on the interface; this helps in choosing an appropriate burst rate. The goal when setting this SYN rate limit is to disrupt normal traffic as little as possible.

Warning: It is generally recommended to measure the SYN packet rate while the network is operating normally and to use that value as the reference when tuning the limit. Make sure the network really is in a normal state during the measurement; otherwise the baseline will be badly off.

In addition, consider installing a host-based IP filtering toolkit such as IP Filter on hosts that are likely targets of SYN attacks.
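The following is an added example, not from the original article, that carries the procedure of sections 4 and 5 through on one interface: install the ICMP and SYN classifiers with exceed-action transmit so that CAR counts traffic in each class without dropping anything, read the counters with show interfaces rate-limit to establish the normal baseline, and only then switch the exceed action to drop. The server address 203.0.113.10, the interface GigabitEthernet0/1 and the 100 Mbit/s link rate are assumptions.

```cisco
! Added example, not from the original article.
! Assumed: the protected web server is 203.0.113.10 behind
! GigabitEthernet0/1, and that link runs at 100 Mbit/s.
!
! Classifiers. ACL 153 matches only packets of established TCP
! connections (ACK or RST set), so ACL 152 is left matching the SYNs
! that open new connections. ACL 2020 matches the ICMP echo-replies a
! SMURF attack amplifies.
access-list 152 permit tcp any host 203.0.113.10 eq www
access-list 153 permit tcp any host 203.0.113.10 eq www established
access-list 2020 permit icmp any any echo-reply
!
! Step 1 - measure before dropping anything. With exceed-action
! transmit, CAR still keeps per-class conformed/exceeded counters but
! forwards every packet, so the trial rates can be checked against real
! traffic. The established-connection entry must stay first: a SYN never
! matches it and falls through to the SYN entry.
interface GigabitEthernet0/1
 rate-limit output access-group 153 100000000 100000 100000 conform-action transmit exceed-action transmit
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action transmit
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action transmit
end
!
! Reset the counters, let normal traffic run for a representative
! period, then read them back. Each entry reports conformed and
! exceeded packets/bytes and the measured bps for its class; the SYN
! entry's total during normal operation is the baseline the article
! says to measure.
clear counters GigabitEthernet0/1
show interfaces GigabitEthernet0/1 rate-limit
!
! Step 2 - enforce. Keep the SYN limit above the measured normal SYN
! load (the article's rule of thumb is 30-50% of the rate seen during a
! flood) and switch exceed-action to drop. The no form is written with
! the same parameters as the entry being removed.
configure terminal
interface GigabitEthernet0/1
 no rate-limit output access-group 153 100000000 100000 100000 conform-action transmit exceed-action transmit
 no rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action transmit
 no rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action transmit
 rate-limit output access-group 153 100000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
end
```

If the exceeded counter of the established-connection class rises during the measurement period, the burst values are too small for the link and should be raised before the drop action is enabled; otherwise legitimate data transfers, not only SYNs, will be discarded once the limit is enforced.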

6. Collect evidence and contact the relevant cybersecurity department or organization

If possible, capture the attack packets for analysis. Use a Sun workstation or a fast Linux machine for the capture. Commonly used capture tools are tcpdump and snoop; their basic syntax is:

tcpdump -i interface -s 1500 -w capture_file

snoop -d interface -o capture_file -s 1500

These examples assume an MTU of 1500 bytes; if the MTU is larger, raise the -s value accordingly (with current tcpdump, -s 0 captures whole packets whatever the MTU). Capturing during a flood can itself lose packets, so write the capture to a fast local disk rather than across the network. Provide the captured packets and router logs as evidence to the relevant cybersecurity department or agency.

Article entry: csh     Editor in charge: csh