IEOC - Internetwork Expert's Online Community

Latest post 08-15-2009 3:43 AM by toby. 2 replies.
  • 07-10-2009 2:58 AM

    Task 8.1 Dos Attack

    Hello All,

    I have solved this task with the following two-line access list, but I am not sure if it is correct. Does it fulfill the requirement of the task? "R8's network 191.1.8.0/24 is being used as a reflector for ICMP Smurf and UDP Fraggle attacks" configure R1 and R6 to filter out this attack.

    access-list 101 deny udp any 191.1.8.0 0.0.0.255 
    access-list 101 permit ip any any

    Is my solution correct?

    The solution guide is using:

    deny ip any host 191.1.8.255

    permit ip any any

    Why should we block all IP traffic instead of just UDP? (ICMP is also UDP traffic)

    Please, can you explain?

    Many Thanks in advance,

    • Post Points: 35
  • 07-20-2009 12:41 AM In reply to

    Re: Task 8.1 Dos Attack

    Hi

    No, ICMP is not UDP and would need a separate entry in the ACL.

    This would break the requirement of max 2 entries in ACL:

    access-list 101 deny icmp any 191.1.8.0 0.0.0.255
    access-list 101 deny udp any 191.1.8.0 0.0.0.255 
    access-list 101 permit ip any any

    With this ACL you would also block ICMP/UDP to any other IP in this range, including legitimate ping to 191.1.8.8 (and in real life perhaps some web servers in this range ;-))

    An alternative solution could be blocking ICMP and UDP separately, but this still breaks the requirement of max 2 entries in the ACL:
    access-list 101 deny icmp any host 191.1.8.255
    access-list 101 deny udp any host 191.1.8.255 
    access-list 101 permit ip any any

    So, the solution guide has the correct answer.

    Test: ping using ICMP and traceroute (IOS) using UDP
    BB3-2600#ping 191.1.8.8

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 191.1.8.8, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/41/44 ms
    BB3-2600#ping 191.1.8.255

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 191.1.8.255, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)
    BB3-2600#traceroute 191.1.8.8

    Type escape sequence to abort.
    Tracing the route to 191.1.8.8

      1 204.12.1.1 4 msec 0 msec 4 msec
      2 131.1.13.3 56 msec 68 msec 60 msec
      3 131.1.35.5 20 msec 24 msec 20 msec
      4 191.1.58.8 [AS 10000] 24 msec *  20 msec
    BB3-2600#traceroute 191.1.8.255

    Type escape sequence to abort.
    Tracing the route to 191.1.8.255

      1 204.12.1.1 !A  *  !A
    BB3-2600#

    Jon

    Jon Harald Bøvre, CCIE #25493 (SP)

    • Post Points: 5
  • 08-15-2009 3:43 AM In reply to

    Re: Task 8.1 Dos Attack

    Hi baria,

    I thought I would share the solution I used:

    Example on R6:
    --------------

    access-list 100 permit icmp any host 191.1.8.255 echo
    access-list 100 permit udp any host 191.1.8.255 eq echo
    !
    route-map DOS_PREVENTION permit 10
     match ip address 100
     set interface Null0
    !
    interface FastEthernet1/0
     ip address 204.12.1.1 255.255.255.0
     ip policy route-map DOS_PREVENTION
    !

    Now, technically, I think this should achieve the Task goal.

    However, I noticed that it violates the "Lab Do's and Don'ts". Oooppsss...!

    Just thought I would share my mistake. :-)

    BR
    Toby

    • Post Points: 5
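    The ACL semantics that Jon's reply and Toby's route-map both turn on, as an added example that is not part of the thread: a small Python first-match simulator for the subset of IOS extended-ACL syntax used above (wildcard masks, `host`, `any`, `eq echo`, a trailing ICMP type keyword, implicit deny at the end). It evaluates the original poster's ACL 101, the solution guide's two entries and Toby's ACL 100 (modelled as "set to Null0 whenever ACL 100 permits") against four constructed packets: ICMP echo and UDP port 7 aimed at the directed-broadcast address 191.1.8.255, plus the legitimate ping and UDP traceroute to 191.1.8.8 that Jon used as his check. The source address is a placeholder and the parser only covers the keywords seen on this page.

```python
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple
import ipaddress

PORT_NAMES = {"echo": 7}  # IOS port-name keyword used in the thread ("eq echo")


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # UDP destination port
    icmp_type: Optional[str] = None   # ICMP type name such as "echo"


@dataclass(frozen=True)
class ACE:
    permit: bool
    proto: str                        # "ip" matches any protocol
    src: Tuple[str, str]              # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None       # from "eq <port>"
    icmp_type: Optional[str] = None   # from a trailing ICMP type keyword


def wildcard_match(addr: str, net_wc: Tuple[str, str]) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr,) + net_wc)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'any' | 'host A' | 'A W' starting at t[i]; return the spec and the next index."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_ace(line: str) -> ACE:
    """Parse one entry, with or without the leading 'access-list <n>'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    rest, dport, icmp_type = t[i:], None, None
    if t[1] == "udp" and rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif t[1] == "icmp" and rest:
        icmp_type = rest[0]
    return ACE(t[0] == "permit", t[1], src, dst, dport, icmp_type)


def ace_matches(ace: ACE, p: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == p.proto)
            and wildcard_match(p.src, ace.src) and wildcard_match(p.dst, ace.dst)
            and (ace.dport is None or ace.dport == p.dport)
            and (ace.icmp_type is None or ace.icmp_type == p.icmp_type))


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, p):
            return "permit" if ace.permit else "deny"
    return "deny"


# The three candidate filters from the thread, verbatim.
OP_ACL = ["access-list 101 deny udp any 191.1.8.0 0.0.0.255",
          "access-list 101 permit ip any any"]
GUIDE_ACL = ["deny ip any host 191.1.8.255",
             "permit ip any any"]
TOBY_ACL_100 = ["access-list 100 permit icmp any host 191.1.8.255 echo",
                "access-list 100 permit udp any host 191.1.8.255 eq echo"]


def pbr_null0(p: Packet) -> str:
    """Toby's route-map: whatever ACL 100 permits is set to Null0, i.e. dropped."""
    return "dropped" if evaluate(TOBY_ACL_100, p) == "permit" else "forwarded"


# Constructed sample traffic (source address is a placeholder): the two reflector
# probes aimed at the directed-broadcast address, and the two legitimate flows
# Jon used to verify (ping, and IOS traceroute, which sends UDP probes).
SRC = "198.51.100.7"
SAMPLES = {
    "smurf icmp echo -> .255": Packet("icmp", SRC, "191.1.8.255", icmp_type="echo"),
    "fraggle udp/7 -> .255":   Packet("udp", SRC, "191.1.8.255", dport=7),
    "ping -> .8":              Packet("icmp", SRC, "191.1.8.8", icmp_type="echo"),
    "traceroute udp -> .8":    Packet("udp", SRC, "191.1.8.8", dport=33434),
}


def compare_all() -> Dict[str, Tuple[str, str, str]]:
    """Verdict per sample under (poster's ACL 101, solution-guide ACL, Toby's PBR)."""
    return {label: (evaluate(OP_ACL, p), evaluate(GUIDE_ACL, p), pbr_null0(p))
            for label, p in SAMPLES.items()}
```

    Calling `compare_all()` shows the point of the two replies in one table: the poster's ACL 101 lets the ICMP smurf probe through (`permit`) while denying the UDP traceroute to the legitimate host 191.1.8.8, because its wildcard covers the whole /24 but only one protocol; the guide's single `deny ip any host 191.1.8.255` drops both reflector probes and nothing else; Toby's route-map reaches the same verdicts, but only for ICMP echo and UDP port 7, so other UDP traffic to the broadcast address would still be forwarded.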