Task 8.1 DoS Attack

Hello All,

I have solved this task with the following two-line access list, but I am not sure if it is correct. Does it fulfill the requirement of the task? "R8's network 191.1.8.0/24 is being used as a reflector for ICMP Smurf and UDP Fraggle attacks" configure R1 and R6 to filter out this attack.

access-list 101 deny udp any 191.1.8.0 0.0.0.255 
access-list 101 permit ip any any

Is my solution correct?

The solution guide is using:

deny ip any host 191.1.8.255

permit ip any any

Why should we prevent all IP traffic instead of just UDP? (ICMP is also UDP traffic)

Please, can you explain?

Many Thanks in advance,

Comments

  • jonbov ✭✭

    Hi

    No, ICMP is not UDP and would need a separate entry in ACL

    This would break the requirement of max 2 entries in ACL:

    access-list 101 deny icmp any 191.1.8.0 0.0.0.255
    access-list 101 deny udp any 191.1.8.0 0.0.0.255 
    access-list 101 permit ip any any

    With this ACL you would also block ICMP/UDP to any other IP in this range, including legitimate ping to 191.1.8.8 (and in real life perhaps some web servers in this range ;) )

    Alternative solution could be blocking icmp and UDP separately, but this still breaks the req. of max 2 entries of ACL:
    access-list 101 deny icmp any host 191.1.8.255
    access-list 101 deny udp any host 191.1.8.255 
    access-list 101 permit ip any any

    So - Solution guide has correct answer.

    Test: Ping using ICMP and Traceroute(IOS) using UDP
    BB3-2600#ping 191.1.8.8

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 191.1.8.8, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/41/44 ms
    BB3-2600#ping 191.1.8.255

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 191.1.8.255, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)
    BB3-2600#traceroute 191.1.8.8

    Type escape sequence to abort.
    Tracing the route to 191.1.8.8

      1 204.12.1.1 4 msec 0 msec 4 msec
      2 131.1.13.3 56 msec 68 msec 60 msec
      3 131.1.35.5 20 msec 24 msec 20 msec
      4 191.1.58.8 [AS 10000] 24 msec *  20 msec
    BB3-2600#traceroute 191.1.8.255

    Type escape sequence to abort.
    Tracing the route to 191.1.8.255

      1 204.12.1.1 !A  *  !A
    BB3-2600#

    Jon
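
An added example, not part of the thread or the solution guide: a simplified first-match model of IOS extended ACLs (protocol and address matching only, no port or ICMP-type qualifiers) that runs the poster's ACL and the solution guide's ACL against four constructed packets. The source address 204.12.1.254 and all function names are assumptions made for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume an IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip(tokens[1]), 0), tokens[2:]
    return (ip(tokens[0]), ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse '[access-list N] permit|deny PROTO SRC DST'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src, t = parse_addr(t[2:])
    dst, t = parse_addr(t)
    return action, proto, src, dst

def addr_match(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
    return (ip(addr) & care) == (base & care)

def evaluate(acl_lines, proto, src, dst):
    """First match wins; IOS ends every ACL with an implicit deny."""
    for line in acl_lines:
        action, p, s, d = parse_ace(line)
        if p in ("ip", proto) and addr_match(s, src) and addr_match(d, dst):
            return action
    return "deny"

ACLS = {
    "poster": ["access-list 101 deny udp any 191.1.8.0 0.0.0.255",
               "access-list 101 permit ip any any"],
    "guide": ["deny ip any host 191.1.8.255", "permit ip any any"],
}
# Constructed test packets: (protocol, source, destination)
SMURF = ("icmp", "204.12.1.254", "191.1.8.255")
FRAGGLE = ("udp", "204.12.1.254", "191.1.8.255")
PING_R8 = ("icmp", "204.12.1.254", "191.1.8.8")
TRACE_R8 = ("udp", "204.12.1.254", "191.1.8.8")

def verdicts(name):
    return [evaluate(ACLS[name], *p) for p in (SMURF, FRAGGLE, PING_R8, TRACE_R8)]
```

`verdicts("poster")` shows the ICMP broadcast still permitted and unicast UDP to 191.1.8.8 denied, while `verdicts("guide")` denies both broadcast packets and permits both unicast ones, matching the ping and traceroute results in the comment above.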

  • Hi baria,

    I thought I would share the solution I used:

    Example on R6:
    --------------

    access-list 100 permit icmp any host 191.1.8.255 echo
    access-list 100 permit udp any host 191.1.8.255 eq echo
    !
    route-map DOS_PREVENTION permit 10
     match ip address 100
     set interface Null0
    !
    interface FastEthernet1/0
     ip address 204.12.1.1 255.255.255.0
     ip policy route-map DOS_PREVENTION
    !

    Now, technically, I think this should achieve the Task goal.

    However, I noticed that it violates the "Lab Do's and Don'ts". Oooppsss...!

    Just thought I would share my mistake. :-)

    BR
    Toby
