Read: Chapter 8 – Denial of Service

First Edition
by William Stallings and Lawrie Brown

Lecture slides by Susan Lincke & Lawrie Brown
The student shall be able to:
- Define and describe the advantage of ingress filtering, egress filtering, black hole filtering, direct broadcast filtering, unicast reverse path forwarding.
- Write CISCO commands to (for example):
  - Prevent TCP packets with port numbers ranging between 135 to 139 into the network from or to any IP address and log any violations.
  - Write two commands to establish a state-driven evaluation that allows only outgoing TCP connections to be established.
  - Write ACLs in the correct order to configure a secure and efficient
- Save the active configuration to non-volatile memory.
Classic Denial of Service Attacks
- can use simple flooding ping
- from higher capacity link to lower
- causing loss of traffic
- source of flood traffic easily identified
TCP Connection Handshake (diagram)
SYN Spoofing
- common attack
- attacks ability of a server to respond to future connection
- overflowing tables used to manage them
- hence an attack on system resource
SYN Spoofing Attack (diagram)
Types of Flooding Attacks
- classified based on network protocol used
- ICMP Flood
  - uses ICMP packets, e.g. echo request
  - typically allowed through, some required
- UDP Flood
  - alternative uses UDP packets to some port
- TCP SYN Flood
  - uses TCP SYN (connection request) packets
  - but for volume attack
DDoS Control Hierarchy (diagram)
Distributed Denial of Service Attacks
- have limited volume if single source used
- multiple systems allow much higher traffic volumes to form a Distributed Denial of Service (DDoS) Attack
- often compromised PCs / workstations
  - zombies with backdoor programs installed
  - forming a botnet
- e.g. Tribe Flood Network (TFN), TFN2K
Reflection Attacks
- further variation creates a self-contained loop between intermediary and target
- fairly easy to filter and block
Amplification Attacks (diagram: send to broadcast IP address)
DoS Attack Defenses
- high traffic volumes may be legitimate
  - result of high publicity, e.g. “slash-dotted”
  - or to a very popular site, e.g. Olympics etc.
- or legitimate traffic created by an attacker
- three lines of defense against (D)DoS:
  - attack prevention and preemption
  - attack detection and filtering
  - attack source traceback and identification
Attack Prevention
- block spoofed source addresses
  - on routers as close to source as possible
  - still far too rarely implemented
- rate controls in upstream distribution nets
  - slow down the originator or ‘upstream’
  - e.g. some packet types: ICMP, some UDP, TCP/SYN
- use modified TCP connection handling
  - use SYN cookies when table full
  - or selective or random drop when table full
Attack Prevention
- block IP directed broadcasts
- block suspicious services & combinations
- manage application attacks with “puzzles” to distinguish legitimate human requests
- good general system security practices
- use mirrored and replicated servers when high performance and reliability required
Router Interfaces
Interfaces are named according to their speeds:
- Ethernet = 10bT
- FastEthernet = 100bT
- GBICethernet or GbEthernet = 1000bT
- Serial = WAN CSU/DSU (with command: clockrate 56000)
- 0 or 1 = on fixed-format routers this is interface 0 or 1
- 0/0 = on modular routers (which ours are) this is the first port on the first card of the router...
  - 0/1 = second port, first card
  - 1/0 = second card, first port
Example: On some routers you can have the following interfaces: Ethernet 0, FastEthernet 0/0, FastEthernet 0/1, FastEthernet 0/2, FastEthernet 0/3, GBICethernet 0/0, GBICEthernet 1/0
Router Configuration
(Diagram: a router with interfaces FastEthernet 0/0 and FastEthernet 0/1. Each interface carries an inbound and an outbound filter: a Net Filter In/Out on the Internet side and a LAN Filter In/Out on the LAN side. The labels Ingress Filtering, Egress Filtering and Unicast Reverse Path Filtering mark where each technique applies.)
Ingress Filtering
Ingress Filtering: Filter packets coming from the Internet into the zoned network
- Protect against flooding, malicious activity from network
- Filter IP addresses:
- Further addresses listed at:
Egress Filtering
- Egress Filtering: Filter packets leaving the internal network or zone towards the Internet
- Prevents spoof or other attacks from affecting other networks

- Default Permit: “That which is not expressly forbidden is
- Default Deny: “That which is not expressly permitted is
Which would be used for Ingress Filtering, Egress Filtering?
Unicast Reverse Path Forwarding
- Prevent forgery/spoofing: block packets from outside with source IP addresses = inside
- Source addresses can be verified against the routing table, by checking the IP address range from whence the packet

    access-list 110 deny ip any any log-input
    ip cef                     ! Enable Cisco Express Forwarding (uRPF requires CEF)
    interface Ethernet 0
      ip verify unicast reverse-path 110
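The routing-table check described above, as an added Python model (not from the slides or from Cisco IOS): a longest-prefix lookup of each packet's source address, with strict mode requiring the best route back to the source to point out the arriving interface and, going beyond the slide, the loose variant that only requires some non-null route. The routing table, interface names and sample packets are constructed.

```python
import ipaddress

# Constructed routing table in the style of the lab router:
# (prefix, egress interface). Addresses are illustrative, not from the slides.
ROUTES = [
    ("10.2.1.0/24", "FastEthernet0/1"),   # internal subnet
    ("10.3.1.0/24", "FastEthernet0/1"),   # internal subnet
    ("192.0.2.0/24", "Null0"),            # black-holed: route to the null interface
    ("0.0.0.0/0", "FastEthernet0/0"),     # default route towards the Internet
]

def lookup(table, addr):
    """Longest-prefix match, as the forwarding table does for a destination;
    uRPF applies the same lookup to the *source* address instead."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(table, ingress_iface, src, strict=True):
    """True if the packet passes the reverse-path check.
    strict: the best route back to src must leave via the ingress interface
            (the slide's 'ip verify unicast reverse-path').
    loose : any non-null route to src is enough (assumed extension)."""
    route = lookup(table, src)
    if route is None or route[1] == "Null0":
        return False            # unroutable or black-holed source: drop
    if strict:
        return route[1] == ingress_iface
    return True

def filter_packets(table, packets, strict=True):
    """packets: list of (ingress_iface, src, dst). Returns the dropped ones."""
    return [p for p in packets if not urpf_check(table, p[0], p[1], strict)]

# Constructed sample traffic: an inside host talking out, an inside address
# arriving from the Internet side (spoofed), a normal Internet source, and a
# source inside the black-holed prefix.
SAMPLE = [
    ("FastEthernet0/1", "10.2.1.7", "198.51.100.5"),
    ("FastEthernet0/0", "10.2.1.7", "10.3.1.9"),       # spoofed inside address
    ("FastEthernet0/0", "198.51.100.5", "10.2.1.7"),
    ("FastEthernet0/0", "192.0.2.44", "10.2.1.7"),     # black-holed prefix
]

if __name__ == "__main__":
    for pkt in filter_packets(ROUTES, SAMPLE):
        print("uRPF drop:", pkt)
```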
Direct Broadcast Filtering
- Disable broadcast destination IP addresses:
    no ip directed-broadcast
- Smurf attack: Send SYN to broadcast address – all reply with SYN/ACK to origination IP address
Routing techniques
Black Hole Filtering:
- Create routes to the null interface (null0) for specific IP addresses
- Avoid looping: we forward all 128.n.n.n to you – but you don’t have it and forward it back to us.
Net Police Filter:
- Prevents routes larger than 20 or 24 bit masking
- Ensures routing table does not get too big, thereby slowing routing down
Other CISCO routing commands
If routing is configured well, turn off:
- ICMP Redirects: “Don’t send to me – I’ll send it back to you”
    no ip redirects
- Source Routing: Source endpoint dictates packet’s route
    no ip source-route
UWP Lab Configuration
- Border Router: accepts or rejects based on IP/port address
- Proxy: application-level control: web & file transfer
- Switch: routes to subnet
- Router: access to/from subnet

(Diagram: Subnet 10.2.1.n and Subnet 10.3.1.n – Switch – Router – Proxy – Border Router – To Internet)

IP Routing
    no ip directed-broadcast            deny ip any log
    ip verify unicast reverse-path      permit ip any
    no ip source-route                  deny ip any log

(Diagram: the same topology annotated with Dest= addresses at the subnet, the router and the border router)
Standard ACL format:
(Checks source IP addresses)
    access-list <number> <permit/deny> <sourceIP> [wildcard]
- where <number> = 1-99 or 1300-1999
- Example: Checks that all outgoing packets from a subnet have valid IP source addresses:
    access-list 2 permit
    access-list 2 permit (same – not allowed)
- Example: Checks that all incoming packets from the network have a valid source IP address (do not have an address with a first byte of 10):
    access-list 3 deny

Extended ACL format:
(Checks source & dest IP & port addresses)
    access-list <number> <permit/deny> <protocol> <sourceIP> [wildcard] [src-port] <destIP> [wildcard] [dest-port] [other-options]
- where <number> = 100-199 or 2000-2699
- Example: Do not allow any TCP packets with port numbers between 135-139 (with ‘any’ source or destination IP addresses):
    access-list 101 deny tcp any any range 135 139 log
- Example: Permit UDP packets to destination host with destination port number 600:
    access-list 102 permit udp any host eq 600
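An added Python model of the two ACL formats above (not Cisco's code): it parses standard and extended numbered entries, including wildcard masks, host/any and the eq/gt/range port operators, and applies first-match semantics with the implicit deny at the end. The host address 10.2.1.20 and the extra entries are constructed to fill in what the slide elides.

```python
import ipaddress
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80}
ANY = (0, 0xFFFFFFFF)      # base 0, wildcard all-ones: every address matches

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))
def parse_addr(tok):
    # Address spec is 'any' | 'host A' | 'A WILDCARD'; returns ((base, wild), rest)
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (to_int(tok[1]), 0), tok[2:]
    return (to_int(tok[0]), to_int(tok[1])), tok[2:]
def parse_port(tok):
    # Optional port operator: eq N | gt N | range A B (port names allowed)
    if not tok or tok[0] not in ("eq", "gt", "range"):
        return None, tok
    n = 2 if tok[0] == "range" else 1
    vals = [int(PORT_NAMES.get(t, t)) for t in tok[1:1 + n]]
    return (tok[0], vals), tok[1 + n:]

def parse_ace(line):
    # One 'access-list <num> <permit|deny> ...' entry; the number picks the format
    tok = line.split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    ace = {"action": action, "log": "log" in rest, "sport": None, "dport": None}
    if 1 <= num <= 99 or 1300 <= num <= 1999:          # standard: source only
        ace["proto"], ace["src"], ace["dst"] = "ip", parse_addr(rest)[0], ANY
    else:                                               # extended
        ace["proto"], rest = rest[0], rest[1:]
        ace["src"], rest = parse_addr(rest)
        ace["sport"], rest = parse_port(rest)
        ace["dst"], rest = parse_addr(rest)
        ace["dport"], rest = parse_port(rest)
    return ace

def addr_match(spec, addr):
    base, wild = spec                 # a set wildcard bit means "don't care"
    return (to_int(addr) & ~wild) == (base & ~wild)
def port_match(spec, port):
    if spec is None:
        return True
    op, v = spec
    return (op == "eq" and port == v[0]) or (op == "gt" and port > v[0]) \
        or (op == "range" and v[0] <= port <= v[1])

def evaluate(acl, proto, src, sport, dst, dport):
    # First matching entry wins; falling off the end is the implicit deny
    for a in acl:
        if a["proto"] in ("ip", proto) and addr_match(a["src"], src) \
                and port_match(a["sport"], sport) \
                and addr_match(a["dst"], dst) and port_match(a["dport"], dport):
            return a["action"], a["log"]
    return "deny", False

# Constructed ACL: the slides' 135-139 rule first, then illustrative entries
ACL_101 = [parse_ace(l) for l in (
    "access-list 101 deny tcp any any range 135 139 log",
    "access-list 101 permit udp any host 10.2.1.20 eq 600",
    "access-list 101 permit tcp any any eq ssh",
)]
```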
Reflexive ACL format:
(Only allow outgoing sessions in this service)
- Uses a state table to track the state of a session. Uses more CPU and memory than other formats. Works only with services that use a single transport connection (e.g., not active FTP). The following rule requests that the state be tracked for the indicated connections:
    <permit/deny> tcp <sourceIP> [wildcard] [port] <destination> [wildcard] [port] reflect <rulename>
- The following command indicates that reply sessions (not-initiated) only are allowed in this direction:
    evaluate <rulename>
- Example: Only permit outgoing SSH sessions:
    permit tcp any any eq 22 reflect ssh-filter
    evaluate ssh-filter
- Rules must be specified in a named access-list.
Router Interfaces
(Diagram: FastEthernet 0/0 faces the Network, FastEthernet 0/1 faces the LAN; each interface has an In and an Out direction.)

Each interface has rules for its input and output.
Rules are processed in order. Therefore, the most common rules should be specified first for best performance.
If an ICMP message is returned to the TCP SSH connect request, we won’t get it.
Named Access Lists:
(Grouped rules)
- An alternate way to specify rules is by grouping them into an access-list, and naming the access list:
    ip access-list extended FilterOut          ! FilterOut named access list
     permit tcp any any eq 22 reflect ssh-filter
     deny tcp any eq ftp any range 0 1024
     permit udp any host eq ftp-data
     deny udp any any range 0 1024
     ! (Note: all other access implicitly denied)
    ip access-list extended FilterIn           ! FilterIn named access list
     evaluate ssh-filter
Associating an Access List with an
- The access-list is then associated with an interface:
    interface FastEthernet 0/0
     ip address
     ip access-group FilterIn in
     ip access-group FilterOut out
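The FilterOut/FilterIn pair above as an added Python simulation (not from the slides or from IOS): "reflect" records each permitted outbound SSH flow in a state table and "evaluate" admits only the mirror image of a recorded flow, so unsolicited inbound SSH, a reply aimed at the wrong client port, and the ICMP error mentioned on the Router Interfaces slide all fall to the implicit deny. Addresses and ports in the sample traffic are constructed.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")

class ReflexiveFilter:
    """Models the slide's pair of named lists:
         FilterOut: permit tcp any any eq 22 reflect ssh-filter
         FilterIn : evaluate ssh-filter
    The state table holds the outbound flows seen; 'evaluate' admits only their
    mirror images. (Real IOS entries also age out after an idle timeout.)"""

    def __init__(self, reflect_dport=22, name="ssh-filter"):
        self.reflect_dport = reflect_dport
        self.name = name
        self.state = {}          # rulename -> set of (proto, src, sport, dst, dport)

    def filter_out(self, p):
        """Outbound direction: permit the reflected service and record the flow."""
        if p.proto == "tcp" and p.dport == self.reflect_dport:
            self.state.setdefault(self.name, set()).add(tuple(p))
            return "permit"
        return "deny"            # implicit deny for everything not listed

    def filter_in(self, p):
        """Inbound direction: 'evaluate' permits only replies to recorded flows."""
        mirror = (p.proto, p.dst, p.dport, p.src, p.sport)
        if mirror in self.state.get(self.name, set()):
            return "permit"
        return "deny"            # no matching outbound flow: implicit deny

def run(packets, fw=None):
    """packets: list of (direction, Pkt). Returns the decision for each, in order."""
    fw = fw or ReflexiveFilter()
    return [fw.filter_out(p) if d == "out" else fw.filter_in(p) for d, p in packets]

# Constructed traffic; addresses are illustrative and not from the slides.
SAMPLE = [
    ("in",  Pkt("tcp", "198.51.100.9", 4444, "10.2.1.5", 22)),    # unsolicited SSH in
    ("out", Pkt("tcp", "10.2.1.5", 50000, "198.51.100.9", 22)),   # client opens SSH
    ("in",  Pkt("tcp", "198.51.100.9", 22, "10.2.1.5", 50000)),   # server's reply
    ("in",  Pkt("tcp", "198.51.100.9", 22, "10.2.1.5", 50001)),   # wrong client port
    ("in",  Pkt("icmp", "198.51.100.9", None, "10.2.1.5", None)), # ICMP error: not tracked
    ("out", Pkt("tcp", "10.2.1.5", 50002, "198.51.100.9", 80)),   # not reflected: deny
]

if __name__ == "__main__":
    for (direction, p), verdict in zip(SAMPLE, run(SAMPLE)):
        print(direction, verdict, p)
```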
Cisco Router: Access Control Lists
Extended ACL:
    <permit/deny> <protocol> <sourceIP> [wildcard] [src-port] <destIP> [wildcard] [dest-port] [other-options]
    e.g.  deny tcp any any range 135 139 log
          permit udp any host eq 600
Reflexive ACL:
    <permit/deny> <sourceIP> [wildcard] [port] <destination> [wildcard] [port] reflect <rulename>
Example:
    ip access-list extended FilterOut
     permit tcp any any eq 22 reflect ssh-filter
     permit tcp any any eq 80
     deny tcp any any range 0 1024
     deny tcp any any gt 1024
     deny udp any any range 0 1024
    ip access-list extended FilterIn
     evaluate ssh-filter
     permit tcp any any eq 80
Example FilterOut
Evaluate for efficiency & protection:
    ip access-list extended FilterOut
     permit tcp any reflect tcp-filter
     permit udp any reflect udp-filter
     permit icmp any reflect icmp-filter
     evaluate smtp-filter
     deny ip any any log

(Diagram: Internet – in/out – router – out/in – Inner Network)
Static versus Reflexive:
- Use static for absolutes: blocking private IP addresses, or specific protocols: SNMP, ping. Static is faster than
- Use reflexives when necessary: outgoing connections only are allowed.
Router Modes for User Interface
(Diagram: User Mode (>) –enable–> Privileged Mode (#) –configure–> Configuration Mode ((config)#); disable returns from Privileged Mode to User Mode; Configuration Mode has submodes such as interface, router, …)

User mode: User can view information but cannot change anything.
Privileged mode: Supports modifications to routing tables, use of test and debug commands, and access to configuration modes.
- To enter and exit Privileged mode, use the commands enable and disable.
    Router> enable
    Router# disable
Global configuration mode: Used to enter one-line configuration (or routing)
- To enter Configuration mode, use the commands configure and exit. At the console, specify config terminal:
    Router# config terminal
- Configuration mode has a number of submodes: interface, router, subinterface, controller, map-list, map-class, line.
    Router(config)# interface ethernet 0
    Router(config-if)# exit
Getting Help
- Tab: complete the command for me
- ?: show commands, options

    Router# clock ?
      set   Set the time and date
    Router# clock set ?
      Current Time (hh : mm : ss)
Configuration Files
Two configuration files exist:
1. RAM = running-config
2. NVRAM = startup-config

Running-config: What the router uses. Commands to the config file change this file. Beta test all configurations before storing to nonvolatile (NV) RAM: NVRAM.
Startup-config: The file the router uses after it boots.

(Diagram of the commands that move configuration between places: console or VTerm –configure terminal–> running-config; show running-config; NVRAM –configure memory–> running-config; copy running-config startup-config; erase startup-config –> bit bucket; tftp server: copy tftp startup-config, copy tftp running-config, copy running-config)
Table of CISCO Keywords in Routing

access-list    Privileged mode: establish a rule.
               Format for 1-99, 1300-1999: access-list <num> <permit/deny> <sourceIP> <wildcard>
               Format for 100-199, 2000-2699: see above.
               Examples: access-list 3 deny any log
                         access-list 101 deny tcp any any range 135 139 log
any            Any IP address is accepted. Value =
banner         Privileged mode: sets the default banner upon login.
               Example: banner # Access restricted to UWP system
deny           ACL command mode: deny these packets.
               Example: deny icmp any host
description    Interface command mode: assign a description to an interface.
               Example: description Engineering LAN
eq             Equal: match a port address.
               Example: deny tcp any any eq telnet
CISCO Table (2)

established    Check to make sure the SYN bit is not on. Use reflexive rules instead.
               Example: access-list 100 permit tcp any any established
evaluate       ACL command mode: check a reflexive rule. Ensure the connection is active before accepting packets. The reflexive rule is created with ‘reflect’.
               Format: evaluate <rule>
host           Check all bits: expect an exact match for the IP address. Value =
               Example: deny icmp any host
hostname       Config mode: changes the name of the router, and default
CISCO Table (3)

interface         Privileged mode, sets Config mode: define an interface. Can include a set of commands ending with a !
                  Example: interface FastEthernet 0/0
                           ip access-group 135 in
                           !
ip access-list    Privileged mode: establish a set of rules as an access-list.
                  Example: ip access-list extended filtrout
                           permit tcp any any
ip access-group   Privileged mode: match a rule or access list to a router port.
                  Example: interface Ethernet0
                           ip access-group 135 in
                  This applies rule 135 to inward-bound packets for the Ethernet0 interface.
ip address        Config mode: assign an IP address to an interface. Placed within the interface ! command.
                  Example: ip address
line              Privileged mode, sets Line mode: enter permitted methods to access the router: aux, con, vty, … See more extensive documentation for details.
                  Example: line vty 0 4
CISCO Table (4)

log              Log any matches to this rule.
log-input        Also record the layer 2 address.
                 Example: deny tcp any any eq 1024 log
no ip <option>   Privileged mode (usually): disallow options: directed-broadcast, source-route, finger.
                 Examples: no ip directed-broadcast
                           no ip source-route
                           no ip finger
permit           ACL command mode: allow these packets.
                 Example: permit tcp any any eq 65
range            Match a port address to a range.
                 Example: range 135 139
reflect          ACL command mode: specify a reflexive rule: save the state of the session relating to this protocol, source and dest IP address. The state is checked when the evaluate command is specified.
                 Format: permit <protocol> <sourceIP> <destIP> reflect <name>
remark           ACL command mode: comment.
                 Example: remark This is a comment
CISCO Table (5)

show running-config   Privileged mode: show the currently active configuration file.
show startup-config   Privileged mode: show the configuration file that will become active the next time the router reboots.
shutdown /            Interface config mode: turns an interface off and back on.
no shutdown
tcp, udp, icmp-echo   Specific protocol name matches.
                      Examples: permit tcp …
                                permit icmp …