Defending Against Attacks with ACLs
ACLs can be used for much more than simply granting or denying access to a service or
utility. They can also guard against known attacks on the network, such as SYN and DoS
attacks, because many attack tools use known and identifiable patterns in their traffic.
1- Anti-DoS ACLs
These ACLs work by recognizing the protocol and port selection of the DoS attack. It is
possible that by using these ACLs you will block legitimate applications that happen to use
the same high port values, so that must be taken into account. In order to prevent hosts inside
the network from participating in a DoS against an Internet host, you should consider placing
these lists on all interfaces, in both directions. At a minimum, place these lists inbound on the
interfaces that are connected to the Internet.
In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of
the list is designed to block TRINOO DDoS traffic, and the second section (ports 6776, 6669,
2222, 7000) is designed to block SubSeven DDoS traffic.
Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000
2- Anti-SYN ACLs
In a TCP SYN attack the attacker floods the target host with connection requests so that no
legitimate connections can be made. To block this, the ACL must allow legitimate TCP
connections that are created by hosts inside the network, but disallow new connections to
those hosts from outside (such as from the Internet).
In this first configuration fragment, traffic that is established internally is allowed out, and
incoming connections are not able to create new sessions:
Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#
3- Anti-Land ACLs
Another type of attack that has been around for some time is the Land attack. The Land attack
is rather simple in design, but it can cause serious network damage to unprotected systems.
The attack works by sending a packet whose source IP address and port are the same as its
destination IP address and port. So, a packet would be sent from 10.10.10.10:5700 to
10.10.10.10:5700, causing a significant slowdown or DoS of the target.
The following configuration fragment shows the defense against a Land attack on host
10.20.30.50, which is an IP address of an external interface on the router.
Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#
4- Anti-spoofing ACLs
Spoofing of packets has become more commonplace due to the increased number of tools that
provide this function. You can use your router to combat this issue by not allowing packets to
enter the network if they claim to come from an internal IP address.
When you create these lists, you want them to be complete. In other words, do not forget to
block the broadcast addresses (to prevent attacks like the Smurf attack), the network
addresses themselves, and private or reserved addresses. In the following configuration
fragment, the internal network is 152.148.10.0/24, and you will see that quite a few lines
are necessary to provide full spoof protection:
Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#
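The four lists on this page (anti-DoS 160, anti-SYN 170, anti-Land 110 and anti-spoofing 130) can be checked offline before they are applied to a router. The following Python is an added example, not IOS code and not from the original text: it parses access-list lines in the syntax shown above, applies Cisco wildcard-mask matching, eq ports, the established keyword and the implicit deny that ends every list, and classifies a handful of constructed packets (addresses from documentation ranges). The wildcards 0.255.255.255 and 0.15.255.255 it uses for 0.0.0.0/8 and 172.16.0.0/12 are the inverted netmasks; cidr_to_wildcard derives them, and addr_matches lets you check any suspect mask (a wildcard of 255.255.255.255, for instance, matches every source address, so a deny written that way would block all traffic and the final permit would never be reached). Function and variable names are the example's own.

```python
"""Toy first-match evaluator for Cisco-style extended ACLs (added example, not IOS code):
wildcard-mask matching, 'eq <port>', the 'established' keyword (TCP with ACK or RST set)
and the implicit deny at the end of every list."""
import ipaddress
from collections import namedtuple

# A packet as the router classifies it; established = TCP segment carrying ACK or RST.
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(0, 0, False))
# One access-list entry: src/dst are (base, wildcard) pairs, ports are None when absent.
Ace = namedtuple("Ace", "acl action proto src sport dst dport established log")

def cidr_to_wildcard(cidr):
    """'172.16.0.0/12' -> '0.15.255.255': the wildcard is the inverted netmask."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)

def addr_matches(base, wildcard, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def _take_addr(tokens, i):
    # Consume 'any' | 'host A' | 'A WILDCARD' and return ((base, wildcard), next index).
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _take_port(tokens, i):
    # Consume an optional 'eq <port>' qualifier.
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acls(config):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'
    lines; the IOS prompt and non-ACE lines (interface commands) are skipped.
    Returns {acl_number: [Ace, ...]} in configuration order."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split("#", 1)[-1].split()          # drop 'Router(config)#'
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        num, action, proto = tokens[1:4]
        src, i = _take_addr(tokens, 4)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)
        flags = tokens[i:]
        acls.setdefault(num, []).append(
            Ace(num, action, proto, src, sport, dst, dport, "established" in flags, "log" in flags))
    return acls

def evaluate(acl, pkt):
    """Return (action, index of the deciding entry); no match is the implicit deny (None)."""
    for idx, ace in enumerate(acl):
        if (ace.proto in ("ip", pkt.proto)
                and addr_matches(*ace.src, pkt.src) and addr_matches(*ace.dst, pkt.dst)
                and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)
                and (not ace.established or (pkt.proto == "tcp" and pkt.established))):
            return ace.action, idx
    return "deny", None

# The page's four lists, each applied inbound on the Internet-facing Serial 0.
PAGE_CONFIG = """
Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
"""
ACLS = parse_acls(PAGE_CONFIG)

def demo():
    """Classify constructed sample packets (documentation-range addresses) against each list."""
    cases = {
        "trinoo master port":   ("160", Packet("tcp", "198.51.100.7", "203.0.113.5", 40000, 27665)),
        "plain web request":    ("160", Packet("tcp", "198.51.100.7", "203.0.113.5", 40000, 80)),
        "inbound SYN":          ("170", Packet("tcp", "198.51.100.7", "192.168.20.5", 40000, 443)),
        "reply to our session": ("170", Packet("tcp", "198.51.100.7", "192.168.20.5", 443, 40000, True)),
        "land packet":          ("110", Packet("tcp", "10.20.30.50", "10.20.30.50", 5700, 5700)),
        "spoofed internal src": ("130", Packet("tcp", "152.148.10.9", "152.148.10.1")),
        "normal inbound":       ("130", Packet("tcp", "198.51.100.7", "152.148.10.1")),
    }
    return {label: evaluate(ACLS[num], pkt)[0] for label, (num, pkt) in cases.items()}
```

Running demo() makes the caveats in the text concrete: the plain web request to port 80 is also dropped by list 160, because the fragment contains no permit and every IOS list ends in an implicit deny, so list 160 is only usable as the leading section of a larger list; list 170 permits the return half of an internally started session (ACK set) and drops the inbound SYN; list 110 drops the packet whose source equals its destination; and list 130 drops a packet arriving from outside with an internal source address while passing ordinary inbound traffic to 152.148.10.0/24.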