Defending Against Attacks with ACLs

ACLs can be used for much more than simply granting or denying access to a service or utility. They can also guard against known attacks on the network, such as SYN and DoS attacks, because many attack tools use known and identifiable patterns (protocols and ports) in their traffic.

1- Anti-DoS ACLs

These ACLs work by recognizing the protocol and port selection of the DoS attack. It is possible that by using these ACLs you will block legitimate applications that have chosen the same high port values, so that must be taken into account. In order to prevent hosts inside the network from participating in a DoS on an Internet host, you should consider placing these lists on all interfaces, in both directions. At a minimum, place them inbound on the interfaces that are connected to the Internet. In the configuration fragment that follows, the first section (ports 27665, 31335, 27444) of the list is designed to block the TRINOO DDoS tool, and the second section (ports 6776, 6669, 2222, 7000) is designed to block the SubSeven DDoS tool.

Router(config)#access-list 160 deny tcp any any eq 27665
Router(config)#access-list 160 deny udp any any eq 31335
Router(config)#access-list 160 deny udp any any eq 27444
Router(config)#access-list 160 deny tcp any any eq 6776
Router(config)#access-list 160 deny tcp any any eq 6669
Router(config)#access-list 160 deny tcp any any eq 2222
Router(config)#access-list 160 deny tcp any any eq 7000

2- Anti-SYN ACLs

In a TCP SYN attack the attacker floods the target host with connection requests and prevents any legitimate connections from being made to the target host. To block this, the ACL must allow legitimate TCP connections that are created by hosts inside the network, but disallow connections to those hosts that are initiated from outside (for example, from the Internet). In this configuration fragment, traffic for sessions established from the inside is allowed back in, and incoming connection attempts are not able to create new sessions:

Router#configure terminal
Router(config)#access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established
Router(config)#access-list 170 deny ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 170 in
Router(config-if)#^Z
Router#

3- Anti-Land ACLs

Another type of attack that has been around for some time is the Land attack. The Land attack is rather simple in design, but it can cause serious damage to unprotected systems. The attack works by sending a packet from an IP address to the same IP address, using the same port on both ends. So a packet would be sent from 10.10.10.10:5700 to 10.10.10.10:5700, causing a significant slowdown or DoS of the target.

The following configuration fragment shows the defense against a Land attack on host 10.20.30.50, which is the IP address of an external interface on the router:

Router#configure terminal
Router(config)#interface Serial 0
Router(config-if)#ip address 10.20.30.50 255.255.255.0
Router(config-if)#exit
Router(config)#
Router(config)#access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log
Router(config)#access-list 110 permit ip any any
Router(config)#interface Serial 0
Router(config-if)#ip access-group 110 in
Router(config-if)#^Z
Router#

4- Anti-spoofing ACLs

Spoofing of packets has become more commonplace due to the increased number of tools that provide this function. You can use your router to combat this issue by not allowing packets to enter the network if they claim to come from an internal IP address. When you create these lists, you want them to be complete. In other words, do not forget to block the broadcast addresses (to prevent attacks like the Smurf attack), the network addresses themselves, and private or reserved addresses. In the following configuration fragment the internal network is 152.148.10.0/24, and you will see that quite a few lines are necessary to provide full spoof protection:

Router#configure terminal
Router(config)#access-list 130 deny ip 152.148.10.0 0.0.0.255 any
Router(config)#access-list 130 deny ip 127.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 0.0.0.0 255.255.255.255 any
Router(config)#access-list 130 deny ip 10.0.0.0 0.255.255.255 any
Router(config)#access-list 130 deny ip 172.16.0.0 0.15.255.255 any
Router(config)#access-list 130 deny ip 192.168.0.0 0.0.255.255 any
Router(config)#access-list 130 deny ip host 255.255.255.255 any
Router(config)#access-list 130 permit ip any 152.148.10.0 0.0.0.255
Router(config)#interface Serial 0
Router(config-if)#ip access-group 130 in
Router(config-if)#^Z
Router#
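To check how the four fragments above actually behave before applying them, here is an added example (not code from the original notes) of a small evaluator for Cisco extended ACL lines: it implements wildcard-mask matching, the destination "eq PORT" test, the "established" keyword and the implicit deny, and runs constructed sample packets against lists modelled on 160, 170 and 110. The sample lists and packet addresses are constructed for the example; note that the fragment for list 160 ends without a permit line, so the sample adds one.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False  # bare SYN (no ACK bit): does NOT match "established"

def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return base, wildcard, rest."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def acl_action(acl: list[str], pkt: Packet) -> str:
    """First matching line wins. Supports ip/tcp/udp, any/host/wildcard,
    destination 'eq PORT' and 'established'; 'log' is ignored."""
    for line in acl:
        t = line.split()
        action, proto = t[2], t[3]
        src, swc, rest = _addr(t[4:])
        dst, dwc, rest = _addr(rest)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (wild_match(pkt.src, src, swc) and wild_match(pkt.dst, dst, dwc)):
            continue
        if "eq" in rest and pkt.dport != int(rest[rest.index("eq") + 1]):
            continue
        if "established" in rest and pkt.syn_only:
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

# Constructed sample lists modelled on the fragments above (list 160 gets a
# closing permit here; as printed it has none, so the implicit deny would drop everything).
ANTI_DOS = ["access-list 160 deny tcp any any eq 27665",
            "access-list 160 deny udp any any eq 31335",
            "access-list 160 permit ip any any"]
ANTI_SYN = ["access-list 170 permit tcp any 192.168.20.0 0.0.0.255 established",
            "access-list 170 deny ip any any"]
ANTI_LAND = ["access-list 110 deny ip host 10.20.30.50 host 10.20.30.50 log",
             "access-list 110 permit ip any any"]
```

Running list 170 against a UDP packet shows a side effect of the SYN defense as written: inbound UDP such as DNS replies is also dropped, because only "established" TCP is permitted. The wild_match checks also confirm that the 172.16.0.0 block needs the wildcard 0.15.255.255 to cover all of 172.16 through 172.31.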