Stopping Denial of Service Attacks
Problem
You want to mitigate Denial of Service attacks by throttling half-open TCP connections.
Solution
You can configure a router to protect your servers against TCP SYN attacks by enabling the ip tcp intercept command:
Router1#configure terminal Router1(config)#access-list 109 permit ip any host 192.168.99.2 Router1(config)#ip tcp intercept list 109 Router1(config)#ip tcp intercept max-incomplete high 10 Router1(config)#ip tcp intercept one-minute high 15 Router1(config)#ip tcp intercept max-incomplete low 5 Router1(config)#ip tcp intercept one-minute low 10 Router1(config)#end Router1#
Discussion
This feature allows the router to take an active role in managing the TCP session initiation between a client and server. In the normal TCP call setup procedure, a client device sends a TCP SYN packet to start the session. The server then responds with a SYN-ACK, and the client's next packet simply has the ACK flag set. Then the Layer 7 application information can start to flow. A relatively common denial of service attack involves sending large numbers of SYN packets, but never actually starting the session. This can fill up the server's connection table with these so-called "half-open" TCP sessions, and eventually prevents any legitimate sessions from starting.
However, when you enable the TCP Intercept feature, the router doesn't forward the initial SYN packet to the server. Instead, it responds directly to the client with a SYN-ACK packet, as if it were the server. If the client is legitimate and begins the TCP session, then the router quickly opens a session to the server, knits the two ends of the connection together, and steps into its more usual role of simply forwarding packets.
If the number of half-open sessions exceeds certain configurable thresholds, the router can protect the server by going into aggressive mode. In this mode, the router does three things:
- It reduces the retransmission timeout from one second to 0.5 seconds, so that the TCP SYN-ACK packets are sent more frequently. This ensures that any legitimately half-open sessions are given an opportunity to respond.
- It reduces the maximum time that it will maintain a half-open session from the default 30 seconds to 15 seconds. Again, there are many reasons why a client might be legitimately slow to respond, but if the server is under attack, then reducing these timers can help to clear out the sessions that aren't legitimate.
- And, most importantly, with each new connection attempt, the router will delete one half-open session from its table. By default, it will delete the oldest session, but you can instead configure it to drop a random entry from the table.
In the configuration example, the first two lines enable the TCP Intercept feature:
Router1(config)#access-list 109 permit ip any host 192.168.99.2 Router1(config)#ip tcp intercept list 109
Here we have defined an ACL that specifies that we are only interested in packets with a destination IP address of 192.168.99.2, which is the server that we intend to protect. You could just as easily create an ACL that would protect a range of addresses. For example, if we wanted to protect all of the devices on the 192.168.99.0/24 subnet, we could have used the following access-list:
Router1(config)#access-list 109 permit ip any 192.168.99.0 0.0.0.255
We don't recommend using a permit ip any any type access-list here because that would force the router to intercept all TCP sessions passing through it, regardless of source or destination. This could cause performance problems on your network.
Then the command ip tcp intercept list enables the TCP intercept feature for the addresses specified in the access-list. Note that this is a global configuration command. It is not specific to an interface. This is useful because one common way to launch this type of attack is to send TCP SYN packets simultaneously from compromised computers throughout the network. If you have several interfaces on your router, you won't in principle know where to expect the packets to originate. It also means that you can protect servers on several different segments with a single command.
The remaining commands in the example simply configure the thresholds for aggressive mode. By default, the router allows 1,100 half-open sessions before going into aggressive mode. Configure this value using the ip tcp intercept max-incomplete high command. In the example, we have set a very low value for demonstration purposes:
Router1(config)#ip tcp intercept max-incomplete high 10
When we deliberately initiate a series of half-open sessions, we see this log message:
Nov 15 13:56:38.944: %TCP-6-INTERCEPT: getting aggressive, count (10/10) 1 min 0
A short time later, the attack ended, and the router went back into its normal mode:
Nov 15 13:58:14.367: %TCP-6-INTERCEPT: calming down, count (0/5) 1 min 11
We will explain the conditions for returning to the normal mode in a moment:
In addition to the total number of half-open sessions, you can also set thresholds on the number of TCP sessions initiated per minute:
Router1(config)#ip tcp intercept one-minute high 15
In this case, we have set the rather low threshold value of 15 for demonstration purposes. In practice, you would almost certainly want to use much higher numbers than these because these thresholds define the total number of connection attempts, whether successful or not. So setting this value too low will mean that your server will not be able to accept very many legitimate sessions.
The conditions for returning to normal mode are defined by these two commands:
Router1(config)#ip tcp intercept max-incomplete low 5 Router1(config)#ip tcp intercept one-minute low 10
The first command sets the low-water mark for the total number of half-open sessions, while the second command sets the low-water mark for the number of session-initiation attempts per minute. The router will not return to normal mode until both of these conditions are true. The default value for both of these thresholds is 900.
|
The TCP Intercept feature also allows you to monitor for inactivity on the TCP sessions that it helped to initiate. By default, the router will allow a TCP session to be inactive for 24 hours (86,400 seconds). However, you can change this using the ip tcp intercept connection-timeout command, which accepts an argument in seconds. Here we set a maximum value of one hour:
Router1(config)#ip tcp intercept connection-timeout 3600
When this time is exceeded, the router will force a disconnection on this session.
As we mentioned earlier, by default the aggressive mode of the TCP Intercept feature will drop the oldest half-open connection each time it receives a new connection attempt. However, you can instead configure it to drop a randomly selected connection out of the table:
Router1(config)#ip tcp intercept drop-mode random
The theory behind this is that the attack might be very short lived. In this case, the oldest entries in the table are probably the only ones that are not associated with the attack, so you might prefer to drop a random session instead.
You can configure how long the router will watch a session, waiting for it to complete the TCP session initiation. By default, it waits 30 seconds, but you can change this value with the following command, which specifies this timeout value in seconds:
Router1(config)#ip tcp intercept watch-timeout 15
And one final option allows you to set whether the router actively intercepts and responds to TCP SYN packets, or instead allows these packets to pass through normally, but watches the session to ensure that it connects properly. By default the router will completely protect the server by taking over all responsibility for setting up the session. You can configure it to let the server handle the call, and only step in if there is a problem by configuring watch mode:
Router1(config)#ip tcp intercept mode watch
This is useful in situations when your router is watching a large number of servers or the server is configured to safely handle large numbers of half-open sessions. In such situations, you can save resources on your router by using watch mode.
There are two commands for monitoring the TCP Intercept feature. The first looks at the entire connection table:
Router1#show tcp intercept connections Incomplete: Client Server State Create Timeout Mode 192.168.100.201:3304 192.168.99.2:23 SYNRCVD 00:00:11 00:00:07 I 192.168.100.201:3305 192.168.99.2:23 SYNRCVD 00:00:08 00:00:02 I 192.168.100.201:3300 192.168.99.2:23 SYNRCVD 00:00:18 00:00:04 I 192.168.100.201:3301 192.168.99.2:23 SYNRCVD 00:00:16 00:00:06 I 192.168.100.201:3302 192.168.99.2:23 SYNRCVD 00:00:15 00:00:07 I 192.168.100.201:3303 192.168.99.2:23 SYNRCVD 00:00:13 00:00:01 I 192.168.100.201:3297 192.168.99.2:23 SYNRCVD 00:00:23 00:00:07 I 192.168.100.201:3298 192.168.99.2:23 SYNRCVD 00:00:21 00:00:09 I 192.168.100.201:3299 192.168.99.2:23 SYNRCVD 00:00:20 00:00:10 I Established: Client Server State Create Timeout Mode 192.168.100.1:26643 192.168.99.2:23 ESTAB 00:00:04 23:59:56 I Router1#
You will notice that there are usually very few sessions listed as Established at the end of this display. This is because the router only includes those sessions that have been established but for which it has not yet completely stepped out of the picture. This command output is useful for looking at who is attacking your servers. In this case, it looks like there is somebody attacking our server from the IP address 192.168.100.201. However, if you are using higher thresholds, this output is awkward to use.
Another command that is particularly useful with higher threshold values looks at the gross statistics:
Router1#show tcp intercept statistics Intercepting new connections using access-list 109 9 incomplete, 1 established connections (total 10) 8 connection requests per minute Router1#
In this case, you can see that there are nine incomplete sessions and one established. This output also shows the number of connection attempts per minute.
Router Configuration and File Management
- Configuring the Router via TFTP
- Saving Router Configuration to Server
- Booting the Router Using a Remote Configuration File
- Storing Configuration Files Larger Than NVRAM
- Clearing the Startup Configuration
- Loading a New IOS Image
- Booting a Different IOS Image
- Booting over the Network
- Copying an IOS Image to a Server
- Copying an IOS Image Through the Console
- Deleting Files from Flash
- Partitioning Flash
- Using the Router as a TFTP Server
- Using FTP from the Router
- Generating Large Numbers of Router Configurations
- Changing the Configurations of Many Routers at Once
- Extracting Hardware Inventory Information
- Backing Up Router Configurations
- Warm Reload
- Warm Upgrade
- Configuration Archiving
- Locking Configuration Access
Router Management
- Creating Command Aliases
- Managing the Routers ARP Cache
- Tuning Router Buffers
- Auto Tuning Buffers
- Using the Cisco Discovery Protocol
- Disabling the Cisco Discovery Protocol
- Using the Small Servers
- Enabling HTTP Access to a Router
- Enabling Secure HTTP (HTTPS) Access to a Router
- Using Static Hostname Tables
- Enabling Domain Name Services
- Disabling Domain Name Lookups
- Specifying a Router Reload Time
- Scheduling of Router Commands
- Displaying Historical CPU Values
- Creating Exception Dump Files
- Generating a Report of Interface Information
- Generating a Report of Routing Table Information
- Generating a Report of ARP Table Information
- Generating a Server Host Table File
User Access and Privilege Levels
- Setting Up User IDs
- Encrypting Passwords
- Using Better Password-Encryption Techniques
- Removing Passwords from a Router Configuration File
- Deciphering Ciscos Weak Password Encryption
- Displaying Active Users
- Sending Messages to Other Users
- Changing the Number of VTYs
- Changing VTY Timeouts
- Restricting VTY Access by Protocol
- Enabling Absolute Timeouts on VTY Lines
- Implementing Banners
- Disabling Banners on a Port
- Disabling Router Lines
- Reserving a VTY Port for Administrative Access
- Restricting Inbound Telnet Access
- Logging Telnet Access
- Setting the Source Address for Telnet
- Automating the Login Sequence
- Using SSH for Secure Access
- Changing Privilege Level of IOS Commands
- Defining Per User Privileges
- Defining Per Port Privileges
TACACS+
- Authenticating Login IDs from a Central System
- Restricting Command Access
- Losing Access to the TACACS+ Server
- Disabling TACACS+ Authentication on a Particular Line
- Capturing User Keystrokes
- Logging System Events
- Setting the IP Source Address for TACACS+ Messages
- Sample Server Configuration Files
IP Routing
- Finding an IP Route
- Finding Types of IP Routes
- Converting Different Mask Formats
- Using Static Routing
- Floating Static Routes
- Using Policy-Based Routing to Route Based on Source Address
- Using Policy-Based Routing to Route Based on Application Type
- Examining Policy-Based Routing
- Changing Administrative Distances
- Routing Over Multiple Paths with Equal Costs
- Static Routes That Track Interfaces or Other Routes
- Keeping Statistics on Routing Table Changes
RIP
- Configuring RIP Version 1
- Filtering Routes with RIP
- Redistributing Static Routes into RIP
- Redistributing Routes Using Route Maps
- Creating a Default Route in RIP
- Disabling RIP on an Interface
- Default Passive Interface
- Unicast Updates for RIP
- Applying Offsets to Routes
- Adjusting Timers
- Configuring Interpacket Delay
- Enabling Nonperiodic Updates
- Increasing the RIP Input Queue
- Configuring RIP Version 2
- Enabling RIP Authentication
- RIP Route Summarization
- Route Tagging
EIGRP
- Configuring EIGRP
- Filtering Routes with EIGRP
- Redistributing Routes into EIGRP
- Redistributing Routes into EIGRP Using Route Maps
- Disabling EIGRP on an Interface
- Adjusting EIGRP Metrics
- Adjusting Timers
- Enabling EIGRP Authentication
- EIGRP Route Summarization
- Logging EIGRP Neighbor State Changes
- Limiting EIGRPs Bandwidth Utilization
- EIGRP Stub Routing
- Route Tagging
- Viewing EIGRP Status
OSPF
- Configuring OSPF
- Filtering Routes in OSPF
- Adjusting OSPF Costs
- Creating a Default Route in OSPF
- Redistributing Static Routes into OSPF
- Redistributing External Routes into OSPF
- Manipulating DR Selection
- Setting the OSPF RID
- Enabling OSPF Authentication
- Selecting the Appropriate Area Types
- Using OSPF on Dial Interfaces
- Summarizing Routes in OSPF
- Disabling OSPF on Certain Interfaces
- Changing the Network Type on an Interface
- OSPF Route Tagging
- Logging OSPF Adjacency Changes
- Adjusting OSPF Timers
- Reducing OSPF Traffic in Stable Networks
- OSPF Virtual Links
- Viewing OSPF Status with Domain Names
- Debugging OSPF
BGP
- Configuring BGP
- Using eBGP Multihop
- Adjusting the Next-Hop Attribute
- Connecting to Two ISPs
- Connecting to Two ISPs with Redundant Routers
- Restricting Networks Advertised to a BGP Peer
- Adjusting Local Preference Values
- Load-Balancing
- Removing Private ASNs from the AS Path
- Filtering BGP Routes Based on AS Paths
- Reducing the Size of the Received Routing Table
- Summarizing Outbound Routing Information
- Prepending ASNs to the AS Path
- Redistributing Routes with BGP
- Using Peer Groups
- Authenticating BGP Peers
- Using BGP Communities
- Using BGP Route Reflectors
- Putting It All Together
Frame Relay
- Setting Up Frame Relay with Point-to-Point Subinterfaces
- Adjusting LMI Options
- Setting Up Frame Relay with Map Statements
- Using Multipoint Subinterfaces
- Configuring Frame Relay SVCs
- Simulating a Frame Relay Cloud
- Compressing Frame Relay Data on a Subinterface
- Compressing Frame Relay Data with Maps
- PPP over Frame Relay
- Viewing Frame Relay Status Information
Handling Queuing and Congestion
- Fast Switching and CEF
- Setting the DSCP or TOS Field
- Using Priority Queuing
- Using Custom Queuing
- Using Custom Queues with Priority Queues
- Using Weighted Fair Queuing
- Using Class-Based Weighted Fair Queuing
- Using NBAR Classification
- Controlling Congestion with WRED
- Using RSVP
- Manual RSVP Reservations
- Aggregating RSVP Reservations
- Using Generic Traffic Shaping
- Using Frame-Relay Traffic Shaping
- Using Committed Access Rate
- Implementing Standards-Based Per-Hop Behavior
- AutoQoS
- Viewing Queue Parameters
Tunnels and VPNs
- Creating a Tunnel
- Tunneling Foreign Protocols in IP
- Tunneling with Dynamic Routing Protocols
- Viewing Tunnel Status
- Creating an Encrypted Router-to-Router VPN in a GRE Tunnel
- Creating an Encrypted VPN Between the LAN Interfaces of Two Routers
- Generating RSA Keys
- Creating a Router-to-Router VPN with RSA Keys
- Creating a VPN Between a Workstation and a Router
- Creating an SSL VPN
- Checking IPSec Protocol Status
Dial Backup
- Automating Dial Backup
- Using Dialer Interfaces
- Using an Async Modem on the AUX Port
- Using Backup Interfaces
- Using Dialer Watch
- Using Virtual Templates
- Ensuring Proper Disconnection
- View Dial Backup Status
- Debugging Dial Backup
NTP and Time
- Time-Stamping Router Logs
- Setting the Time
- Setting the Time Zone
- Adjusting for Daylight Saving Time
- Synchronizing the Time on All Routers (NTP)
- Configuring NTP Redundancy
- Setting the Router As the NTP Master for the Network
- Changing NTP Synchronization Periods
- Using NTP to Send Periodic Broadcast Time Updates
- Using NTP to Send Periodic Multicast Time Updates
- Enabling and Disabling NTP Per Interface
- NTP Authentication
- Limiting the Number of Peers
- Restricting Peers
- Setting the Clock Period
- Checking the NTP Status
- Debugging NTP
- NTP Logging
- Extended Daylight Saving Time
- NTP Server Configuration
DLSw
- Simple Bridging
- Configuring DLSw
- Using DLSw to Bridge Between Ethernet and Token Ring
- Converting Ethernet and Token Ring MAC Addresses
- Configuring SDLC
- Configuring SDLC for Multidrop Connections
- Using STUN
- Using BSTUN
- Controlling DLSw Packet Fragmentation
- Tagging DLSw Packets for QoS
- Supporting SNA Priorities
- DLSw+ Redundancy and Fault Tolerance
- Viewing DLSw Status Information
- Viewing SDLC Status Information
- Debugging DSLw
Router Interfaces and Media
- Viewing Interface Status
- Configuring Serial Interfaces
- Using an Internal T1 CSU/DSU
- Using an Internal ISDN PRI Module
- Using an Internal 56 Kbps CSU/DSU
- Configuring an Async Serial Interface
- Configuring ATM Subinterfaces
- Setting Payload Scrambling on an ATM Circuit
- Classical IP Over ATM
- Configuring Ethernet Interface Features
- Configuring Token Ring Interface Features
- Connecting VLAN Trunks with ISL
- Connecting VLAN Trunks with 802.1Q
- LPD Printer Support
Simple Network Management Protocol
- Configuring SNMP
- Extracting Router Information via SNMP Tools
- Recording Important Router Information for SNMP Access
- Using SNMP to Extract Inventory Information from a List of Routers
- Using Access Lists to Protect SNMP Access
- Logging Unauthorized SNMP Attempts
- Limiting MIB Access
- Using SNMP to Modify a Routers Running Configuration
- Using SNMP to Copy a New IOS Image
- Using SNMP to Perform Mass Configuration Changes
- Preventing Unauthorized Configuration Modifications
- Making Interface Table Numbers Permanent
- Enabling SNMP Traps and Informs
- Sending Syslog Messages As SNMP Traps and Informs
- Setting SNMP Packet Size
- Setting SNMP Queue Size
- Setting SNMP Timeout Values
- Disabling Link Up/Down Traps per Interface
- Setting the IP Source Address for SNMP Traps
- Using RMON to Send Traps
- Enabling SNMPv3
- Strong SNMPv3 Encryption
- Using SAA
Logging
- Enabling Local Router Logging
- Setting the Log Size
- Clearing the Routers Log
- Sending Log Messages to Your Screen
- Using a Remote Log Server
- Enabling Syslog on a Unix Server
- Changing the Default Log Facility
- Restricting What Log Messages Are Sent to the Server
- Setting the IP Source Address for Syslog Messages
- Logging Router Syslog Messages in Different Files
- Maintaining Syslog Files on the Server
- Testing the Syslog Sever Configuration
- Preventing the Most Common Messages from Being Logged
- Rate-Limiting Syslog Traffic
- Enabling Error Log Counting
- XML-Formatted Log Messages
- Modifying Log Messages
Access-Lists
- Filtering by Source or Destination IP Address
- Adding a Comment to an ACL
- Filtering by Application
- Filtering Based on TCP Header Flags
- Restricting TCP Session Direction
- Filtering Multiport Applications
- Filtering Based on DSCP and TOS
- Logging When an Access-List Is Used
- Logging TCP Sessions
- Analyzing ACL Log Entries
- Using Named and Reflexive Access-Lists
- Dealing with Passive Mode FTP
- Using Time-Based Access-Lists
- Filtering Based on Noncontiguous Ports
- Advanced Access-List Editing
- Filtering IPv6
DHCP
- Using IP Helper Addresses for DHCP
- Limiting the Impact of IP Helper Addresses
- Using DHCP to Dynamically Configure Router IP Addresses
- Dynamically Allocating Client IP Addresses via DHCP
- Defining DHCP Configuration Options
- Defining DHCP Lease Periods
- Allocating Static IP Addresses with DHCP
- Configuring a DHCP Database Client
- Configuring Multiple DHCP Servers per Subnet
- DHCP Static Mapping
- DHCP-Secured IP Address Assignment
- Showing DHCP Status
- Debugging DHCP
NAT
- Configuring Basic NAT Functionality
- Allocating External Addresses Dynamically
- Allocating External Addresses Statically
- Translating Some Addresses Statically and Others Dynamically
- Using Route Maps to Refine Static Translation Rules
- Translating in Both Directions Simultaneously
- Rewriting the Network Prefix
- Using NAT for Server Load Distribution
- Stateful NAT Failover
- Adjusting NAT Timers
- Changing TCP Ports for FTP
- Checking NAT Status
- Debugging NAT
First Hop Redundancy Protocols
- Configuring Basic HSRP Functionality
- Using HSRP Preempt
- Making HSRP React to Problems on Other Interfaces
- Load-Balancing with HSRP
- Redirecting ICMP with HSRP
- Manipulating HSRP Timers
- Using HSRP on Token Ring
- HSRP SNMP Support
- Increasing HSRP Security
- Showing HSRP State Information
- Debugging HSRP
- HSRP Version 2
- VRRP
- Gateway Load-Balancing Protocol
IP Multicast
- Configuring Basic Multicast Functionality with PIM-DM
- Routing Multicast Traffic with PIM-SM and BSR
- Routing Multicast Traffic with PIM-SM and Auto-RP
- Filtering PIM Neighbors
- Configuring Routing for a Low-Frequency Multicast Application
- Multicast over Frame Relay or ATM WANs
- Configuring CGMP
- Using IGMP Version 3
- Static Multicast Routes and Group Memberships
- Routing Multicast Traffic with MOSPF
- Routing Multicast Traffic with DVMRP
- DVMRP Tunnels
- Configuring Bidirectional PIM
- Controlling Multicast Scope with TTL
- Controlling Multicast Scope with Administratively Scoped Addressing
- Exchanging Multicast Routing Information with MBGP
- Using MSDP to Discover External Sources
- Configuring Anycast RP
- Converting Broadcasts to Multicasts
- Showing Multicast Status
- Debugging Multicast Routing
IP Mobility
- Local Area Mobility
- Home Agent Configuration
- Foreign Agent Configuration
- Making a Router a Mobile Node
- Reverse-Tunnel Forwarding
- Using HSRP for Home Agent Redundancy
IPv6
- Automatically Generating IPv6 Addresses for an Interface
- Manually Configuring IPv6 Addresses on an Interface
- Configuring DHCP for IPv6
- Dynamic Routing with RIP
- Modifying the Default RIP Parameters
- IPv6 Route Filtering and Metric Manipulation in RIP
- Using OSPF for IPv6
- IPv6 Route Filtering and Metric Manipulation in OSPF
- Route Redistribution
- Dynamic Routing with MBGP
- Tunneling IPv6 Through an Existing IPv4 Network
- Translating Between IPv6 and IPv4
MPLS
- Configuring a Basic MPLS P Router
- Configuring a Basic MPLS PE Router
- Configuring Basic MPLS CE Routers
- Configuring MPLS over ATM
- PE-CE Communication via RIP
- PE-CE Communication via OSPF
- PE-CE Communication via EIGRP
- PE-CE Communication via BGP
- QoS over MPLS
- MPLS Traffic Engineering with Autoroute
- Multicast Over MPLS
- Your Service Provider Doesnt Do What You Want
Security
- Using AutoSecure
- Using Context-Based Access-Lists
- Transparent Cisco IOS Firewall
- Stopping Denial of Service Attacks
- Inspecting Applications on Different Port Numbers
- Intrusion Detection and Prevention
- Login Password Retry Lockout
- Authentication Proxy
Appendix 1. External Software Packages
Appendix 2. IP Precedence, TOS, and DSCP Classifications
- IP Precedence, TOS, and DSCP Classifications
- Queueing Algorithms
- Dropping Packets and Congestion Avoidance
Index
EAN: 2147483647
Pages: 505
