Velocity Reviews - Computer Hardware Reviews

SYN Floods & Cisco 2500 series questions

 
 
Liam
10-07-2004
Hi,

I have a question about the TCP SYN flood "bug".

I have a 2503 router (AUI, 2 x serial, ISDN) for testing purposes over here.
With IOS c2500-is56i-l.120-24.bin and 16 MB of RAM.

For a test I downloaded a packet builder. I let it build a SYN flood attack
(just for testing) and when I have an ACL on the interface (e0) it all works
fine.
No probs there.

But when I use an IP address as source (within the packet builder) that is
permitted by the access list I get the following things:

I put the log function behind the ACL so I could see what would happen:
%SEC-6-IPACCESSLOGS: list 1 permitted 192.168.0.97 76030 packets

My router's CPU usage goes sky-high to about 93-97%. It is difficult to
control the router even at the console port and telnetting to the router is
out of the question.

My question is as follows:
- What can one do to prevent these SYN flood attacks in a real world
environment? (I'm now just in my lab, so no worries)

- Is there a command/ACL or something that can filter for SYN flood
attacks?

Thanks,

Greetings
Liam


 
Alin Baltaru
10-07-2004
Normally your upstream provider should detect this attack and
blackhole it. Or, if you use BGP with your upstream provider, there's the
method of announcing ip/32 so that your provider will blackhole the
traffic.

If you have a flood detector you can configure it to set a static route
to null0. This only has the effect of sparing the destination of the
flood. The problem is that your router will remain in a high CPU usage
state.

Liam wrote:
> Hi,
>
> I have a question about the TCP SYN flood "bug".
>
> I have a 2503 router (AUI, 2 x serial, ISDN) for testing purposes over here.
> With IOS c2500-is56i-l.120-24.bin and 16 MB of RAM.
>
> For a test I downloaded a packet builder. I let it build a SYN flood attack
> (just for testing) and when I have an ACL on the interface (e0) it all works
> fine.
> No probs there.
>
> But when I use an IP address as source (within the packet builder) that is
> permitted by the access list I get the following things:
>
> I put the log function behind the ACL so I could see what would happen:
> %SEC-6-IPACCESSLOGS: list 1 permitted 192.168.0.97 76030 packets
>
> My router's CPU usage goes sky-high to about 93-97%. It is difficult to
> control the router even at the console port and telnetting to the router is
> out of the question.
>
> My question is as follows:
> - What can one do to prevent these SYN flood attacks in a real world
> environment? (I'm now just in my lab, so no worries)
>
> - Is there a command/ACL or something that can filter for SYN flood
> attacks?
>
> Thanks,
>
> Greetings
> Liam

 
Liam
10-08-2004
Hi,

I've got a question for you.
How does my ISP know what packets to route to the null0 interface and which
packets are "normal" traffic?

Because I don't think anyone would like to see their normal users
(/connections) routed to a null0 interface.

What is a flood detector? I have read some topics about the ip tcp
syn-waittime commands and some CBAC commands, but does this truly fix the
problem?

The high CPU usage on the router is the main problem (in my lab) because it
responds slowly at the console port and it is impossible to telnet into the
router. So what if you have a live network and someone inside your network
starts a DoS or even a DDoS attack on your routers and switches? Then
you can only access them via console?

BTW, I also tested my 1924 switch and that telnet session went down in
about 1 sec. It cannot handle the traffic AT ALL! So how should you protect
switches against these kinds of attacks? The normal ACL would be pretty
useless as packet builders can generate any source in their packets you
want. So there will be a range that is permitted in the ACL which will kill
your switch/router or slow it down.

I've got to say it is pretty complicated stuff.


Gr,
Liam


"Alin Baltaru" <(E-Mail Removed)> wrote in message
news:ck4dpm$5b7$(E-Mail Removed)...
> Normally your upstream provider should detect this attack and
> blackhole it. Or, if you use BGP with your upstream provider, there's the
> method of announcing ip/32 so that your provider will blackhole the
> traffic.
>
> If you have a flood detector you can configure it to set a static route
> to null0. This only has the effect of sparing the destination of the
> flood. The problem is that your router will remain in a high CPU usage
> state.
>
> Liam wrote:
> > Hi,
> >
> > I have a question about the TCP SYN flood "bug".
> >
> > I have a 2503 router (AUI, 2 x serial, ISDN) for testing purposes over here.
> > With IOS c2500-is56i-l.120-24.bin and 16 MB of RAM.
> >
> > For a test I downloaded a packet builder. I let it build a SYN flood attack
> > (just for testing) and when I have an ACL on the interface (e0) it all works
> > fine.
> > No probs there.
> >
> > But when I use an IP address as source (within the packet builder) that is
> > permitted by the access list I get the following things:
> >
> > I put the log function behind the ACL so I could see what would happen:
> > %SEC-6-IPACCESSLOGS: list 1 permitted 192.168.0.97 76030 packets
> >
> > My router's CPU usage goes sky-high to about 93-97%. It is difficult to
> > control the router even at the console port and telnetting to the router is
> > out of the question.
> >
> > My question is as follows:
> > - What can one do to prevent these SYN flood attacks in a real world
> > environment? (I'm now just in my lab, so no worries)
> >
> > - Is there a command/ACL or something that can filter for SYN flood
> > attacks?
> >
> > Thanks,
> >
> > Greetings
> > Liam



 
Ben
10-08-2004
You can also use the stateful firewall feature 'CBAC'.
This will dump SYN packets originating on the external interface from
non-active flows.

"Liam" <(E-Mail Removed)> wrote in message
news:ck3q97$ms0$(E-Mail Removed)1.ov.home.nl...
> Hi,
>
> I have a question about the TCP SYN flood "bug".
>
> I have a 2503 router (AUI, 2 x serial, ISDN) for testing purposes over here.
> With IOS c2500-is56i-l.120-24.bin and 16 MB of RAM.
>
> For a test I downloaded a packet builder. I let it build a SYN flood attack
> (just for testing) and when I have an ACL on the interface (e0) it all works
> fine.
> No probs there.
>
> But when I use an IP address as source (within the packet builder) that is
> permitted by the access list I get the following things:
>
> I put the log function behind the ACL so I could see what would happen:
> %SEC-6-IPACCESSLOGS: list 1 permitted 192.168.0.97 76030 packets
>
> My router's CPU usage goes sky-high to about 93-97%. It is difficult to
> control the router even at the console port and telnetting to the router is
> out of the question.
>
> My question is as follows:
> - What can one do to prevent these SYN flood attacks in a real world
> environment? (I'm now just in my lab, so no worries)
>
> - Is there a command/ACL or something that can filter for SYN flood
> attacks?
>
> Thanks,
>
> Greetings
> Liam



 
Bob by the Bay
10-10-2004
See also the TCP Intercept feature.

Robert

"Ben" <(E-Mail Removed)> wrote in message
news:Xut9d.18220$(E-Mail Removed)...
> You can also use the stateful firewall feature 'CBAC'.
> This will dump SYN packets originating on the external interface from
> non-active flows.
>
> "Liam" <(E-Mail Removed)> wrote in message
> news:ck3q97$ms0$(E-Mail Removed)1.ov.home.nl...
>> Hi,
>>
>> I have a question about the TCP SYN flood "bug".
>>
>> I have a 2503 router (AUI, 2 x serial, ISDN) for testing purposes over here.
>> With IOS c2500-is56i-l.120-24.bin and 16 MB of RAM.
>>
>> For a test I downloaded a packet builder. I let it build a SYN flood attack
>> (just for testing) and when I have an ACL on the interface (e0) it all works
>> fine.
>> No probs there.
>>
>> But when I use an IP address as source (within the packet builder) that is
>> permitted by the access list I get the following things:
>>
>> I put the log function behind the ACL so I could see what would happen:
>> %SEC-6-IPACCESSLOGS: list 1 permitted 192.168.0.97 76030 packets
>>
>> My router's CPU usage goes sky-high to about 93-97%. It is difficult to
>> control the router even at the console port and telnetting to the router is
>> out of the question.
>>
>> My question is as follows:
>> - What can one do to prevent these SYN flood attacks in a real world
>> environment? (I'm now just in my lab, so no worries)
>>
>> - Is there a command/ACL or something that can filter for SYN flood
>> attacks?
>>
>> Thanks,
>>
>> Greetings
>> Liam



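An added example, not configuration from any poster in this thread, that puts the three suggestions made here (null route, CBAC, TCP Intercept) into one IOS 12.x configuration for Liam's lab. The interface roles, ACL numbers, inspect name, threshold values and the target host 192.168.0.10 are assumptions, and the CBAC part needs an image with the firewall feature set.

```cisco
! Added example for Liam's lab, not from any post in this thread.
! Assumed layout: the 2503 has the servers on Ethernet0 (192.168.0.0/24)
! and the flood arrives over Serial0; 192.168.0.10 is an assumed web
! server. CBAC needs an image with the firewall feature set.
!
! 1) TCP Intercept (Bob's pointer): SYNs to hosts matched by ACL 110 are
!    tracked; in "watch" mode a connection that is not completed within
!    watch-timeout seconds is reset, so spoofed sources never tie up the
!    server. "intercept" mode has the router proxy the handshake instead.
access-list 110 permit tcp any 192.168.0.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
! Above the high marks the router enters aggressive mode and drops the
! oldest half-open connections until it is back below the low marks.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
!
! 2) CBAC (Ben's suggestion): inspecting traffic that leaves Serial0 opens
!    temporary holes in the inbound ACL only for the replies to sessions
!    the inside started. Half-open thresholds and the synwait timer throw
!    away embryonic connections early.
ip inspect name LABFW tcp
ip inspect name LABFW udp
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Inbound ACL: only the web server is reachable from outside. No "log"
! keyword here: logging every matched packet (the 76030-packet entry in
! the post) adds process-level work and makes a flood hurt a 2500 more.
access-list 120 permit tcp any host 192.168.0.10 eq www
access-list 120 deny ip any any
interface Serial0
 ip access-group 120 in
 ip inspect LABFW out
!
! 3) Sinking the victim (Alin's point), for the duration of the attack: a
!    /32 static route to Null0 discards packets for the flooded host in the
!    forwarding path. The packets still arrive on the interface, so CPU on
!    a 2500 stays high; the upstream blackholing the /32 is what unloads it.
ip route 192.168.0.10 255.255.255.255 Null0
```

Check the result with `show tcp intercept statistics` and `show ip inspect sessions` while the lab flood runs; both commands exist in IOS and show half-open counts the thresholds act on.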
 