SYN Floods & Cisco 2500 series questions

Discussion in 'Cisco' started by Liam, Oct 7, 2004.

  1. Liam

    Liam Guest

    Hi,

    I have a question about the TCP SYN flood "bug".

    I have a 2503 router (AUI, 2 x serial, ISDN) for testing purposes over here,
    with IOS c2500-is56i-l.120-24.bin and 16 MB of RAM.

    For a test I downloaded a packet builder. I let it build a SYN flood attack
    (just for testing) and when I have an ACL on the interface (e0) it all works
    fine.
    No probs there.

    But when I use an IP address as source (within the packet builder) that is
    permitted by the access list I get the following things:

    I put the log option on the ACL so I could see what would happen:
    %SEC-6-IPACCESSLOGS: list 1 permitted 192.168.0.97 76030 packets

    My router's CPU usage goes sky-high to about 93-97%. It is difficult to
    control the router even at the console port and telnetting to the router is
    out of the question.

    My question is as follows:
    - What can one do to prevent these SYN flood attacks in a real-world
    environment? (I'm now just in my lab, so no worries)

    - Is there a command/ACL or something that can filter for SYN flood
    attacks?

    Thanks,

    Greetings
    Liam
     
    Liam, Oct 7, 2004
    #1

  2. Alin Baltaru

    Alin Baltaru Guest

    Normally your upstream provider should detect this attack and
    blackhole it. Or if you use BGP with your upstream provider there's the
    method of announcing ip/32 so that your provider will blackhole the
    traffic.

    If you have a flood detector you can configure it to set a static route
    to null0. This only has the effect of spearing the destination of the
    flood. The problem is that your router will remain in a high CPU usage
    state.

     
    Alin Baltaru, Oct 7, 2004
    #2

  3. Liam

    Liam Guest

    Hi,

    I've got a question for you.
    How does my ISP know what packets to route to the null0 interface and which
    packets are "normal" traffic?

    Cause I don't think anyone would like to see their normal users
    (/connections) being routed to a null0 interface.

    What is a flood detector? I have read some topics about the ip tcp
    syn-waittime commands and some CBAC commands, but does this truly fix the
    problem?

    The high CPU usage on the router is the main problem (in my lab) cause it
    responds slowly at the console port and it is impossible to telnet into the
    router. So what if you have a live network and someone inside your network
    starts a DoS or even a DDoS attack on your routers and switches? Then
    you can only access them via console?

    B.t.w. I also tested my 1924 switch and that telnet session did go down in
    about 1 sec. It cannot handle the traffic AT ALL! So how should you protect
    switches against these kinds of attacks? The normal ACL would be pretty
    useless as packet builders can generate every source in their packet you
    want. So there will be a range that is permitted in the ACL which will kill
    your switch/router or slow it down.

    I got to say it is pretty complicated stuff :)


    Gr,
    Liam


     
    Liam, Oct 8, 2004
    #3
  4. Ben

    Ben Guest

    You can also use the stateful firewall feature 'CBAC'.
    This will dump SYN packets originating on the external interface from
    non-active flows.

     
    Ben, Oct 8, 2004
    #4
  5. Bob by the Bay

    See also the TCP Intercept feature.

    Robert

     
    Bob by the Bay, Oct 10, 2004
    #5
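The three mitigations suggested in the thread (the null0 blackhole from post #2, CBAC from post #4 and TCP Intercept from post #5) put together in one IOS configuration, as an added example that is not from the thread or from Cisco. The addresses, ACL numbers and the inspection name LABFW are constructed placeholders; the CBAC part assumes an image with the IOS Firewall feature set.

```cisco
! Constructed topology: 192.0.2.0/24 is the LAN behind Ethernet0,
! 192.0.2.10 is a web server to protect, Serial0 faces the upstream.
!
! --- TCP Intercept (post #5): the router completes the three-way handshake
! on the server's behalf and only opens the connection to the server once
! the client has ACKed, so spoofed SYNs never reach the server.
access-list 101 permit tcp any host 192.0.2.10 eq 80
ip tcp intercept list 101
ip tcp intercept mode intercept
! Above the high-water mark the router drops half-open connections
! (random, so a single attacker cannot predict which) until it falls to low.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
ip tcp intercept drop-mode random
!
! --- CBAC (post #4): inspection on the inside interface records sessions
! the inside initiated; only their return traffic is opened on the outside ACL,
! so unsolicited SYNs from the outside are dropped at Serial0.
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect name LABFW tcp
ip inspect name LABFW udp
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip inspect LABFW in
!
interface Serial0
 ip access-group 102 in
!
! No "log" keyword here: logging every dropped packet of a flood moves the
! load to the CPU, which is exactly what the first post measured.
access-list 102 deny ip any any
!
! --- Blackhole (post #2): a /32 to Null0 discards everything to the victim.
! This sacrifices that host to keep the router and the rest of the LAN up.
interface Null0
 no ip unreachables
ip route 192.0.2.10 255.255.255.255 Null0
```

Watch `show tcp intercept statistics` and `show ip inspect sessions` while testing; if the half-open count sits at the high-water mark the thresholds, not the ACL, are what is holding the line.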