I have skipped QoS and moved onto Security – a tactic I will more than likely employ in the Lab.
Q. DoS Prevention:- One of the routers is being used as a reflector for ICMP Smurf and UDP Fraggle attacks. Configure two of the routers to filter out the attack received from the relevant AS and configure this ACL in less than three lines.
Solution:- Okay, I missed this section in my blueprint notes, so here goes ->
ICMP is used by the IP layer to send one-way informational messages to a host. ICMP carries no authentication, so forged ICMP messages can be used to cause a denial of service or to let an attacker intercept packets. The main ICMP-based attacks are as follows:
ICMP DoS attack: The attacker can use either the ICMP “Time Exceeded” or the “Destination Unreachable” message. Both of these messages cause a host to drop a connection immediately, so an attacker only has to forge one of them and send it to one or both of the communicating hosts, and their connection is broken. The ICMP “Redirect” message is normally sent by gateways when a host has mistakenly assumed the destination is not on the local network; if an attacker forges a “Redirect”, another host can be made to send packets for certain connections through the attacker’s host.
ICMP packet magnification (or ICMP Smurf): An attacker sends forged ICMP echo packets to vulnerable networks’ broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system’s available bandwidth and creating a denial of service (DoS) to legitimate traffic.
Ping of death: An attacker sends an ICMP echo request packet that’s larger than the maximum IP packet size. Since the received ICMP echo request packet is larger than the normal IP packet size, it’s fragmented. The target can’t reassemble the packets, so the OS crashes or reboots.
ICMP PING flood attack: A broadcast storm of pings overwhelms the target system so it can’t respond to legitimate traffic.
ICMP nuke attack: Nukes send a packet of information that the target OS can’t handle, which causes the system to crash.
ICMP Attacks Mitigation:
Most ICMP attacks can be effectively reduced by deploying firewalls at critical locations in the network to filter unwanted traffic and traffic from questionable sources. In addition, to keep a reasonable balance between services and security, configure the ICMP handling on your network devices as follows:
- Allow ping ICMP Echo-Request outbound and Echo-Reply messages inbound.
- Allow traceroute TTL-Exceeded and Port-Unreachable messages inbound.
- Allow path MTU discovery ICMP Fragmentation-Needed (DF set) messages inbound.
- Block all other types of ICMP traffic.
A Fraggle attack is a type of denial-of-service attack where an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it with a forged source address. It is a simple rewrite of the Smurf attack code using UDP instead of ICMP.
Specifically referencing this question: the destination of the attack traffic will be the broadcast address of the reflector, so we need to deny ICMP Echo for the Smurf attack and UDP Echo for the Fraggle attack. However, because the question limits the ACL to no more than two lines, we cannot write separate entries for ICMP echo and UDP echo, so our config will look like this ->
ip access-list extended NO_DOS
 deny ip any host 191.x.x.x
 permit ip any any
!
! 191.x.x.x is the broadcast address of the reflector LAN; the ACL itself is two lines.
interface <interface facing the relevant AS>
 ip access-group NO_DOS in
Corresponding config on the 2nd router.
Q. Spoof Prevention:- There’s concern regarding TCP SYN attacks, configure the above two routers to drop any traffic from a designated AS where the traffic doesn’t have a route pointing out the incoming interface of the receiving traffic.
Solution:- The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For Internet service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table.
When Unicast RPF is enabled on an interface, the router examines all packets received as input on that interface to make sure that the source address and source interface appear in the routing table and match the interface on which the packet was received. This “look backwards” ability is available only when Cisco express forwarding (CEF) is enabled on the router, because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation. Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.
When a packet is received at the interface where Unicast RPF and ACLs have been configured, the following actions occur:
Step 1 Input ACLs configured on the inbound interface are checked.
Step 2 Unicast RPF checks to see if the packet has arrived on the best return path to the source, which it does by doing a reverse lookup in the FIB table.
Step 3 CEF table (FIB) lookup is carried out for packet forwarding.
Step 4 Output ACLs are checked on the outbound interface.
Step 5 The packet is forwarded.
Specifically referencing this question -> the two routers simply require the ip verify unicast reverse-path statement under the appropriate interface to drop that traffic, fulfilling the question criteria.
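As an added example (not part of the original post), here is a small Python model of Steps 1 to 5 as they apply to both questions above: the two-line NO_DOS ACL as the input ACL and a strict uRPF lookup against a constructed FIB. Interface names, the 10.0.0.0/8 and 203.0.113.x addresses and the FIB entries are constructed; 191.0.2.0/24 stands in for the post’s elided 191.x.x.x LAN.

```python
from ipaddress import ip_address, ip_network

# Constructed FIB: (prefix, egress interface). 191.0.2.0/24 stands in for the
# post's 191.x.x.x LAN; its directed-broadcast address is the reflector target.
FIB = [(ip_network("0.0.0.0/0"), "Gi0/0"),     # default route towards the upstream AS
       (ip_network("10.0.0.0/8"), "Gi0/1"),     # the "designated AS" behind Gi0/1
       (ip_network("191.0.2.0/24"), "Gi0/2")]   # our LAN, the Smurf/Fraggle reflector
LAN_BROADCAST = ip_address("191.0.2.255")

# The two-line NO_DOS ACL as (action, protocol, destination); None means "any".
NO_DOS = [("deny", "ip", LAN_BROADCAST), ("permit", "ip", None)]
INPUT_ACL = {"Gi0/0": NO_DOS}   # ip access-group NO_DOS in, on the AS-facing interface
URPF_STRICT = {"Gi0/1"}         # ip verify unicast reverse-path (strict mode; same check
                                # as "ip verify unicast source reachable-via rx")

def pkt(proto, src, dst, in_iface):
    """Constructed packet holding only the fields the ACL and uRPF checks use."""
    return {"proto": proto, "src": ip_address(src), "dst": ip_address(dst),
            "in_iface": in_iface}

def acl_permits(acl, p):
    """Step 1: IOS-style first match wins; implicit deny if nothing matches."""
    for action, proto, dst in acl:
        if proto in ("ip", p["proto"]) and (dst is None or dst == p["dst"]):
            return action == "permit"
    return False

def fib_lookup(addr):
    """Longest-prefix match in the FIB; returns the egress interface (or None)."""
    best = None
    for prefix, iface in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None

def urpf_strict_ok(p):
    """Step 2, 'look backwards': the FIB's path back to the source address must
    leave via the interface the packet arrived on, otherwise the source is spoofed."""
    return fib_lookup(p["src"]) == p["in_iface"]

def process(p):
    """Steps 1, 2, 3 and 5 from the text (no output ACL in this model)."""
    acl = INPUT_ACL.get(p["in_iface"])
    if acl is not None and not acl_permits(acl, p):
        return "dropped: input ACL"
    if p["in_iface"] in URPF_STRICT and not urpf_strict_ok(p):
        return "dropped: uRPF"
    return "forwarded via " + str(fib_lookup(p["dst"]))   # Step 3 lookup, Step 5 forward

if __name__ == "__main__":
    print(process(pkt("icmp", "203.0.113.7", "191.0.2.255", "Gi0/0")))  # Smurf reflector hit
    print(process(pkt("udp", "203.0.113.7", "191.0.2.255", "Gi0/0")))   # Fraggle reflector hit
    print(process(pkt("tcp", "191.0.2.10", "10.1.1.1", "Gi0/1")))       # SYN with spoofed source
```

Note that a source matching only the default route fails strict uRPF on Gi0/1, which is why strict mode belongs on the interface facing the designated AS and not on the upstream link.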