Service Provider CCIE Advanced Technologies Class
ISP Security and Common Attacks
http://www.InternetworkExpert.com
Unicast Reverse Path Forwarding (uRPF)
• Designed to filter IP packets with spoofed source IP addresses
• Filters packets according to the reverse path to the source IP address
• The router determines the reverse path by looking up the packet’s source IP address in the FIB and comparing the resulting interface(s) with the interface on which the packet was received
• The theory is that a packet should not be received on any interface except the interface that the router would use to route to the source of the packet
• All equal cost paths are taken into consideration when determining the interface(s) on which a packet may be received
  – uRPF also understands EIGRP unequal cost load balancing
• Two modes: strict and loose
  – Strict mode requires that the packet arrive on a reverse path interface
  – Loose mode only requires that a route to the packet’s source exist in the routing table, out any interface
  – Loose mode also drops packets whose source route points to null0
  – By default the default route is not used to validate a source in either mode; the allow-default keyword changes this
• Loose mode is commonly used for (source based) blackhole filtering
• CEF is required for uRPF, since the check is performed against the FIB
Copyright © 2007 Internetwork Expert, Inc
www.InternetworkExpert.com
uRPF Basic Configuration (interface commands)
• Strict
  – ip verify unicast reverse-path (older syntax)
  – ip verify unicast source reachable-via rx
• Loose
  – ip verify unicast source reachable-via any
• Append allow-default if the default route should count as a valid route to the source
Commonly Disabled Services
• Finger
  – no ip finger (global)
• Bootp
  – no ip bootp server (global)
• CDP
  – no cdp run (global)
  – no cdp enable (interface)
• Proxy-ARP
  – no ip proxy-arp (interface)
• IP Redirects
  – no ip redirects (interface)
• IP Directed Broadcast (Smurf Attack)
  – no ip directed-broadcast (interface)
• ICMP Unreachables
  – no ip unreachables (interface)
  – By default the IOS rate limits the number of ICMP type 3 destination unreachables it generates to 1 per 500 ms. This behavior can be changed with the ip icmp rate-limit unreachable <milliseconds> global configuration command.
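The script below is an added example written for this page, not part of the original slides and not a Cisco tool. It parses an IOS running-config into global commands and per-interface stanzas and reports which of the hardening lines listed above are missing. The hostname, interface names and addresses in SAMPLE_CONFIG are constructed. One caveat it encodes: show running-config omits defaults, so proxy-ARP, redirects and unreachables are treated as enabled unless the "no ..." line is present, while directed broadcast (off by default since IOS 12.0) is only flagged when explicitly turned on.

```python
"""Added example (not from the original slides): audit an IOS running-config
for the services this page says to disable. SAMPLE_CONFIG is constructed."""
import re

GLOBAL_REQUIRED = ["no ip finger", "no ip bootp server", "no cdp run"]
IFACE_REQUIRED = ["no ip proxy-arp", "no ip redirects", "no ip unreachables"]
# Either uRPF syntax counts: the legacy reverse-path form or reachable-via rx/any
URPF_RE = re.compile(r"^ip verify unicast (source reachable-via (rx|any)|reverse-path)")

SAMPLE_CONFIG = """\
!
hostname edge1
no ip bootp server
no cdp run
ip cef
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 description upstream
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast source reachable-via any
!
interface GigabitEthernet0/1
 description customer
 ip address 10.255.0.1 255.255.255.252
 ip directed-broadcast
 ip verify unicast source reachable-via rx
!
"""


def parse(config):
    """Split an IOS config into global commands and per-interface command lists.
    Interface sub-commands are the indented lines that follow 'interface X'."""
    glob, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
            glob.append(line)
    return glob, ifaces


def audit(config):
    """Return {'global': [...missing...], '<interface>': [...findings...]}.
    An empty list means the section is clean."""
    glob, ifaces = parse(config)
    findings = {"global": [c for c in GLOBAL_REQUIRED if c not in glob]}
    cdp_off_globally = "no cdp run" in glob
    for name, cmds in ifaces.items():
        if name.startswith(("Loopback", "Null")):
            continue  # no packets from outside arrive on these
        issues = [c for c in IFACE_REQUIRED if c not in cmds]  # on by default in IOS
        if "ip directed-broadcast" in cmds:                    # off by default since 12.0
            issues.append("ip directed-broadcast enabled (smurf amplifier)")
        if not cdp_off_globally and "no cdp enable" not in cmds:
            issues.append("cdp enabled")
        if not any(URPF_RE.match(c) for c in cmds):
            issues.append("no uRPF")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for section, issues in audit(SAMPLE_CONFIG).items():
        print("%-22s %s" % (section, issues or "ok"))
```

Run it against a saved "show running-config"; the global section of the sample is missing "no ip finger", GigabitEthernet0/0 is clean, and GigabitEthernet0/1 is reported for proxy-ARP, redirects, unreachables and the explicitly enabled directed broadcast.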
Smurf Attack
• Outdated attack in today’s networks
• The attacker sends an ICMP echo request with the source IP address of the attack target and a destination of the directed broadcast address of an intermediate network; every host on that segment replies to the target, amplifying the traffic
• Solution: no ip directed-broadcast
• This command is the default in the IOS (since release 12.0) and follows RFC 2644
• The fraggle attack is just a variation of the smurf attack using UDP echo (port 7) instead of ICMP
Standard Blackhole Filtering
• Forward the traffic in question to null0 using a static route
• Creates a problem: all traffic to that destination is dropped, so legitimate users of the attacked host are denied as well (the rest of the network is protected, but the attack against that host succeeds)
• Easy solution for matching the destination of the attack, but not the ideal solution when trying to match the source or sources of the attack: a static route to null0 only affects packets going to an address, so dropping by source additionally requires uRPF on the ingress interfaces
Remotely Triggered Blackhole Filtering
• Benefits of remotely triggered blackhole filtering:
  – Quickly mitigate attacks across a whole network by making a simple change to the “trigger” router
  – Can be destination or source based
  – Drops traffic at the edge of the network, before it crosses the core
• For destination based filtering the route to the destination has its IP next-hop set to null0 on every edge router
• For source based filtering the route to the source has its IP next-hop set to null0; the edge routers must also run uRPF loose mode on their ingress interfaces, since a route to null0 only affects packets going to the source, while the uRPF check drops the packets coming from it
• The trigger is commonly done through BGP: the trigger router redistributes a tagged static route whose next hop is rewritten to an address that every edge router already routes to null0
[Figure: The Attack. Source of the attack → Destination of the attack]
[Figure: Remotely Triggered Blackhole Filtering. Trigger router sets the next hop to null0; source of the attack → destination of the attack]
Remotely Triggered Blackhole Filtering
Configuration – Destination Based
Trigger Router
! iBGP to the edge routers. A static route is redistributed into BGP only
! when it carries tag 999, and its next hop is rewritten to 192.0.2.1, an
! address from the reserved 192.0.2.0/24 test block that is never routed.
router bgp 200
 neighbor 150.1.3.3 remote-as 200
 neighbor 150.1.3.3 update-source Loopback0
 neighbor 150.1.6.6 remote-as 200
 neighbor 150.1.6.6 update-source Loopback0
 redistribute static route-map RTBF
!
route-map RTBF permit 10
 match tag 999
 set local-preference 200
 set ip next-hop 192.0.2.1
!
route-map RTBF deny 20
!
! Not on the original slide, but commonly added: set community no-export in
! sequence 10 (with neighbor ... send-community on each iBGP peer) so the
! blackhole route never leaks to eBGP peers.
Edge Routers
! Suppress ICMP unreachables for the dropped traffic; otherwise every drop
! generates a reply toward the (usually spoofed) source and loads the CPU.
interface Null0
 no ip unreachables
!
router bgp 200
 neighbor 150.1.4.4 remote-as 200
 neighbor 150.1.4.4 update-source Loopback0
!
! Every BGP route with next hop 192.0.2.1 now resolves recursively to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
The Trigger (entered on the trigger router when an attack starts)
ip route <destination of the attack> <mask> Null0 tag 999
! For source based filtering the same static route names the attacking
! source instead, and the edge routers must run uRPF loose mode on their
! ingress interfaces so that packets from that source fail the check.
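As an added example, not from the original slides and not Cisco code, the Python model below ties the uRPF slides to the RTBH configuration above. It implements an edge router's lookup the way the slides describe it: strict mode accepts a packet if its ingress interface is any of the equal-cost reverse-path interfaces, loose mode accepts any route except one pointing to Null0, and neither uses the default route unless allow-default is set. A blackhole route learned from the trigger carries next hop 192.0.2.1 and is resolved recursively through the edge's static route to Null0, so destination-based RTBH drops in the forwarding lookup while source-based RTBH only drops once uRPF loose mode is on the ingress interface. The FIB, interface names and addresses are constructed; 192.0.2.1 is the trigger next hop from the page.

```python
"""Added example, not from the original slides or Cisco: a small model of an
edge router applying uRPF (strict and loose) and remotely triggered blackhole
(RTBH) routes. The FIB, interfaces and addresses are constructed."""
import ipaddress

NULL0 = "Null0"
TRIGGER_NH = "192.0.2.1"   # blackhole next hop advertised by the trigger router


def edge_fib():
    """Constructed FIB: prefix -> [(next_hop, out_interface)].
    out_interface None marks a BGP route whose next hop is resolved
    recursively; next_hop None with Null0 is a discard route."""
    return {
        "0.0.0.0/0":        [("203.0.113.1", "Gi0/0")],     # upstream
        "10.1.0.0/16":      [("10.255.0.1", "Gi0/1"),
                             ("10.255.0.5", "Gi0/2")],       # two equal-cost paths
        "10.2.0.0/16":      [("10.255.0.9", "Gi0/3")],
        TRIGGER_NH + "/32": [(None, NULL0)],                # ip route 192.0.2.1/32 Null0
    }


def lpm(addr, fib, allow_default=True):
    """Longest-prefix match. IOS uRPF ignores the default route unless the
    allow-default keyword is configured, hence the flag."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, paths in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, paths)
    return best


def resolve(addr, fib, allow_default=True):
    """Outgoing interfaces for addr after recursive next-hop resolution."""
    hit = lpm(addr, fib, allow_default)
    if hit is None:
        return set()
    out = set()
    for next_hop, iface in hit[1]:
        if iface is not None:
            out.add(iface)
        else:
            out |= resolve(next_hop, fib, allow_default)
    return out


def urpf_passes(src, ingress, fib, mode, allow_default=False):
    """Strict: the ingress interface must be one of the reverse-path interfaces
    (every equal-cost path counts). Loose: any route to the source is enough.
    Both fail when there is no route or the route points to Null0."""
    rev = resolve(src, fib, allow_default)
    if not rev or NULL0 in rev:
        return False
    return ingress in rev if mode == "strict" else True


def forward(src, dst, ingress, fib, urpf_mode=None, allow_default=False):
    """Forwarding decision for one packet received on ingress."""
    if urpf_mode and not urpf_passes(src, ingress, fib, urpf_mode, allow_default):
        return "drop: uRPF %s on %s" % (urpf_mode, ingress)
    out = resolve(dst, fib)
    if not out:
        return "drop: no route"
    if NULL0 in out:
        return "drop: Null0"
    return "forward: " + ",".join(sorted(out))


def trigger_blackhole(fib, prefix):
    """Model the route the trigger router injects via BGP (tag 999 static,
    next hop rewritten to 192.0.2.1) as the edge router learns it."""
    fib[prefix] = [(TRIGGER_NH, None)]


if __name__ == "__main__":
    fib = edge_fib()
    print(forward("198.51.100.7", "10.2.0.9", "Gi0/0", fib))          # forward: Gi0/3
    print(urpf_passes("10.1.5.5", "Gi0/2", fib, "strict"))           # True (equal-cost path)
    print(urpf_passes("10.1.5.5", "Gi0/3", fib, "strict"))           # False
    print(urpf_passes("10.1.5.5", "Gi0/3", fib, "loose"))            # True
    trigger_blackhole(fib, "10.2.0.9/32")                            # destination based
    print(forward("198.51.100.7", "10.2.0.9", "Gi0/0", fib))          # drop: Null0
    trigger_blackhole(fib, "198.51.100.7/32")                        # source based
    print(forward("198.51.100.7", "10.1.5.5", "Gi0/0", fib))          # forward: Gi0/1,Gi0/2
    print(forward("198.51.100.7", "10.1.5.5", "Gi0/0", fib, "loose")) # drop: uRPF loose on Gi0/0
```

The last two lines of the usage show the point of the source-based slide: after the trigger blackholes 198.51.100.7/32, an edge without uRPF still forwards packets from that source, because a Null0 route only affects traffic going to the address; with loose mode on the upstream interface the same packet is dropped. The allow_default flag reproduces another operational caveat: with only a default route and no allow-default keyword, loose mode rejects every external source.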