
Protecting a Cisco router from DoS attacks.
Summary of the article http://www.informit.com/articles/article.asp?p=345618
Diagnostics:
    Assessing CPU load (sustained 100% CPU, most of it at the interrupt level, is the usual first sign of a packet flood; the last command shows per interface how many packets were process-switched instead of fast-switched):
       show processes cpu
       show processes cpu history
       show interfaces switching

    Watching ACL hit counters (clear them first so that the counts reflect only the traffic seen since):
       clear access-list counters N
       show access-list N
 
   Logging ACL matches to syslog (log-input additionally records the ingress interface and source MAC address, which is what tells you where a spoofed flood is entering; logging each match is process-switched and can itself overload the CPU under a heavy flood, so enable it only for as long as needed):
       access-list 100 deny icmp any any echo-reply log-input

   NetFlow (the flow cache shows who talks to whom; the Pr, SrcP and DstP columns are hexadecimal, and for ICMP DstP holds type*256+code):
       interface N
          ip route-cache flow          (on VIP-based platforms together with ip route-cache distributed)
       ip flow-export IP UDP_port      (optional: export the records to a collector)
       show ip cache flow
       Code Red worms (many TCP flows from one infected host to port 80 = 0x0050):
           show ip cache flow | include 0050
       Smurf attacks (many ICMP echo-reply flows, type 0 code 0 = 0000, converging on one victim):
           show ip cache flow | include 0000
       clear ip flow stats
       Both filters are coarse: 0050 also matches SrcP 0050, i.e. ordinary replies from web servers, so read the Pr/SrcP/DstP columns rather than counting matching lines.
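The two `include` filters above only show raw lines. The script below, an added example written for this page (not code from the InformIT article or from Cisco), parses a `show ip cache flow` snapshot and applies the same two signatures per host: one source opening TCP flows to port 80 on many destinations (Code Red), and many sources sending ICMP echo replies to one destination (smurf). The flow-cache text is constructed for the example, not captured from a router; the column layout follows the IOS output format.

```python
"""Classify a 'show ip cache flow' snapshot per host.

Added example for this page, not code from the InformIT article or from Cisco;
the flow-cache text below is constructed, not captured from a real router.
"""
from collections import defaultdict

# Constructed sample of 'show ip cache flow' output. Columns: source interface,
# source address, destination interface, destination address, protocol,
# source port, destination port, packets. Pr/SrcP/DstP are hexadecimal.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Se0/0         203.0.113.1     06 0F2A 0050     3
Fa0/0         10.1.1.5        Se0/0         203.0.113.2     06 0F2B 0050     3
Fa0/0         10.1.1.5        Se0/0         203.0.113.3     06 0F2C 0050     3
Fa0/0         10.1.1.5        Se0/0         203.0.113.4     06 0F2D 0050     3
Fa0/0         10.1.1.7        Se0/0         203.0.113.9     06 0E10 0050   120
Se0/0         203.0.113.9     Fa0/0         10.1.1.7        06 0050 0E10   115
Se0/0         198.51.100.10   Fa0/0         10.1.1.20       01 0000 0000   540
Se0/0         198.51.100.11   Fa0/0         10.1.1.20       01 0000 0000   533
Se0/0         198.51.100.12   Fa0/0         10.1.1.20       01 0000 0000   528
Se0/0         198.51.100.13   Fa0/0         10.1.1.20       01 0000 0000   519
Se0/0         198.51.100.14   Fa0/0         10.1.1.20       01 0000 0000   502
Se0/0         192.0.2.44      Fa0/0         10.1.1.30       11 0035 A1B2     2
"""

PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_ECHO_REPLY = 0x0000   # type 0, code 0, as IOS encodes it in the DstP column
HTTP = 0x0050


def parse_flow_cache(text):
    """Return one dict per flow line; the header and any summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = fields
        try:
            flows.append({
                "src": src, "dst": dst,
                "proto": int(proto, 16), "sport": int(sport, 16),
                "dport": int(dport, 16), "pkts": int(pkts),
            })
        except ValueError:        # the column header line is not hexadecimal
            continue
    return flows


def scanners_to_port(flows, port=HTTP, min_targets=3):
    """Sources with TCP flows to `port` on at least min_targets distinct hosts
    (the Code Red signature: one infected host probing many web servers).
    Legitimate web replies carry 0050 as the *source* port and are not counted."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == PROTO_TCP and f["dport"] == port:
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def echo_reply_victims(flows, min_sources=3):
    """Destinations receiving ICMP echo replies from at least min_sources distinct
    hosts (the smurf signature: an amplifier network answering a spoofed echo).
    Returns {victim: (distinct_sources, packets)}."""
    sources = defaultdict(set)
    pkts = defaultdict(int)
    for f in flows:
        if f["proto"] == PROTO_ICMP and f["dport"] == ICMP_ECHO_REPLY:
            sources[f["dst"]].add(f["src"])
            pkts[f["dst"]] += f["pkts"]
    return {dst: (len(s), pkts[dst]) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = parse_flow_cache(SAMPLE_FLOW_CACHE)
    print("port-80 scanners:", scanners_to_port(flows))
    print("echo-reply targets:", echo_reply_victims(flows))
```

Paste the output of `show ip cache flow` from a real router in place of the constructed sample; the thresholds (3 targets, 3 sources) are deliberately low for the small sample and should be raised on a busy link.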

   TCP SYN flood attacks (TCP Intercept; its configuration is given in the Protection section below):
        show tcp intercept statistics
        show tcp intercept connections
        debug ip tcp intercept          (use only briefly: debug output during a flood can itself exhaust the CPU)

Protection:
   Cisco Express Forwarding (CEF) switching: keep forwarding at the interrupt level (CEF is enabled globally with ip cef, or ip cef distributed on VIP-based platforms) and reserve some CPU time for the process level, so that routing protocols, management sessions and the console stay alive during a flood:
       scheduler interval Num_of_milliseconds                           (older platforms: run process-level tasks at least every N ms)
       scheduler allocate Interrupt_microseconds Process_microseconds    (7200/7500-class platforms: time for interrupt handling vs. for process-level tasks; both values are in microseconds, not milliseconds)
   
   TCP SYN flood attacks (TCP Intercept)
        Syntax (defaults in parentheses)
        access-list N permit tcp any host Server_IP [eq port]   (the ACL selects the destination servers that Intercept protects)
        ip tcp intercept list N
        ip tcp intercept mode {intercept | watch}       (intercept: the router completes the handshake on the server's behalf; watch: connections pass through, and half-open ones that outlive watch-timeout are reset)
        ip tcp intercept watch-timeout {seconds}        (30)
        ip tcp intercept finrst-timeout {seconds}       (5)
        ip tcp intercept connection-timeout {seconds}   (86400)
        ip tcp intercept max-incomplete high {N}        (1100)
        ip tcp intercept max-incomplete low {N}         (900)
        ip tcp intercept one-minute high {N}            (1100)
        ip tcp intercept one-minute low {N}             (900)
        ip tcp intercept drop-mode {oldest | random}    (oldest)
        show tcp intercept statistics
        show tcp intercept connections
        debug ip tcp intercept
        Aggressive mode starts when either the number of half-open connections exceeds max-incomplete high or the number of attempts in the last minute exceeds one-minute high; it ends only when both are back below their low values. While aggressive, every new attempt evicts one existing half-open entry (oldest or random, per drop-mode) and the timeouts are halved.

       Example (watch mode protecting a web server and a mail server; aggressive mode above 600 half-open connections or 800 attempts per minute, normal mode again below 500 and 600):
       access-list 100 permit tcp any host 192.1.1.1 eq 80
       access-list 100 permit tcp any host 192.1.1.2 eq 25
       ip tcp intercept list 100
       ip tcp intercept mode watch
       ip tcp intercept watch-timeout 20
       ip tcp intercept connection-timeout 120
       ip tcp intercept max-incomplete high 600
       ip tcp intercept max-incomplete low 500
       ip tcp intercept one-minute high 800
       ip tcp intercept one-minute low 600

   CBAC (Context-Based Access Control) and DoS attacks
      Syntax (defaults in parentheses; these global timers and thresholds act only on traffic that an inspection rule, ip inspect name ... applied to an interface with ip inspect ... in|out, actually examines):
       ip inspect tcp synwait-time {seconds}           (30)
       ip inspect tcp finwait-time {seconds}           (5)
       ip inspect tcp idle-time {seconds}              (3600)
       ip inspect udp idle-time {seconds}              (30)
       ip inspect dns-timeout {seconds}                (5)
       ip inspect max-incomplete high {number}         (500)
       ip inspect max-incomplete low {number}          (400)
       ip inspect one-minute high {number}             (500)
       ip inspect one-minute low {number}              (400)
       ip inspect tcp max-incomplete host {number} block-time {minutes}   (50, 0)
       The high/low pairs work as for TCP Intercept: above a high value CBAC starts deleting half-open sessions as new ones arrive, until both counts are below their low values. The per-host limit applies to half-open sessions toward one destination; with block-time 0 the oldest one is deleted for each new attempt, with block-time N all new attempts to that host are refused for N minutes.

       Example (tighter than the defaults: a handshake has 20 s to complete, and a single host may have at most 300 half-open sessions before the oldest are dropped):
       ip inspect tcp synwait-time 20
       ip inspect tcp idle-time 60
       ip inspect udp idle-time 20
       ip inspect max-incomplete high 400
       ip inspect max-incomplete low 300
       ip inspect one-minute high 600
       ip inspect one-minute low 500
       ip inspect tcp max-incomplete host 300 block-time 0

   Rate limiting:
       Stop generating ICMP unreachables on an interface altogether (otherwise an attacker can use the router as an unreachable generator, and it also helps to hide the network from mapping):
       interface N
           no ip unreachables

       Or limit how often the router sends them, one unreachable per interval (default 500 ms); the df keyword limits only the "fragmentation needed and DF set" messages, which path MTU discovery depends on:
       ip icmp rate-limit unreachable [df] {milliseconds}
       For example: ip icmp rate-limit unreachable 1000

       Committed Access Rate (CAR): bps is the average rate in bits per second, burst_normal and burst_max are token-bucket sizes in bytes; with burst_max equal to burst_normal there is no extended burst:
       interface N
           rate-limit {input | output} [access-group [rate-limit] acl-index] {bps} {burst_normal}
                          {burst_max} conform-action {action} exceed-action {action}
       Example 1 (ICMP echo and echo-reply limited to 64 kbps):
       interface serial0
           rate-limit output access-group 100 64000 4000 4000 conform-action transmit exceed-action drop
       access-list 100 permit icmp any any echo
       access-list 100 permit icmp any any echo-reply

       Example 2 (web traffic: packets of established connections get the full T1, new connection attempts, i.e. SYNs, only 64 kbps; rate-limit statements are evaluated in order and the first match wins, which is why the established entry comes first; WEB_SERVER_IP stands for the protected server's address):
       access-list 100 permit tcp any host WEB_SERVER_IP eq www established
       access-list 101 permit tcp any host WEB_SERVER_IP eq www
       interface serial0
           rate-limit output access-group 100 1544000 64000 64000
                          conform-action transmit exceed-action drop
           rate-limit output access-group 101 64000 16000 16000
                          conform-action transmit exceed-action drop
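What the three numbers of a rate-limit statement actually allow through is easiest to see on a token bucket. The script below is an added example written for this page (not IOS code and not from the InformIT article): it models the case both examples above use, burst_max equal to burst_normal, where there is no extended burst, tokens refill at bps/8 bytes per second up to burst_normal bytes, and a packet conforms if the bucket holds at least its size. Timestamps are whole milliseconds and the arithmetic is exact so the counts are reproducible; the assumed flood (1000 pings/s of 100 bytes) is constructed for the example.

```python
"""Token-bucket model of a CAR statement such as
    rate-limit output access-group 100 64000 4000 4000 conform-action transmit exceed-action drop

Added example for this page, not IOS code. Only the burst_max == burst_normal
case (no extended burst) is modelled.
"""
from fractions import Fraction


def rate_limit(packets, bps, burst_normal):
    """packets: iterable of (time_ms, size_bytes) in arrival order.
    Returns (conform_count, exceed_count, leftover_tokens_bytes)."""
    refill_per_ms = Fraction(bps, 8 * 1000)   # bits/s -> bytes per millisecond
    tokens = Fraction(burst_normal)           # the bucket starts full
    last_ms = None
    conform = exceed = 0
    for t_ms, size in packets:
        if last_ms is not None:
            # refill for the time elapsed since the previous packet, capped at the bucket size
            tokens = min(Fraction(burst_normal), tokens + refill_per_ms * (t_ms - last_ms))
        last_ms = t_ms
        if tokens >= size:
            tokens -= size
            conform += 1
        else:
            exceed += 1       # exceed-action drop: a dropped packet consumes no tokens
    return conform, exceed, int(tokens)


def ping_flood(pps, seconds, size=100):
    """Constructed steady flood: pps packets of `size` bytes per second, evenly spaced."""
    step = 1000 // pps
    return [(i * step, size) for i in range(pps * seconds)]


if __name__ == "__main__":
    # 1000 pings/s of 100 bytes (800 kbit/s) against the 64 kbit/s, 4000-byte policy:
    # 40 packets from the initial burst allowance, then 8 bytes/ms sustained
    print(rate_limit(ping_flood(1000, 1), 64000, 4000))       # (119, 881, 92)
    # a 50-packet burst, one second of silence, then a 40-packet burst
    burst = [(0, 100)] * 50 + [(1000, 100)] * 40
    print(rate_limit(burst, 64000, 4000))                      # (80, 10, 0)
```

Reading the first result: the 4000-byte burst_normal admits 40 full-size pings instantly, after which the 64 kbps rate admits about 80 per second, so a sustained 1000 pps flood is cut to roughly 120 packets in its first second and 80 in every later one. Raising burst_normal changes only the first number; raising bps changes the steady state.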

   Odds and ends:
       interface N
           no ip directed-broadcast      (per interface; stops the router acting as a smurf amplifier; the default since IOS 12.0)
       no service tcp-small-servers
       no service udp-small-servers      (echo, chargen, discard, daytime: classic reflection and loop targets)
 
22.10.2004, Source: http://www.informit.com/articles/ar...
Keys: cisco, flood, acl, dos, security / License: CC-BY