Refer to the following illustration:
Behind a Client is a person who orchestrates an attack. A Handler is a compromised host running a special program; each handler is capable of controlling multiple agents. An Agent is a compromised host that is also running a special program; each agent is responsible for generating a stream of packets directed toward the intended victim.
Attackers have been known to use the following four programs to launch DDoS attacks: Trinoo, TFN, TFN2K and Stacheldraht.
In order to facilitate DDoS, the attackers need several hundred to several thousand compromised hosts. The hosts are usually Linux and Sun computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. The process can be divided into the following steps, in which the attackers:
Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour.
Communication between clients, handlers and agents uses the following ports:
1524 tcp
27665 tcp
27444 udp
31335 udp
Important Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.
Communication between clients, handlers and agents uses ICMP ECHO and ICMP ECHO REPLY packets.
Communication between clients, handlers and agents uses the following ports:
16660 tcp
65000 tcp
ICMP ECHO
ICMP ECHO REPLY
Important Note: The ports listed above are the default ports for this tool. Use these ports for orientation and example only, because the port numbers can easily be changed.
Communication between clients, handlers and agents does not use any specific port (a port may be supplied at run time, or the program chooses one randomly) but is a combination of UDP, ICMP and TCP packets.
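An added example, not from the Cisco page: a small Python scan over constructed flow records that flags traffic on the default Trinoo and Stacheldraht ports listed above and counts unsolicited ICMP echo replies of the kind the TFN-family ICMP control channel produces. The record layout and field names are assumptions; as the page notes, the ports are only defaults, so a match is a lead, not proof.

```python
from collections import defaultdict

# Default control-channel ports from the page, labelled with the tool that
# uses them (Trinoo and Stacheldraht defaults; attackers can change them).
DEFAULT_PORTS = {
    ("tcp", 1524): "trinoo", ("tcp", 27665): "trinoo",
    ("udp", 27444): "trinoo", ("udp", 31335): "trinoo",
    ("tcp", 16660): "stacheldraht", ("tcp", 65000): "stacheldraht",
}

# Constructed flow records in an assumed NetFlow-like layout, in time order.
# ICMP records carry the type number (8 = echo request, 0 = echo reply).
FLOWS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": 80},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.7", "sport": 40001, "dport": 27665},
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.9", "sport": 1200, "dport": 27444},
    {"proto": "icmp", "src": "203.0.113.9", "dst": "198.51.100.7", "type": 0},
    {"proto": "icmp", "src": "203.0.113.9", "dst": "198.51.100.7", "type": 0},
    {"proto": "icmp", "src": "198.51.100.5", "dst": "192.0.2.10", "type": 8},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "198.51.100.5", "type": 0},
]

def port_hits(flows):
    """Flows whose source or destination port is a default handler/agent port.
    Returns (src, dst, tool, proto/port) tuples."""
    hits = []
    for f in flows:
        if f["proto"] not in ("tcp", "udp"):
            continue
        for port in (f["sport"], f["dport"]):
            tool = DEFAULT_PORTS.get((f["proto"], port))
            if tool:
                hits.append((f["src"], f["dst"], tool, f"{f['proto']}/{port}"))
                break
    return hits

def unsolicited_echo_replies(flows):
    """Count ICMP echo replies that no echo request from the peer preceded.
    TFN and Stacheldraht carry control traffic in ECHO / ECHO REPLY, so a
    host emitting replies nobody asked for is worth a look (heuristic only)."""
    requested = set()          # (requester, target) pairs seen so far
    counts = defaultdict(int)  # (replier, receiver) -> unsolicited replies
    for f in flows:
        if f["proto"] != "icmp":
            continue
        if f["type"] == 8:
            requested.add((f["src"], f["dst"]))
        elif f["type"] == 0 and (f["dst"], f["src"]) not in requested:
            counts[(f["src"], f["dst"])] += 1
    return dict(counts)
```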
For a detailed analysis of DDoS programs, read the following articles (Note: the following links point to external web sites not maintained by Cisco Systems):
The DoS Project's "trinoo" distributed denial of service attack tool
The "Tribe Flood Network" distributed denial of service attack tool
The "stacheldraht" distributed denial of service attack tool
Additional information regarding DDoS tools and their variants can be found at the Packet Storm web site's Index of Distributed Attack Tools.
This feature checks each packet that is routed into the router. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.
The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (leased line and dial-up). This protects your network and customers, as well as the rest of the Internet. To use Unicast RPF, enable CEF switching or CEF distributed switching in the router. There is no need to configure the input interface for CEF switching: as long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input-side function that is enabled on an interface or sub-interface and operates on packets received by the router.
It is very important for CEF to be turned on in the router; RPF will not work without CEF. Unicast RPF was first supported in 11.1(17)CC CEF 13 images on the RSP7000, 7200 and 7500 platforms. It is not supported in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that support CEF, including the AS5800. Hence, Unicast RPF can be configured on the PSTN/ISDN dial-up interfaces on the AS5800.
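The strict check described above, worked through in Python as an added example (not Cisco code): a longest-prefix lookup on a constructed forwarding table decides whether the best route to a packet's source address points back out the interface the packet arrived on. Interface names, prefixes and packets are constructed; no default route is included, so a source with no specific route back is dropped.

```python
import ipaddress

# Constructed forwarding table: (prefix, interface the prefix is reached via),
# standing in for the CEF entries the router would consult.
ROUTES = [
    ("198.51.100.0/24", "Serial0"),    # upstream / rest of the Internet
    ("203.0.113.0/24", "Ethernet1"),   # customer LAN
    ("203.0.113.64/26", "Ethernet2"),  # more specific customer subnet
    ("10.0.0.0/8", "Null0"),           # private space routed to nowhere
]

def best_route(table, addr):
    """Longest-prefix match for addr; returns the interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(table, src, ingress):
    """Strict Unicast RPF: forward only if the best route back to the
    source address leaves via the interface the packet came in on."""
    return "forward" if best_route(table, src) == ingress else "drop"

# Constructed packets as (source address, arrival interface).
PACKETS = [
    ("203.0.113.10", "Ethernet1"),  # legitimate customer host
    ("203.0.113.70", "Ethernet2"),  # legitimate, in the more specific /26
    ("203.0.113.70", "Ethernet1"),  # spoofed: that source lives behind Ethernet2
    ("198.51.100.1", "Ethernet1"),  # spoofed external source from the customer side
    ("198.51.100.1", "Serial0"),    # external source arriving from upstream: fine
    ("10.1.2.3", "Serial0"),        # private source; route points to Null0
]

def check_all(table, packets):
    """Apply the check to every packet; returns (src, ingress, verdict)."""
    return [(src, ingress, urpf_strict(table, src, ingress)) for src, ingress in packets]

if __name__ == "__main__":
    for src, ingress, verdict in check_all(ROUTES, PACKETS):
        print(f"{src:15} in {ingress:9} -> {verdict}")
```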
Refer to the following example:
interface xy
 ip access-group 101 in
!
! Drop inbound packets with private (RFC 1918) source addresses; permit the rest.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
Refer to the following example:
interface xy
 rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
!
access-list 2020 permit icmp any any echo-reply
For more information, refer to IOS Essential Features.
Refer to the following example:
interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
!
access-list 152 permit tcp any host
access-list 153 permit tcp any host
In the above example, replace:
Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
WARNING: It is recommended that you first measure the number of SYN packets during the normal state (before attacks occur) and use those values to set the limit. Review the numbers carefully before deploying this measure.
If a SYN attack is aimed at a particular host, consider installing an IP filtering package on that host. One such package is IP Filter, which can be found at http://coombs.anu.edu.au/ipfilter/. Refer to IP Filter Examples for implementation details.
tcpdump -i interface -s 1500 -w capture_file
snoop -d interface -o capture_file -s 1500
The MTU size in this example is 1500; change this parameter if the MTU is greater than 1500.
Preserve these logs as evidence for law enforcement.
For more information, read the following Internet Security Advisories:
All contents copyright © 1992--2000 Cisco Systems Inc.