
Title: Cisco ISP Essentials
File Size: 985.3 KB
Total Pages: 182
Page 92

Wednesday, June 06, 2001

Cisco Systems Inc 92
170 West Tasman Drive.
San Jose, CA 95134-1706
Phone: +1 408 526-4000
Fax: +1 408 536-4100

no ip redirects
no ip directed-broadcast
no ip proxy-arp
ip verify unicast reverse-path
ip access-group 111 in
ip access-group 110 out
!
! ACL 110 (applied outbound): only packets sourced from the ISP's own block 165.21.0.0/16 may leave
access-list 110 permit ip 165.21.0.0 0.0.255.255 any
access-list 110 deny ip any any log
!
! ACL 111 (applied inbound): drop arriving packets that claim an impossible or spoofed source
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 165.21.0.0 0.0.255.255 any log
access-list 111 permit ip any any
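As an added illustration (this is not code from the book or from Cisco), a small Python evaluator for the two access lists above: it parses Cisco wildcard-mask entries, applies first-match semantics with the implicit trailing deny, and checks that the inbound list rejects packets claiming a source inside the ISP's own block or a private or loopback range, while the outbound list releases only the ISP's own prefix. The packet addresses used in the checks (198.51.100.x, 10.1.2.3, 127.0.0.1) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the two access lists shown above (standard Cisco wildcard-mask syntax).
ACL_TEXT = """\
access-list 110 permit ip 165.21.0.0 0.0.255.255 any
access-list 110 deny ip any any log
access-list 111 deny ip host 0.0.0.0 any log
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip 165.21.0.0 0.0.255.255 any log
access-list 111 permit ip any any
"""


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, index of the next unconsumed token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard is the inverse of a netmask: 0 bits must match, 1 bits are ignored.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = (~wildcard) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard not supported: {tokens[i + 1]}")
    return ipaddress.IPv4Network((tokens[i], prefixlen), strict=False), i + 2


def parse_acls(text):
    """Return {acl_number: [Entry, ...]} in the order the entries appear (order matters)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue                 # only the 'ip' protocol form used on this page
        number, action = t[1], t[2]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        log = i < len(t) and t[i] == "log"
        acls.setdefault(number, []).append(Entry(action, src, dst, log))
    return acls


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny any any'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action, e.log
    return "deny", False


def spoof_checks(acls):
    """Exercise the filters with constructed packets: inbound (111) must drop sources that
    cannot legitimately arrive from upstream, outbound (110) must release only 165.21.0.0/16."""
    ingress, egress = acls["111"], acls["110"]
    return {
        "ingress_claims_own_prefix": evaluate(ingress, "165.21.4.9", "198.51.100.1")[0],
        "ingress_rfc1918_source": evaluate(ingress, "10.1.2.3", "165.21.0.10")[0],
        "ingress_loopback_source": evaluate(ingress, "127.0.0.1", "165.21.0.10")[0],
        "ingress_legitimate": evaluate(ingress, "198.51.100.7", "165.21.0.10")[0],
        "egress_own_prefix": evaluate(egress, "165.21.0.10", "198.51.100.7")[0],
        "egress_spoofed_source": evaluate(egress, "10.1.2.3", "198.51.100.7")[0],
    }


if __name__ == "__main__":
    for name, verdict in spoof_checks(parse_acls(ACL_TEXT)).items():
        print(f"{name:28s} {verdict}")
```

The evaluator only models the `ip` protocol form and contiguous wildcards, which is all this page uses; it is a way to regression-test a border filter offline before pushing it, not a substitute for the router's own matching.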



Other Considerations
This example used a very simple single-homed ISP to demonstrate the concepts of ingress/egress filters. Be mindful that
ISPs are usually not single-homed (or if they are, they soon become multihomed). Hence, provisions for asymmetrical
flows26 need to be designed into the filters on the ISP’s borders.



Committed Access Rate (CAR) to Rate Limit or Drop Packets27

Why use a QoS Tool for Security?
The use of a QoS tool like Committed Access Rate (CAR) for security is an unintended result of the types of attacks seen on the Internet. In
1997 a new generation of attacks was launched on the Internet – SMURFs. The “smurf” attack is a specific Denial of
Service (DoS) attack, named after its exploit program. It is a recent category of network-level attacks against hosts. A
perpetrator sends a large amount of ICMP echo (ping) traffic to specific IP broadcast addresses. All the ICMP echo
packets carry the spoofed source address of a victim. If the routing device delivering traffic to those broadcast
addresses performs the IP broadcast to layer 2, then the ICMP broadcast is forwarded to every host on the layer 2
medium (see Figure 30). Most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply.
This multiplies the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially
be hundreds of machines replying to each packet.

The “smurf” attack’s cousin is “fraggle”, which uses UDP echo packets in the same fashion as the ICMP echo packets; it
was a simple re-write of the “smurf” programme. Currently, the systems most commonly hit are Internet Relay Chat (IRC)
servers and their providers.

Two parties are hurt by this attack:


• The intermediary (broadcast) devices – called the “amplifiers”
• The spoofed address target – the “victim”


The victim is the target of the large amount of traffic that the amplifiers generate.
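The amplification described above leaves a recognisable trace in flow records on both sides of the bounce. The following Python is an added example, not part of Craig Huegen’s material or of the book: it runs two checks over a constructed set of flow records. The first flags echo requests (and, for the “fraggle” variant, UDP echo datagrams) addressed to the directed-broadcast address of one of our own subnets, which is the amplifier-side sign of abuse. The second groups echo replies leaving our network by destination and reports a destination that many of our hosts answer at volume, which is the amplified stream heading for the victim. The subnet 192.0.2.0/24, the addresses 203.0.113.50, 198.51.100.x, the packet counts and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Our own address space (constructed; TEST-NET-1 documentation range).
LOCAL_SUBNETS = [ipaddress.IPv4Network("192.0.2.0/24")]

# Constructed flow records, one per (source, destination) aggregate. Not real traffic.
FLOWS = [
    {"src": "203.0.113.50", "dst": "192.0.2.255", "proto": "icmp", "type": 8, "pkts": 4000},  # echo request to our broadcast
    {"src": "192.0.2.10", "dst": "203.0.113.50", "proto": "icmp", "type": 0, "pkts": 3900},   # replies: three of our hosts
    {"src": "192.0.2.11", "dst": "203.0.113.50", "proto": "icmp", "type": 0, "pkts": 3950},   #   all answer toward one
    {"src": "192.0.2.12", "dst": "203.0.113.50", "proto": "icmp", "type": 0, "pkts": 3800},   #   (spoofed) address
    {"src": "203.0.113.50", "dst": "192.0.2.255", "proto": "udp", "dport": 7, "pkts": 1200},  # fraggle: UDP echo to broadcast
    {"src": "192.0.2.12", "dst": "198.51.100.3", "proto": "icmp", "type": 0, "pkts": 5},      # ordinary single reply
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "icmp", "type": 8, "pkts": 3},      # ordinary unicast ping
]


def amplifier_abuse(flows, subnets):
    """Amplifier-side check: ICMP echo requests (type 8) or UDP echo datagrams (port 7)
    addressed to the directed-broadcast address of one of our subnets. Nothing legitimate
    does this from outside, so each hit is a bounce attempt aimed at someone else."""
    broadcasts = {n.broadcast_address for n in subnets}
    hits = []
    for f in flows:
        echo_req = f["proto"] == "icmp" and f.get("type") == 8
        udp_echo = f["proto"] == "udp" and f.get("dport") == 7
        if (echo_req or udp_echo) and ipaddress.IPv4Address(f["dst"]) in broadcasts:
            hits.append((f["proto"], f["src"], f["dst"], f["pkts"]))
    return hits


def reply_fanin(flows, min_sources=3, min_packets=1000):
    """Victim-side signature as seen leaving our network: many of our hosts sending echo
    replies to the same destination at volume. Returns {dst: (distinct_sources, packets)}."""
    by_dst = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f["proto"] == "icmp" and f.get("type") == 0:
            by_dst[f["dst"]][0].add(f["src"])
            by_dst[f["dst"]][1] += f["pkts"]
    return {dst: (len(srcs), pkts) for dst, (srcs, pkts) in by_dst.items()
            if len(srcs) >= min_sources and pkts >= min_packets}


def amplified_rate_kbps(attack_kbps, responders):
    """Rate the victim receives if every host on the bounce segment answers each request
    with a reply of the same size (an echo reply mirrors the request payload)."""
    return attack_kbps * responders


if __name__ == "__main__":
    print("bounce attempts:", amplifier_abuse(FLOWS, LOCAL_SUBNETS))
    print("fan-in toward:", reply_fanin(FLOWS))
    print("768 kb/s x 100 responders =", amplified_rate_kbps(768, 100), "kb/s")
```

The first check never fires on a segment whose router carries `no ip directed-broadcast`, as in the configuration earlier on this page, because the request is dropped before it reaches layer 2; the second check is the one that still matters when the amplifier is somebody else’s network and the replies are arriving at yours.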

Consider a scenario that illustrates the dangerous nature of this attack. Assume a co-location switched network
with 100 hosts, and that the attacker has a T1 circuit. The attacker sends, say, a 768kb/s stream of ICMP echo (ping)
packets, with a spoofed source address of the victim, to the broadcast address of the “bounce” or amplifier site. These ping
packets hit the bounce site’s broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100


26 Asymmetrical Flows are when the outbound traffic goes out one link and returns via a different link.
27 This section is an edited version of Craig A. Huegen’s work on SMURF and FRAG protection. For the latest information, please refer to Craig’s page at
http://www.pentics.net/. Craig can be contacted at [email protected]
