Reference: http://www.ciscopress.com/articles/article.asp?p=345618&seqNum=4
Using a CBAC configuration to mitigate SYN-flooding (DoS) attacks.
This lab is similar to using ip tcp intercept, but CBAC can control not only TCP but also UDP, ICMP and other protocols.
For UDP, DoS is judged by whether a connection ever sees return traffic.
CBAC can also count the number of half-open connections from a single host within a given time window.
【Lab topology】
IOS: c7200-adventerprisek9-mz.124-24.T3.bin
【Configuration walkthrough】
- Use CBAC to create a TCP inspection rule named DOS_MITIGATION
- Configure the CBAC aggregate half-open connection thresholds: when the count reaches 1200 sessions the router starts deleting connections, and stops once the half-open count falls to 1000
- Configure the CBAC one-minute half-open connection thresholds: when the rate reaches 300 half-open connections per minute start deleting connections, and stop once it falls to 100
- Configure CBAC to block any host whose half-open connections exceed 50 within 5 minutes
【Lab configuration】
R1:
interface FastEthernet1/0
ip address 12.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2:
interface FastEthernet1/0
ip address 12.1.1.2 255.255.255.0
!
interface FastEthernet1/1
ip address 23.1.1.2 255.255.255.0
ip inspect DOS out
! aggregate half-open session count: start deleting above 1200, stop at 1000
ip inspect max-incomplete high 1200
ip inspect max-incomplete low 1000
! one-minute half-open session rate: start deleting above 300, stop at 100
ip inspect one-minute low 100
ip inspect one-minute high 300
! when a remote host's half-open sessions exceed 50 within 5 minutes, drop new sessions to it
ip inspect tcp max-incomplete host 50 block-time 5
ip inspect name DOS tcp
R3:
interface FastEthernet1/0
ip address 23.1.1.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 23.1.1.2
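To make the semantics of the three R2 knobs concrete, here is an added Python model of how CBAC accounts for half-open sessions: the max-incomplete high/low watermark pair with its hysteresis, and the per-destination-host limit with block-time. This is hypothetical code written for this page, not IOS code and not part of the original lab; the class and method names are assumptions, and the one-minute rate threshold is left out.

```python
from collections import Counter, OrderedDict


class CbacHalfOpenTracker:
    """Half-open (embryonic) TCP session accounting as the lab's R2 knobs describe it.

    Hypothetical model built for this page, not IOS code; the one-minute rate
    threshold is left out, and the destination port is ignored.
    """

    def __init__(self, max_high=1200, max_low=1000, host_max=50, block_minutes=5):
        self.max_high, self.max_low = max_high, max_low
        self.host_max, self.block_secs = host_max, block_minutes * 60
        self.half_open = OrderedDict()   # (src, sport, dst) -> SYN time, oldest first
        self.per_host = Counter()        # half-open sessions per destination host
        self.blocked_until = {}          # destination host -> time its block expires
        self.aggressive = False          # set above the high watermark, cleared below low

    def _forget(self, key):
        if self.half_open.pop(key, None) is not None:
            self.per_host[key[2]] -= 1

    def syn(self, src, sport, dst, now):
        """A SYN crosses the inspected interface; returns the action taken."""
        if self.blocked_until.get(dst, 0) > now:
            return "BLOCKED"             # host is still inside its block-time
        # max-incomplete host: exceeding it deletes that host's half-open sessions
        # and refuses new initiations to it for block-time minutes.
        if self.per_host[dst] + 1 > self.host_max:
            for key in [k for k in self.half_open if k[2] == dst]:
                self._forget(key)
            self.blocked_until[dst] = now + self.block_secs
            return "HOST_BLOCK"
        # max-incomplete high/low: crossing high enters aggressive mode, which
        # stays on until the count falls below low (hysteresis, not one threshold).
        if len(self.half_open) + 1 > self.max_high:
            self.aggressive = True
        action = "ALLOW"
        if self.aggressive and self.half_open:
            self._forget(next(iter(self.half_open)))   # delete the oldest to make room
            action = "ALLOW_DROP_OLDEST"
        self.half_open[(src, sport, dst)] = now
        self.per_host[dst] += 1
        return action

    def established(self, src, sport, dst):
        """Handshake completed (or the session timed out): no longer half-open."""
        self._forget((src, sport, dst))
        if self.aggressive and len(self.half_open) < self.max_low:
            self.aggressive = False
```

Feeding the model 1201 SYNs shows the count pinned at 1200 while the oldest sessions are deleted, and aggressive mode only clears once completed handshakes bring the count under 1000, which is why the low watermark matters.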
【Verification】
R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [100 : 300] connections
max-incomplete sessions thresholds are [1000 : 1200]
max-incomplete tcp connections per host is 50. Block-time 5 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name DOS
tcp alert is on audit-trail is off timeout 3600
Interface Configuration
Interface FastEthernet1/1
Inbound inspection rule is not set
Outgoing inspection rule is DOS
Inbound access list is not set
Outgoing access list is not set
R2#debug ip inspect protocol tcp
INSPECT TCP Inspection debugging is on
R2#debug ip inspect event
INSPECT special events debugging is on
R1#debug ip tcp transactions
TCP special event debugging is on
R3(config)#int f1/0
R3(config-if)#shutdown
R1#telnet 23.1.1.3
Trying 23.1.1.3 ...
*Jul 19 21:43:26.095: TCB680DA55C created
*Jul 19 21:43:26.095: TCB680DA55C setting property TCP_VRFTABLEID (20) 680DDA74
*Jul 19 21:43:26.095: TCB680DA55C setting property TCP_TOS (11) 680DDA10
*Jul 19 21:43:26.099: TCB680DA55C setting property TCP_RTRANSTMO (31) 680DD940
*Jul 19 21:43:26.099: TCB680DA55C setting property TCP_GIVEUP (34) 680DD944
*Jul 19 21:43:26.099: TCP: Random local port generated 42311, network 1
*Jul 19 21:43:26.099: TCB680DA55C bound to UNKNOWN.42311
*Jul 19 21:43:26.099: TCB680DA55C setting property unknown (24) 680DD970
*Jul 19 21:43:26.103: Reserved port 42311 in Transport Port Agent for TCP IP type 1
*Jul 19 21:43:26.103: TCP: sending SYN, seq 3266893338, ack 0
*Jul 19 21:43:26.107: TCP0: Connection to 23.1.1.3:23, advertising MSS 536
*Jul 19 21:43:26.107: TCP0: state was CLOSED -> SYNSENT [42311 -> 23.1.1.3(23)]
*Jul 19 21:43:28.107: 12.1.1.1:42311 <---> 23.1.1.3:23 congestion window changes
*Jul 19 21:43:28.107: cwnd from 536 to 536, ssthresh from 65535 to 1072
*Jul 19 21:43:28.111: TCP0: timeout #1 - timeout is 4000 ms, seq 3266893338
*Jul 19 21:43:32.107: TCP0: timeout #2 - timeout is 8000 ms, seq 3266893338
*Jul 19 21:43:40.107: TCP0: timeout #3 - timeout is 16000 ms, seq 3266893338
% Connection timed out; remote host not responding
*Jul 19 21:43:56.107: Released port 42311 in Transport Port Agent for TCP IP type 1 delay 240000
*Jul 19 21:43:56.107: TCP0: state was SYNSENT -> CLOSED [42311 -> 23.1.1.3(23)]
*Jul 19 21:43:56.111: TCB 0x680DA55C destroyed
*Jul 19 21:43:26.255: FIREWALL* sis 6768C270 pak 66BD92FC SIS_CLOSED/LISTEN TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
R2#
*Jul 19 21:43:28.123: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:28.127: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:32.119: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:32.119: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:40.143: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:40.143: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:56.231: FIREWALL sent a TCP pkt (23.1.1.3:23) tcp flag:0x4 -> 12.1.1.1:42311 seq 0 ack 0 wnd 4128, FastEthernet1/1
*Jul 19 21:43:56.231: FIREWALL sent a TCP pkt (12.1.1.1:42311) tcp flag:0x4 -> 23.1.1.3:23 seq 3266893339 ack 0 wnd 0, FastEthernet1/0