
Re: Prevention of DOS Attacks



Hi

> OUTBOUND:  allow packets with src = (your netblock)
>            deny all others

Take a look at RPF or uRPF; they've done a lot of work to improve it.
Depending where/how you use it, it can break asynchronous routing, but then
again, you shouldn't have that anyway :)

Also, make sure that you blackhole things like RFC1918 address space.
Here's an example of something you can consider:

<snip>
! deny RFC1918 space
deny ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
deny ip 172.16.0.0 0.15.255.255 0.0.0.0 255.255.255.255
deny ip 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255
!
! deny IPv4 link-local addresses
deny ip 169.254.0.0 0.0.255.255 0.0.0.0 255.255.255.255
!
! deny IANA-defined test networks
deny ip 128.66.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255
!
deny ip 128.0.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 191.255.0.0 0.0.255.255 0.0.0.0 255.255.255.255
!
! deny last class C nets.  first class C net (192.0.0.0/24) is handled later.
deny ip 223.255.255.0 0.0.0.255 0.0.0.0 255.255.255.255
!
! deny various IANA-reserved nets:
!  net 1.0.0.0/8
deny ip 1.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
!
! deny 0.x.x.x/8
deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
!
permit ip any any
</snip>

tailor this to suit your needs.

You can find the latest version of the uRPF .pdf at
http://www.cisco.com/public/cons/isp/documents/ (IOS Essentials is a must
as well).

For other ideas, take a look at some of the papers by Rob Thomas
(http://www.cymru.com/~robt/Docs/Articles/) such as the Secure IOS
Template and if applicable, Secure BGP Template.

The above is mostly for Ciscos, but the ACL should be applicable
anywhere in principle. These are just steps to minimise the effects of a
DoS. There are many types of DoS. One suggestion might be to rate-limit
ICMP at ingress points to your network. This might not help if it's over an
analogue leased line, as the smallest rate-limit factor is 8K. Be careful
when messing with ICMP though, as it's used for path-MTU discovery
(http://www.worldgate.com/~marcs/mtu/).

Regards

--Rob
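Added example, not part of Rob's message or of any Cisco or Team Cymru material: a small Python model of the two controls the message recommends. It evaluates the quoted bogon ACL with Cisco wildcard-mask semantics (first match wins, implicit deny at the end) against sample source addresses, and it models strict and loose unicast RPF against a constructed FIB, including the asymmetric-routing case the message warns about, where strict mode drops legitimate traffic, and the default-route behaviour that IOS exposes through the `allow-default` keyword. The FIB, the interface names and the sample addresses are made up for the demonstration; the ACL text is the one quoted in the message with its comment lines dropped.

```python
"""Wildcard-mask ACL evaluation and a strict/loose uRPF model.

Added example, not code from the original post.  The FIB, interface names
and sample addresses are constructed for illustration only.
"""
import ipaddress

# The ACL as quoted in the message, comment lines removed.
# "0.0.0.0 255.255.255.255" as a destination is the same as "any".
POSTED_ACL = """
deny ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
deny ip 172.16.0.0 0.15.255.255 0.0.0.0 255.255.255.255
deny ip 192.168.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 169.254.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 128.66.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255
deny ip 128.0.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 191.255.0.0 0.0.255.255 0.0.0.0 255.255.255.255
deny ip 223.255.255.0 0.0.0.255 0.0.0.0 255.255.255.255
deny ip 1.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255
permit ip any any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST', where SRC/DST is 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (action, (src, src_wild), (dst, dst_wild)) as integers."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported entry: %r" % line)
    pairs, rest = [], tok[2:]
    while rest:
        if rest[0] == "any":
            pairs.append((0, 0xFFFFFFFF))
            rest = rest[1:]
        elif rest[0] == "host":
            pairs.append((_ip(rest[1]), 0))
            rest = rest[2:]
        else:
            pairs.append((_ip(rest[0]), _ip(rest[1])))
            rest = rest[2:]
    if len(pairs) != 2:
        raise ValueError("expected a source and a destination: %r" % line)
    return tok[0], pairs[0], pairs[1]


def wildcard_match(addr, base, wild):
    """Wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate_acl(acl_text, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for line in acl_text.strip().splitlines():
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(s, sb, sw) and wildcard_match(d, db, dw):
            return action
    return "deny"


# Constructed FIB: prefix -> egress interface.  Gi0/0 faces the upstream,
# Gi0/1 a single-homed customer, and Gi0/2 a peer whose traffic is
# asymmetric: we route to it via Gi0/2 but its packets reach us via Gi0/0.
FIB = {
    "203.0.113.0/24": "GigabitEthernet0/1",
    "198.51.100.0/24": "GigabitEthernet0/2",
    "0.0.0.0/0": "GigabitEthernet0/0",
}


def best_route(src, fib, allow_default=False):
    """Longest-prefix match.  The default route only counts when
    allow_default is set (the IOS 'allow-default' knob)."""
    addr = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_ok(src, ingress, fib, allow_default=False):
    """Strict mode: the best route back to the source must point out the
    interface the packet arrived on."""
    route = best_route(src, fib, allow_default)
    return route is not None and route[1] == ingress


def urpf_loose_ok(src, fib, allow_default=False):
    """Loose mode: any route to the source at all is enough."""
    return best_route(src, fib, allow_default) is not None
```

Two things worth noticing when you run it: a source such as 127.0.0.1 is permitted by the quoted excerpt, because the loopback, multicast and class E ranges are not in the part of the list that was pasted, so check the full list you deploy against the current bogon table rather than this fragment; and the 198.51.100.0/24 case shows the strict-mode problem the message mentions, where a legitimate but asymmetrically routed source is dropped while loose mode still accepts it.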


-----
This is the afnog mailing list, managed by Majordomo 1.94.4

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org