DoS Attacks Prevention with CBAC

简介:


 

【实验说明】

使用 CBAC 配置来预防 SYN-Flooding (DOS)攻击;
本实验类似于使用 ip tcp intercept ,但是 CBAC 不仅可以控制TCP,而且可以控制UDP、ICMP等协议;
UDP的DOS攻击的判断方式为:判断连接有无返回流量;
同时CBAC还可以判断单个主机在特定时间内的的半开连接数。

 
【实验拓扑】
ISO: c7200-adventerprisek9-mz.124-24.T3.bin
 

 

【实验配置向导】

 
  • 使用CBAC ,创建TCP 拦截规则 DOS_MITIGATION
  • 配置CBAC 总的半开连接,当他们的数量到达1200 会话时,路由器开始丢弃连接,直到半开连接降低到1000时停止
  • 配置CBAC 1分钟内的半开连接,当每分钟半开连接到达300时开始丢弃连接,直到半开连接降低到100时停止
  • 配置CBAC 阻止任何5分钟内半开连接超过50的主机

 
【实验配置】
R1:
interface FastEthernet1/0
ip address 12.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2:
interface FastEthernet1/0
ip address 12.1.1.2 255.255.255.0
no sh
!
interface FastEthernet1/1
ip address 23.1.1.2 255.255.255.0
no sh
ip inspect DOS out
!配置总的半开连接数,超过1200时丢弃,截止1000;
ip inspect max-incomplete high 1200
ip inspect max-incomplete low 1000
!配置1分钟内半开连接数,超过300时丢弃,截止100;
ip inspect one-minute low 100
ip inspect one-minute high 300
!配置远端主机在5分钟内的半开连接数超过50时丢弃新会话
ip inspect tcp max-incomplete host 50 block-time 5
ip inspect name DOS tcp

 
R3:
interface FastEthernet1/0
ip address 23.1.1.3 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 23.1.1.2

 

 
【实验验证】

 
R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [100 : 300] connections
max-incomplete sessions thresholds are [1000 : 1200]
max-incomplete tcp connections per host is 50. Block-time 5 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name DOS
tcp alert is on audit-trail is off timeout 3600

Interface Configuration
Interface FastEthernet1/1
Inbound inspection rule is not set
Outgoing inspection rule is DOS
tcp alert is on audit-trail is off timeout 3600
Inbound access list is not set
Outgoing access list is not set

 
R2#debug ip inspect protocol tcp
INSPECT TCP Inspection debugging is on

R2#debug ip inspect event
INSPECT special events debugging is on

R1#debug ip tcp transactions
TCP special event debugging is on

R3(config)#int f1/0
R3(config-if)#shutdown

R1#telnet 23.1.1.3
Trying 23.1.1.3 ...
*Jul 19  21:43:26.095: TCB680DA55C created
*Jul 19 21:43:26.095: TCB680DA55C setting property TCP_VRFTABLEID (20) 680DDA74
*Jul 19 21:43:26.095: TCB680DA55C setting property TCP_TOS (11) 680DDA10
*Jul 19 21:43:26.099: TCB680DA55C setting property TCP_RTRANSTMO (31) 680DD940
*Jul 19 21:43:26.099: TCB680DA55C setting property TCP_GIVEUP (34) 680DD944
*Jul 19 21:43:26.099: TCP: Random local port generated 42311, network 1
*Jul 19 21:43:26.099: TCB680DA55C bound to UNKNOWN.42311
*Jul 19 21:43:26.099: TCB680DA55C setting property unknown (24) 680DD970
*Jul 19 21:43:26.103: Reserved port 42311 in Transport Port Agent for TCP IP type 1
*Jul 19 21:43:26.103: TCP: sending SYN, seq 3266893338, ack 0
*Jul 19 21:43:26.107: TCP0: Connection to 23.1.1.3:23, advertising MSS 536
*Jul 19 21:43:26.107: TCP0: state was CLOSED -> SYNSENT [42311 -> 23.1.1.3(23)]
*Jul 19 21:43:28.107: 12.1.1.1:42311 <---> 23.1.1.3:23 congestion window changes
*Jul 19 21:43:28.107: cwnd from 536 to 536, ssthresh from 65535 to 1072
*Jul 19 21:43:28.111: TCP0: timeout #1 - timeout is 4000 ms, seq 3266893338
*Jul 19 21:43:32.107: TCP0: timeout #2 - timeout is 8000 ms, seq 3266893338
*Jul 19 21:43:40.107: TCP0: timeout #3 - timeout is 16000 ms, seq 3266893338
% Connection timed out; remote host not responding
*Jul 19 21:43:56.107: Released port 42311 in Transport Port Agent for TCP IP type 1 delay 240000
*Jul 19 21:43:56.107: TCP0: state was SYNSENT -> CLOSED [42311 -> 23.1.1.3(23)]
*Jul 19 21:43:56.111: TCB 0x680DA55C destroyed
*Jul 19 21:43:26.255: FIREWALL* sis 6768C270 pak 66BD92FC SIS_CLOSED/LISTEN TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)

 

 

 
R2#
*Jul 19 21:43:28.123: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:28.127: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:32.119: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:32.119: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:40.143: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:40.143: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:56.231: FIREWALL sent a TCP pkt (23.1.1.3:23) tcp flag:0x4 -> 12.1.1.1:42311 seq 0 ack 0 wnd 4128, FastEthernet1/1
*Jul 19 21:43:56.231: FIREWALL sent a TCP pkt (12.1.1.1:42311) tcp flag:0x4 -> 23.1.1.3:23 seq 3266893339 ack 0 wnd 0, FastEthernet1/0

 


本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/991711
相关文章
|
6月前
|
存储 Shell Linux
【Shell 命令集合 磁盘维护 】Linux 创建DOS文件系统 mkdosfs命令使用指南
【Shell 命令集合 磁盘维护 】Linux 创建DOS文件系统 mkdosfs命令使用指南
91 2
|
6月前
|
关系型数据库 数据库连接 Windows
windows 常用的dos命令
windows 常用的dos命令
134 0
|
6月前
|
关系型数据库 MySQL 数据库
Python tk dos命令备份mysql数据库
Python tk dos命令备份mysql数据库
59 0
|
6月前
|
Java 程序员 Shell
Java(一)java跨平台原理及dos常用命令
Java(一)java跨平台原理及dos常用命令
50 1
|
6月前
|
算法 Linux Shell
【Shell 命令集合 磁盘管理 】Linux 于挂入MS-DOS文件系统 mmount 命令使用指南
【Shell 命令集合 磁盘管理 】Linux 于挂入MS-DOS文件系统 mmount 命令使用指南
94 0
|
6月前
|
存储 Linux Shell
【Shell 命令集合 磁盘维护 】Linux 创建MS-DOS文件系统 mkfs.msdos命令使用教程
【Shell 命令集合 磁盘维护 】Linux 创建MS-DOS文件系统 mkfs.msdos命令使用教程
95 0
|
12天前
|
Windows
DOS 批处理 setlocal命令、endlocal命令详解
setlocal这是一个命令,它开始局部化环境更改,通常在批处理文件中使用,以确保在脚本中所做的任何环境更改(例如设置或修改环境变量)不会影响到调用此批处理的上下文或其他批处理文件
|
25天前
|
Java Windows
JAVA 常用的 DOS 命令
【10月更文挑战第15天】DOS 命令是 Java 开发中不可或缺的工具,掌握这些命令可以提高开发效率和操作便利性。
36 3
|
3月前
|
监控 JavaScript 前端开发
JAVA常用的DOS命令
JAVA常用的DOS命令