【实验说明】
使用 CBAC 配置来预防 SYN-Flooding (DOS)攻击;
本实验类似于使用 ip tcp intercept ,但是 CBAC 不仅可以控制TCP,而且可以控制UDP、ICMP等协议;
UDP的DOS攻击的判断方式为:判断连接有无返回流量;
同时CBAC还可以判断单个主机在特定时间内的的半开连接数。
【实验拓扑】
ISO:
c7200-adventerprisek9-mz.124-24.T3.bin
【实验配置向导】
- 使用CBAC ,创建TCP 拦截规则 DOS_MITIGATION
- 配置CBAC 总的半开连接,当他们的数量到达1200 会话时,路由器开始丢弃连接,直到半开连接降低到1000时停止
- 配置CBAC 1分钟内的半开连接,当每分钟半开连接到达300时开始丢弃连接,直到半开连接降低到100时停止
- 配置CBAC 阻止任何5分钟内半开连接超过50的主机
【实验配置】
R1:
interface FastEthernet1/0
ip address 12.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 12.1.1.2
R2:
interface FastEthernet1/0
ip address 12.1.1.2 255.255.255.0
no sh
!
interface FastEthernet1/1
ip address 23.1.1.2 255.255.255.0
no sh
ip inspect DOS out
!配置总的半开连接数,超过1200时丢弃,截止1000;
ip inspect max-incomplete high 1200
ip inspect max-incomplete low 1000
!配置1分钟内半开连接数,超过300时丢弃,截止100;
ip inspect one-minute low 100
ip inspect one-minute high 300
!配置远端主机在5分钟内的半开连接数超过50时丢弃新会话
ip inspect tcp max-incomplete host 50 block-time 5
ip inspect name DOS tcp
R3:
interface FastEthernet1/0
ip address 23.1.1.3 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 23.1.1.2
R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [100 : 300] connections
max-incomplete sessions thresholds are [1000 : 1200]
max-incomplete tcp connections per host is 50. Block-time 5 minutes.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name DOS
tcp alert is on audit-trail is off timeout 3600
Interface Configuration
Interface FastEthernet1/1
Inbound inspection rule is not set
Outgoing inspection rule is DOS
tcp alert is on audit-trail is off timeout 3600
Inbound access list is not set
Outgoing access list is not set
R2#debug ip inspect protocol tcp
INSPECT TCP Inspection debugging is on
R2#debug ip inspect event
INSPECT special events debugging is on
R1#debug ip tcp transactions
TCP special event debugging is on
R3(config)#int f1/0
R3(config-if)#shutdown
R1#telnet 23.1.1.3
Trying 23.1.1.3 ...
*Jul 19
21:43:26.095: TCB680DA55C created
*Jul 19 21:43:26.095: TCB680DA55C setting property TCP_VRFTABLEID (20) 680DDA74
*Jul 19 21:43:26.095: TCB680DA55C setting property TCP_TOS (11) 680DDA10
*Jul 19 21:43:26.099: TCB680DA55C setting property TCP_RTRANSTMO (31) 680DD940
*Jul 19 21:43:26.099: TCB680DA55C setting property TCP_GIVEUP (34) 680DD944
*Jul 19 21:43:26.099: TCP: Random local port generated 42311, network 1
*Jul 19 21:43:26.099: TCB680DA55C bound to UNKNOWN.42311
*Jul 19 21:43:26.099: TCB680DA55C setting property unknown (24) 680DD970
*Jul 19 21:43:26.103: Reserved port 42311 in Transport Port Agent for TCP IP type 1
*Jul 19 21:43:26.103: TCP: sending SYN, seq 3266893338, ack 0
*Jul 19 21:43:26.107: TCP0: Connection to 23.1.1.3:23, advertising MSS 536
*Jul 19 21:43:26.107: TCP0: state was CLOSED -> SYNSENT [42311 -> 23.1.1.3(23)]
*Jul 19 21:43:28.107: 12.1.1.1:42311 <---> 23.1.1.3:23 congestion window changes
*Jul 19 21:43:28.107: cwnd from 536 to 536, ssthresh from 65535 to 1072
*Jul 19 21:43:28.111: TCP0: timeout #1 - timeout is 4000 ms, seq 3266893338
*Jul 19 21:43:32.107: TCP0: timeout #2 - timeout is 8000 ms, seq 3266893338
*Jul 19 21:43:40.107: TCP0: timeout #3 - timeout is 16000 ms, seq 3266893338
% Connection timed out; remote host not responding
*Jul 19 21:43:56.107: Released port 42311 in Transport Port Agent for TCP IP type 1 delay 240000
*Jul 19 21:43:56.107: TCP0: state was SYNSENT -> CLOSED [42311 -> 23.1.1.3(23)]
*Jul 19 21:43:56.111: TCB 0x680DA55C destroyed
*Jul 19 21:43:26.255: FIREWALL* sis 6768C270 pak 66BD92FC SIS_CLOSED/LISTEN TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
R2#
*Jul 19 21:43:28.123: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:28.127: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:32.119: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:32.119: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:40.143: FIREWALL* sis 6768C270 pak 66BD92FC SIS_OPENING/SYNSENT TCP SYN SEQ 3266893338 LEN 0 (12.1.1.1:42311) => (23.1.1.3:23)
*Jul 19 21:43:40.143: FIREWALL* sis 6768C270 L4 inspect result: SKIP packet 66BD92FC (12.1.1.1:42311) (23.1.1.3:23) bytes 0 ErrStr = Retransmitted Segment tcp
*Jul 19 21:43:56.231: FIREWALL sent a TCP pkt (23.1.1.3:23) tcp flag:0x4 -> 12.1.1.1:42311 seq 0 ack 0 wnd 4128, FastEthernet1/1
*Jul 19 21:43:56.231: FIREWALL sent a TCP pkt (12.1.1.1:42311) tcp flag:0x4 -> 23.1.1.3:23 seq 3266893339 ack 0 wnd 0, FastEthernet1/0
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/991711