Pete's Packet

Limitless



QOS – Sec notes

Posted by Peter Kurdziel on June 23, 2009

1. DoS attack

!
ip tcp intercept list 101
ip tcp intercept connection-timeout 1800
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 600
ip tcp intercept max-incomplete high 800
ip tcp intercept mode watch
ip tcp intercept drop-mode random
access-list 101

2. NAT virtual interface

ip nat pool NATPOOL 150.50.5.3 150.50.5.255 netmask 255.255.255.0
ip nat source list 10 pool NATPOOL
int f0/0
ip add 150.50.4.8 255.255.255.0
ip nat enable
int s0/0
ip nat enable

R8(config-if)#do ping 150.50.5.3 source 150.50.4.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.50.5.3, timeout is 2 seconds:
Packet sent with a source address of 150.50.4.8
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4ms
R8(config-if)#do sho ip nat nvi tran
Pro Source global      Source local       Destin  local Destin  global
icmp 150.50.5.3:5      150.50.4.8:5       150.50.5.3:5 150.50.5.3:5
---  150.50.5.3         150.50.4.8         ---           ---

3. Configuring VLAN Maps

Step 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section and the “Creating a VLAN Map” section.

Step 2 Enter the vlan access-map global configuration command to create a VLAN ACL map entry.

Step 3 In access-map configuration mode, optionally enter an action—forward (the default) or drop—and enter the match command to specify an IP packet or a non-IP packet (with only a known MAC address) and to match the packet against one or more ACLs (standard or extended).

Note If the VLAN map is configured with a match clause for a type of packet (IP or MAC) and the map action is drop, all packets that match the type are dropped. If the VLAN map has no match clause, and the configured action is drop, all IP and Layer 2 packets are dropped.

Step 4 Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs.

Example 1

This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets. Because there is a match clause for IP packets in the VLAN map, the default action is to drop any IP packet that does not match any of the match clauses.

Switch(config)# ip access-list extended ip1
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 10
Switch(config-access-map)# match ip address ip1
Switch(config-access-map)# action drop

Example 2

In this example, the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets. Used with standard ACL 101 and extended named access lists igmp-match and tcp-match, the map will have the following results:

•Forward all UDP packets
•Drop all IGMP packets
•Forward all TCP packets
•Drop all other IP packets
•Forward all non-IP packets

Switch(config)# access-list 101 permit udp any any
Switch(config)# ip access-list extended igmp-match
Switch(config-ext-nacl)# permit igmp any any
Switch(config)# ip access-list extended tcp-match
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-ip-default 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Switch(config)# vlan access-map drop-ip-default 20
Switch(config-access-map)# match ip address igmp-match
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward

Example 3

In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results:

•Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
•Forward MAC packets with decnet-iv or vines-ip protocols
•Drop all other non-IP packets
•Forward all IP packets

Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 0000.0c00.0111 any
Switch(config-ext-macl)# permit host 0000.0c00.0211 any
Switch(config-ext-macl)# exit
Switch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-iv
Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-macl)# exit

Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward

Example 4

In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access lists tcp-match and good-hosts from Examples 2 and 3, the map will have the following results:

•Forward all TCP packets
•Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
•Drop all other IP packets
•Drop all other MAC packets

Switch(config)# vlan access-map drop-all-default 10
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Switch(config)# vlan access-map drop-all-default 20
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
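The evaluation rules above (sequence order, first matching clause wins, implicit drop only for a packet type the map has a match clause for) are easy to get wrong when reading a map. The following is an added Python model of that logic, not Cisco code; it encodes the ACLs and the three maps from Examples 2, 3 and 4 so the listed results can be checked against constructed packets.

```python
# Constructed model of Catalyst VLAN-map evaluation (added example, not Cisco code).
def acl_entry(action, **fields):
    """One ACE: matches when every given field equals the packet's value."""
    return (action, lambda pkt: all(pkt.get(k) == v for k, v in fields.items()))

def acl_permits(acl, pkt):
    """First matching ACE decides; anything else hits the implicit deny."""
    for action, matches in acl:
        if matches(pkt):
            return action == "permit"
    return False

def vlan_map(entries, acls, pkt):
    """entries: (match_type 'ip'/'mac'/None, [acl names], action) in sequence order.
    pkt: dict with 'type' ('ip', or 'mac' for non-IP) plus 'proto' / 'src' fields."""
    for match_type, acl_names, action in entries:
        if match_type is None:                     # entry with no match clause hits everything
            return action
        if match_type == pkt["type"] and any(acl_permits(acls[n], pkt) for n in acl_names):
            return action
    # Nothing matched: implicit drop for a packet type the map has a clause for, else forward.
    return "drop" if any(mt == pkt["type"] for mt, _, _ in entries) else "forward"

# ACLs from Examples 2 and 3 above.
ACLS = {
    "101":            [acl_entry("permit", type="ip", proto="udp")],
    "igmp-match":     [acl_entry("permit", type="ip", proto="igmp")],
    "tcp-match":      [acl_entry("permit", type="ip", proto="tcp")],
    "good-hosts":     [acl_entry("permit", type="mac", src="0000.0c00.0111"),
                       acl_entry("permit", type="mac", src="0000.0c00.0211")],
    "good-protocols": [acl_entry("permit", type="mac", proto="decnet-iv"),
                       acl_entry("permit", type="mac", proto="vines-ip")],
}
# The maps from Examples 2, 3 and 4, in sequence-number order.
DROP_IP_DEFAULT = [("ip", ["101"], "forward"),
                   ("ip", ["igmp-match"], "drop"),
                   ("ip", ["tcp-match"], "forward")]
DROP_MAC_DEFAULT = [("mac", ["good-hosts"], "forward"),
                    ("mac", ["good-protocols"], "forward")]
DROP_ALL_DEFAULT = [("ip", ["tcp-match"], "forward"),
                    ("mac", ["good-hosts"], "forward")]

def results(entries, packets):
    """Decision for each constructed packet, in order."""
    return [vlan_map(entries, ACLS, p) for p in packets]
```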

Applying a VLAN Map to a VLAN
This example shows how to apply VLAN map 1 to VLANs 20 through 22:

Switch(config)# vlan filter map 1 vlan-list 20-22

Creating Named MAC Extended ACLs

Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
10 deny   any any decnet-iv
20 permit any any

Applying a MAC ACL to a Layer 2 Interface

This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# mac access-group mac1 in

Note The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.

4. The syntax for standard access-lists is as follows:

“I wish to permit all IP traffic from host [host-ip-address]”
“I wish to permit all traffic from [subnet] [wildcard-mask]”
“I wish to deny all IP traffic from host [host-ip-address]”
“I wish to deny all traffic from [subnet] [wildcard-mask]”

The syntax for extended access-lists is slightly different:

“I wish to [permit/deny] [type-of-traffic] going from [source-address] [source-wildcard-mask] to [destination-address] [destination-wildcard-mask] [optional port-number]”
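As an added example (not from the original notes), here is a small Python evaluator for extended ACEs in the form above: it implements Cisco wildcard-mask matching (a 0 bit in the mask means that packet bit must equal the configured bit), handles host/any shorthand and an optional eq port, and applies first-match-wins with the implicit deny. The sample list reuses the two lines of access-list 102 from the DDoS section below.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: bits where the mask is 0 must match; mask-1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse '[seq] permit|deny proto <src> <dst> [eq port]' where an address is
    'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.  Returns a dict (constructed format)."""
    tok = line.split()
    if tok[0].isdigit():                       # drop the sequence number from show output
        tok = tok[1:]
    action, proto, tok = tok[0], tok[1], tok[2:]

    def take():                                # consume one address spec from tok
        nonlocal tok
        if tok[0] == "any":
            tok = tok[1:]
            return ("0.0.0.0", "255.255.255.255")
        if tok[0] == "host":
            net, tok = tok[1], tok[2:]
            return (net, "0.0.0.0")
        net, wc, tok = tok[0], tok[1], tok[2:]
        return (net, wc)

    src, dst = take(), take()
    port = int(tok[1]) if len(tok) >= 2 and tok[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def acl_decision(acl_lines, proto, src, dst, dport=None):
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):  # 'ip' covers every IP protocol
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

# The two entries of extended access list 102 from the notes (as shown by 'show access-lists').
ACL_102 = [
    "10 permit tcp 150.50.46.0 0.0.0.255 host 150.50.17.80",
    "20 permit tcp 150.50.56.0 0.0.0.255 host 150.50.17.80",
]
```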

5. DDoS attack
Extended IP access list 102
10 permit tcp 150.50.46.0 0.0.0.255 host 150.50.17.80
20 permit tcp 150.50.56.0 0.0.0.255 host 150.50.17.80

ip tcp intercept list 102
ip tcp intercept watch-timeout 20
ip tcp intercept mode watch
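Sections 1 and 5 both rely on TCP intercept in watch mode, so one added Python model (not IOS code) serves both: it tracks half-open connections, resets those that do not complete within the watch-timeout, switches to aggressive mode when the count exceeds max-incomplete high and back when it falls below low, and in aggressive mode halves the timeout and evicts one existing half-open connection per new SYN, at random per drop-mode random. Timer behaviour is simplified and the connection-timeout for established flows is not modelled; the thresholds default to the values in section 1.

```python
import random
from collections import OrderedDict

class TcpIntercept:
    """Watch-mode half-open connection tracking (constructed model, not IOS code)."""
    def __init__(self, watch_timeout=15, low=600, high=800, drop_mode="random", seed=0):
        self.watch_timeout, self.low, self.high = watch_timeout, low, high
        self.drop_mode = drop_mode              # "random" (as in the notes) or "oldest"
        self.rng = random.Random(seed)
        self.incomplete = OrderedDict()         # half-open connections: key -> SYN arrival time
        self.aggressive = False                 # set when incomplete > high, cleared when < low
        self.resets = []                        # connections the router would reset on the server

    def _update_mode(self):
        n = len(self.incomplete)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def _expire(self, now):
        """Reset every half-open connection older than the watch timeout (halved when aggressive)."""
        timeout = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        for key, t0 in list(self.incomplete.items()):
            if now - t0 >= timeout:
                del self.incomplete[key]
                self.resets.append(key)
        self._update_mode()

    def syn(self, now, key):
        """A client SYN passed through toward the server; key identifies the connection."""
        self._expire(now)
        if self.aggressive and self.incomplete:
            # Aggressive mode: every new SYN evicts one existing half-open connection.
            victims = list(self.incomplete)
            victim = self.rng.choice(victims) if self.drop_mode == "random" else victims[0]
            del self.incomplete[victim]
            self.resets.append(victim)
        self.incomplete[key] = now
        self._update_mode()

    def ack(self, now, key):
        """The client's final ACK; returns True if the handshake completed in time."""
        self._expire(now)
        completed = self.incomplete.pop(key, None) is not None
        self._update_mode()
        return completed
```

With a SYN flood of 900 connections the count settles at 801 (one eviction per new SYN once above the high watermark), and a later tick expires the rest and drops the router back to normal mode.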

6. Code Red
Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"

Router(config)#policy-map mark-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap-c)#set ip dscp 1

Router(config)#interface serial 0/0
Router(config-if)#service-policy input mark-inbound-http-hacks

Router(config)#access-list 105 deny ip any any dscp 1
Router(config)#access-list 105 permit ip any any

Router(config)#interface ethernet 0/1
Router(config-if)#ip access-group 105 out

7. login – prevent dictionary attack – Under AAA > Cisco IOS enhancements: if there are 5 failed attempts within 5 seconds, block logins for 60 sec; 8 max failed logons lock the database.

login block-for 60 attempts 5 within 5

aaa new-model
aaa local authentication attempts max-fail 8
!
aaa authentication login default local
aaa authentication login MyCon line
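To make the two thresholds above concrete, here is an added Python model (not IOS code) of how they interact: login block-for puts the router into a quiet period of 60 seconds once 5 failures land inside a 5-second window, and the separate max-fail 8 counter locks the individual local account. The window and counter semantics are assumptions simplified from the one-line description above.

```python
from collections import deque

# Values from the config above:  login block-for 60 attempts 5 within 5
#                                aaa local authentication attempts max-fail 8
BLOCK_FOR, ATTEMPTS, WITHIN, MAX_FAIL = 60, 5, 5, 8

class LoginGuard:
    """Constructed model of quiet mode plus local-account lockout (not IOS code)."""
    def __init__(self):
        self.failures = deque()   # timestamps of recent failed logins, any user (watch window)
        self.quiet_until = 0.0    # end of the current quiet period
        self.user_fail = {}       # consecutive failures per local user
        self.locked = set()       # users locked in the local database

    def attempt(self, now, user, password_ok):
        """Return 'quiet', 'locked', 'ok' or 'fail' for one login attempt at time now."""
        if now < self.quiet_until:
            return "quiet"                          # quiet mode: the router refuses the login
        if user in self.locked:
            return "locked"                         # stays locked until an admin clears it
        if password_ok:
            self.user_fail[user] = 0                # a good login resets the per-user counter
            return "ok"
        self.user_fail[user] = self.user_fail.get(user, 0) + 1
        if self.user_fail[user] >= MAX_FAIL:
            self.locked.add(user)
        self.failures.append(now)
        while self.failures and now - self.failures[0] > WITHIN:
            self.failures.popleft()                 # keep only failures inside the watch window
        if len(self.failures) >= ATTEMPTS:
            self.quiet_until = now + BLOCK_FOR      # enter quiet mode
            self.failures.clear()
        return "fail"
```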

8.  ip source-track

IP source tracking allows you to gather information about the traffic that is flowing to a host that is suspected of being under attack. It also allows you to easily trace a denial-of-service (DoS) attack to its entry point into the network.

Router# configure terminal
Router(config)# ip source-track 10.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60

To read:

http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_afrt_shp_ic_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/reg_pkt_flow_shaping.html#wp1046537

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_wred_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_pq_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/config_wfq_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_d1.html#wp1025051

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_trfc_nbar_map_ps6350_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_tcp_intercpt_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1000905

http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml

NOTES:

Posted in Routing & Switching Lab