UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
For outbound ICMP traffic, allow the message types Echo, Parameter Problem and
Source Quench and block all other message types. Echo packets let internal users
ping external hosts. Parameter Problem and Source Quench packets improve
connections by reporting problems with packet headers and by slowing down traffic
when necessary. The example below shows an access list for outbound ICMP
traffic.
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench
East(config)# access-list 102 deny icmp any any log
Another program that deals with certain ICMP message types is traceroute.
Traceroute is a utility that prints the IP addresses of the routers that handle a packet
as it hops along the network from source to destination. On Unix and Linux
operating systems, traceroute sends UDP packets and causes routers along the path to
generate the ICMP message types Time Exceeded and Unreachable. An attacker can
use traceroute responses to create a map of the subnets and hosts behind the router,
just as they could with ping's ICMP Echo Reply messages. Therefore, block
inbound traceroute by including a rule in the inbound interface access list, as shown in
the example below (ports 33400 through 34400 are the UDP ports commonly used
for traceroute).
East(config)# access-list 100 deny udp any any range 33400 34400 log
A router may be configured to allow outbound traceroute by adding a rule to the
outbound interface access list, as shown in the example below.
East(config)# access-list 102 permit udp any any range 33400 34400 log
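To check how the outbound ICMP rules and the traceroute rules above behave, here is an added Python example (not part of the original guide) that parses the page's access-list lines with a small parser written for this example and evaluates sample packets the way IOS does: the first matching rule wins, and anything that reaches the end of the list hits the implicit deny, which is never logged. The prompt handling, the ICMP type table and the sample addresses are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple
# ICMP type names used in the page's rules, mapped to their IANA type numbers (assumed table).
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "parameter-problem": 12, "source-quench": 4}
Rule = namedtuple("Rule", "action proto src dst match log")
def parse_addr(t):
    """Pop 'any' or 'ADDR WILDCARD' off the token list and return an IPv4Network."""
    addr = t.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 means /24
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def parse_rule(line):
    """Parse one extended ACL line; a leading 'East(config)#' prompt is ignored."""
    t = line.split("#", 1)[-1].split()
    action, proto, t = t[2], t[3], t[4:]
    src, dst = parse_addr(t), parse_addr(t)
    log = t[-1:] == ["log"]
    body = t[:-1] if log else t
    if not body:
        match = ("any",)
    elif proto == "icmp":
        match = ("icmp", ICMP_TYPES[body[0]])
    else:  # 'eq PORT' or 'range LO HI' for tcp/udp
        match = (body[0], *map(int, body[1:]))
    return Rule(action, proto, src, dst, match, log)
def evaluate(acl, proto, src, dst, icmp_type=None, dport=None):
    """Return (action, logged) for a packet: first match wins, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r.proto not in (proto, "ip") or s not in r.src or d not in r.dst:
            continue
        k, *arg = r.match
        hit = (k == "any" or (k == "icmp" and arg[0] == icmp_type) or (k == "eq" and arg[0] == dport)
               or (k == "range" and dport is not None and arg[0] <= dport <= arg[1]))
        if hit:
            return r.action, r.log
    return "deny", False  # every Cisco ACL ends with an unlogged implicit deny
# The page's outbound (102) and inbound (100) rules, exactly as typed at the East prompt.
OUTBOUND_102 = [parse_rule(ln) for ln in """
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench
East(config)# access-list 102 deny icmp any any log
East(config)# access-list 102 permit udp any any range 33400 34400 log
""".strip().splitlines()]
INBOUND_100 = [parse_rule("East(config)# access-list 100 deny udp any any range 33400 34400 log")]
```

Note that an outbound ICMP Timestamp request (type 13) or an Echo from a source outside 14.2.6.0/24 is caught by the logged deny, while an inbound UDP packet to a port outside the traceroute range falls through to the implicit deny and produces no log entry.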
Distributed Denial of Service (DDoS) Attacks
Several high-profile DDoS attacks have been observed on the Internet. While routers
cannot prevent DDoS attacks in general, it is usually sound security practice to
discourage the activities of specific DDoS agents (a.k.a. zombies) by adding access
list rules that block their particular ports. The example below shows access list rules
for blocking several popular DDoS attack tools. [Note that some of these rules may
also impose a slight impact on normal users, because they block high-numbered ports
that legitimate network clients may randomly select.] These rules would normally be
applied to traffic in both directions between an internal or trusted network and an
untrusted network.
! the TRINOO DDoS systems
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny udp any any eq 27444 log