UNCLASSIFIED   Implementing Security on Cisco Routers   Version 1.0g   79

For outbound ICMP traffic, allow the message types Echo, Parameter Problem and Source Quench and block all other message types. With Echo packets, users will be able to ping external hosts. Parameter Problem and Source Quench packets improve connections by reporting problems with packet headers and by slowing down traffic when necessary. (Source Quench has since been deprecated by RFC 6633 and is ignored by current hosts, so permitting it is harmless but no longer useful.) See the example below for outbound ICMP traffic.

East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench
East(config)# access-list 102 deny   icmp any any log

Another program that deals with certain ICMP message types is traceroute. Traceroute is a utility that prints the IP addresses of the routers that handle a packet as it hops along the network from source to destination. On Unix and Linux operating systems, traceroute sends UDP packets with increasing TTL values and causes the routers along the path to generate the ICMP message type 'Time Exceeded', and the final host to generate 'Unreachable' (port unreachable). An attacker can use traceroute responses to create a map of the subnets and hosts behind the router, just as they could with ping's ICMP Echo Reply messages. Therefore, block inbound traceroute by including a rule in the inbound interface access list, as shown in the example below. (Unix traceroute implementations start at UDP destination port 33434 and increment the port for each probe; the range 33400 through 34400 covers the ports they commonly use.)

East(config)# access-list 100 deny udp any any range 33400 34400 log

A router may be configured to allow outbound traceroute by adding a rule to the outbound interface access list, as shown in the example below. Note that outbound traceroute only produces results if the inbound access list also permits the returning ICMP 'Time Exceeded' and 'Unreachable' messages.

East(config)# access-list 102 permit udp any any range 33400 34400 log

Distributed Denial of Service (DDoS) Attacks

Several high-profile DDoS attacks have been observed on the Internet.
While routers cannot prevent DDoS attacks in general, it is usually sound security practice to discourage the activities of specific DDoS agents (a.k.a. zombies) by adding access list rules that block their particular ports. The example below shows access list rules for blocking several popular DDoS attack tools. [Note that some of these rules may also impose a slight impact on normal users, because they block high-numbered ports that legitimate network clients may randomly select.] These rules would normally be applied to traffic in both directions between an internal or trusted network and an untrusted network.

! the TRINOO DDoS systems
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny udp any any eq 27444 log
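The ICMP, traceroute and TRINOO access lists above all rely on the same IOS semantics: rules are checked top to bottom, the first match decides, and anything that matches no rule hits the implicit deny at the end of the list (which, unlike the explicit "deny ... log" lines, is not logged). The following added example is not part of the guide; it is a small evaluator that parses the page's access-list lines and walks constructed packets through lists 102, 100 and 170. The packet addresses (14.2.6.10 as an inside host, 192.0.2.1 as an outside host, 10.9.9.9 as a spoofed source) and the supported syntax (any, address/wildcard, eq and range on the destination port, ICMP type keywords, log) are assumptions chosen to cover only what the page uses.

```python
"""Walk constructed packets through the access lists on this page.

Added example, not part of the NSA guide: a minimal evaluator for Cisco IOS
numbered extended access lists. Rules are checked top to bottom, the first
match decides, and a list that matches nothing ends in an implicit, unlogged
deny. Only the syntax used on this page is supported.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA ICMP type numbers for the keywords that appear on the page.
ICMP_KEYWORDS = {
    "echo-reply": 0, "unreachable": 3, "source-quench": 4, "redirect": 5,
    "echo": 8, "time-exceeded": 11, "parameter-problem": 12,
}


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "icmp", "tcp", "udp" or "ip"
    src: Optional[Tuple[int, int]]     # (network, mask) or None for "any"
    dst: Optional[Tuple[int, int]]
    ports: Optional[Tuple[int, int]]   # inclusive destination port range
    icmp_type: Optional[int]
    log: bool


def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    # A wildcard bit of 1 means "don't care", so the match mask is its inverse.
    mask = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tokens[0])) & mask, mask), tokens[2:]


def parse_rule(line):
    """Parse 'access-list N permit|deny proto src dst [eq|range ...] [icmp-type] [log]'."""
    tokens = line.split()
    tokens = tokens[tokens.index("access-list") + 1:]   # drop any 'East(config)#' prompt
    _number, action, proto = tokens[0], tokens[1], tokens[2]
    src, rest = _parse_addr(tokens[3:])
    dst, rest = _parse_addr(rest)
    ports = icmp_type = None
    log = False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            p = int(rest.pop(0))
            ports = (p, p)
        elif tok == "range":
            ports = (int(rest.pop(0)), int(rest.pop(0)))
        elif tok == "log":
            log = True
        elif proto == "icmp" and tok in ICMP_KEYWORDS:
            icmp_type = ICMP_KEYWORDS[tok]
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return Rule(action, proto, src, dst, ports, icmp_type, log)


def parse_acl(text):
    """Parse a block of access-list lines, skipping IOS '!' comment lines."""
    return [parse_rule(l) for l in text.strip().splitlines() if not l.lstrip().startswith("!")]


def evaluate(rules, proto, src, dst, port=None, icmp_type=None):
    """Return (action, matching_rule); matching_rule is None for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r.proto not in (proto, "ip"):
            continue
        if r.src and (s & r.src[1]) != r.src[0]:
            continue
        if r.dst and (d & r.dst[1]) != r.dst[0]:
            continue
        if r.ports and (port is None or not r.ports[0] <= port <= r.ports[1]):
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action, r
    return "deny", None


def verdict(rules, **packet):
    """Readable decision that separates explicit (logged) denies from the implicit one."""
    action, rule = evaluate(rules, **packet)
    if rule is None:
        return "deny (implicit, not logged)"
    return action + (" (logged)" if rule.log else "")


# The page's own lists, copied from the text above.
OUTBOUND_102 = parse_acl("""
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench
East(config)# access-list 102 deny   icmp any any log
East(config)# access-list 102 permit udp any any range 33400 34400 log
""")
INBOUND_100 = parse_acl("East(config)# access-list 100 deny udp any any range 33400 34400 log")
TRINOO_170 = parse_acl("""
! the TRINOO DDoS systems
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny udp any any eq 27444 log
""")

if __name__ == "__main__":
    # Constructed packets: 14.2.6.10 inside, 192.0.2.1 outside, 10.9.9.9 a spoofed source.
    for name, acl, pkt in [
        ("102 ping out", OUTBOUND_102, dict(proto="icmp", src="14.2.6.10", dst="192.0.2.1", icmp_type=8)),
        ("102 redirect out", OUTBOUND_102, dict(proto="icmp", src="14.2.6.10", dst="192.0.2.1", icmp_type=5)),
        ("102 ping, spoofed src", OUTBOUND_102, dict(proto="icmp", src="10.9.9.9", dst="192.0.2.1", icmp_type=8)),
        ("100 traceroute probe in", INBOUND_100, dict(proto="udp", src="192.0.2.1", dst="14.2.6.10", port=33434)),
        ("170 trinoo master", TRINOO_170, dict(proto="tcp", src="192.0.2.1", dst="14.2.6.10", port=27665)),
    ]:
        print(f"{name:26} -> {verdict(acl, **pkt)}")
```

Two points the run makes visible: an Echo from a source outside 14.2.6.0/24 falls past the three permits to the explicit "deny icmp any any log", so spoofed or misrouted ICMP shows up in the log, while a TCP packet to port 80 leaving through list 102 is dropped by the implicit deny and never logged; list 170 likewise logs only the TRINOO ports it names, so a probe to the same port number over the other protocol is dropped silently.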