1. Filtering bogon prefixes
Bogon prefixes are address blocks that should never appear as source addresses on the Internet. They include:
- Private addresses defined in RFC 1918
- Loopback addresses (127.0.0.0/8)
- Addresses reserved by IANA, or not yet allocated by it
- Multicast addresses (224.0.0.0/4)
- Reserved addresses (240.0.0.0/4, the former Class E space, held for future/experimental use)
- Link-local addresses (169.254.0.0/16). This is what a PC assigns itself (APIPA) when it cannot find a DHCP server from which to acquire its addressing information.
These addresses do not appear in the Internet routing table, so a packet arriving from the Internet with one of them as its source can only be spoofed. Attackers frequently use them as forged source addresses in DoS attacks and other IP spoofing: replies go nowhere and the true origin is hidden. Note that the list is not static. The reserved ranges above never change, but the "not yet allocated" part shrinks every time IANA assigns space, so a hard-coded copy of it goes stale and eventually blocks legitimate networks.
Such sources can be blocked with any of the following:
- ACL filtering
- BGP prefix filtering
- Black hole routing
- Route policy filtering with route maps
This section covers packet filtering with ACLs.
Example: apply an ingress ACL at the Internet edge to filter bogons
Lab topology:

Caution: the "unassigned IANA addresses" block that opens this ACL reflects the allocation state when the example was written. IANA's IPv4 free pool was exhausted in February 2011 and every /8 listed below has since been delegated to a regional registry, so deploying that part of the list today would drop legitimate traffic. Take unallocated space from a maintained bogon feed (for example the Team Cymru bogon reference) and refresh it automatically, or filter only the permanently reserved ranges (RFC 1918, 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/4, 240.0.0.0/4 and the other RFC 6890 special-purpose blocks).
Router(config)# ip access-list extended ingress-filter
Router(config-ext-nacl)# remark Unassigned IANA addresses // unallocated at the time of writing; see the caution above
Router(config-ext-nacl)# deny ip 1.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 2.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 5.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 7.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 23.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 27.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 31.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 36.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 37.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 39.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 41.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 42.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 49.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 50.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 58.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 59.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 60.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 70.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 71.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 72.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 73.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 74.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 75.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 76.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 77.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 78.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 79.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 83.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 84.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 85.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 86.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 87.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 88.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 89.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 90.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 91.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 92.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 93.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 94.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 95.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 96.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 97.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 98.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 99.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 100.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 101.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 102.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 103.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 104.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 105.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 106.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 107.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 108.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 109.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 110.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 111.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 112.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 113.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 114.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 115.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 116.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 117.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 118.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 119.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 120.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 121.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 122.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 123.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 124.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 125.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 126.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 197.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 201.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# remark RFC 1918 private addresses
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
Router(config-ext-nacl)# remark Other bogons
Router(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any // multicast
Router(config-ext-nacl)# deny ip 240.0.0.0 15.255.255.255 any // reserved Class E space (also covers the limited broadcast 255.255.255.255)
Router(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any // "this network" (0.0.0.0/8)
Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any // link-local (APIPA)
Router(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any // TEST-NET-1 documentation range
Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any // loopback
Router(config-ext-nacl)# remark Internal networks
Router(config-ext-nacl)# deny ip 200.1.1.0 0.0.0.255 any // our own public server prefix: from the Internet this source can only be spoofed
Router(config-ext-nacl)# remark Allow Internet to specific services
Router(config-ext-nacl)# remark permit <what you need to permit>
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group ingress-filter in // applied inbound on the WAN (Internet-facing) interface
Note: the entry that denies your own internal server prefix as a source is easily overlooked. A packet arriving from the Internet with a source inside 200.1.1.0/24 cannot be genuine; attackers spoof a target's own addresses this way, commonly as part of DDoS attacks, and denying them at the edge closes that door.
Example: apply an egress ACL at the Internet edge so that only legitimate source addresses leave:
Router(config)# ip access-list extended egress-filter
Router(config-ext-nacl)# permit ip 200.1.1.0 0.0.0.255 any
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group egress-filter out // applied outbound on the WAN interface
Note: because the filter is applied outbound on the WAN interface, it only needs to permit the routable public prefix. If it were applied inbound on the inside interface instead, the private (pre-NAT) source addresses would have to be taken into account, since translation has not happened yet at that point. The same egress rule also stops bogon-sourced packets from leaving your network, so a compromised internal host cannot be used to attack the ISP or anyone else with spoofed bogon sources (this is the source-address validation recommended by BCP 38 / RFC 2827).
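The two filters above, as an added example that is not code from the original page: a small Python model of IOS extended-ACL matching, used to check what the ingress and egress filters actually drop and to render the ACEs in IOS wildcard form. It builds on a bogon list that cannot go stale (the RFC 6890 special-purpose blocks plus multicast and Class E) rather than the page's dated "unassigned" list, and shows why the first line of that list, 1.0.0.0/8, would now drop real hosts. The 200.1.1.0/24 prefix and the 200.1.1.11 mail server are the page's lab values; the ACE representation and the single permitted service are assumptions.

```python
"""Added example (not the page's own code): a small model of IOS extended-ACL
matching used to check what the ingress and egress filters above drop, built
on a bogon list that will not go stale.  The 200.1.1.0/24 prefix and the
200.1.1.11 mail server are the page's lab values; everything else is assumed."""
import ipaddress

# Permanently reserved IPv4 blocks (RFC 6890 special-purpose registry, plus
# multicast and Class E).  These can be hard-coded safely.  Unallocated space
# is deliberately NOT listed: it changes and must come from a live bogon feed.
STATIC_BOGONS = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # RFC 6598 shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local / APIPA
    "172.16.0.0/12",    # RFC 1918
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking (RFC 2544)
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved Class E, includes 255.255.255.255
]
OUR_PREFIX = "200.1.1.0/24"          # public prefix behind the router (page's lab value)
PUBLIC_SERVICES = ["200.1.1.11/32"]  # hosts the Internet may reach (assumption)

def ios_spec(cidr):
    """Render a prefix the way an IOS ACE expects: 'any', 'host A.B.C.D', or
    'network wildcard' where the wildcard is the inverse mask."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def build_ingress_acl():
    """First-match ACE list for the WAN 'in' direction: (action, src, dst)."""
    aces = [("deny", b, "any") for b in STATIC_BOGONS]
    aces.append(("deny", OUR_PREFIX, "any"))          # our own prefix as a source = spoofed
    aces += [("permit", "any", s) for s in PUBLIC_SERVICES]
    aces.append(("deny", "any", "any"))
    return aces

def build_egress_acl():
    """WAN 'out' direction: only our own public prefix may leave (BCP 38)."""
    return [("permit", OUR_PREFIX, "any"), ("deny", "any", "any")]

def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(aces, src, dst):
    """Action of the first ACE whose source and destination both match; an IOS
    ACL ends with an implicit deny, so no match also returns 'deny'."""
    for action, s, d in aces:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def render_ios(name, aces):
    """Emit the ACL as IOS configuration lines (IP-only ACEs, as on the page)."""
    return [f"ip access-list extended {name}"] + [
        f" {action} ip {ios_spec(s)} {ios_spec(d)}" for action, s, d in aces
    ]

# The page's stale "unassigned" block starts with 1.0.0.0/8, which IANA
# delegated in 2010; keeping that line would now drop real hosts such as 1.1.1.1.
STALE_PAGE_ACE = ("deny", "1.0.0.0/8", "any")

if __name__ == "__main__":
    print("\n".join(render_ios("ingress-filter", build_ingress_acl())))
    for src in ("10.1.2.3", "200.1.1.5", "1.1.1.1"):
        print(src, "->", evaluate(build_ingress_acl(), src, "200.1.1.11"))
    print("stale list on 1.1.1.1:", evaluate([STALE_PAGE_ACE], "1.1.1.1", "200.1.1.11"))
```

`evaluate` implements first-match semantics with the implicit trailing deny, which is why ordering matters: the anti-spoofing deny for 200.1.1.0/24 must sit before any permit to the servers inside it.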
2. Preventing TCP SYN flood attacks
A TCP SYN flood is a form of DoS attack: the attacker sends a stream of TCP SYN segments to a server, from real or (more commonly) spoofed source addresses, and never completes the handshake. The server holds a half-open connection for every SYN until it times out, its connection table or memory is exhausted, and legitimate clients can no longer connect.

Lab topology:

Router(config)# ip access-list extended tcp-syn-flood
Router(config-ext-nacl)# permit tcp any 200.1.1.0 0.0.0.255 established // return traffic for TCP connections initiated from inside (ACK or RST bit set)
Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 25 // the only new connections (SYNs) accepted from the Internet are SMTP to the mail server
<--output omitted-->
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
Router(config)# interface ethernet1
Router(config-if)# ip access-group tcp-syn-flood in
Note: an ACL like this does not defend against a SYN flood; it only narrows the attack surface to the ports you must expose. An attacker who floods TCP port 25 goes straight through, and the established keyword offers no real protection either: it matches any segment with the ACK or RST bit set and keeps no state, so spoofed ACK floods to internal hosts also pass. Real mitigation has to be stateful or host-based: SYN cookies on the server, or a stateful feature on the router or firewall such as Cisco IOS TCP Intercept, which completes or watches the handshake on the server's behalf and resets half-open connections that exceed its thresholds.
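As an added example that is not code from the original page, the following Python shows the two points the note makes: what the established keyword actually tests, and what a half-open-connection tracker sees when a port-25 SYN flood fits through the tcp-syn-flood ACL untouched. The record format is a constructed, tcpdump-like simplification of the inbound traffic the WAN ACL would see, and the flood sources are generated at random; both are assumptions, as is the half-open threshold of 10.

```python
"""Added example (not the page's own code): what the 'established' keyword
really checks, and a half-open-connection tracker run over constructed,
tcpdump-like records of what the WAN-inbound ACL above would see."""
import random
from collections import defaultdict

def established_matches(flags):
    """IOS 'established' semantics: the ACE matches any TCP segment with the
    ACK or RST bit set.  No connection state is consulted, so a forged ACK
    from the Internet matches just as well as a genuine reply."""
    return "A" in flags or "R" in flags

def parse(line):
    """'<ts> <src>:<sport> > <dst>:<dport> <flags>' -> tuple.  Constructed
    format, a simplification of tcpdump output (assumption)."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags

def half_open_report(lines, threshold=10):
    """Track client SYNs never followed by the client's ACK (or a RST) on the
    same 4-tuple.  Returns, per (server, port), the number of half-open
    handshakes, how many distinct sources they came from, and a flood verdict
    when the count reaches `threshold`."""
    pending = {}
    for ts, sip, sport, dip, dport, flags in map(parse, lines):
        key = (sip, sport, dip, dport)
        if flags == "S":                # new SYN: handshake opened
            pending[key] = ts
        elif "R" in flags:              # reset: the client gave up
            pending.pop(key, None)
        elif "A" in flags:              # client's ACK: handshake completed
            pending.pop(key, None)
    per_port = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for sip, _sport, dip, dport in pending:
        per_port[(dip, dport)]["half_open"] += 1
        per_port[(dip, dport)]["sources"].add(sip)
    return {
        k: {"half_open": v["half_open"],
            "unique_sources": len(v["sources"]),
            "suspect_flood": v["half_open"] >= threshold}
        for k, v in per_port.items()
    }

def build_sample_log(flood_size=25, seed=7):
    """Constructed traffic: one legitimate SMTP handshake, one client that
    reset, then `flood_size` SYNs to port 25 from random spoofed sources that
    never complete.  Every line is permitted by the tcp-syn-flood ACL."""
    rng = random.Random(seed)
    lines = [
        "1.000 1.1.1.1:40001 > 200.1.1.11:25 S",
        "1.050 1.1.1.1:40001 > 200.1.1.11:25 A",
        "1.200 1.1.1.1:40002 > 200.1.1.11:25 S",
        "1.210 1.1.1.1:40002 > 200.1.1.11:25 R",
    ]
    for i in range(flood_size):
        octets = [rng.randint(11, 200)] + [rng.randint(1, 254) for _ in range(3)]
        src = ".".join(str(o) for o in octets)
        lines.append(f"{2 + i / 1000:.3f} {src}:{10000 + i} > 200.1.1.11:25 S")
    return lines

if __name__ == "__main__":
    for target, stats in half_open_report(build_sample_log()).items():
        print(target, stats)
```

The high count of half-open handshakes spread across many distinct sources is the signature of a spoofed flood; a single misbehaving client shows up as many half-open entries from one address instead. Either way the verdict comes from connection state, which is exactly what a stateless ACL cannot see.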
3. Filtering smurf and fraggle attacks
First, the hacker puts a directed broadcast into the destination field of the IP packet header. Directed broadcasts, unlike local broadcasts, are routable. Depending on the user's device, a directed broadcast can be either the first or the last address in a network or subnet. Typically, it is the last address. For example, with network 192.168.1.0/24, the directed broadcast address could be 192.168.1.0 or 192.168.1.255. Second, instead of using his own address as the source address of the packet, the hacker replaces it with the address of the device that he wants to attack. If the destination network or networks do not filter the directed broadcast, all the destinations on the segment of the directed broadcast respond with an echo reply to the source address in the packet (the victim). Fraggle is the UDP variant of the same attack: it targets the UDP echo (port 7) and chargen (port 19) services instead of ICMP echo, with the same reflection and amplification effect.
Figure 7-6 illustrates the process of a Smurf attack. In this example, the hacker wants to attack the internal server (200.1.2.1). The attacker then finds a network that allows directed broadcasts into the network. This could be the same network (not likely) or another network connected to the Internet (most likely). The hacker then sends an ICMP echo with a destination-directed broadcast to the segment that will initiate the attack and puts a source address in the packet header of the actual victim (200.1.2.1). When the destinations on 200.1.1.0/24 receive the echo-directed broadcast, each device responds to the source address with an echo reply. These devices commonly are called reflectors because they are being used to reflect the attack to the actual victim. In this example, only three user devices (200.1.1.1, 200.1.1.2, and 200.1.1.3) send an echo reply to 200.1.2.1. Two controls break the attack: the router in front of every potential reflector segment must refuse to forward directed broadcasts (the IOS interface command no ip directed-broadcast, which has been the default since IOS 12.0), and the edge ingress filter from section 1 drops packets whose spoofed source belongs to your own prefixes before they reach any segment.
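The reflection described above, as an added example that is not code from the original page: a Python model of the reflector segment that shows where the amplification comes from, that a directed broadcast is recognised in both its all-ones and all-zeros forms, and which of the two controls stops each stage. The reflector subnet 200.1.1.0/24, the victim 200.1.2.1 and the three responding hosts are the page's lab values; the packet model, the assumption that 200.1.2.0/24 is also one of our prefixes, and the treatment of UDP echo (fraggle) alongside ICMP echo are assumptions.

```python
"""Added example (not the page's own code): a model of the reflector segment in
the smurf/fraggle attack described above.  Subnets and addresses are the
page's lab values (200.1.1.0/24 reflectors, victim 200.1.2.1); the packet
model is an assumption."""
import ipaddress
from dataclasses import dataclass

# Prefixes we own; 200.1.2.0/24 (the victim's subnet) is assumed to be ours too.
INTERNAL_SUBNETS = [ipaddress.ip_network(c) for c in ("200.1.1.0/24", "200.1.2.0/24")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "icmp-echo" for smurf, "udp-echo" (UDP port 7) for fraggle

def directed_broadcast_of(dst):
    """The subnet whose directed-broadcast address `dst` is, else None.  Both
    the all-ones form and the all-zeros form are accepted, as the text notes."""
    d = ipaddress.ip_address(dst)
    for net in INTERNAL_SUBNETS:
        if d in (net.broadcast_address, net.network_address):
            return net
    return None

def ingress_filter_drops(pkt):
    """The edge ACL from section 1: a packet arriving from the Internet whose
    source is one of our own prefixes is spoofed and is dropped before it can
    reach any reflector segment."""
    return any(ipaddress.ip_address(pkt.src) in net for net in INTERNAL_SUBNETS)

def reflect(pkt, live_hosts, directed_broadcast_allowed):
    """Replies the spoofed source (the victim) receives when `pkt` reaches the
    segment.  `live_hosts` are addresses on the segment that answer echo;
    `directed_broadcast_allowed` is False when the segment's router has
    'no ip directed-broadcast' (the IOS default since 12.0)."""
    net = directed_broadcast_of(pkt.dst)
    if net is None:                       # plain unicast: one reply at most, no amplification
        return [Packet(pkt.dst, pkt.src, pkt.proto)] if pkt.dst in live_hosts else []
    if not directed_broadcast_allowed:    # router refuses to turn it into a link-layer broadcast
        return []
    return [Packet(h, pkt.src, pkt.proto)
            for h in live_hosts if ipaddress.ip_address(h) in net]

def amplification(pkt, live_hosts, directed_broadcast_allowed):
    """How many reply packets one attacker packet turns into at the victim."""
    return len(reflect(pkt, live_hosts, directed_broadcast_allowed))

if __name__ == "__main__":
    reflectors = ["200.1.1.1", "200.1.1.2", "200.1.1.3"]   # the text's three user devices
    attack = Packet(src="200.1.2.1", dst="200.1.1.255", proto="icmp-echo")
    print("amplification with directed broadcast forwarded:", amplification(attack, reflectors, True))
    print("amplification with 'no ip directed-broadcast':", amplification(attack, reflectors, False))
    print("already dropped by the section 1 ingress filter:", ingress_filter_drops(attack))
```

With three live hosts the amplification factor is 3, as in the text; on a busy /24 it approaches the number of hosts that answer, which is why the attacker looks for a large, open segment. In the page's example the spoofed source is one of our own prefixes, so the ingress filter alone would already stop it; when the reflector segment belongs to someone else, only their no ip directed-broadcast protects the victim.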
