topic Re: PIX501 - Preventing Outbound DOS Attack in Network Security

PIX501 - Preventing Outbound DOS Attack

evitalcom — Mon, 11 Mar 2019 09:05:46 GMT

Earlier this week our ISP shut us down for a while. They claimed that a DOS attack had come from within our network. I run Symantec Corp AV on all computers and everything is up to date. The majority of users are not administrators on the local machine. As a result of the incident, I have turned on logging and am using Kiwi Syslog Daemon to receive the data.

Anyhow, is there a way with the PIX501 to detect an outbound DOS attack? I have searched the net and the PIX configuration and command manuals. I really haven't found anything that suggests the PIX501 is capable of detecting such an occurrence. Does anyone have any thoughts on this issue? Thank you.

Re: PIX501 - Preventing Outbound DOS Attack

a.kiprawih — Fri, 08 Dec 2006 04:17:37 GMT

What you can do is to implement RFC2827 on your Internet router's (apply ACL on serial link facing ISP) or alternatively on PIX's Outside interface.

Router is more recommended as ot will be the device to filter inbound/outbound traffic.

Detecting DOS attack using PIX501 is very limited. It normally taken care by IPS/IDS/router (using CAR/rate limit & RFC2827). But you can configure RFC2827 to always deny it.

Minimum Action (more can be done with different devices/methods):

- Permit your Public IP Range to go out to serial interface to ISP

- Deny other public IPs to go out to serial interface to ISP

a. On PIX,

- Enable anti spoofing using "ip verify reverse-path" on Outside interface.

Firewall(config)# ip verify reverse-path interface outside

b. On your router (RFC2827), create and apply ACL to the serial interface facing ISP:

Example, if your Public IP Range assigned by ISP is 100.100.100.0/24, you need to permit only this Public IP going out from your network. Deny others.

On ISP end (pre-arrange with them), they will deny your own Public IP range from going back to your own network from ISP end.

- Your internet router (facing ISP):

interface serial0/0

ip add xx.xx.xx.2 255.255.255.252

ip access-group 100 out

access-list 100 permit ip 100.100.100.0 0.0.0.255 any ---> permit your public IP going out to ISP/internet

access-list 100 deny ip any any --> deny other Public IPs from going out/originating from your network

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00804cc4fa.shtml

http://www.ietf.org/rfc/rfc2827.txt

HTH

Re: PIX501 - Preventing Outbound DOS Attack

a.kiprawih — Fri, 08 Dec 2006 04:19:38 GMT

Also, if required, enable PIX's anti spoofing on Inside interface as well.

Firewall(config)# ip verify reverse-path interface inside

Re: PIX501 - Preventing Outbound DOS Attack

evitalcom — Fri, 08 Dec 2006 09:21:54 GMT

Thank you for the reply AK. My search of the manuals did not include the keyword "spoof". I might have been been lost even if I had done so! There is no router, only the PIX501 connected to the cable modem. The commands presently include the following:

ip address outside xxx.xxx.xxx.xx6 255.255.255.224

ip address inside 192.168.21.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx5 1

I plan to add the following commands per your recommendation:

ip verify reverse-path interface outside

ip verify reverse-path interface inside

My only question now is do I need to issue a route command on the inside interface? If so, would the following be correct given the above information:

route inside 192.168.21.0 255.255.255.0 192.168.21.1 1

Can you verify?

And many thanks for the link to the Cisco SAFE Blueprint. There is much to be learned from that document!

Re: PIX501 - Preventing Outbound DOS Attack

a.kiprawih — Fri, 08 Dec 2006 10:18:10 GMT

YOu don't have to specify that static route. PIX will automatically handle it.

You need to do it only, for example if your Inside interface is connected to a L3 device like L3 switch or router that host the 192.168.21.0/24. Meaning that your inside interface is running on differen t subnet.

Static route is needed tell PIX that to reach that segemnt, you need to route or ask the L3 device that has that segment.

HTH