I manage an equipment demo network accessed via the old Cisco VPN Client. Last night the router seems to have become the subject of attacks that overload the remote access in such a way as to deny legitimate remote access. No unauthorised remote logins have occurred, but the continued connections are a DoS.
Using the command show aaa user all shows dozens of connections like this:
Unique id 67 is currently in use.
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NONE
update interval = 0
Outstanding Stop Records : 0
Dynamic attribute list:
66534E00 0 00000001 connect-progress(36) 4 No Progress
66534E14 0 00000001 pre-session-time(254) 4 19965(4DFD)
66534E28 0 00000001 elapsed_time(324) 4 0(0)
66534E3C 0 00000001 pre-bytes-in(250) 4 0(0)
66534E50 0 00000001 pre-bytes-out(251) 4 0(0)
66534E64 0 00000001 pre-paks-in(252) 4 0(0)
66534E78 0 00000001 pre-paks-out(253) 4 0(0)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=00000040 Unique Id=00000043
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
66534E00 0 00000001 start_time(327) 4 Dec 16 2016 14:54:43
66534E14 0 00000001 session-id(322) 4 64(40)
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
No data for type 11
No data for type IPSEC-TUNNEL
No data for type 13
No data for type RESOURCE
Debg: No data available
Radi: No data available
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 0 Bytes Out = 0
Paks In = 0 Paks Out = 0
StartTime = 14:54:43 UTC Dec 16 2016
Component = VPN_IPSEC
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 00000043
Session Id = 00000040
Attribute List:
66534E00 0 00000001 port-type(162) 4 Virtual Terminal
66534E14 0 00000009 interface(158) 13 W.X.Y.Z
PerU: No data available
Service Profile: No Service Profile data.
Where W.X.Y.Z is the IP address of the attacker.
I've added a temporary ACL, blocking the class A subnet from which the attacks originate, to the public interface of the router, but it has no effect:
interface FastEthernet0/1
description Outside interface
ip address .... ....
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
access-list 101 remark temporary attack block attack
access-list 101 deny ip W.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
The relevant local AAA config is:
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
username ABCD secret 5 ....
I'm struggling to get my head around what's happening, probably not helped by the fact that this all occurred at midnight.
Ideas appreciated!
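An added example, not part of the original post and not Cisco's own code: a small Python parser for the pasted show aaa user all format that groups sessions by the peer address in the interface(158) attribute and flags peers holding many sessions stuck at connect-progress "No Progress" (the state every session in the pasted output is in). The sample output, the addresses (RFC 5737 documentation ranges standing in for W.X.Y.Z), the "Call Up" progress value for the legitimate session and the threshold of five sessions are constructed assumptions for the example.

```python
"""Parse Cisco IOS `show aaa user all` output and count VPN sessions per peer.

Added example for the post above; not Cisco code. Field names come from the
pasted output (interface(158), connect-progress(36), Component, StartTime).
The sample text, the threshold and the IP addresses are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

SESSION_HEADER = re.compile(r"^Unique id (\d+) is currently in use\.$")
# One regex per field we keep; each captures the value after the attribute name.
FIELD_PATTERNS = {
    "source":    re.compile(r"interface\(158\)\s+\d+\s+(\S+)"),
    "progress":  re.compile(r"connect-progress\(36\)\s+\d+\s+(.+)$"),
    "component": re.compile(r"^Component = (\S+)"),
    "start":     re.compile(r"^StartTime = (.+)$"),
    "username":  re.compile(r"Username=(\S+)"),
    "authen":    re.compile(r"^Authen: (.+)$"),
}


@dataclass
class Session:
    unique_id: int          # decimal id from the header; the General section prints it in hex (67 == 0x43)
    source: str = ""        # peer address from interface(158)
    progress: str = ""      # connect-progress(36); "No Progress" = never got past setup
    component: str = ""     # e.g. VPN_IPSEC
    start: str = ""
    username: str = ""
    authen: str = ""


def parse_show_aaa_user_all(text: str) -> list:
    """Split the output on 'Unique id N is currently in use.' and pick fields from each block."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_HEADER.match(line)
        if m:
            current = Session(unique_id=int(m.group(1)))
            sessions.append(current)
            continue
        if current is None:   # text before the first session header
            continue
        for name, rx in FIELD_PATTERNS.items():
            m = rx.search(line)
            if m:
                setattr(current, name, m.group(1).strip())
    return sessions


def sessions_by_source(sessions, component="VPN_IPSEC") -> Counter:
    """Number of sessions of the given component per peer address."""
    return Counter(s.source for s in sessions if s.component == component)


def stalled_sessions(sessions) -> list:
    """Sessions that never progressed past setup: the half-open connections that hold slots."""
    return [s for s in sessions if s.progress == "No Progress"]


def flag_sources(sessions, threshold=5, component="VPN_IPSEC") -> dict:
    """Peers holding at least `threshold` stalled sessions (threshold is an assumed tuning value)."""
    counts = Counter(s.source for s in stalled_sessions(sessions) if s.component == component)
    return {src: n for src, n in counts.items() if n >= threshold}


def _block(uid, ip, progress, start):
    # Constructed sample block, trimmed to the lines the parser reads; layout mirrors the post.
    return f"""Unique id {uid} is currently in use.
Accounting:
Dynamic attribute list:
66534E00 0 00000001 connect-progress(36) 4 {progress}
66534E28 0 00000001 elapsed_time(324) 4 0(0)
NET: Username=(n/a)
Interface:
StartTime = {start}
Component = VPN_IPSEC
Authen: service=LOGIN type=ASCII method=LOCAL
General:
Unique Id = {uid:08X}
Attribute List:
66534E00 0 00000001 port-type(162) 4 Virtual Terminal
66534E14 0 00000009 interface(158) 13 {ip}
"""


# Constructed sample: six stalled sessions from one peer, one progressing session from another.
# Addresses are RFC 5737 documentation ranges standing in for W.X.Y.Z; "Call Up" is a placeholder value.
SAMPLE = "".join(
    [_block(60 + i, "203.0.113.5", "No Progress", f"14:54:{43 + i:02d} UTC Dec 16 2016") for i in range(6)]
    + [_block(70, "198.51.100.7", "Call Up", "08:10:02 UTC Dec 16 2016")]
)

if __name__ == "__main__":
    parsed = parse_show_aaa_user_all(SAMPLE)
    print("sessions per peer:", dict(sessions_by_source(parsed)))
    print("stalled:", len(stalled_sessions(parsed)), "of", len(parsed))
    print("flagged:", flag_sources(parsed))
```

Paste the real output into parse_show_aaa_user_all in place of SAMPLE; the flagged dictionary gives the peer addresses to put in host-level deny entries, and stalled_sessions lets you confirm the sessions really are stuck at "No Progress" rather than legitimate users who completed Xauth.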