12-07-2006 07:23 PM - edited 03-11-2019 02:05 AM
Earlier this week our ISP shut us down for a while. They claimed that a DOS attack had come from within our network. I run Symantec Corp AV on all computers and everything is up to date. The majority of users are not administrators on the local machine. As a result of the incident, I have turned on logging and am using Kiwi Syslog Daemon to receive the data.
Anyhow, is there a way with the PIX501 to detect an outbound DOS attack? I have searched the net and the PIX configuration and command manuals. I really haven't found anything that suggests the PIX501 is capable of detecting such an occurrence. Does anyone have any thoughts on this issue? Thank you.
12-08-2006 02:18 AM
You don't have to specify that static route. PIX will automatically handle it.
You need to do it only, for example, if your Inside interface is connected to a L3 device like a L3 switch or router that hosts the 192.168.21.0/24. Meaning that your inside interface is running on a different subnet.
A static route is needed to tell the PIX that to reach that segment, you need to route or ask the L3 device that has that segment.
HTH
AK
12-07-2006 08:17 PM
What you can do is to implement RFC2827 on your Internet router (apply an ACL on the serial link facing the ISP) or alternatively on the PIX's Outside interface.
The router is more recommended as it will be the device to filter inbound/outbound traffic.
Detecting a DOS attack using the PIX501 is very limited. It is normally taken care of by IPS/IDS/router (using CAR/rate limit & RFC2827). But you can configure RFC2827 to always deny it.
Minimum Action (more can be done with different devices/methods):
- Permit your Public IP Range to go out to serial interface to ISP
- Deny other public IPs to go out to serial interface to ISP
a. On PIX,
- Enable anti spoofing using "ip verify reverse-path" on Outside interface.
Firewall(config)# ip verify reverse-path interface outside
b. On your router (RFC2827), create and apply ACL to the serial interface facing ISP:
Example, if your Public IP Range assigned by ISP is 100.100.100.0/24, you need to permit only this Public IP going out from your network. Deny others.
On ISP end (pre-arrange with them), they will deny your own Public IP range from going back to your own network from ISP end.
- Your internet router (facing ISP):
!
interface serial0/0
 ip address xx.xx.xx.2 255.255.255.252
 ip access-group 100 out
!
! permit your public IP range going out to ISP/internet
access-list 100 permit ip 100.100.100.0 0.0.0.255 any
! deny other public IPs from going out / originating from your network
access-list 100 deny ip any any
!
http://www.ietf.org/rfc/rfc2827.txt
HTH
AK
12-07-2006 08:19 PM
Also, if required, enable PIX's anti spoofing on Inside interface as well.
Firewall(config)# ip verify reverse-path interface inside
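As an added illustration (not from this thread, nor Cisco code), here is a small Python model of the two controls AK describes: strict reverse-path verification on each PIX interface, and the RFC2827 egress ACL on the router. The routing table, public block and packet samples are constructed for the example, loosely following the config quoted in the thread.

```python
# Added example: model PIX "ip verify reverse-path" and the RFC2827
# egress ACL. Routing table and sample addresses are constructed, not
# taken from a real device.
import ipaddress

# Constructed routing table modelled on the PIX config in the thread:
# (network, interface the PIX would use to reach that network)
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),       # route outside 0.0.0.0 0.0.0.0 <isp-gw> 1
    (ipaddress.ip_network("192.168.21.0/24"), "inside"),  # connected: ip address inside 192.168.21.1
]

# ISP-assigned public block from the example ACL (access-list 100).
PUBLIC_RANGE = ipaddress.ip_network("100.100.100.0/24")


def best_route_interface(addr):
    """Longest-prefix match: which interface leads back toward this address?"""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in ROUTES if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rpf_passes(src, ingress_ifc):
    """Strict uRPF as the PIX applies it: accept a packet only if the best
    route to its *source* address points out the interface it arrived on.
    A LAN host forging a public or random source fails on 'inside';
    an Internet packet forging a LAN source fails on 'outside'."""
    return best_route_interface(src) == ingress_ifc


def egress_acl_permits(src):
    """Router access-list 100, applied outbound on the ISP-facing serial:
    permit ip 100.100.100.0 0.0.0.255 any / deny ip any any.
    Applied to the (post-NAT) source seen on the serial link."""
    return ipaddress.ip_address(src) in PUBLIC_RANGE


if __name__ == "__main__":
    # Constructed samples: (source address, interface it arrived on)
    samples = [("192.168.21.50", "inside"), ("100.100.100.5", "inside"),
               ("192.168.21.77", "outside"), ("203.0.113.8", "outside")]
    for src, ifc in samples:
        print(f"{src:>15} on {ifc:<7}: {'pass' if rpf_passes(src, ifc) else 'DROP (rpf)'}")
    for src in ("100.100.100.17", "198.51.100.4"):
        print(f"{src:>15} egress ACL: {'permit' if egress_acl_permits(src) else 'deny'}")
```

The model only checks source addresses, as the real controls do; it does not rate-limit, so it flags spoofed floods but not a flood sent from a legitimate address.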
12-08-2006 01:21 AM
Thank you for the reply AK. My search of the manuals did not include the keyword "spoof". I might have been lost even if I had done so! There is no router, only the PIX501 connected to the cable modem. The commands presently include the following:
ip address outside xxx.xxx.xxx.xx6 255.255.255.224
ip address inside 192.168.21.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx5 1
I plan to add the following commands per your recommendation:
ip verify reverse-path interface outside
ip verify reverse-path interface inside
My only question now is do I need to issue a route command on the inside interface? If so, would the following be correct given the above information:
route inside 192.168.21.0 255.255.255.0 192.168.21.1 1
Can you verify?
And many thanks for the link to the Cisco SAFE Blueprint. There is much to be learned from that document!