PIX501 - Preventing Outbound DOS Attack

evitalcom
Level 1

Earlier this week our ISP shut us down for a while. They claimed that a DOS attack had come from within our network. I run Symantec Corp AV on all computers and everything is up to date. The majority of users are not administrators on the local machine. As a result of the incident, I have turned on logging and am using Kiwi Syslog Daemon to receive the data.

Anyhow, is there a way with the PIX501 to detect an outbound DOS attack? I have searched the net and the PIX configuration and command manuals. I really haven't found anything that suggests the PIX501 is capable of detecting such an occurrence. Does anyone have any thoughts on this issue? Thank you.


4 Replies

a.kiprawih
Level 7

What you can do is to implement RFC2827 on your Internet router (apply an ACL on the serial link facing the ISP) or alternatively on the PIX's Outside interface.

The router is more recommended, as it will be the device to filter inbound/outbound traffic.

Detecting a DOS attack using the PIX501 is very limited. It is normally taken care of by IPS/IDS/router (using CAR/rate limit & RFC2827). But you can configure RFC2827 to always deny it.

Minimum Action (more can be done with different devices/methods):

- Permit your Public IP Range to go out to serial interface to ISP

- Deny other public IPs to go out to serial interface to ISP

a. On PIX,

- Enable anti-spoofing using "ip verify reverse-path" on the Outside interface.

Firewall(config)# ip verify reverse-path interface outside

b. On your router (RFC2827), create and apply an ACL to the serial interface facing the ISP:

Example: if your Public IP Range assigned by the ISP is 100.100.100.0/24, you need to permit only this Public IP range going out from your network. Deny others.

On the ISP end (pre-arrange with them), they will deny your own Public IP range from coming back into your network from the ISP side.

- Your internet router (facing ISP):

!
interface serial0/0
 ip address xx.xx.xx.2 255.255.255.252
 ip access-group 100 out
!
access-list 100 permit ip 100.100.100.0 0.0.0.255 any ---> permit your public IP range going out to ISP/internet
access-list 100 deny ip any any ---> deny other Public IPs from going out/originating from your network
!

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00804cc4fa.shtml

http://www.ietf.org/rfc/rfc2827.txt

HTH

AK

Also, if required, enable the PIX's anti-spoofing on the Inside interface as well.

Firewall(config)# ip verify reverse-path interface inside

Thank you for the reply AK. My search of the manuals did not include the keyword "spoof". I might have been lost even if I had done so! There is no router, only the PIX501 connected to the cable modem. The commands presently include the following:

ip address outside xxx.xxx.xxx.xx6 255.255.255.224

ip address inside 192.168.21.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx5 1

I plan to add the following commands per your recommendation:

ip verify reverse-path interface outside

ip verify reverse-path interface inside

My only question now is: do I need to issue a route command on the inside interface? If so, would the following be correct given the above information:

route inside 192.168.21.0 255.255.255.0 192.168.21.1 1

Can you verify?

And many thanks for the link to the Cisco SAFE Blueprint. There is much to be learned from that document!

You don't have to specify that static route. The PIX will automatically handle it.

You need to do it only if, for example, your Inside interface is connected to an L3 device like an L3 switch or router that hosts the 192.168.21.0/24, meaning that your inside interface is running on a different subnet.

A static route is needed to tell the PIX that to reach that segment, it needs to route to (ask) the L3 device that has that segment.

HTH

AK
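As an added illustration that is not part of this thread or of any Cisco code, the Python model below puts together the two checks AK described (the RFC 2827 egress ACL and strict unicast RPF, which is what "ip verify reverse-path" performs) and the point from the accepted answer that a directly connected subnet needs no static route. The 100.100.100.0/24 public range and the 192.168.21.0/24 inside subnet are taken from the posts; the interface names, the default route and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed topology modelled on the thread (example values, not the
# poster's real addressing): a firewall with an "outside" interface in the
# public range from AK's example and an "inside" interface on 192.168.21.0/24.
PUBLIC_RANGE = ip_network("100.100.100.0/24")   # assumed public range
INTERFACES = {
    "outside": PUBLIC_RANGE,
    "inside": ip_network("192.168.21.0/24"),
}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


def build_routing_table(interfaces, default_interface="outside"):
    """Connected routes are derived from interface addressing, which is why no
    'route inside 192.168.21.0 ...' statement is needed; the only static entry
    in this model is the default route out of the outside interface."""
    table = [Route(net, name) for name, net in interfaces.items()]
    table.append(Route(ip_network("0.0.0.0/0"), default_interface))
    return table


def lookup(table, addr: IPv4Address):
    """Longest-prefix match: the interface the firewall would route addr out of."""
    best = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best.interface if best else None


def strict_urpf_ok(table, ingress_iface, src: IPv4Address):
    """Strict unicast RPF (the 'ip verify reverse-path' check): the source is
    acceptable only if the route back to it uses the interface it arrived on."""
    return lookup(table, src) == ingress_iface


def rfc2827_egress_ok(public_range: IPv4Network, src: IPv4Address):
    """RFC 2827 egress filter (the router ACL in the thread): only packets
    sourced from the site's own public range may leave towards the ISP."""
    return src in public_range


# Constructed sample traffic: (arrival interface, source address, note).
SAMPLE_PACKETS = [
    ("inside", "192.168.21.50", "normal LAN host"),
    ("inside", "203.0.113.9", "LAN host sending with a forged external source"),
    ("outside", "8.8.8.8", "normal reply from the Internet"),
    ("outside", "192.168.21.7", "Internet packet forging an inside source"),
]


def audit(table, packets):
    """Apply strict uRPF to each packet and return (iface, src, verdict) rows;
    the 'deny' rows are what a syslog collector such as Kiwi would log."""
    verdicts = []
    for iface, src, _note in packets:
        ok = strict_urpf_ok(table, iface, ip_address(src))
        verdicts.append((iface, src, "permit" if ok else "deny"))
    return verdicts


def denied_sources(table, packets):
    """Summarise denied sources per arrival interface: a quick way to spot an
    inside host emitting spoofed traffic after the fact."""
    summary = {}
    for iface, src, verdict in audit(table, packets):
        if verdict == "deny":
            summary.setdefault(iface, []).append(src)
    return summary


if __name__ == "__main__":
    rt = build_routing_table(INTERFACES)
    for row in audit(rt, SAMPLE_PACKETS):
        print("%-8s %-16s %s" % row)
    print("denied by interface:", denied_sources(rt, SAMPLE_PACKETS))
    print("egress 100.100.100.10 allowed:",
          rfc2827_egress_ok(PUBLIC_RANGE, ip_address("100.100.100.10")))
```

Two things the model makes visible: with only the connected routes and a default route, a packet arriving on inside with an external source fails the reverse-path check because the route back to that source points outside, and a packet arriving on outside claiming a 192.168.21.x source fails for the mirror reason. The egress check applies to post-NAT traffic, which is why, on the poster's setup with no router, the PIX's outside interface is the place where the public-range check effectively happens.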
