01-01-2005 10:05 AM - edited 03-02-2019 08:51 PM
How can I log if I'm getting DDoS attacks? I tried the logging command, but it seems to only log internal to outside. Am I doing something wrong?
Thanks
01-01-2005 02:50 PM
Hello,
Can you post what you have configured so far? What are you logging?
Regards,
GP
01-01-2005 04:39 PM
Here is what I have:
Syslog logging: enabled (0 messages dropped, 41 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 25601 messages logged, xml disabled
Monitor logging: level warnings, 0 messages logged, xml disabled
Buffer logging: disabled, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 25649 message lines logged
Logging to 10.10.10.66, 25649 message lines logged, xml disabled
01-01-2005 05:04 PM
Here is the total config:
Current configuration : 3742 bytes
!
! Last configuration change at 06:02:08 est Sun Jan 2 2005
! NVRAM config last updated at 06:02:09 est Sun Jan 2 2005
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 1720_FW
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 informational
logging monitor warnings
enable secret xxxx
enable password xxxx
!
memory-size iomem 20
clock timezone est 5
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip dhcp pool dhcppool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.200
lease 7
!
no ip bootp server
ip cef
!
!
!
!
interface Loopback0
ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0
ip address dhcp
ip access-group 100 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
speed auto
no cdp enable
!
ip nat translation timeout 60
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21
ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20
ip nat inside source static tcp 10.10.10.60 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.10.10.60 1494 interface Ethernet0 1494
ip classless
no ip http server
!
!
ip access-list extended internet-in
logging source-interface Ethernet0
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015 log
access-list 100 permit tcp any host 10.10.10.60 eq 3389 log
access-list 100 permit tcp any any eq ftp log
access-list 100 permit tcp any eq ftp-data any gt 1023 log
access-list 100 permit tcp any eq ftp any gt 1023 log
access-list 100 permit tcp any any established log
access-list 100 permit tcp any any log
access-list 100 permit ip any any log
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit tcp any host 10.10.10.60 eq 1494
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit tcp any any established log
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 deny ip 0.0.0.0 255.255.0.0 any
no cdp run
banner motd ^CC
****************************
* WARNING *
****************************
!
line con 0
line aux 0
line vty 0 3
access-class 1 in
password 7 1508
login
telnet refuse-negotiations
line vty 4
access-class 1 in
password 7
login
telnet refuse-negotiations
!
1720_FW#
01-01-2005 06:52 PM
Thanks for posting the config. It may be helpful.
But first I think we need to be more clear about what you are asking. I think I gather from the original post that you are concerned about Denial of Service attacks. But I am not sure what your question is, or what it is that you are trying to accomplish. If you clarify that it will be a start toward solving your issue.
If you are concerned about Denial of Service attacks I would suggest that you would probably be better protected if you used reflexive access lists. And would be better protected against DOS by using IDS rather than router access lists.
I do have a couple of observations about the access list in your configuration. Access list 100 is logging all traffic through the interface. If you want to identify traffic (and especially if you want to be able to identify DOS) logging it is one way to accomplish it. But I suggest that you think about the load it will generate in your network to send all of these to your logging server, the load on the server, and the effort it will take to look through these log records when you need to investigate anything. Secondly, none of the access list statements dealing with ICMP will have any effect because part way into the list you have a permit ip any any log and all traffic will be permitted by this and not be evaluated by the ICMP conditions in the access list. Also I find it a bit strange to have an access list of multiple statements which permits everything. Most access lists deny some traffic.
HTH
Rick
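Rick's point about the permit ip any any line making every later ICMP entry unreachable can be checked mechanically. The following is an added example, not code from the thread: a small Python first-match checker that parses a constructed subset of the posted access-list 100 (IOS wildcards are treated as contiguous hostmasks, an assumption that holds for this config) and reports entries that an earlier, broader entry already matches.

```python
import ipaddress
# Constructed subset of the posted access-list 100, kept in the original order.
ACL_100 = """
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015 log
access-list 100 permit tcp any host 10.10.10.60 eq 3389 log
access-list 100 permit tcp any any eq ftp log
access-list 100 permit tcp any eq ftp-data any gt 1023 log
access-list 100 permit tcp any any established log
access-list 100 permit tcp any any log
access-list 100 permit ip any any log
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 10.10.10.60 eq 1494
""".strip().splitlines()
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count

def parse_addr(t, i):
    """Consume one address spec at t[i] (any | host A | A WILDCARD); return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2  # wildcard read as hostmask

def parse_entry(line):
    """Return (proto, src, dst, qualifiers) for one numbered extended ACL line."""
    t = [tok for tok in line.split() if tok != "log"]     # 'log' never affects matching
    proto = t[3]
    src, i = parse_addr(t, 4)
    qual = []
    if t[i] in PORT_OPS:                                   # optional source-port operator
        n = 1 + PORT_OPS[t[i]]
        qual, i = t[i:i + n], i + n
    dst, i = parse_addr(t, i)
    return proto, src, dst, tuple(qual + t[i:])            # dst ports, established, icmp type

def covers(earlier, later):
    """True if every packet matching `later` already matched `earlier` (first match wins)."""
    e_proto, e_src, e_dst, e_qual = earlier
    l_proto, l_src, l_dst, l_qual = later
    return ((e_proto == "ip" or e_proto == l_proto) and l_src.subnet_of(e_src)
            and l_dst.subnet_of(e_dst) and (not e_qual or e_qual == l_qual))

def shadowed_entries(lines):
    """Return 1-based (entry, shadowed_by) pairs for entries that can never be reached."""
    entries = [parse_entry(l) for l in lines]
    found = []
    for n, later in enumerate(entries):
        for m in range(n):
            if covers(entries[m], later):
                found.append((n + 1, m + 1))   # for ACL_100: [(8, 7), (9, 7), (10, 6)]
                break
    return found
```

Both ICMP entries are reported as dead behind the permit ip any any line, and the final tcp 1494 entry is dead behind the earlier permit tcp any any.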
01-01-2005 08:34 PM
OK, I'm trying to clean up my access list. With my access list I don't understand why I have to permit ip any any to get out. Why is this? Here is what I have now for the ACL:
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015 log
access-list 100 permit tcp any host 10.10.10.60 eq 3389 log
access-list 100 permit tcp any host 10.10.10.60 eq 1494
access-list 100 permit tcp any any eq ftp
access-list 100 permit ip any any
access-list 101 permit tcp any any established log
access-list 101 permit ip any any
For some reason I have to have ip any any to get out. What am I missing? I don't want to permit ip any from outside in. Thanks for your help.
01-02-2005 01:43 AM
Hello,
From the config you posted it is not clear how your traffic is being routed; are you using a routing protocol or static routes?
In order to find out what traffic is being blocked, you could change the statement 'permit ip any any' to 'deny ip any any log' and log the output to the console; this should tell you which traffic you need to allow...
Regards,
GP
01-02-2005 08:20 AM
OK, I figured it out. Thanks for your help. I have another problem: what is the easiest way to map multiple ports to a client? I need all of these open, and I don't think I have a DMZ on this. Any ideas, or do I have to open each port and map each NAT port?
UDP:
3500
3658
6779
45000
45001
55301-08
TCP:
80
443
6668
40000
40100-102
42000
51012-51020