AAA attacks

I manage an equipment demo network accessed via the old Cisco VPN Client.  Last night the router seems to have become the subject of attacks that overload the remote access in such a way as to deny legitimate remote access.  No unauthorised remote logins have occurred, but the continued connections are a DoS.

Using the command show aaa user all shows dozens of connections like this:

Unique id 67 is currently in use.
Accounting:
  log=0x18001
  Events recorded :
    CALL START
    INTERIM START
    INTERIM STOP
  update method(s) :
    NONE
  update interval = 0
  Outstanding Stop Records : 0
  Dynamic attribute list:
    66534E00 0 00000001 connect-progress(36) 4 No Progress
    66534E14 0 00000001 pre-session-time(254) 4 19965(4DFD)
    66534E28 0 00000001 elapsed_time(324) 4 0(0)
    66534E3C 0 00000001 pre-bytes-in(250) 4 0(0)
    66534E50 0 00000001 pre-bytes-out(251) 4 0(0)
    66534E64 0 00000001 pre-paks-in(252) 4 0(0)
    66534E78 0 00000001 pre-paks-out(253) 4 0(0)
  No data for type EXEC
  No data for type CONN
  NET: Username=(n/a)
    Session Id=00000040 Unique Id=00000043
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
    66534E00 0 00000001 start_time(327) 4 Dec 16 2016 14:54:43
    66534E14 0 00000001 session-id(322) 4 64(40)
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  No data for type CALL
  No data for type VPDN-TUNNEL
  No data for type VPDN-TUNNEL-LINK
  No data for type 11
  No data for type IPSEC-TUNNEL
  No data for type 13
  No data for type RESOURCE
Debg: No data available
Radi: No data available
Interface:
  TTY Num = -1
  Stop Received = 0
  Byte/Packet Counts till Call Start:
    Start Bytes In = 0             Start Bytes Out = 0
    Start Paks  In = 0             Start Paks  Out = 0
  Byte/Packet Counts till Service Up:
    Pre Bytes In = 0             Pre Bytes Out = 0
    Pre Paks  In = 0             Pre Paks  Out = 0
  Cumulative Byte/Packet Counts :
    Bytes In = 0             Bytes Out = 0
    Paks  In = 0             Paks  Out = 0
  StartTime = 14:54:43 UTC Dec 16 2016
  Component = VPN_IPSEC
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
  Unique Id = 00000043
  Session Id = 00000040
  Attribute List:
    66534E00 0 00000001 port-type(162) 4 Virtual Terminal
    66534E14 0 00000009 interface(158) 13 W.X.Y.Z
PerU: No data available
Service Profile: No Service Profile data.

Where W.X.Y.Z is the IP address of the attacker.

I've added a temporary ACL on the class A subnet from where the attacks originate to the public interface of the router, but it has no effect:

interface FastEthernet0/1
 description Outside interface
 ip address .... ....
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside

access-list 101 remark temporary attack block attack
access-list 101 deny   ip W.0.0.0 0.255.255.255 any
access-list 101 permit ip any any

The relevant local AAA config is:

aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common

!

username ABCD secret 5 ....

I'm struggling to get my head around what's happening, probably not helped by the fact this all occurred at midnight.

Ideas appreciated!
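Added example, not part of the original post: a small Python parser for the show aaa user all output quoted above. It splits the output on the "Unique id N is currently in use." header, pulls from each record the interface(158) attribute (the peer address, W.X.Y.Z in the post), the connect-progress(36) state and the start_time(327), and tallies sessions per source address. The optional cutoff drops sessions that began before a given time, so running it with the moment the ACL was applied as the cutoff shows directly whether new sessions are still being accepted from the blocked range; an ACL only affects new packets and does not remove sessions already in the AAA table. The sample output is constructed from the record in the post, trimmed to the fields the parser reads and with RFC 5737 documentation addresses in place of the real ones; the attribute names and numbers come from the post, the rest is assumed.

```python
"""Tally Cisco IOS `show aaa user all` sessions by source address (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of `show aaa user all`, cut down to the
# lines this parser uses. Addresses are documentation ranges, not a capture.
SAMPLE = """\
Unique id 67 is currently in use.
Accounting:
  Dynamic attribute list:
    66534E00 0 00000001 connect-progress(36) 4 No Progress
  NET: Username=(n/a)
    Attribute list:
    66534E00 0 00000001 start_time(327) 4 Dec 16 2016 14:54:43
General:
  Unique Id = 00000043
  Attribute List:
    66534E00 0 00000001 port-type(162) 4 Virtual Terminal
    66534E14 0 00000009 interface(158) 13 198.51.100.7
Unique id 68 is currently in use.
Accounting:
  Dynamic attribute list:
    66534E00 0 00000001 connect-progress(36) 4 No Progress
  NET: Username=(n/a)
    Attribute list:
    66534E00 0 00000001 start_time(327) 4 Dec 16 2016 15:01:10
General:
  Unique Id = 00000044
  Attribute List:
    66534E14 0 00000009 interface(158) 13 198.51.100.7
Unique id 12 is currently in use.
Accounting:
  Dynamic attribute list:
    66534E00 0 00000001 connect-progress(36) 4 LAN Ses Up
  NET: Username=demo_user
    Attribute list:
    66534E00 0 00000001 start_time(327) 4 Dec 16 2016 09:12:05
General:
  Unique Id = 0000000C
  Attribute List:
    66534E14 0 00000009 interface(158) 13 203.0.113.5
"""

# Record header is lower-case "id"; the "Unique Id = ..." line inside
# General does not match, so it cannot split a record in two.
RECORD_START = re.compile(r"^Unique id (\d+) is currently in use\.$", re.M)
ATTR = {
    "progress": re.compile(r"connect-progress\(36\)\s+\d+\s+(.+?)\s*$", re.M),
    "start":    re.compile(r"start_time\(327\)\s+\d+\s+(.+?)\s*$", re.M),
    "source":   re.compile(r"interface\(158\)\s+\d+\s+(\S+)", re.M),
    "user":     re.compile(r"Username=(\S+)", re.M),
}


def parse_ios_time(text):
    """IOS prints start_time as e.g. 'Dec 16 2016 14:54:43' (no zone field)."""
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def parse_sessions(text):
    """Return one dict per record: unique_id, source, progress, user, start."""
    sessions = []
    heads = list(RECORD_START.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        rec = {"unique_id": int(head.group(1))}
        for key, rx in ATTR.items():
            hit = rx.search(body)
            rec[key] = hit.group(1) if hit else None
        if rec["start"]:
            rec["start"] = parse_ios_time(rec["start"])
        sessions.append(rec)
    return sessions


def tally_by_source(sessions, since=None):
    """Per source: total sessions, sessions stuck at 'No Progress', newest start.
    With `since` set, sessions that began before it are ignored, so a non-empty
    result for a blocked range means the block is not stopping new sessions."""
    out = defaultdict(lambda: {"total": 0, "no_progress": 0, "newest": None})
    for s in sessions:
        if since is not None and s["start"] is not None and s["start"] < since:
            continue
        row = out[s["source"] or "?"]
        row["total"] += 1
        if s["progress"] == "No Progress":
            row["no_progress"] += 1
        if s["start"] and (row["newest"] is None or s["start"] > row["newest"]):
            row["newest"] = s["start"]
    return dict(out)


if __name__ == "__main__":
    # Feed real output with: python3 aaa_tally.py < show_aaa_user_all.txt
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for src, row in sorted(tally_by_source(parse_sessions(data)).items(),
                           key=lambda kv: -kv[1]["total"]):
        print(f"{src:<16} total={row['total']:<4} no_progress={row['no_progress']:<4} newest={row['newest']}")
```

Run against the real output and compare the "newest" column with the time the access-list was added; source addresses whose newest session post-dates the ACL are still getting through it.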