Protecting against DDOS attacks

theitmedic
Level 1

I have a Cisco 2901 router configured to allow access to a DVR device using NAT and ACLs from the Internet. I can't lock down the ACLs to a source IP due to the customer's DVR app needing to access the DVR from anywhere out on the Internet. I see port scans happening from various suspicious locations scanning the router's IP, which is hidden, for port 7000. They can't gain access to the DVR device, but is there a way to deny port scans from getting to port 7000? Is there something to deny based on scan frequency, or possibly on seeing no connection establishment to the DVR device and then denying the source IP?

interface GigabitEthernet0/0
description Internet Outside GigabitEthernet0/0
ip address x.x.x.x 255.255.255.252
ip access-group 190 in

interface GigabitEthernet0/1
description DVR Device
ip address 192.168.4.1 255.255.255.0
ip access-group 104 in

ip nat inside source static tcp 192.168.4.2 35000 interface GigabitEthernet0/0 7000
ip nat inside source route-map NAT_MAP_1 interface GigabitEthernet0/0 overload

route-map NAT_MAP_1 permit 1
match ip address 100

access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 deny ip any any

access-list 104 remark ------ DVR Device IN Rules ------
access-list 104 permit tcp host 192.168.4.2 any eq www
access-list 104 permit udp host 192.168.4.2 any eq domain
access-list 104 permit tcp host 192.168.4.2 eq 35000 any
access-list 104 deny ip any any log

access-list 190 permit tcp any any eq 7000 log
access-list 190 deny ip any any

Thanks

GW

Accepted Solution

kubn2
Level 1

Hi,

If you have a stateful firewall, then nothing bad should happen, since the outside cannot initiate a connection to you. If you still don't like that someone is scanning you, you can explicitly block him with an extended ACL.

You can also try implementing IP Session Filtering (Reflexive ACLs): https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/sec-cfg-ip-filter.html
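As an added example (not kubn2's or the original poster's configuration), this is what the two suggestions look like on the poster's outside interface: a named extended ACL that first drops an explicitly identified scanner prefix, keeps the required port 7000 forward, and otherwise admits only return traffic for sessions the inside initiated, via reflexive ACL entries that replace the blanket `deny ip any any` of ACL 190. The ACL names, the timeouts and the 203.0.113.0/24 scanner range are placeholders; the interface, NAT and port 7000 values come from the post.

```cisco
! Outbound on the Internet-facing interface: record inside-initiated TCP/UDP
! sessions. NAT runs before this outbound ACL, so "any" here is the router's
! translated address, and the temporary reflected entries are keyed on it,
! which matches what the inbound ACL (checked before un-NAT) will see.
ip access-list extended OUTSIDE_OUT
 permit tcp any any reflect TCP_SESSIONS timeout 300
 permit udp any any reflect UDP_SESSIONS timeout 60
 permit ip any any
!
! Inbound on the same interface, evaluated top to bottom:
!  1. drop a source you have decided to block (placeholder prefix) and log it
!  2. the DVR forward must stay open to "any" per the customer requirement,
!     so a scanner's first SYN cannot be told apart from a legitimate one;
!     the log keyword still records every hit for later review
!  3. admit only return traffic for sessions recorded by OUTSIDE_OUT
!  4. drop and log everything else
ip access-list extended OUTSIDE_IN
 deny   ip 203.0.113.0 0.0.0.255 any log
 permit tcp any any eq 7000 log
 evaluate TCP_SESSIONS
 evaluate UDP_SESSIONS
 deny   ip any any log
!
! Applying OUTSIDE_IN replaces "ip access-group 190 in" on this interface.
interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in
 ip access-group OUTSIDE_OUT out
!
! Verification: confirm sessions are being tracked and which lines are hit.
! show ip access-lists TCP_SESSIONS
! show ip access-lists OUTSIDE_IN
```

The explicit deny only helps for sources already seen in the ACL 190 log; the reflexive entries protect the inside hosts' outbound sessions but do not change what reaches port 7000, which the requirement keeps open.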
