Storm-control cisco 3845

Juan Barco
Level 1

Hi,

 

First of all, sorry for my English. One of my public IPs has been attacked. I was wondering how to fix it, and I found that when I am being attacked, the number of pps on my interface goes up to 800 kpps. I was searching and I found the "storm control" function. I have a Cisco 3845; can you tell me what I can do to avoid attacks?

Accepted Solutions

Hello

Then I suggest you either attach a FW between your router and the internet or apply some IOS security.

 

Basic stuff to assign:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out

no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
login block-for 10 attempts 2 within 5

 


all FastEthernet/gig ints
-------------------------
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled


all Serial interfaces
-------------------------
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply

and then maybe use a simple CBAC inspection
----------------------------------------------------------------

R1
ip inspect name ios_fw TCP
ip inspect name ios_fw UDP
ip inspect name ios_fw ICMP

access-list 100 deny ip any any

! WAN-facing interface (x/x is a placeholder)
interface FastEthernet x/x
 ip inspect ios_fw out
 ip access-group 100 in

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
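
A way to check a saved configuration against the checklist in the accepted answer, as an added example that is not part of the original thread or any Cisco tool. It assumes full-form commands as they appear in a configuration file; the interface names, the address and the sample configuration are constructed.

```python
GLOBAL = [  # baseline copied from the accepted answer above
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service timestamps debug datetime msec localtime show-timezone",
    "service timestamps log datetime msec localtime show-timezone",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip finger",
    "no ip source-route", "no ip gratuitous-arps",
    "login block-for 10 attempts 2 within 5"]
IFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
         "no ip directed-broadcast", "no ip mask-reply"]
ETHERNET_ONLY = ["no mop enabled"]  # the answer lists this for FastEthernet/gig only

def parse(config):
    """Split config text into top-level lines and {interface: sub-commands}."""
    top, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        text = " ".join(raw.split())          # normalise whitespace
        if not text or text.startswith("!"):  # blank line or IOS comment
            continue
        if raw[0].isspace():                  # indented: part of current stanza
            ifaces.get(current, set()).add(text)
            continue
        current = text.split()[1] if text.lower().startswith("interface ") else None
        if current:
            ifaces[current] = set()
        else:
            top.add(text)
    return top, ifaces

def audit(config):
    """Return (scope, missing command) pairs against the baseline."""
    top, ifaces = parse(config)
    missing = [("global", c) for c in GLOBAL if c not in top]
    for name, cmds in ifaces.items():
        if name.lower().startswith(("fastethernet", "gigabitethernet")):
            missing += [(name, c) for c in IFACE + ETHERNET_ONLY if c not in cmds]
        elif name.lower().startswith("serial"):
            missing += [(name, c) for c in IFACE if c not in cmds]
    return missing

# Constructed sample: last global line missing, Serial has only two sub-commands.
SAMPLE = "\n".join(
    GLOBAL[:-1] + ["!", "interface GigabitEthernet0/0"] + [" " + c for c in IFACE]
    + ["!", "interface Serial0/0/0"] + [" " + c for c in IFACE[:2]]
    + ["!", "interface Loopback0", " ip address 192.0.2.1 255.255.255.255"])

if __name__ == "__main__":
    print("\n".join(f"{scope}: missing '{cmd}'" for scope, cmd in audit(SAMPLE)))
```

A reported miss only means the line is absent from the text checked: IOS does not display commands that match the platform defaults, so some checklist lines may be in effect without appearing in the running configuration.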


7 Replies

Hello

Storm control won't stop you from being attacked - It's an access-port feature that helps keep your LAN from being overwhelmed when it's flooded with excessive broadcast/multicast/unicast traffic - This LAN storm can be negated by applying thresholds on this traffic, so when the specified threshold is reached the port can be shut down or an SNMP trap message created.

Do you know what kind of traffic is causing this utilization?
Do you have any router security applied or a FW between your router and the internet?
 

res

Paul


Hi,

 

I know the ports on my server that are under attack. I don't have any security applied on my router.

 

 

Thanks

Hi milo,

So you need to add some access lists and inspection rules to your network.

 

Thanks. 

Hi,

 

 

I will try this, thanks a lot.

sotiris_pafitis
Level 1

Hello,

 

How do you know you are under attack? And what kind of attack?

 

Thanks

Hi,

 

 

 

I have this tool called Arbor. It shows me strange traffic from one IP; the traffic is like 300 Mbps, nothing normal. Arbor shows me that ports 53 and 113 of my server are the ones under attack.

 

 

thanks