We're performing a penetration test on our environment. The topology is like this:
ISP (BGP routing) ------ 7206 (BGP routing) ------- Firewall -------- DMZ ---- Servers
7206 information: c7200p-advipservicesk9-mz.124-15.T5.bin, using the G2 processor. It also has 1 GB RAM (400 MB of it used by BGP routes).
During the test, we simulated an ICMP attack, a SYN flood, an HTTP attack, etc.
Except for the SYN attack, the router only showed high CPU usage during the tests and no interruptions. But during the SYN flood attack the router went down in 4-5 seconds. The console was frozen. After the attack, when we checked the parameters, there seemed to be no high CPU usage issue. We think it's related to the connection table or memory.
For testing we implemented a rate-limit on the external interface, but it didn't work.
So what are we supposed to do on the router to prevent the SYN attack?
Were you sending the TCP SYN attack to the router or to the servers behind the DMZ?
If it was targeting the servers, then it is mostly to do with your config on the 7200.
Do you have any configs like "ip tcp intercept" or "ip tcp adjust-mss" in your configs?
This has to be considered as just transit traffic by the 7200 and gets CEF switched, unless there is some config on the 7200 causing some packets to get process switched.
What do you suggest? On the 7206, we have ISP redundancy with two 100 Mbit internet connections.
How can I configure it, and which parameters should we use?
If you have not configured anything specific, the 7200 will consider TCP SYN packets the same as any normal traffic.
Have you configured any security features on the 7200?
Classic security features:
- no ip redirects
- no service tcp-small-servers
- no service udp-small-servers
- no service finger
- no ip proxy-arp
Some ACLs on the external interface like:
access-list 101 remark drop packets with private, loopback, broadcast or unspecified source addresses
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 remark block small-server and management ports on the router's own address
access-list 101 deny tcp any host xxxx eq echo
access-list 101 deny tcp any host xxxx eq discard
access-list 101 deny tcp any host xxxx eq daytime
access-list 101 deny tcp any host xxxx eq chargen
access-list 101 deny tcp any host xxxx eq telnet
access-list 101 deny tcp any host xxxx eq finger
access-list 101 permit ip any any
The above configs shouldn't cause TCP SYN packets to go to the CPU.
If the router uptime is only a few days, the "show interface stat" output will tell you if any of the interfaces was processing a high number of process-switched packets.
For traffic transiting the router to the servers, that traffic is forwarded through the data plane; it is not destined to the router and would therefore not directly impact its CPU or memory. For a SYN attack destined to the servers, you may look at the "ip tcp intercept" security feature.
If your router got impacted by this traffic, that means it was destined to the router (the router's control plane) and therefore impacted its functionality and brought it down or raised its CPU. For such traffic, I would recommend looking at Control Plane Protection to limit the type of traffic at the router's ingress queue.
Look at the below example:
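The example the reply refers to is not reproduced on this page. What follows is an added illustration, not the reply author's configuration, of the two features named in the thread on IOS 12.4(15)T: Control Plane Policing for SYNs aimed at the router's own addresses, and ip tcp intercept for SYNs transiting to the DMZ servers. Every address, ACL name, class name and rate below is an assumption chosen for the illustration (documentation ranges: 203.0.113.2 as the router's external address, 198.51.100.1 as the ISP BGP peer, 192.0.2.0/24 as the management network, 203.0.113.10 as a DMZ web server); tune the rates to what "show policy-map control-plane" reports for normal traffic before enforcing drops.

```cisco
! Added example, not from the thread. Addresses and rates are assumptions.
!
! --- 1. Control Plane Policing: packets addressed TO the router itself ---
! Transit SYNs are CEF-switched and never reach this policy; only traffic
! punted to the control plane (BGP, management, ICMP to the router, and
! SYNs to the router's own IPs) is classified and policed here.
ip access-list extended COPP-BGP
 remark BGP to/from the ISP peer only, in both directions
 permit tcp host 198.51.100.1 host 203.0.113.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.2
ip access-list extended COPP-MGMT
 remark SSH and SNMP from the management network only
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.2 eq 22
 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.2 eq snmp
ip access-list extended COPP-ICMP
 remark the ICMP types needed for reachability tests and PMTUD
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map match-all COPP-CLASS-BGP
 match access-group name COPP-BGP
class-map match-all COPP-CLASS-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-CLASS-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP-POLICY
 ! BGP is policed with exceed-action transmit: the counters show anomalies
 ! but the peering is never dropped by this policy.
 class COPP-CLASS-BGP
  police 512000 16000 conform-action transmit exceed-action transmit
 class COPP-CLASS-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-CLASS-ICMP
  police 64000 4000 conform-action transmit exceed-action drop
 ! class-default catches everything else that is punted, including a
 ! SYN flood at the router's own addresses, and gives it a small bucket.
 class class-default
  police 32000 4000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! --- 2. TCP intercept: SYNs transiting TO the DMZ servers ---
! The router completes the handshake on the server's behalf and only opens
! the server-side connection once the client ACKs, so half-open state is
! held on the router instead of the server.
access-list 120 permit tcp any host 203.0.113.10 eq www
access-list 120 permit tcp any host 203.0.113.10 eq 443
ip tcp intercept list 120
ip tcp intercept mode intercept
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 20
ip tcp intercept connection-timeout 3600
! Aggressive mode starts above "high" and stops below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
!
! --- 3. Verification during the next test run ---
! show policy-map control-plane        per-class conformed/exceeded counters
! show tcp intercept statistics        half-open counts and drops
! show tcp intercept connections       current intercepted sessions
! show interfaces stats                Processor vs Route cache packet counts
! show processes cpu sorted            process-level CPU during the flood
! show processes memory sorted         memory pool usage during the flood
```

Two caveats from my side, not from the thread. First, the interface rate-limit the original poster tried polices bytes per second on all traffic; a SYN flood is small in bits but large in packets and is not separated from legitimate traffic by it, which is why a control-plane policy keyed on destination (the router's own addresses) is the right tool for the router-crash case. Second, ip tcp intercept keeps the half-open connection table on the router itself; on a box that already froze under a SYN flood, watch the memory counters above closely, and consider leaving server-side SYN protection to the firewall if the router cannot hold that state.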