Syn Attack on Cisco 7206

CSCO11177789
Level 1

Hi;

We're performing penetration test on our environment. Topology like;

ISP (BGP routing) ------ 7206 (BGP routing)------- Firewall -------- DMZ ----Servers

7206 information: c7200p-advipservicesk9-mz.124-15.T5.bin, using a G2 processor. It also has 1 GB RAM (400 MB of it used by BGP routes).

During test, we simulated ICMP attack, syn flood, http attack etc.

Except for the SYN attack, the router only had high CPU usage during the tests and no interruptions. But during the SYN flood attack the router went down in 4-5 seconds. The console was frozen. After the attack, when we checked the parameters, it seems there is no high CPU usage issue. We think it's related to the connection table or memory.

For testing we implemented rate-limit on the external interface, but it didn't work.

So what are we supposed to do on the router to prevent a SYN attack?

Best regards

Umut

8 Replies

Raju Sekharan
Cisco Employee

Hi Umut,

Were you sending the TCP SYN attack to the router or to the servers behind the DMZ?

If it was targeting the servers, then it is mostly to do with your config on the 7200.

Do you have any configs like "ip tcp intercept" or "ip tcp adjust-mss" in your configs?

Thank you

Raju

Hi;

We are sending the attack to the servers behind the DMZ.

Second answer is no. We don't have any config like "ip tcp intercept".

Best regards

Hi

This has to be considered as just transit traffic by the 7200 and get CEF switched, unless there is some config on the 7200 causing some packets to get process switched.

Thank you

Raju

Hi;

What do you suggest? On the 7206, we have IPS redundancy with two 100 Mbit internet connections.

How can I configure it, and which parameters should we use?

Best regards

Umut

Hi

If you have not configured anything specific, the 7200 will consider TCP SYN packets the same as any normal traffic.

Have you configured any security features on the 7200?

Thank you

Raju

Hi;

Classic security features:

- no ip redirect

- no service tcp-small-servers

- no service udp-small-servers

- no service finger

- no ip proxy-arp

Some ACLs on the external interface like:

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.0.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.0.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   tcp any host xxxx eq echo

access-list 101 deny   tcp any host xxxx eq discard

access-list 101 deny   tcp any host xxxx eq daytime

access-list 101 deny   tcp any host xxxx eq chargen

access-list 101 deny   tcp any host xxxx eq telnet

access-list 101 deny   tcp any host xxxx eq finger

access-list 101 permit ip any any

The above configs shouldn't cause TCP SYN packets to go to the CPU.

If the router uptime is only a few days, "show interface stat" output will tell you if any of the interfaces was processing a high amount of process switched traffic.

Thank you

Raju

Mohamed Sobair
Level 7

Hello,

For traffic transiting the router to the servers, that traffic is forwarded through the data plane; it is not destined to the router and would therefore not directly impact its CPU or memory. For a SYN attack destined to the servers, you may look at the IP TCP intercept security feature.

If your router got impacted by this traffic, that means it is destined to the router (the router's control plane) and therefore impacted its functionality and brought it down or raised its CPU. For such a type of traffic, I would recommend looking at Control Plane Protection to limit the type of traffic at the router's ingress queue.

Look at the below example:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html

Regards,

Mohamed
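An added IOS configuration sketch, not from any poster in this thread, illustrating the two features Mohamed names: TCP intercept in watch mode for SYN floods aimed at the DMZ servers, and a Control Plane Policing policy that rate-limits SYNs addressed to the router itself while exempting the BGP peer. The server range 192.0.2.0/24, the router WAN address 198.51.100.1 and the peer 198.51.100.2 are constructed placeholders, and the thresholds are starting points to tune against "show tcp intercept statistics".

```cisco
! ---- TCP intercept (watch mode) for SYN floods transiting to the DMZ ----
! ACL 150 selects the protected server range (placeholder 192.0.2.0/24).
access-list 150 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 150
! Watch mode: the router only observes the handshake and resets
! connections that do not complete within the watch timeout.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
! Aggressive mode kicks in above the "high" marks and relaxes below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
! Drop random half-open entries rather than the oldest when aggressive.
ip tcp intercept drop-mode random
!
! ---- CoPP: police TCP SYNs whose destination is the router itself ----
! 198.51.100.1 = router WAN address, 198.51.100.2 = ISP BGP peer (placeholders).
ip access-list extended CP-TCP-SYN
 ! BGP session setup from the peer must never be policed away.
 deny   tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 deny   tcp host 198.51.100.2 eq bgp host 198.51.100.1
 permit tcp any host 198.51.100.1 syn
!
class-map match-all CP-SYN
 match access-group name CP-TCP-SYN
!
policy-map CP-POLICY
 class CP-SYN
  ! 64 kbps of SYNs is far more than a router needs for its own sessions.
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
!
control-plane
 service-policy input CP-POLICY
```

Watch the counters with "show policy-map control-plane" during a retest: if CP-SYN shows no exceed drops while the router still fails, the load is not control-plane SYNs and the TCP intercept statistics (or a memory/CEF check) are the next place to look.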
