
Archive for the ‘Network Security’ Category

Mitigating Source Specific DoS Attack Using Remotely Triggered BlackHole

January 28, 2011

The Remotely Triggered Black Hole (RTBH) method is usually used to deal with DDoS attacks that target a specific destination. When we combine it with the Unicast Reverse Path Forwarding (uRPF) feature, we can instead drop DoS traffic based on its source IP.

Here is the lab scenario used to simulate that method (we are using Cisco routers):

To simulate the attacker, we use a loopback interface on router INET. INET has 2 connections to AS 65000 (the Service Provider). In this scenario we prefer GW1 as the primary path for outgoing traffic to the Service Provider network. Here is the relevant configuration from INET:

hostname INET
!
interface Loopback0
ip address 100.100.1.1 255.255.255.0
no ip directed-broadcast
!
interface Loopback1
ip address 200.200.1.1 255.255.255.0
no ip directed-broadcast
!
interface FastEthernet1/0
ip address 172.16.0.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
interface FastEthernet1/1
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
duplex full
speed 100
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
network 100.100.1.0 mask 255.255.255.0
network 200.200.1.0
neighbor 172.16.0.2 remote-as 65000
neighbor 172.16.0.2 weight 65535
neighbor 172.16.1.2 remote-as 65000
neighbor 172.16.1.2 weight 32768
no auto-summary

For the Service Provider network, we use 4 routers: GW1, GW2, RR and PE-1. RR acts as the Route Reflector for the other routers and as the trigger router. They use OSPF as the IGP and BGP in AS 65000. We also use BGP to trigger GW1 and GW2 to blackhole the attacker traffic.

Here is the relevant configuration for all of the Service Provider routers:

hostname GW1
!
ip cef
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
!
interface FastEthernet1/0
ip address 172.16.0.2 255.255.255.0
!
interface FastEthernet1/1
ip address 10.1.1.2 255.255.255.0
ip ospf priority 0
!
router ospf 1
router-id 1.1.1.2
log-adjacency-changes
network 1.1.1.2 0.0.0.0 area 0
network 10.1.1.2 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.2
bgp log-neighbor-changes
redistribute connected route-map TO-INET
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 172.16.0.1 remote-as 65002
no auto-summary
!
access-list 1 permit 172.16.0.0
!
route-map TO-INET permit 10
match ip address 1

hostname GW2
ip cef
interface Loopback0
ip address 1.1.1.3 255.255.255.255
!
interface FastEthernet1/0
ip address 172.16.1.2 255.255.255.0
!
interface FastEthernet1/1
ip address 10.1.1.3 255.255.255.0
ip ospf priority 50
!
router ospf 1
router-id 1.1.1.3
log-adjacency-changes
network 1.1.1.3 0.0.0.0 area 0
network 10.1.1.3 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.3
bgp log-neighbor-changes
redistribute connected route-map INET-EDGE
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 172.16.1.1 remote-as 65002
no auto-summary
!
access-list 1 permit 172.16.1.0
!
route-map INET-EDGE permit 10
match ip address 1

hostname PE-1
!
interface Loopback0
ip address 1.1.1.4 255.255.255.255
!
interface FastEthernet1/0
ip address 10.1.1.4 255.255.255.0
ip ospf priority 0
!
interface FastEthernet1/1
ip address 192.168.0.2 255.255.255.0
!
router ospf 1
router-id 1.1.1.4
log-adjacency-changes
network 1.1.1.4 0.0.0.0 area 0
network 10.1.1.4 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.4
bgp log-neighbor-changes
redistribute connected route-map TO-CE1
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 update-source Loopback0
neighbor 192.168.0.1 remote-as 65001
neighbor 192.168.0.1 default-originate
no auto-summary
!
access-list 1 permit 192.168.0.0
route-map TO-CE1 permit 10
match ip address 1

hostname RR
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
ip ospf priority 100
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.1.1.1 0.0.0.0 area 0
!
router bgp 65000
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
neighbor 1.1.1.2 remote-as 65000
neighbor 1.1.1.2 update-source Loopback0
neighbor 1.1.1.2 route-reflector-client
neighbor 1.1.1.2 send-community both
neighbor 1.1.1.3 remote-as 65000
neighbor 1.1.1.3 update-source Loopback0
neighbor 1.1.1.3 route-reflector-client
neighbor 1.1.1.3 send-community both
neighbor 1.1.1.4 remote-as 65000
neighbor 1.1.1.4 update-source Loopback0
neighbor 1.1.1.4 route-reflector-client
neighbor 1.1.1.4 send-community both
no auto-summary

And to simulate the victim network, we use a loopback interface on CE-1. Here is its relevant configuration:

hostname CE-1
!
interface Loopback0
ip address 9.9.9.9 255.255.255.0
!
interface Loopback1
ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet1/0
ip address 192.168.0.1 255.255.255.0
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 8.8.8.0 mask 255.255.255.0
network 9.9.9.0 mask 255.255.255.0
neighbor 192.168.0.2 remote-as 65000
no auto-summary

In our scenario, host 100.100.1.1/32 is the DoS source.

After all BGP speakers in the Service Provider network have formed their adjacencies, on GW1 and GW2 we create the IP next-hop that every DoS source route will point to, so that traffic for it is dropped at the Null0 interface. Usually a non-allocated address is used for this, for example from 192.0.2.0/24 (TEST-NET).

GW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW1(config)#ip route 192.0.2.1 255.255.255.255 Null0 tag 101
GW1(config)#route-map TEST-NET permit 10
GW1(config-route-map)#match tag 101
GW1(config-route-map)#set community no-export
GW1(config-route-map)#router bgp 65000
GW1(config-router)#redistribute static route-map TEST-NET
GW1(config-router)#^Z

GW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW2(config)#ip route 192.0.2.1 255.255.255.255 Null0 tag 101
GW2(config)#route-map TEST-NET permit 10
GW2(config-route-map)#match tag 101
GW2(config-route-map)#set community no-export
GW2(config-route-map)#router bgp 65000
GW2(config-router)#redistribute static route-map TEST-NET
GW2(config-router)#^Z


RR#sh ip bgp 192.0.2.1
BGP routing table entry for 192.0.2.1/32, version 37
Paths: (2 available, best #1, not advertised to EBGP peer)
Flag: 0x880
Advertised to update-groups:
1
Local, (Received from a RR-client)
1.1.1.2 (metric 2) from 1.1.1.2 (1.1.1.2)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Community: no-export
Local, (Received from a RR-client)
1.1.1.3 (metric 2) from 1.1.1.3 (1.1.1.3)
Origin incomplete, metric 0, localpref 100, valid, internal
Community: no-export

Note that we attach community no-export to the 192.0.2.1/32 route, to prevent the Service Provider routers from advertising it to neighboring ASes.

After that, still on GW1 and GW2, we enable the Unicast RPF feature on the edge interfaces. In this scenario we use the "ip verify unicast source reachable-via any" command (loose mode), so that incoming traffic is checked by its source address only; we need loose mode because we have 2 gateway routers, so incoming and outgoing traffic can be asymmetric and need not use the same edge interface.

GW1(config)#int f1/0
GW1(config-if)#ip verify unicast source reachable-via any
GW1(config-if)#^Z

GW2(config)#int f1/0
GW2(config-if)#ip verify unicast source reachable-via any
GW2(config-if)#^Z

Now we prepare the blackhole trigger configuration on RR. We must add community no-export to the manipulated route here as well.

RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#route-map TRIGGER permit 10
RR(config-route-map)#match tag 99
RR(config-route-map)#set community no-export
RR(config-route-map)#set ip next-hop 192.0.2.1
RR(config-route-map)#router bgp 65000
RR(config-router)#redistribute static route-map TRIGGER
RR(config-router)#^Z

Note that we use 192.0.2.1/32 as the IP next-hop for the DoS source route.

Now, let's try to send packets to host 9.9.9.9 from host 100.100.1.1.

INET#ping
Protocol [ip]:
Target IP address: 9.9.9.9
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 100.100.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

GW1#sh ip bgp
BGP table version is 27, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i8.8.8.0/24 192.168.0.1 0 100 0 65001 i
*>i9.9.9.0/24 192.168.0.1 0 100 0 65001 i
*> 100.100.1.0/24 172.16.0.1 0 0 65002 i
*> 172.16.0.0/24 0.0.0.0 0 32768 ?
*>i172.16.1.0/24 1.1.1.3 0 100 0 ?
*> 192.0.2.1/32 0.0.0.0 0 32768 ?
*>i192.168.0.0 1.1.1.4 0 100 0 ?
*> 200.200.1.0 172.16.0.1 0 0 65002 i

GW1#sh ip bgp 100.100.1.1
BGP routing table entry for 100.100.1.0/24, version 17
Paths: (1 available, best #1)
Advertised to update-groups:
2
65002
172.16.0.1 from 172.16.0.1 (200.200.1.1)
Origin IGP, metric 0, localpref 100, valid, external, best
GW1#
GW1#sh ip route 100.100.1.1
Routing entry for 100.100.1.0/24
Known via "bgp 65000", distance 20, metric 0
Tag 65002, type external
Last update from 172.16.0.1 04:16:53 ago
Routing Descriptor Blocks:
* 172.16.0.1, from 172.16.0.1, 04:16:53 ago
Route metric is 0, traffic share count is 1
AS Hops 1, BGP network version 0
Route tag 65002
GW1#debug ip packet 123
IP packet debugging is on for access list 123
01:13:34: IP: tableid=0, s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9 (FastEthernet1/1), routed via FIB
01:13:34: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9 (FastEthernet1/1), g=10.1.1.4, len 100, forward

Now, let's assume that host 100.100.1.1 has launched a DoS attack against some host in the AS 65000 customer network. So we want to drop every packet coming from host 100.100.1.1.

On RR (which acts as the black hole trigger router), we add a static route for 100.100.1.1/32 with tag 99. RR then advertises that route via BGP with IP next-hop 192.0.2.1/32, the address that points to Null0 on GW1 and GW2.

RR#conf t
Enter configuration commands, one per line. End with CNTL/Z.
RR(config)#ip route 100.100.1.1 255.255.255.255 null0 tag 99
RR(config)#^Z
RR#

GW1#sh ip bgp
BGP table version is 26, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*>i8.8.8.0/24 192.168.0.1 0 100 0 65001 i
*>i9.9.9.0/24 192.168.0.1 0 100 0 65001 i
*> 100.100.1.0/24 172.16.0.1 0 0 65002 i
*>i100.100.1.1/32 192.0.2.1 0 100 0 ?
*> 172.16.0.0/24 0.0.0.0 0 32768 ?
*>i172.16.1.0/24 1.1.1.3 0 100 0 ?
*> 192.0.2.1/32 0.0.0.0 0 32768 ?
*>i192.168.0.0 1.1.1.4 0 100 0 ?
*> 200.200.1.0 172.16.0.1 0 0 65002 i
GW1#
GW1#sh ip bgp 100.100.1.1
BGP routing table entry for 100.100.1.1/32, version 33
Paths: (1 available, best #1, not advertised to EBGP peer)
Not advertised to any peer
Local
192.0.2.1 from 1.1.1.1 (1.1.1.1)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Community: no-export
GW1#sh ip route 100.100.1.1
Routing entry for 100.100.1.1/32
Known via "bgp 65000", distance 200, metric 0, type internal
Last update from 192.0.2.1 03:09:15 ago
Routing Descriptor Blocks:
* 192.0.2.1, from 1.1.1.1, 03:09:15 ago
Route metric is 0, traffic share count is 1
AS Hops 0, BGP network version 0

GW1#sh ip route 192.0.2.1
Routing entry for 192.0.2.1/32
Known via "static", distance 1, metric 0 (connected)
Tag 101
Redistributing via bgp 65000
Advertised by bgp 65000 route-map TEST-NET
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 101

INET#ping
Protocol [ip]:
Target IP address: 9.9.9.9
Repeat count [5]: 10000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 100.100.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
..........

GW1#debug ip packet 123
IP packet debugging is on for access list 123
GW1#
01:09:09: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9, len 100, unicast rpf failed
01:09:11: IP: s=100.100.1.1 (FastEthernet1/0), d=9.9.9.9, len 100, unicast rpf failed

In the gateway router (in this case GW1, because it is preferred by the INET router), the source address of each incoming packet is checked by the Unicast RPF feature: it looks up the reverse path/route to the source IP (here 100.100.1.1/32) in the routing table. Because the next-hop of 100.100.1.1/32 resolves to the Null0 interface, the packet is dropped.
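To make that lookup concrete, here is an added Python model (not part of the original post) of GW1's forwarding table before and after the trigger. It reconstructs GW1's routes from the lab configs and show outputs above (the interface names and the 1.1.1.3/32 OSPF route are inferred from the configs), resolves a source address recursively down to an egress interface the way CEF does, and applies both the loose-mode check the post uses and the strict-mode check it avoids.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Union

# Added model of GW1's forwarding decision in the lab above. A route's next-hop
# is either another IPv4 address (a BGP or OSPF next-hop that must itself be
# looked up) or a terminal interface name; "Null0" is the black hole.
NextHop = Union[IPv4Address, str]
NULL0 = "Null0"


def gw1_table(triggered: bool) -> Dict[IPv4Network, NextHop]:
    """GW1's routes reconstructed from the lab configs and 'show' outputs above.

    Interface names and the 1.1.1.3/32 OSPF route are inferred from the configs.
    With triggered=True the 100.100.1.1/32 route learned from RR is present,
    as in the second 'sh ip bgp' output (next-hop 192.0.2.1).
    """
    table: Dict[IPv4Network, NextHop] = {
        IPv4Network("172.16.0.0/24"): "FastEthernet1/0",           # connected, link to INET
        IPv4Network("10.1.1.0/24"): "FastEthernet1/1",             # connected, core LAN
        IPv4Network("100.100.1.0/24"): IPv4Address("172.16.0.1"),  # eBGP from INET
        IPv4Network("172.16.1.0/24"): IPv4Address("1.1.1.3"),      # iBGP via RR, from GW2
        IPv4Network("1.1.1.3/32"): IPv4Address("10.1.1.3"),        # OSPF, GW2's Loopback0
        IPv4Network("192.0.2.1/32"): NULL0,                        # static to Null0, tag 101
    }
    if triggered:
        table[IPv4Network("100.100.1.1/32")] = IPv4Address("192.0.2.1")
    return table


def longest_match(table: Dict[IPv4Network, NextHop], addr: IPv4Address):
    """Most specific route covering addr, as (prefix, next_hop), or None."""
    best = None
    for prefix, nh in table.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def resolve_egress(table, addr, max_depth: int = 8) -> Optional[str]:
    """Resolve addr down to an egress interface, recursing through next-hops the
    way CEF builds its FIB entry. Returns None for an unrouted address."""
    addr = IPv4Address(addr)
    for _ in range(max_depth):
        hit = longest_match(table, addr)
        if hit is None:
            return None
        nh = hit[1]
        if isinstance(nh, str):
            return nh
        addr = nh
    return None


def urpf_loose_permits(table, src) -> bool:
    """'ip verify unicast source reachable-via any': permit when the source
    resolves to a real interface; unrouted sources and sources whose route
    ends at Null0 fail the check and the packet is dropped."""
    egress = resolve_egress(table, src)
    return egress is not None and egress != NULL0


def urpf_strict_permits(table, src, ingress: str) -> bool:
    """'reachable-via rx' (strict mode): the best route back to the source must
    also leave through the interface the packet arrived on."""
    return resolve_egress(table, src) == ingress


if __name__ == "__main__":
    for triggered in (False, True):
        ok = urpf_loose_permits(gw1_table(triggered), "100.100.1.1")
        print(f"triggered={triggered}: s=100.100.1.1 ->", "forward" if ok else "unicast rpf failed")
```

The strict-mode function is included to show why the post chooses reachable-via any: a packet INET sources from 172.16.1.1 but sends through GW1 (its preferred gateway) resolves back out FastEthernet1/1 towards GW2, so strict mode would drop it while loose mode forwards it.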

So, after the blackhole route is triggered, the DoS traffic is dropped at the gateway router before it reaches the customer. This is more efficient than the access-list method, which is more CPU intensive.

Dual Hub Dual DMVPN

January 21, 2011

The scenario is to provide a redundant DMVPN connection for the spokes.
We use two tunnels on every spoke.

(Figure: Dual Hub Dual DMVPN)

HUB1:

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSF esp-3des esp-sha-hmac
!
crypto ipsec profile PROFILE
set transform-set TRANSF
!
interface FastEthernet1/0
ip address 100.100.1.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/1
ip address 10.10.1.1 255.255.255.0
duplex full
speed 100
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 10
ip nhrp authentication NHRPAUTH
ip nhrp map multicast dynamic
ip nhrp network-id 100
no ip split-horizon eigrp 10
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PROFILE
!
router eigrp 10
network 10.10.1.1 0.0.0.0
network 172.16.0.1 0.0.0.0
network 192.168.1.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.1.1 0.0.0.0 area 0
!

HUB2:
crypto isakmp policy 200
hash md5
authentication pre-share
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set DM2TRANS esp-des esp-md5-hmac
!
crypto ipsec profile DM2PRF
set transform-set DM2TRANS
!
interface Tunnel0
ip address 172.16.100.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 10
ip nhrp authentication DM2NHRP
ip nhrp map multicast dynamic
ip nhrp network-id 2011
no ip split-horizon eigrp 1
no ip split-horizon eigrp 10
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2011
tunnel protection ipsec profile DM2PRF
!
interface Loopback0
ip address 192.168.0.1 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 100.100.0.1 255.255.255.0
duplex full
speed 100
!
interface FastEthernet1/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 10
network 172.16.100.1 0.0.0.0
network 192.168.0.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.0.1 0.0.0.0 area 0
!

SPOKE1:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFFORM esp-3des esp-sha-hmac
crypto ipsec transform-set DM2TRANSFORM esp-des esp-md5-hmac
!
crypto ipsec profile DM2PROFILE
set transform-set DM2TRANSFORM
!
crypto ipsec profile PROFILE
set transform-set TRANSFFORM
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip nhrp authentication NHRPAUTH
ip nhrp map 172.16.0.1 100.100.1.1
ip nhrp map multicast 100.100.1.1
ip nhrp network-id 100
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile PROFILE
!
interface Tunnel1
ip address 172.16.100.2 255.255.255.0
no ip redirects
ip nhrp authentication DM2NHRP
ip nhrp map 172.16.100.1 100.100.0.1
ip nhrp map multicast 100.100.0.1
ip nhrp network-id 2011
ip nhrp nhs 172.16.100.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2011
tunnel protection ipsec profile DM2PROFILE
!
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface FastEthernet1/0
ip address 100.100.2.1 255.255.255.0
duplex full
speed 100
!
router eigrp 10
network 172.16.0.2 0.0.0.0
network 172.16.100.2 0.0.0.0
network 192.168.2.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.2.1 0.0.0.0 area 0
!

SPOKE2:
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 200
hash md5
authentication pre-share
crypto isakmp key ISAKMPKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSF esp-3des esp-sha-hmac
crypto ipsec transform-set DMV2 esp-des esp-md5-hmac
!
crypto ipsec profile DMV2PROF
set transform-set DMV2
!
crypto ipsec profile IPSECPRF
set transform-set TRANSF
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip nhrp authentication NHRPAUTH
ip nhrp map multicast 100.100.1.1
ip nhrp map 172.16.0.1 100.100.1.1
ip nhrp network-id 100
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 12345
tunnel protection ipsec profile IPSECPRF
!
interface Tunnel100
ip address 172.16.100.3 255.255.255.0
no ip redirects
ip nhrp authentication DM2NHRP
ip nhrp map 172.16.100.1 100.100.0.1
ip nhrp map multicast 100.100.0.1
ip nhrp network-id 2011
ip nhrp nhs 172.16.100.1
tunnel source FastEthernet1/0
tunnel mode gre multipoint
tunnel key 2011
tunnel protection ipsec profile DMV2PROF
!
interface Loopback0
ip address 192.168.3.1 255.255.255.255
!
interface FastEthernet1/0
ip address 100.100.3.1 255.255.255.0
duplex full
speed 100
!
router eigrp 10
network 172.16.0.3 0.0.0.0
network 172.16.100.3 0.0.0.0
network 192.168.3.1 0.0.0.0
no auto-summary
!
router ospf 1
log-adjacency-changes
network 100.100.3.1 0.0.0.0 area 0
!

OK. Now we assume the configuration is running well and both DMVPN clouds are established. We choose HUB1 as the primary hub, so we must influence the route selection; in this case we use EIGRP as the IGP for the DMVPN.

By default, every spoke will have 2 equal-cost routes to every loopback interface of the other spokes. Because we have already chosen Hub1 as the primary, we configure a lower delay on the Hub1 tunnel interface. Every spoke will then prefer the DMVPN1 tunnel (connected to Hub1) as the primary path to the loopback networks behind the other spokes.

HUB1:
interface Tunnel0
delay 49999
!

SPOKE2#sh ip route eigrp
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.1.0 [90/297246976] via 172.16.0.1, 00:01:26, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:01:26, Tunnel100
192.168.1.0/32 is subnetted, 1 subnets
D 192.168.1.1 [90/297372416] via 172.16.0.1, 00:01:26, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172160] via 172.16.0.2, 00:01:26, Tunnel0
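The metrics in the routing table above can be reproduced from the classic EIGRP composite metric; the added Python below (not from the original post) does so. It assumes the default K values, the old IOS default tunnel bandwidth of 9 kbps (implied by the metrics on this page), and the default interface delays of 50000 (tunnel), 500 (loopback) and 10 (FastEthernet) in tens of microseconds, plus the 49999 configured on HUB1 above.

```python
# EIGRP classic composite metric with default K values (K1 = K3 = 1, K2 = K4 = K5 = 0):
#   metric = 256 * (10^7 / min_bandwidth_kbps + sum_of_delays)
# Delays are in tens of microseconds, the unit the IOS 'delay' command uses.
# Interface defaults assumed here (the page's metrics imply 9 kbps tunnels):
TUNNEL_BW_KBPS = 9
DLY_TUNNEL = 50000       # default GRE tunnel delay (500 000 us)
DLY_HUB1_TUNNEL = 49999  # 'delay 49999' configured on HUB1 Tunnel0 above
DLY_LOOPBACK = 500       # loopback delay (5 000 us)
DLY_FASTETHERNET = 10    # FastEthernet delay (100 us)


def eigrp_metric(min_bw_kbps: int, delays) -> int:
    """Classic EIGRP metric for a path whose slowest link is min_bw_kbps and
    whose outbound interface delays (tens of us) along the path are `delays`."""
    return 256 * (10_000_000 // min_bw_kbps + sum(delays))


def spoke2_paths() -> dict:
    """Every route in SPOKE2's 'sh ip route eigrp' above, as the list of outbound
    interface delays met from Spoke2 to the destination. The tunnel is always
    the slowest link, so the minimum bandwidth is TUNNEL_BW_KBPS."""
    return {
        # Spoke2 Tunnel0 -> HUB1 FastEthernet1/1 (10.10.1.0/24 is connected there)
        "10.10.1.0/24 via Tunnel0": [DLY_TUNNEL, DLY_FASTETHERNET],
        # Spoke2 Tunnel0 -> HUB1 Loopback0
        "192.168.1.1/32 via Tunnel0": [DLY_TUNNEL, DLY_LOOPBACK],
        # Spoke2 Tunnel100 -> HUB2 Loopback0
        "192.168.0.1/32 via Tunnel100": [DLY_TUNNEL, DLY_LOOPBACK],
        # Spoke2 Tunnel0 -> HUB1 Tunnel0 (where Spoke1's update arrived) -> Spoke1 Loopback0
        "192.168.2.1/32 via Tunnel0": [DLY_TUNNEL, DLY_HUB1_TUNNEL, DLY_LOOPBACK],
        # Same destination through HUB2; installed only after HUB1 fails
        "192.168.2.1/32 via Tunnel100": [DLY_TUNNEL, DLY_TUNNEL, DLY_LOOPBACK],
    }


def spoke2_metrics() -> dict:
    """Metric of every Spoke2 path, to compare with the [90/metric] values above."""
    return {route: eigrp_metric(TUNNEL_BW_KBPS, delays)
            for route, delays in spoke2_paths().items()}


def preferred_hub_path(hub1_tunnel_delay: int, hub2_tunnel_delay: int = DLY_TUNNEL) -> str:
    """Which DMVPN cloud Spoke2 installs for a spoke-to-spoke destination: EIGRP
    picks the lowest metric, and equal metrics are both installed (load-shared)."""
    via_hub1 = eigrp_metric(TUNNEL_BW_KBPS, [DLY_TUNNEL, hub1_tunnel_delay, DLY_LOOPBACK])
    via_hub2 = eigrp_metric(TUNNEL_BW_KBPS, [DLY_TUNNEL, hub2_tunnel_delay, DLY_LOOPBACK])
    if via_hub1 < via_hub2:
        return "Tunnel0 (DMVPN1)"
    if via_hub2 < via_hub1:
        return "Tunnel100 (DMVPN2)"
    return "both (equal-cost)"


if __name__ == "__main__":
    for route, metric in spoke2_metrics().items():
        print(f"{route:32s} [90/{metric}]")
    print("default delays on both hubs:", preferred_hub_path(DLY_TUNNEL))
    print("HUB1 Tunnel0 delay 49999:   ", preferred_hub_path(DLY_HUB1_TUNNEL))
```

The single unit of delay removed on HUB1 lowers the spoke-to-spoke metric via DMVPN1 by exactly 256 (310172160 against 310172416 via DMVPN2), which is enough to break the default tie.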

Below is the relevant DMVPN state on Spoke2:

SPOKE2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 02:45:34, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.1.1
172.16.100.1/32 via 172.16.100.1, Tunnel100 created 02:45:32, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.0.1

SPOKE2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.1.1 100.100.3.1 QM_IDLE 1014 0 ACTIVE
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE

SPOKE2#ping 192.168.2.1 sou 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 244/398/756 ms
SPOKE2#

SPOKE2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.2.1 100.100.3.1 QM_IDLE 1017 0 ACTIVE
100.100.1.1 100.100.3.1 QM_IDLE 1014 0 ACTIVE
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 02:46:32, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.1.1
172.16.0.2/32 via 172.16.0.2, Tunnel0 created 00:00:13, expire 01:55:58
Type: dynamic, Flags: router
NBMA address: 100.100.2.1
172.16.100.1/32 via 172.16.100.1, Tunnel100 created 02:46:30, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.0.1
SPOKE2#
SPOKE2#

SPOKE2#sh ip route eigrp
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.1.0 [90/297246976] via 172.16.0.1, 00:03:12, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:03:19, Tunnel100
192.168.1.0/32 is subnetted, 1 subnets
D 192.168.1.1 [90/297372416] via 172.16.0.1, 00:03:13, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172160] via 172.16.0.2, 00:02:33, Tunnel0
SPOKE2#

Now we shut down the WAN interface of HUB1, so that DMVPN2 becomes active and HUB2 acts as the active hub.

We use ping to measure the transition time from DMVPN1 to DMVPN2:

SPOKE2#ping 192.168.2.1 rep 100000 sou 192.168.3.1

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!!

Let's switch to HUB1:

HUB1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HUB1(config)#int f1/0
HUB1(config-if)#shut
*Jan 20 17:21:49.963: %OSPF-5-ADJCHG: Process 1, Nbr 100.100.3.2 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Jan 20 17:21:51.955: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Jan 20 17:21:51.959: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa1/0 Physical Port Administrative State Down
*Jan 20 17:21:52.959: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
*Jan 20 17:21:54.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jan 20 17:21:54.663: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.0.2 (Tunnel0) is down: interface down
*Jan 20 17:21:54.695: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.0.3 (Tunnel0) is down: interface down

We switch back to Spoke2 to check the transition time from DMVPN1 to DMVPN2:

SPOKE2#ping 192.168.2.1 rep 100000 sou 192.168.3.1

Type escape sequence to abort.
Sending 100000, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.....!!
*Jan 20 13:01:40.183: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 172.16.0.1 (Tunnel0) is down: holding time expired!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 96 percent (141/146), round-trip min/avg/max = 224/589/1104 ms

After the transition, we check the DMVPN state on Spoke2 again:

SPOKE2#sh ip nhrp
172.16.0.1/32 via 172.16.0.1, Tunnel0 created 02:48:15, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.1.1
172.16.0.2/32 via 172.16.0.2, Tunnel0 created 00:01:57, expire 01:54:15
Type: dynamic, Flags: router
NBMA address: 100.100.2.1
172.16.100.1/32 via 172.16.100.1, Tunnel100 created 02:48:14, never expire
Type: static, Flags: authoritative used
NBMA address: 100.100.0.1

SPOKE2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
100.100.2.1 100.100.3.1 QM_IDLE 1017 0 ACTIVE
100.100.1.1 100.100.3.1 MM_NO_STATE 0 0 ACTIVE
100.100.1.1 100.100.3.1 MM_NO_STATE 1014 0 ACTIVE (deleted)
100.100.3.1 100.100.0.1 QM_IDLE 1016 0 ACTIVE

SPOKE2#sh ip route eigrp
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:05:01, Tunnel100
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172416] via 172.16.100.2, 00:00:48, Tunnel100

Now we see that Spoke2 uses DMVPN2, with Hub2 acting as the primary hub, to reach the loopback interface behind Spoke1:

SPOKE2#ping 192.168.2.1 sou 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 372/436/516 ms

OK. Now DMVPN2 is used by every spoke router to connect to the others.

Now we switch back to DMVPN1 as the primary connection by re-enabling the WAN interface of Hub1. We can then see that the spokes use DMVPN1 as the primary connection again:

SPOKE2#sh ip route eigrp
10.0.0.0/24 is subnetted, 1 subnets
D 10.10.1.0 [90/297246976] via 172.16.0.1, 00:00:30, Tunnel0
192.168.0.0/32 is subnetted, 1 subnets
D 192.168.0.1 [90/297372416] via 172.16.100.1, 00:00:30, Tunnel100
192.168.1.0/32 is subnetted, 1 subnets
D 192.168.1.1 [90/297372416] via 172.16.0.1, 00:00:30, Tunnel0
192.168.2.0/32 is subnetted, 1 subnets
D 192.168.2.1 [90/310172160] via 172.16.0.2, 00:00:30, Tunnel0

Blocking TeamViewer Connection Using Cisco ASA Firewall

January 13, 2011

TeamViewer (TV) is an application used to create remote access connections to a PC anywhere, even if the PC is located behind a firewall.

Similar to Yahoo Messenger, TV provides every client with a PIN and password. Anyone who wants to access another TV client needs to know the PIN and password of the remote PC, and every party that wants to make a connection must first connect to the TV server (the server domains are *.teamviewer.com and/or *.dyngate.com), usually using TCP port 80.

A PC running TV can potentially act as a backdoor into the enterprise network. Yes, to make a remote connection one needs to know the PIN and password, but an untrusted person can obtain them through social engineering.

Because the TV client uses port 80 for its outbound connection, it is difficult to block on a port basis. Since the TV client must connect to the TV server first, we can use another approach: block every DNS request for *.teamviewer.com and/or *.dyngate.com.

So, this is the configuration if we use a Cisco ASA firewall (I am using OS version 8.x):

regex TV-RGX "\.teamviewer\.com"
regex DG-RGX "\.dyngate\.com"

class-map type regex match-any TV-CLS
match regex DG-RGX
match regex TV-RGX

policy-map type inspect dns TV-PLC
parameters
message-length maximum 512
match domain-name regex class TV-CLS
drop

policy-map global_policy
class inspection_default
inspect dns TV-PLC

service-policy global_policy global
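As an added illustration (not part of the original post and not ASA code), the Python below models the drop decision of the inspection policy above: it parses the QNAME out of a constructed wire-format DNS query and applies the same two regexes as unanchored searches, which is how the ASA matches them. The build_query and parse_qname helpers are mine.

```python
import re
import struct

# The two regexes from the ASA configuration above. ASA regex matching is
# unanchored, so they are applied here as substring searches on the QNAME.
TV_REGEXES = [re.compile(r"\.teamviewer\.com"), re.compile(r"\.dyngate\.com")]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in wire format (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from a DNS message.

    Skips the 12-byte header and walks the length-prefixed labels. Compression
    pointers are rejected, since the first QNAME of a query is never compressed.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def should_drop(packet: bytes) -> bool:
    """True if the TV-PLC inspection policy above would drop this query."""
    qname = parse_qname(packet)
    return any(rx.search(qname) for rx in TV_REGEXES)


if __name__ == "__main__":
    for name in ("master1.teamviewer.com", "ping3.dyngate.com",
                 "teamviewer.com", "www.example.com"):
        print(f"{name:26s} drop={should_drop(build_query(name))}")
```

Note that both regexes require the leading dot, so a lookup for the bare apex name teamviewer.com is not matched, while any name that merely contains ".teamviewer.com" is.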

Securing MP-EBGP VPNv4 for Inter-AS MPLS VPN

February 21, 2009

1. Securing Inter-AS interfaces

  • Permit only BGP traffic, because all other traffic that traverses between the ASBRs is labelled (MPLS) traffic.
  • Apply the filter inbound and outbound, and log the denied traffic for further investigation.

interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.252
ip access-group ASBR-IN in
ip access-group ASBR-OUT out
!
ip access-list extended ASBR-IN
permit tcp any any eq bgp
permit tcp any eq bgp any
deny ip any any log
!
ip access-list extended ASBR-OUT
permit tcp any eq bgp any
permit tcp any any eq bgp
deny ip any any log
!

  • See the example below of IPv4 and labelled traffic traversing between the ASBR routers. Note that the only plain IPv4 traffic is the BGP communication; the remaining traffic is telnet or ICMP that has been labelled.

(Figure: interas-mpls-ethereal, packet capture between the ASBR routers)

2. Securing MP-EBGP Peering Session

  • Use BGP MD5 Authentication to ensure that the BGP peer is the legitimate neighbor.

neighbor 172.16.0.1 password 7 011A08105E19071C

  • Use BGP TTL security with a hop count of 1. The BGP peering session between ASBRs usually runs over a back-to-back interface.

neighbor 172.16.0.1 ttl-security hops 1

  • The ASBRs do not communicate in IPv4 (except for the BGP session itself), so we turn off the IPv4 BGP address family:

no bgp default ipv4-unicast

  • Use BGP dampening to protect the ASBR CPU from frequently flapping routes:

bgp dampening

  • Filter the Route-Targets: only allow the Route-Targets that need to extend across the AS. Disable the BGP default RT filter so that VPNv4 routes are installed in the BGP VPNv4 table even when their Route-Target is not configured on the ASBR.

router bgp 100
no bgp default route-target filter
!
address-family vpnv4
neighbor 172.16.0.2 route-map ASBR in
exit-address-family
!
route-map ASBR permit 10
match extcommunity 101
!
ip extcommunity-list 101 permit RT:200:123+
ip extcommunity-list 101 permit RT:200:222+

  • Set the BGP maximum-prefix limit:

neighbor 172.16.0.2 maximum-prefix 100 80

3. General Router Security

  • AAA Authentication
  • SSH Access for Management
  • Access-Class for Line VTY access
  • Read-Only SNMP with ACL
  • Use NTP, and disable NTP on interfaces where it is not needed
  • Enable CoPP if necessary
  • Specific and strict ACL for inter-AS interface
  • Enable Security Services
  1. Service Password-Encryption
  2. Service Timestamp for Debug and Logging
  3. Logging buffered
  • Disable small Services
  1. Disable udp-small-servers (echo, discard)
  2. Disable tcp-small-servers
  3. Disable finger-service
  4. Disable pad-service
  5. Disable unused bootp service
  6. Disable cdp
  7. Disable icmp unreachables on all interfaces including null0
  8. Disable IP source-route option processing
  9. Disable proxy-arp per interfaces
  10. Disable directed-broadcast per interfaces
  11. Disable icmp mask-reply per interfaces
  12. Disable http-service
  13. Disable ident-service

Securing MPLS LDP

November 25, 2008

To secure LDP communication between LSR peers (PE to P), we can use MD5 authentication. Below is a simple configuration for MPLS LDP authentication:

Router(config)#mpls ldp neighbor direct_peer_ip password p@55w0rd

Verification:

Router#sh mpls ldp nei peer_ip_address detail
Peer LDP Ident: peer_ip_address:0; Local LDP Ident local_ip_address:0
TCP connection: peer_ip_address.12780 - local_ip_address.646; MD5 on
Password: not required, neighbor, in use
State: Oper; Msgs sent/rcvd: 3/4; Downstream; Last TIB rev sent 0
Up time: 00:00:55; UID: 4; Peer Id 0;
LDP discovery sources:

(Figure: ldp-md51)

Controlling TCP-Half (Embryonic) Connection on Cisco PIX Firewall

June 6, 2008

One solution to prevent or minimize the risk of a DoS/DDoS (Distributed Denial of Service) attack is to limit the TCP half-open connections from the outside to the inside or DMZ network (network administrators usually put the public servers, such as web, FTP and mail servers, in the DMZ network).

A TCP half-open connection is a TCP connection whose handshake has not yet completed. One DoS/DDoS attack method is to flood the target with TCP SYN packets; the objective is to fill up the target's TCP connection slots so that legitimate traffic cannot get through.

If your network uses a Cisco PIX firewall, you can minimize the risk of this attack by controlling the TCP half-open (embryonic) connections, adding an option to your static NAT configuration as in the example below:

static (dmz,outside) 123.1.2.3 192.168.100.12 netmask 255.255.255.255 tcp 0 1000

1000 is the limit of TCP half-open connections that can exist between the outside network and the server in the DMZ network (192.168.100.12 is the local and 123.1.2.3 is the global IP address).

At least two things can happen in this scenario:

  • If the tcp half-closed timeout is reached and the ACK never arrives, the TCP half-open connection is dropped by the PIX firewall. You can set this timeout with the command "timeout half-closed hh[:mm[:ss]]"; the default is 10 minutes.

  • If the TCP SYN packet coming from the outside network used a spoofed IP address that is actually in use, the real device that owns that IP address will answer with a TCP RST packet to the PIX firewall, so the half-open connection will be dropped.