How to monitor UDP attack

Unanswered Question
Jun 8th, 2007

I work in an ISP. Recently we have experienced a UDP attack originating from four IPs (last time) with destination one of the IPs of our domain. I have seen this by analysing the traffic of one switch port with Ethereal. Does any mode or config exist on the router 7500 or 7200 to inform me by email for this type of traffic (type audit, inspect)??

Ilir

swaroop.potdar Fri, 06/08/2007 - 14:56

1a) You can try reading this doc on CBAC and configure UDP generic inspection for anomalies.

This will generate a log when there is an anomaly and also create an audit trail.

Here is the reference link for CBAC. This will need FW feature set in the IOS.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/ch05/schcbac.htm

1b) Or else you can also try using an extended access-list to permit udp any any destination port echo and source port echo with log-input. And apply this access list towards the edge of your network on the ingress. This will also generate a log message when breached.

2) For generating an email or any other correlated action you can research some free 3rd party syslog tools which help you create events with filters, such as on which logs you want a correlated action like email/sms etc.

As a router won't be able to send an email.

HTH-Cheers,

Swaroop
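As an added illustration of points 1b and 2 (not code from the thread or from Cisco), here is a small syslog watcher: it parses the %SEC-6-IPACCESSLOGP messages an IOS ACE with log-input emits, sums the logged UDP packets per destination over the logging interval, and composes the email a third-party tool would then relay. The log lines, ACL number 150, interface name and addresses are constructed for the example; the threshold is per ACL logging interval, not per second, since the router only summarises hits.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# %SEC-6-IPACCESSLOGP as emitted by an ACE with log-input (the "(iface mac)" part is present only then).
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jun  8 10:06:02 rtr7500 1235: %SEC-6-IPACCESSLOGP: list 150 permitted udp 198.51.100.7(7) (POS1/0/0 0011.2233.4455) -> 192.0.2.10(7), 2399 packets
Jun  8 10:06:03 rtr7500 1236: %SEC-6-IPACCESSLOGP: list 150 permitted udp 203.0.113.9(7) (POS1/0/0 0011.2233.4455) -> 192.0.2.10(7), 1800 packets
Jun  8 10:06:04 rtr7500 1237: %SEC-6-IPACCESSLOGP: list 150 permitted udp 203.0.113.21(7) (POS1/0/0 0011.2233.4455) -> 192.0.2.10(7), 900 packets
Jun  8 10:06:05 rtr7500 1238: %SEC-6-IPACCESSLOGP: list 150 permitted udp 198.51.100.30(7) (POS1/0/0 0011.2233.4455) -> 192.0.2.44(7), 5 packets
Jun  8 10:06:06 rtr7500 1239: %SYS-5-CONFIG_I: Configured from console by vty0
"""

def parse_acl_log(line):
    """Return the fields of one ACL log message, or None for any other syslog line."""
    m = ACL_LOG.search(line)
    return m.groupdict() if m else None

def summarise(text):
    """Sum logged UDP packets per (destination, port) and collect the source hosts."""
    totals = defaultdict(lambda: {"packets": 0, "sources": set()})
    for f in filter(None, map(parse_acl_log, text.splitlines())):
        if f["proto"] == "udp":
            key = (f["dst"], int(f["dport"]))
            totals[key]["packets"] += int(f["count"])
            totals[key]["sources"].add(f["src"])
    return totals

def udp_alerts(text, threshold):
    """(dst, port, packets, sources) for every destination at or over the threshold."""
    return sorted((d, p, v["packets"], sorted(v["sources"]))
                  for (d, p), v in summarise(text).items() if v["packets"] >= threshold)

def build_alert_mail(alerts, sender, recipient):
    """Compose the notification a syslog watcher would hand to an SMTP relay."""
    msg = EmailMessage()
    msg["Subject"] = "UDP flood: %d destination(s) over threshold" % len(alerts)
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join("%s udp/%d: %d packets from %s" % (d, p, n, ", ".join(s))
                              for d, p, n, s in alerts))
    return msg
```

With the sample above and a threshold of 3000, only 192.0.2.10 is reported (three sources, 5099 packets); the 5-packet destination and the non-ACL line are ignored.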

ilircisco Mon, 06/11/2007 - 02:45

Hi Swaroop

Thank you for your response. For the moment I'm using smtp network monitor to see at certain moments the traffic of my international interfaces in packets per second. This via email.

For the CBAC I'm not sure whether it serves me or not. I have tried: ip inspect name udp alert on. But the other option is time-out and I don't know whether to use it or not. I'm interested in receiving a log at the moment of, for example, 3000 UDP packets per second.

regards

Ilir

swaroop.potdar Mon, 06/11/2007 - 05:00

Ilir, I believe it's not possible to use the routers to generate a log when a certain number of packets are received per second.

As specified before, you may want to try the access-list example, modifying it as per the actual behaviour of these DoS attacks, and do a permit with log-input or a deny with the same.

Or you may just want to police this certain kind of traffic with known behaviour at your edge.

As a suggestion, if this DoS attack problem is happening fairly frequently and you have quite a lot of sensitive setup, then you may consider implementing a parallel setup of Anomaly Detectors and Guards. They will help you verify if any traffic exceeds a certain threshold/baseline, whether it's legitimate or illegitimate traffic. If it's legitimate it will go back to your network; if not it will be dropped. And for every illegitimate traffic they generate logs as well. But that's definitely an investment, which will depend on what and how much is being protected.

HTH-Cheers,

Swaroop
