Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX & DoS

Hi,

Currently i'm having trouble with this type of thing, my customer complaint that the PIX doesn't stop the threat, they have set emb_limit, max_conn, ip verify. And also when show ip audit count, large icmp is very high, is this a good news because pix can deny it, or bad news because it can't stop the attack. Any suggestion what is the good config to stop this, they using pix506e 6.3(5) , thank you very much :)

6 REPLIES
Gold

Re: PIX & DoS

Its not possible to stop traffic arriving to PIX. This must be done on device(s) in fronf of pix

..PIX can only deny this traffic (stop passing to inside)

We had similar issue and we asked ISP to block this unwanted traffic.. Provider could also implement some ICMP rate-limiting solution or some IPS solution

M.

Re: PIX & DoS

If the amount of garbage directed/filtered by PIX is huge, and while waiting for the ISP to respond, create (or add) an ACL denying all ICMP but permit tcp/udp, and apply it on the router Fastethernet interface facing your PIX's outside interface.

Alternate option is to create rate-limit and apply it on serial interface facing internet/ISP.

The following config example is quiet similar to your scenario:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008019c6e7.html

This will stop the attack while getting ISP to make their move (sometimes too slow...)

HTH

AK

New Member

Re: PIX & DoS

Thanks, how bout if i filter rfc1918, 2827, i'm digging cisco's website and found this url

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

I think this also can be done with PIX, another thing is, is it possible to stop arp attack with pix 6.3(5) , as fas as i know this function only available with pix v7.0 +

Thank you.

Re: PIX & DoS

RFC 1918 is for you to deny private IP Address (192.168.x.x, 172.16.x.x, 10.x.x.x) on from hitting you back (coming from) from outside, i,e router.

RFC2827 is for you to deny your own Public IP range from coming into your network from ISP. It should only go out from your network to ISP. Other unknown Public IP from your network towards ISP also block. But they're allowed to come in from ISP to your network.

*ISP to do the same from their end

You can apply RFC 1918 on PIX, while RFC2827 on router (serial intf facing ISP/WAN).

In 6.3(5), ARP attack looks difficult to deny.

In log, you probably will see:

PIX-4-405001: Received ARP {request | response} collision from

IP_address/mac_address on interface interface_name

If your PIX meet PIX7.0 (or latest) requirements (and $$), maybe you should upgrade it.

HTH

AK

New Member

Re: PIX & DoS

Man.. why a lot of collisions & deferred on pix outside interface, is this normal?

pix# sh int

interface ethernet0 "outside" is up, line protocol is up

Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx

IP address x.x.x.150, subnet mask 255.255.255.240

MTU 1500 bytes, BW 10000 Kbit half duplex

49806084 packets input, 1900966895 bytes, 0 no buffer

Received 28525 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

74851548 packets output, 665950688 bytes, 0 underruns

0 output errors, 1566555 collisions, 0 interface resets

0 babbles, 0 late collisions, 412197 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/23)

output queue (curr/max blocks): hardware (0/128) software (0/1)

interface ethernet1 "inside" is up, line protocol is up

Hardware is i82559 ethernet, address is xxxx.xxxx.xxxx

IP address 192.168.x.x, subnet mask 255.255.255.0

MTU 1500 bytes, BW 100000 Kbit full duplex

74215126 packets input, 638648644 bytes, 0 no buffer

Received 135138 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

48419528 packets output, 1787016600 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/28)

output queue (curr/max blocks): hardware (2/66) software (0/1)

New Member

Re: PIX & DoS

Ohhh man... i find this

http://www.securiteam.com/securitynews/5AP032AI0A.html

and its related to this

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_security_notice09186a0080624a37.html

and how do i download the software 6.3(5.106). because i dont have the access to that area. Any one.. please give me the software... mail to tony.g@wtexcellence.com.my

Please help, i'm in big trouble, thank you very much

237
Views
0
Helpful
6
Replies
CreatePlease to create content