New Member

Using 1750 for a "Black Hole" router to detect port scanning

Can someone get me an example configuration on how to configure a 1750 router to basically be a "Black Hole" router? When I attended a Cisco security seminar they mentioned using a router to detect port scans within my network by configuring the router to advertise routes. Then when someone port scans all hosts on the network, the router will pick up the scans and route them to a non-existent network and alert me when this happens.

2 REPLIES

Re: Using 1750 for a "Black Hole" router to detect port scanning

Not 100% sure I understand the details of your question/your network. For example, are the routes you advertise real or a black hole?

For non-existing networks: Create a static route (or routes) for the black hole networks that you want to advertise. Point the statics to null0 and redistribute those routes into your routing protocol. The tricky part is the alerts. One option would be to apply an acl on your interface permitting that network and add the keyword "log" on it so that it will send it to your syslog server. Have the syslog server grab those strings that match and either just log it or page/smtp you.

For example:

! static route for the unused (black hole) prefix; traffic to it is dropped at null0
ip route x.x.x.x 255.255.255.0 null0
!
! extended ACL needs a protocol keyword ("ip") before the source/destination;
! "log" sends a syslog message for each matching packet
access-list 101 permit ip any x.x.x.x 0.0.0.255 log
!
int s0
 ip access-group 101 in
!
! redistribute the static so the black hole prefix is advertised
router bgp x
 redistribute static
!
! syslog server that receives the ACL log messages
logging z.z.z.z

For existing/real networks, I think your best choice is an IDS that will detect the port scan and tell the router to shun the scan. The danger is that an attacker can deny service to your network by using various source IPs that you end up blocking (i.e. block real users from accessing your network). Another choice would be to use an acl and only allow established traffic back ("est" keyword), and use the acl to log all denies. As the port scan starts the connections, it would get denied and logged.

If I misunderstood let me know.

Hope it helps.

Steve

New Member

Re: Using 1750 for a "Black Hole" router to detect port scanning

Thanks. That is what I needed to know. Basically, say you have a class C which comprises 10.1.1.x and you would like to watch for port scans. When someone launches a scan to 10.1.2.x or 10.x.x.x you will see that in the log. This is basically a PMIDS.
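The "have the syslog server grab those strings that match" step from Steve's reply, worked through for the 10.1.2.x black hole in the follow-up, as an added example that is not from the thread or from Cisco: it parses the %SEC-6-IPACCESSLOGP messages that the "log" keyword on access-list 101 generates and raises an alert when one source touches several distinct hosts inside the black-hole prefix. The log lines, the router name and the 10.1.2.0/24 prefix are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog lines in the shape of the IOS %SEC-6-IPACCESSLOGP
# message produced by "access-list 101 permit ip any ... log"; not real traffic.
SAMPLE_LOG = """\
Mar  1 10:00:01 router1 12: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(40001) -> 10.1.2.7(80), 1 packet
Mar  1 10:00:01 router1 13: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(40002) -> 10.1.2.8(80), 1 packet
Mar  1 10:00:02 router1 14: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(40003) -> 10.1.2.9(80), 1 packet
Mar  1 10:00:02 router1 15: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(40004) -> 10.1.2.10(80), 1 packet
Mar  1 10:00:03 router1 16: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.20(50000) -> 10.1.2.7(22), 1 packet
Mar  1 10:00:04 router1 17: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.20(50001) -> 10.1.1.9(22), 1 packet
"""

# Fields of the IPACCESSLOGP message: ACL number, action, protocol, src(port) -> dst(port)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_acl_log(text):
    """Yield (src, dst) for every line that carries an ACL log message."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst")


def find_scanners(text, blackhole="10.1.2.0/24", min_hosts=3):
    """Map each source that reached at least min_hosts distinct addresses in
    the black-hole prefix to the sorted list of those addresses.
    A single hit is ignored: a lone typo or stale DNS entry is not a scan."""
    net = ipaddress.ip_network(blackhole)
    hits = defaultdict(set)
    for src, dst in parse_acl_log(text):
        if ipaddress.ip_address(dst) in net:
            hits[src].add(dst)
    return {s: sorted(d, key=ipaddress.ip_address)
            for s, d in hits.items() if len(d) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {src} probed {len(hosts)} black-hole hosts: {', '.join(hosts)}")
```

In production the syslog file is tailed rather than read from a string, and the threshold is tuned to the size of the black-hole prefix.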
