Blocking transmission from a specific attacker

Introduction:

This document introduces an easy method to block communication from an attacker with a known address in the event of a network attack, by analyzing the packet capture and logs.

Core Issue:

There is a need to block communication from an attacker in the event of a network attack.

Resolution:

For ASA, use the shun command. Running this command not only prevents the relevant address from creating new connections, but also discards packets on existing connections.

shun source_ip [dest_ip source_port dest_port [protocol]] [vlan vlan_id]
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1525925

ciscoasa(config)# shun 192.168.89.1
Shun 192.168.89.1 added in context: single_vf
%ASA-4-401002: Shun added: 192.168.89.1 0.0.0.0 0 0
Shun 192.168.89.1 successful

To check the database of hosts registered by shun, use the following command:
ciscoasa(config)# show shun
shun (outside) 192.168.89.1 0.0.0.0 0 0 0

Below are the messages displayed when the packets are discarded by shun.

%ASA-4-401004: Shunned packet: 192.168.89.1 ==> 192.168.89.100 on interface outside
%ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.89.1 on interface outside

To delete addresses registered by shun, use the following command:
ciscoasa(config)# clear shun
%ASA-4-401001: Shuns cleared

Note that because shun was not originally intended to have a permanent effect, the addresses registered by shun are not saved in the configuration and are removed when the ASA restarts.
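As an added example (not part of the original document), a small Python parser for the ASA shun syslog messages shown above. It runs over constructed sample lines in the same format, tracks which source addresses are currently shunned (emptying the set on a 401001 "Shuns cleared" message) and counts dropped packets per source, destination and interface, which is the kind of summary an operator wants when checking that a shun is actually taking effect.

```python
import re
from collections import Counter

# Constructed sample log, using the message formats shown on this page.
SAMPLE_LOG = """\
%ASA-4-401002: Shun added: 192.168.89.1 0.0.0.0 0 0
%ASA-4-401004: Shunned packet: 192.168.89.1 ==> 192.168.89.100 on interface outside
%ASA-4-401004: Shunned packet: 192.168.89.1 ==> 192.168.89.100 on interface outside
%ASA-4-401002: Shun added: 10.0.0.5 0.0.0.0 0 0
%ASA-4-401004: Shunned packet: 10.0.0.5 ==> 192.168.89.100 on interface outside
%ASA-4-401001: Shuns cleared
"""

# Patterns for the three shun-related message IDs shown above.
SHUN_ADDED = re.compile(r"%ASA-4-401002: Shun added: (\S+) (\S+) (\d+) (\d+)")
SHUNNED_PKT = re.compile(
    r"%ASA-4-401004: Shunned packet: (\S+) ==> (\S+) on interface (\S+)")
SHUNS_CLEARED = re.compile(r"%ASA-4-401001: Shuns cleared")


def summarize_shun_log(text):
    """Return (active, drops).

    active: set of source IPs shunned so far; emptied by a 'Shuns cleared' line.
    drops:  Counter keyed by (src, dst, interface) over every 401004 line seen.
    """
    active = set()
    drops = Counter()
    for line in text.splitlines():
        m = SHUN_ADDED.search(line)
        if m:
            active.add(m.group(1))
            continue
        m = SHUNNED_PKT.search(line)
        if m:
            drops[(m.group(1), m.group(2), m.group(3))] += 1
            continue
        if SHUNS_CLEARED.search(line):
            active.clear()
    return active, drops


if __name__ == "__main__":
    active, drops = summarize_shun_log(SAMPLE_LOG)
    print("currently shunned:", sorted(active) or "none")
    for (src, dst, ifc), n in drops.items():
        print(f"{n} packet(s) from {src} to {dst} dropped on {ifc}")
```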

To block communication from a specific attacker using IOS, use Unicast RPF (Unicast Reverse Path Forwarding) in strict mode together with a static route pointing to the Null0 interface. Originally, RPF was a function for checking whether packets arrived from the expected next hop by looking up the routing table. When Unicast RPF is enabled in strict mode, if the route output interface for the source address of a packet received by the router is the Null0 interface, the packet is discarded. For details of Unicast RPF, refer to the following document:

Understanding Unicast Reverse Path Forwarding

Configuration example:

Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip address 192.168.89.38 255.255.255.0
Router(config-if)# ip verify unicast source reachable-via rx
Router(config-if)# exit
Router(config)# do ping 192.168.89.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.89.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router(config)#
Router(config)# ip route 192.168.89.1 255.255.255.255 null0
Router(config)#
Router(config)# do ping 192.168.89.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.89.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router(config)#

Unlike shun on the ASA, this configuration is saved in the running configuration and, once written to startup, is retained after a restart.

Related Information

Original Document: Cisco Support Community Japan DOC-12355

Author: Zhao Qin

Posted on July 30, 2010

https://supportforums.cisco.com/docs/DOC-12355
