Cisco Support Community
New Member

Storm-control cisco 3845

Hi,

 

First of all, sorry for my English. One of my public IPs has been attacked. I was wondering how to fix it, and I found that when I am being attacked, the number of pps on my interface goes up to 800 kpps. I was searching and I found the "storm control" function. I have a Cisco 3845; can you tell me what I can do to avoid attacks?

1 ACCEPTED SOLUTION

Hello

Then I suggest you either attach a firewall between your router and the internet or apply some IOS security.

 

Basic stuff to assign:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out

no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
login block-for 10 attempts 2 within 5

 


all FastEthernet/gig ints
-------------------------
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled


all Serial interfaces
-------------------------
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply

and then maybe use a simple CBAC inspection
----------------------------------------------------------------

R1
ip inspect name ios_fw TCP
ip inspect name ios_fw UDP
ip inspect name ios_fw ICMP

access-list 100 deny ip any any

int fax/x   ! WAN facing interface
 ip inspect ios_fw out
 ip access-group 100 in

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
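Added here as an example (not part of Paul's answer, and not a Cisco tool): a small Python audit that parses an IOS running-config and reports which of the global and per-interface hardening lines listed above are absent. It assumes the text comes from `show running-config all`, so commands already at their default are visible; the sample config is constructed.

```python
# Global commands from the answer that appear as lines in the config.
GLOBAL_BASELINE = ["no service finger", "no service pad",
    "no service udp-small-servers", "no service tcp-small-servers",
    "service password-encryption", "no cdp run", "no ip bootp server",
    "no ip http server", "no ip source-route", "no ip gratuitous-arps"]
# Per-interface commands expected on every Ethernet and Serial interface.
IFACE_BASELINE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                  "no ip directed-broadcast", "no ip mask-reply"]

def parse_config(text):
    # Split IOS config text into global lines and {interface: [sub-lines]}.
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):   # section separator
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented sub-command
        else:                                          # top-level command
            current = None
            global_lines.append(line.rstrip())
    return global_lines, interfaces

def audit(text):
    # Return baseline commands missing globally and on each LAN/WAN interface.
    global_lines, interfaces = parse_config(text)
    report = {"global": [c for c in GLOBAL_BASELINE if c not in global_lines],
              "interfaces": {}}
    for name, lines in interfaces.items():
        if not name.startswith(("FastEthernet", "GigabitEthernet", "Serial")):
            continue                       # loopbacks, tunnels etc. are skipped
        missing = [c for c in IFACE_BASELINE if c not in lines]
        if not name.startswith("Serial") and "no mop enabled" not in lines:
            missing.append("no mop enabled")   # MOP applies to Ethernet only
        if missing:
            report["interfaces"][name] = missing
    return report
# Constructed sample config (not from the thread) with deliberate gaps.
SAMPLE_CONFIG = """\
no service pad
no ip http server
!
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0/0
 no ip directed-broadcast
"""
```

Run `audit(SAMPLE_CONFIG)` to see the eight missing global commands and the per-interface gaps; any interface with no gaps is simply omitted from the report.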
7 REPLIES


Hello

Storm control won't stop you from being attacked. It's an access-port feature that helps protect your LAN from being overwhelmed when it's flooded with excessive broadcast/multicast/unicast traffic. This LAN storm can be negated by applying thresholds on this traffic, so when the specified threshold is reached the port can be shut down or an SNMP trap message created.

Do you know what kind of traffic is causing this utilization?
Do you have any router security applied or a FW between your router and the internet?
 

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member


Hi,

 

I know the ports on my server under attack. I don't have any security applied on my router.

 

 

Thanks

New Member


HI milo,

So you need to add some access lists and inspection rules to your network.

 

Thanks. 

New Member


Hi,

 

 

I will try this, thanks a lot.

New Member


Hello,

 

How do you know you are under attack? And what kind of attack?

 

Thanks

New Member


Hi,

 

 

 

I have this tool called Arbor. It shows me strange traffic from one IP; the traffic is around 300 Mbps, nothing normal. Arbor shows me that ports 53 and 113 of my server are the ones under attack.

 

 

thanks
