The primary purpose of the ISP router is to provide connectivity from the small network to a provider's network. The ISP router also provides mitigation against DDoS attacks and IP address spoofing attacks.
DDoS mitigation can be provided at the egress of the ISP router through the use of rate limiting of nonessential traffic that exceeds prespecified thresholds. Obviously, the criteria used to identify nonessential traffic are critical because the flow of production traffic could be affected. To implement rate limiting, committed access rate (CAR) filtering can be used by following these steps:
Step 1. Define an ACL to select nonessential traffic:
    access-list 100 permit non-essential-traffic-criteria1 any
    access-list 100 permit non-essential-traffic-criteria2 any
Step 2. Apply the rate-limit command to the interface.
To prevent TCP SYN-flooding attacks, another form of DoS attack, a feature called TCP intercept can be implemented by following these steps:
IP spoofing mitigation can be provided at the egress of the ISP router through the use of RFC 1918 and RFC 2827 filtering. The implementation of these filters is described in the sections that follow.
RFC 1918 filtering prevents source address spoofing of the private address ranges, as shown in the following sample configuration:
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 permit ip any any
This ACL is then applied to the ingress interface of the ISP router by using the command ip access-group 101 in.
With RFC 2827 filtering at the ingress point of the ISP network, any traffic with a source address that is not part of the organization's public address space is filtered out by using
    access-list 102 permit ip valid-public-source-address(es) any
This ACL is then applied to the ingress interface of the ISP router by using the command ip access-group 102 in.
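To make the ordering and implicit-deny semantics of the RFC 1918 and RFC 2827 ACLs above concrete, here is an added Python model of the two filters; it is example code written for this page, not configuration from the book or any Cisco IOS feature. It converts Cisco wildcard masks into prefixes, parses the two ACLs in configuration order, and evaluates constructed source addresses against them. The public block 203.0.113.0/24 is a constructed stand-in for the book's valid-public-source-address(es) placeholder, and every sample packet address is constructed as well.

```python
"""Model of the ISP-router ingress ACLs (RFC 1918 and RFC 2827 filtering).

An ACL is an ordered list of entries; the first matching entry decides, and
an ACL with no matching entry ends in an implicit deny.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed configuration: ACL 101 is the RFC 1918 filter from the page;
# ACL 102 is the RFC 2827 filter with 203.0.113.0/24 standing in for the
# organization's real public address block (assumption for this example).
SAMPLE_CONFIG = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
access-list 102 permit ip 203.0.113.0 0.0.0.255 any
"""


def wildcard_to_network(address: str, wildcard: str) -> IPv4Network:
    """Convert a Cisco 'address wildcard' pair into an IPv4Network.

    In a Cisco wildcard a 1 bit means 'don't care', so the netmask is the
    bitwise inverse.  A wildcard of 0.0.0.0 therefore means a single host
    (/32), not 'match everything', which is why the inverse is computed by
    hand instead of passing the mask string straight to ipaddress.
    """
    netmask = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    if netmask != contiguous:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    return IPv4Network((int(IPv4Address(address)) & netmask, prefixlen))


def _parse_spec(tokens, i):
    """Parse one address spec ('any', 'host X', or 'A W') at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config_text: str) -> dict:
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only 'access-list N action ip SRC DST' entries are modelled
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def evaluate(entries, src: str, dst: str = "203.0.113.1") -> str:
    """Apply an ACL to one packet: first match wins, otherwise implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def run_sample() -> dict:
    """Evaluate constructed source addresses against both ACLs."""
    acls = parse_acl(SAMPLE_CONFIG)
    sources = ["10.1.2.3", "172.31.0.9", "172.32.0.1", "198.51.100.7", "203.0.113.9"]
    return {src: (evaluate(acls["101"], src), evaluate(acls["102"], src)) for src in sources}


if __name__ == "__main__":
    for src, (rfc1918, rfc2827) in run_sample().items():
        print(f"{src:>14}  ACL 101 (RFC 1918): {rfc1918:6}  ACL 102 (RFC 2827): {rfc2827}")
```

The run shows the difference in posture between the two filters: ACL 101 only removes the three private ranges and lets 172.32.0.1 and every public source through, while ACL 102 permits nothing but the organization's own block and silently drops 198.51.100.7 through its implicit deny.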
The next section looks at the implementation requirements that need to be applied when a Cisco IOS Firewall router is used in the small network.