Lab : Security Network - PowerPoint PPT Presentation

Slide 1: Lab: Security Network
Slide 2:
[Network diagram: Attacker 10.221.0.1 and victim 10.224.0.2, with router link addresses 10.222.0.2, 10.222.0.5/30, 10.222.0.6/30, 10.223.0.2, 10.223.0.5/30, 10.223.0.6/30 and 10.224.0.1]
Slide 3: Router Configuration
[Image source: www.cisco.com]
Slide 4: CLI of Router
  • ISP4#conf t
  • ISP4(config)#
  • ISP4(config)#int f0/0
  • ISP4(config-if)#exit
  • ISP4(config)#router bgp 3836
  • ISP4(config-router)#

Slide 5: Cisco router basic security
  • router(config)#service password-encryption
  • router(config)#aaa new-model
  • router(config)#aaa authentication login default local
  • router(config)#aaa authorization exec default local
  • router(config)#access-list 98 permit 202.44.204.44
  • router(config)#access-list 98 permit 203.185.97.6
  • router(config)#access-list 98 permit 203.185.129.136
  • router(config)#access-list 98 deny any
  • router(config)#line vty 0 4
  • router(config-line)#access-class 98 in
  • router(config-line)#transport input telnet ssh

Slide 6: What's happening with my CPU usage?
  • TOPAZ#sh proc cpu
  • CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
  • TOPAZ#sh proc mem
  • Processor Pool Total: 394187132 Used: 45674076 Free: 348513056
  • I/O Pool Total: 37748224 Used: 13550480 Free: 24197744

Slide 7: Detection of Attack
  • Observe the ping results running to/from your server. Are all responses successful?
  • (Do you see pings failing or not?)
  • Look at the CPU
  • Determine which interface the attack is coming from
  • Enable NetFlow on the interface
  • Configure uRPF on the interface

Slide 8: Sample of looking at CPU usage
  • Server#sh proc cpu | e 0.00
  • CPU utilization for five seconds: 96%/31%; one minute: 97%; five minutes: 94%
  • Process table (columns: PID, Runtime(ms), Invoked, uSecs, 5Sec, 1Min, 5Min, TTY, Process):
      4   83232   23771  3501   4.00%  4.77%  4.50%  0  IP SNMP
     33   46908  128040   366   0.39%  0.60%  0.62%  0  Net Background
     83  815180  141219  5772  58.95% 58.20% 56.42%  0  IP Input
    165    3172   23769   133   0.07%  0.17%  0.17%  0  PDU DISPATCHER
    197   12520   23769   526   0.39%  0.56%  0.52%  0  SNMP ENGINE
    207   18112   83201   217   0.95%  0.74%  0.69%  0  NTP
  • Notice that the total process CPU usage is high and the IP Input, SNMP and NTP processes are high

Slide 9: NetFlow Version 5
[Image source: www.cisco.com]
Slide 10: NetFlow Version 9
[Image source: www.cisco.com]
Slide 11: Enabling NetFlow (1)
  • router#conf t
  • router(config)#ip cef
  • router(config)#int g0/0
  • router(config-if)#ip route-cache flow
  • router(config-if)#end
  • router#sh ip cache flow
  • router(config)#ip flow-export source GigabitEthernet0/0
  • router(config)#ip flow-export version 9

[Diagram: Cisco box exporting flows to the collector]
Slide 12: Enabling NetFlow (2)
  • router(config)#ip flow-export destination 203.185.97.2 2055
  • router(config)#ip flow-export destination 203.185.67.241 9995
  • router(config)#ip flow-cache timeout active 1

Slide 13: Collector: NetFlow Monitor
  • http://203.185.97.2/nfw

Slide 14: Collector: Nfdump
Slide 15: Collector: Nfsen
  • http://203.185.67.241/nfsen/nfsen.php
  • Source: http://nfsen.sourceforge.net

Slide 16: NetFlow: More Information
  • Cisco NetFlow home: http://www.cisco.com/warp/public/732/Tech/np/NetFlow/
  • Linux NetFlow reports HOWTO: http://www.linuxgeek.org/NetFlow-howto.php
  • Arbor Networks Peakflow SP and Peakflow/X: http://www.arbornetworks.com
  • Q1 Labs Q1Radar: http://www.q1labs.com
  • Narus InSight Manager: http://www.narus.com
  • Lancope StealthWatch Xe: http://www.lancope.com
  • nfdump and nfsen: http://nfdump.sourceforge.net, http://nfsen.sourceforge.net
  • Stager: http://software.uninett.no/stager/

Slide 17: hping2
  • A command-line oriented TCP/IP packet assembler/analyzer
  • Command line of hping2 in the lab:
  • hping2 -2 --rand-source 203.185.97.97 -p 139 -i u1
  • hping2 192.168.16.2 -2 -p 161 -d 256 -f --rand-source -i u1
  • Stop hping2!
  • ps aux | grep hping2
  • Kill the process ID of hping2
  • For more information: http://www.hping.org/

Slide 18: SNMP CPU Thresholding Example
  • Router(config)# snmp-server enable traps cpu threshold
  • Router(config)# snmp-server host 192.168.0.1 traps public cpu
  • Router(config)# process cpu threshold type total rising 80 interval 5 falling 20 interval 5
  • Router(config)# process cpu statistics limit entry-percentage 40 size 300

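Added example, not part of the slides: a small Python parser for the "show processes cpu" output of slide 8 that ranks the busiest processes, plus a rising/falling hysteresis model of the "process cpu threshold" command on slide 18. The sample output below is constructed from the values shown on slide 8; the function and field names are my own.

```python
import re

# Sample constructed from the slide-8 "show processes cpu | exclude 0.00" output.
SAMPLE = """CPU utilization for five seconds: 96%/31%; one minute: 97%; five minutes: 94%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   4       83232     23771   3501  4.00%  4.77%  4.50%   0 IP SNMP
  33       46908    128040    366  0.39%  0.60%  0.62%   0 Net Background
  83      815180    141219   5772 58.95% 58.20% 56.42%   0 IP Input
 165        3172     23769    133  0.07%  0.17%  0.17%   0 PDU DISPATCHER
 197       12520     23769    526  0.39%  0.56%  0.52%   0 SNMP ENGINE
 207       18112     83201    217  0.95%  0.74%  0.69%   0 NTP
"""
# "96%/31%": total CPU over five seconds / share of it spent at interrupt level.
HEADER_RE = re.compile(r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")

def parse_show_proc_cpu(text):
    """Return (totals dict, list of per-process dicts) from 'show processes cpu' text."""
    totals, procs = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total5, intr5, one, five = (int(x) for x in m.groups())
            totals = {"total_5s": total5, "interrupt_5s": intr5, "1min": one, "5min": five}
            continue
        m = ROW_RE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "5sec": float(m.group(5)),
                          "1min": float(m.group(6)), "5min": float(m.group(7)),
                          "process": m.group(9)})
    return totals, procs

def top_processes(procs, min_pct=1.0, key="5sec"):
    """Processes using at least min_pct CPU, busiest first (the slide's 'IP Input' check)."""
    return sorted((p for p in procs if p[key] >= min_pct), key=lambda p: p[key], reverse=True)

class CpuThreshold:
    """Rising/falling hysteresis, as in 'process cpu threshold type total rising 80 ... falling 20'."""
    def __init__(self, rising=80, falling=20):
        self.rising, self.falling, self.alarm = rising, falling, False
    def update(self, total_pct):
        """Feed one total-CPU sample; return 'rising', 'falling' or None (the trap that would fire)."""
        if not self.alarm and total_pct >= self.rising:
            self.alarm = True
            return "rising"
        if self.alarm and total_pct <= self.falling:
            self.alarm = False
            return "falling"
        return None
```

Feeding a stream of total-CPU samples into CpuThreshold shows why the two thresholds differ: the alarm is raised once at 80% and not cleared until the load drops to 20%, so a flapping load does not generate a trap on every poll.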
Slide 19: Mitigating/Dropping the attack with uRPF
  • Use uRPF to drop attack packets
  • Drop attack packets at the ingress point into our network
  • Configure uRPF on the FastEthernet 1/0 interface on the routers as follows:
  • interface FastEthernet 1/0
  • ip verify unicast source reachable-via rx

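Added example, not from the slides: a Python model of the check that "ip verify unicast source reachable-via rx" performs, so the difference between strict (rx) and loose (any) mode is visible on the lab's addresses. The FIB entries, the FastEthernet0/0 name for the victim-side interface and the arriving source addresses are constructed assumptions.

```python
import ipaddress

# Constructed FIB for the lab: the attacker side is behind FastEthernet1/0 (the interface
# slide 19 protects with uRPF); FastEthernet0/0 toward the victim is an assumed name.
FIB = [
    ("10.221.0.0/24", "FastEthernet1/0"),  # attacker's network (10.221.0.1 on slide 2)
    ("10.224.0.0/30", "FastEthernet0/0"),  # victim's link (10.224.0.2 on slide 2)
    ("10.222.0.4/30", "FastEthernet1/0"),  # point-to-point link toward the attacker side
]

def lookup(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None if unrouted."""
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(fib, src, ingress_iface, mode="rx"):
    """Model of 'ip verify unicast source reachable-via rx|any'.
    rx  (strict): the route back to src must leave via the ingress interface.
    any (loose):  any route to src suffices, so a spoofed but routable source still passes."""
    egress = lookup(fib, src)
    if egress is None:
        return False  # no route back to the source: dropped in both modes
    return egress == ingress_iface if mode == "rx" else True

def classify(fib, sources, ingress_iface, mode="rx"):
    """Split source addresses arriving on ingress_iface into (permitted, dropped) lists."""
    permitted = [s for s in sources if urpf_permits(fib, s, ingress_iface, mode)]
    dropped = [s for s in sources if s not in permitted]
    return permitted, dropped

# Constructed sources arriving on FastEthernet1/0: a legitimate attacker-side host,
# an unroutable random source, and one that spoofs the victim's own address.
ARRIVALS = ["10.221.0.1", "198.51.100.7", "10.224.0.2"]
```

Strict mode drops both spoofed sources; loose mode only drops the unroutable one, which is why the slide uses "rx" at the edge where the attack enters.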
Slide 20: Blackhole
  • BGP sent: 172.16.61.1 with Next-Hop 192.0.2.1
  • Static route in edge router: 192.0.2.1 → Null0
  • 172.16.61.1 → 192.0.2.1 → Null0
  • Next-hop of 172.16.61.1 is now equal to Null0

Slide 21: Q&A
  • What feature do you use to identify the attack?
  • What feature do you use to drop the attack packets?