
Under attack! Need help with IPS 1


BarrySDCA (IS-IT--Management), Aug 18, 2004
Some guy is coming to our site and demanding a payoff or he will DDoS us. We didn't pay him and he did what he said he was going to do. I expect another attack at any time.

The flood was only 10Mb, but our Cisco was not tuned as well as it could be. I think with the better config, I will be able to simply absorb it using TCP intercept and IPS.

I found a good attack signature that I would like to use IPS for, to keep the packet from the web servers completely.

I am trying to set up the Cisco IPS on the front-facing interface of a 3845 router. Every time I enable the IPS, no packets are allowed to pass through the router. Without IPS, everything works fine (except there is no IPS). The moment I enable it, nothing can get through.

I have:


ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips name sdm_ips_rule_IPS list IPS


.
.
interface GigabitEthernet0/0
ip address 127.2.2.3 255.255.255.248 <--- edited for the example
ip access-group gigabitethernet0/0_in in
ip access-group sdm_gigabitethernet0/0_out out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip ips sdm_ips_rule_IPS in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type sfp
no mop enabled
crypto map SDM_CMAP_1
crypto ipsec df-bit clear


.
.
.
.
ip access-list extended IPS
remark SDM_ACL Category=1
permit tcp any host 125.2.4.2 eq www <--- just a test host on our network. Packets to it are being blocked


If I change the ACL to deny, then everything passes just fine. It's only when I change the ACL to send packets through the IPS that it stops cold.


Does anyone have an idea what the problem might be?


thank you,


Barry
 
Just a SYN flood? Add the word "established" at the end of your ACLs.
Also, was the attacker using a proxy? If not (DUMB!), then get his IP address and block the range...

Burt
 
It was multiple hits to our web server. I need to get IPS working so I can make a filter from the unique signature that I found.

When I try and reach the test server with IPS enabled, the counters show 1 open session but it never becomes established.

any ideas?

thank you
 
Here is the config. If I try and access from my ip in the ACL, then sh ip ips stat reflects a 1/2 open connection that never becomes established.

If anything else pops out at you which I can do better to reduce the impact of the attack, I am all ears.

thank you!

!This is the running config of the router: 222.222.222.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C3845
!
boot-start-marker
boot system flash:/c3845-advipservicesk9-mz.124-19.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging rate-limit 1000
no logging console
no logging monitor
enable secret 5 ..........
!
no aaa new-model
clock timezone Pacific -8
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
ip tcp synwait-time 5
ip tcp intercept list TCPINTERCEPT
ip tcp intercept one-minute high 1000
!
!
!
no ip bootp server
ip domain name ourdomain.com
ip name-server 222.222.222.7
ip name-server 222.222.222.11
ip name-server 222.222.222.12
ip name-server 222.222.222.6
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips notify SDEE
ip ips name sdm_ips_rule_IPS list IPS
ip reflexive-list timeout 120
!
voice-card 0
no dspfarm
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 225.225.225.225 255.255.255.248
ip access-group gigabitethernet0/0_in in
ip access-group sdm_gigabitethernet0/0_out out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip ips sdm_ips_rule_IPS in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type sfp
negotiation auto
no mop enabled
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
interface GigabitEthernet0/1/0
ip address 223.223.223.1 255.255.255.0 secondary
ip address 222.222.222.1 255.255.255.0
ip access-group inboundfilters in
ip access-group gigabitethernet0/1/0_out out
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
negotiation auto
no mop enabled
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 232.123.124.25
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended IPS
remark SDM_ACL Category=1
permit tcp host 68.102.12.53 host 223.223.223.194 eq www <--- my test IP to this host/www
deny ip any any
ip access-list extended IPS_RETURN
remark SDM_ACL Category=1
permit tcp host 223.223.223.194 eq www host 68.102.12.53
deny ip any any
ip access-list extended TCPINTERCEPT
remark SDM_ACL Category=1
remark 222.222.222.0
permit ip any 222.222.222.0 0.0.0.255
remark 222.222.222.0
permit ip any 223.223.223.0 0.0.0.255
deny ip any any
ip access-list extended gigabitethernet0/0_in
remark SDM_ACL Category=17
permit udp any host 232.123.124.26 eq non500-isakmp
permit udp any host 232.123.124.26 eq isakmp
permit esp any host 232.123.124.26
permit ahp any host 232.123.124.26
remark NET BIOS
deny tcp any any eq 137
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark DNS-NS1-TCP
permit tcp any host 222.222.222.6 eq domain
remark DNS-NS1-UDP
permit udp any host 222.222.222.6 eq domain
remark DNS-NS2-TCP
permit tcp any host 222.222.222.7 eq domain
remark DNS-NS2-UDP
permit udp any host 222.222.222.7 eq domain
remark DNS-NS3-TCP
permit tcp any host 222.222.222.11 eq domain
remark DNS-NS3-UDP
permit udp any host 222.222.222.11 eq domain
remark DNS-NS4-TCP
permit tcp any host 222.222.222.12 eq domain
remark DNS-NS4-UDP
permit udp any host 222.222.222.12 eq domain
remark all / ftp, ftp-data
permit tcp any any eq ftp
remark ALL / www
permit tcp any any eq www
remark all / https
permit tcp any any eq 443
remark plesk- / https
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded log
permit icmp any any unreachable log
evaluate tcptraffic
evaluate udptraffic
permit udp any host 223.223.223.181 eq 8861
deny ip any any log
ip access-list extended gigabitethernet0/1/0_out
remark SDM_ACL Category=1
remark ftp
permit tcp any any eq ftp
permit ip any any
ip access-list extended inboundfilters
remark permit from expect ips only
permit tcp 222.222.222.0 0.0.0.255 eq permit tcp 222.222.222.0 0.0.0.255 eq 443 any
permit tcp 223.223.223.0 0.0.0.255 eq remark permit from expect ips only
permit tcp 223.223.223.0 0.0.0.255 eq 443 any
permit tcp 222.222.222.0 0.0.0.255 any reflect tcptraffic
permit tcp 223.223.223.0 0.0.0.255 any reflect tcptraffic
permit gre any any
permit esp any any
permit ahp any any
permit udp 222.222.222.0 0.0.0.255 eq domain any
permit udp 223.223.223.0 0.0.0.255 eq domain any
permit udp 222.222.222.0 0.0.0.255 any reflect udptraffic
permit udp 223.223.223.0 0.0.0.255 any reflect udptraffic
permit icmp 222.222.222.0 0.0.0.255 any
permit icmp 223.223.223.0 0.0.0.255 any
ip access-list extended sdm_gigabitethernet0/0_out
remark SDM_ACL Category=1
remark permit from 222.222.222.x
permit ip 222.222.222.0 0.0.0.255 any
remark permit from 222.222.222.x
permit ip 223.223.223.0 0.0.0.255 any
remark permit from 222.222.222.x
permit icmp 222.222.222.0 0.0.0.255 any
remark permit from 222.222.222.x
permit icmp 223.223.223.0 0.0.0.255 any
remark permit from 232.123.124.26
permit ip host 232.123.124.26 any
remark deny the rest
deny ip any any
ip access-list extended sdm_gigabitethernet0/1_in_100
remark auto generated by SDM firewall configuration
remark SDM_ACL Category=1
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 222.222.222.0 0.0.0.255 any
permit ip any 222.222.222.0 0.0.0.255
permit ip any 223.223.223.0 0.0.0.255
ip access-list extended sdm_gigabitethernet0/1_out_100
remark SDM_ACL Category=1
remark permit all from 222.222.222.x
permit ip 222.222.222.0 0.0.0.255 any
remark permit from interface
permit ip host 72.14.150.142 any
remark deny the rest
deny ip any any log
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
remark 207
permit icmp any 222.222.222.0 0.0.0.255
remark 207
permit ip any 222.222.222.0 0.0.0.255
remark deny all
permit ip any any
ip access-list extended sdm_vlan1_out
remark SDM_ACL Category=1
permit icmp 222.222.222.0 0.0.0.255 any
permit icmp 223.223.223.0 0.0.0.255 any
remark ns1
permit ip host 222.222.222.6 any
remark ns2
permit ip host 222.222.222.7 any
remark ns3
permit ip host 222.222.222.11 any
remark ns4
permit ip host 222.222.222.12 any
deny ip any any
!
logging trap debugging
logging 222.222.222.70
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 222.222.222.244
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 208.158.39.198
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 222.222.222.198
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 222.222.222.198
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 222.222.222.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 232.123.124.26 eq non500-isakmp
access-list 101 permit udp any host 232.123.124.26 eq isakmp
access-list 101 permit esp any host 232.123.124.26
access-list 101 permit ahp any host 232.123.124.26
access-list 101 remark NET BIOS
access-list 101 deny tcp any any eq 137
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark router www
access-list 101 deny tcp any host 222.222.222.1 eq www
access-list 101 remark router www
access-list 101 deny tcp any host 222.222.222.1 eq telnet log
access-list 101 remark router telnet
access-list 101 deny tcp any host 223.223.223.1 eq telnet log
access-list 101 remark router www
access-list 101 deny tcp any host 222.222.222.1 eq 443
access-list 101 remark router www
access-list 101 deny tcp any host 223.223.223.1 eq www
access-list 101 remark router www
access-list 101 deny tcp any host 223.223.223.1 eq 443
access-list 101 deny ip 222.222.222.0 0.0.0.255 any log
access-list 101 deny ip 223.223.223.0 0.0.0.255 any log
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 222.222.222.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 103 remark southland electric in
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule h7b
access-list 103 permit ip host 222.222.222.26 10.61.0.0 0.0.0.255
access-list 103 remark IPSec Rule h7b
access-list 103 permit ip host 223.223.223.38 10.61.0.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip host 222.222.222.26 10.61.0.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 permit ip host 223.223.223.38 10.61.0.0 0.0.0.255
snmp-server community xxx RO
snmp-server host 222.222.222.30 xxx
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179924
ntp source GigabitEthernet0/1/0
ntp update-calendar
ntp server 222.222.222.1 key 0 prefer
ntp peer 204.34.198.40 prefer
ntp peer 204.34.198.41
!
end
 
Well, for tcp intercept, the default mode I believe is "watch". Fine tune tcp intercept---the one thousand connections before clamping in one minute is good. I would also do this...
ip tcp intercept mode intercept
ip tcp intercept drop-mode oldest
ip tcp intercept max-incomplete low 750
ip tcp intercept max-incomplete high 1250
and set a connection timeout, as well as fin-reset parameters.
I would also use the "established" keyword at the end of some ACLs...for example...
access-list 119 permit tcp any any established
That way, only tcp connections established from the inside will be allowed to pass.

Burt
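As an added illustration of how the thresholds Burt lists interact (this is example code written for this thread, not the router's or Cisco's, and the addresses are constructed documentation-range placeholders): a model of the half-open connection accounting behind max-incomplete low/high with drop-mode oldest, plus the flag test that the ACL "established" keyword performs.

```python
from collections import OrderedDict

# TCP flag bits as they appear in the header (constants for the model)
SYN, ACK, RST = 0x02, 0x10, 0x04

def established_matches(flags):
    """ACL 'established' keyword: the entry matches only if ACK or RST is set,
    so a bare inbound SYN (the flood packet) never hits a 'permit ... established' line."""
    return bool(flags & (ACK | RST))

class TcpIntercept:
    """Embryonic-connection accounting shared by watch and intercept mode: count
    half-open connections; above 'high' go aggressive and drop the oldest one per
    new SYN (drop-mode oldest); return to normal once the count is below 'low'."""
    def __init__(self, low=750, high=1250):       # Burt's max-incomplete low/high
        self.low, self.high = low, high
        self.half_open = OrderedDict()              # (src, sport, dst, dport) -> first seen
        self.aggressive = False
        self.dropped = 0

    def syn(self, key, now):
        """Inbound SYN: start tracking it; in aggressive mode evict the oldest first."""
        if self.aggressive and self.half_open:
            self.half_open.popitem(last=False)
            self.dropped += 1
        self.half_open[key] = now
        if len(self.half_open) > self.high:
            self.aggressive = True

    def ack(self, key):
        """Handshake completed (or reset): the connection is no longer embryonic."""
        if self.half_open.pop(key, None) is not None and len(self.half_open) < self.low:
            self.aggressive = False

def simulate(n_syn=1300, n_complete=600, low=750, high=1250):
    """Constructed scenario: n_syn bare SYNs toward a web server (placeholder
    addresses 198.51.100.x -> 203.0.113.10), then n_complete of the most recent
    ones finish their handshake. Returns the counters a defender would watch."""
    ti = TcpIntercept(low, high)
    keys = [("198.51.100.%d" % (i % 250), 40000 + i, "203.0.113.10", 80) for i in range(n_syn)]
    for t, key in enumerate(keys):
        ti.syn(key, now=t)
    flood_aggressive = ti.aggressive
    for key in keys[-n_complete:]:                  # oldest entries may already be gone
        ti.ack(key)
    return {"aggressive_during_flood": flood_aggressive, "dropped": ti.dropped,
            "half_open_after": len(ti.half_open), "aggressive_after": ti.aggressive}

if __name__ == "__main__":
    print(simulate())
```

With the defaults the flood pushes the count past 1250, the next 49 SYNs each evict the oldest half-open entry, and the box only leaves aggressive mode once completed handshakes bring the count under 750.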
 
thank you. I did not realize tcp intercept default was watch mode. I will definitely make these changes.

Any idea why IPS is not passing packets from my machine to the test server? When I apply the IPS to the interface, the syslog reflects that they are all loaded fine.

stumped...

thank you,
 
If anyone runs into this same problem: it was that TCP intercept was still enabled. It's not compatible with IPS.
 