Network Attack Protection on MS-MPC and MS-MIC
Understanding IDS on an MS-MPC
- Intrusion Detection Services
- Benefits
- Session Limits
- Suspicious Packet Patterns
- Header Anomaly Attacks
Intrusion Detection Services
Intrusion detection services (IDS) rules on an MS-MPC give you a way to identify and drop traffic that is part of a network attack.
IDS rules provide a more granular level of filtering than firewall filters and policers, which can stop illegal TCP flags and other bad flag combinations, and can enforce general rate limiting (see the Routing Policies, Firewall Filters, and Traffic Policers User Guide). You can use firewall filters and policers along with IDS to reduce the traffic that needs to be processed by an IDS rule.
In an IDS rule, you can specify:
- Limits on the sessions that originate from individual sources or that terminate at individual destinations. This protects against network probing and flooding attacks.
- Types of suspicious packets to drop.
To protect against header anomaly attacks, a header integrity check is automatically performed if you configure an IDS rule, stateful firewall rule, or a NAT rule and apply it to the service set. You can also explicitly configure a header integrity check for the service set if you do not assign the service set an IDS rule, stateful firewall rule, or a NAT rule.
Benefits
Provides protection against several types of network attacks.
Session Limits
You can use IDS rules to set session limits for traffic from an individual source or to an individual destination. This protects against network probing and flooding attacks. Traffic that exceeds the session limits is dropped. You can specify session limits either for traffic with a particular IP protocol, such as ICMP, or for traffic in general.
You decide whether the limits apply to individual addresses or to an aggregation of traffic from individual subnets of a particular prefix length. For example, if you aggregate limits for IPv4 subnets with a prefix length of 24, traffic from 192.0.2.2 and 192.0.2.3 is counted against the limits for the 192.0.2.0/24 subnet.
Some common network probing and flooding attacks that session limits protect against include:
| Attack | Description |
| --- | --- |
| ICMP Address Sweep | The attacker sends ICMP request probes (pings) to multiple targets. If a target machine replies, the attacker receives the IP address of the target. |
| ICMP Flood | The attacker floods a target machine by sending a large number of ICMP packets from one or more source IP addresses. The target machine uses up its resources as it attempts to process those ICMP packets, and can no longer process valid traffic. |
| TCP Port Scan | The attacker sends TCP SYN packets from one source to multiple destination ports of the target machine. If the target replies with a SYN-ACK from one or more destination ports, the attacker learns which ports are open on the target. |
| TCP SYN Flood | The attacker floods a target machine by sending a large number of TCP SYN packets from one or more source IP addresses. The attacker might use real source IP addresses, which results in completed TCP connections, or might use spoofed source IP addresses, in which case the TCP connections are never completed. The target creates state for all the completed and uncompleted TCP connections, uses up its resources as it attempts to manage that connection state, and can no longer process valid traffic. |
| UDP Flood | The attacker floods a target machine by sending a large number of UDP packets from one or more source IP addresses. The target machine uses up its resources as it attempts to process those UDP packets, and can no longer process valid traffic. |
Session limits for traffic from a source or to a destination include:
- maximum number of concurrent sessions
- maximum number of packets per second
- maximum number of connections per second
IDS also installs a dynamic filter on the PFEs of line cards for suspicious activity when the following conditions occur:
- Either the packets per second or the number of connections per second for an individual source or destination address (not for a subnet) exceeds four times the session limit in the IDS rule. This session limit is the general source or destination limit for the IDS rule, not the limit specified for a particular protocol.
- The services card CPU utilization percentage exceeds a configured value (the default value is 90 percent).
The dynamic filter drops the suspicious traffic at the PFE, and the traffic is not sent to the MS-MPC to be processed by the IDS rule. When the packet or connection rate no longer exceeds four times the limit in the IDS rule, the dynamic filter is removed.
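The following is an added example written for this page, not Juniper code: a small Python model of the session-limit and dynamic-filter behaviour described above. It keeps per-second packet and connection counters and concurrent-session counters keyed either by individual address or, when a prefix length is configured, by the aggregated subnet, applies the general limits and any per-protocol limits, and installs a simulated PFE filter once an individual address exceeds four times the general limit. The class and field names (`Limits`, `DirectionLimits`, `SessionLimiter`, `maximum`/`packets`/`rate`) are this example's own and are not Junos configuration statements, the one-second window is a simplification, and it assumes that both dynamic-filter conditions (rate above four times the limit and services-card CPU above the threshold) must hold before the filter is installed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DYNAMIC_FILTER_FACTOR = 4    # "four times the session limit" (from the text)
DEFAULT_CPU_THRESHOLD = 90   # default services-card CPU threshold, percent (from the text)


@dataclass
class Limits:
    """The three session-limit kinds named in the text; None means not configured."""
    maximum: Optional[int] = None   # maximum concurrent sessions
    packets: Optional[int] = None   # maximum packets per second
    rate: Optional[int] = None      # maximum new connections per second

    def exceeded(self, sessions: int, pps: int, cps: int) -> bool:
        return any(limit is not None and value > limit for limit, value in
                   ((self.maximum, sessions), (self.packets, pps), (self.rate, cps)))


@dataclass
class DirectionLimits:
    """Hypothetical model of one direction's limits (by source here; by destination is symmetric)."""
    general: Limits = field(default_factory=Limits)
    by_protocol: Dict[str, Limits] = field(default_factory=dict)   # e.g. {"icmp": Limits(rate=2)}
    prefix_length: Optional[int] = None   # aggregate counters per subnet, e.g. 24 for an IPv4 /24
    cpu_threshold: int = DEFAULT_CPU_THRESHOLD


class SessionLimiter:
    def __init__(self, cfg: DirectionLimits):
        self.cfg = cfg
        self.sessions: Dict[Tuple, int] = defaultdict(int)   # (key, proto) -> concurrent sessions
        self.pps: Dict[Tuple, int] = defaultdict(int)        # (key, proto) -> packets this second
        self.cps: Dict[Tuple, int] = defaultdict(int)        # (key, proto) -> new connections this second
        self.addr_pps: Dict[str, int] = defaultdict(int)     # per individual address, never aggregated
        self.addr_cps: Dict[str, int] = defaultdict(int)
        self.dynamic_filters = set()                          # addresses currently dropped at the PFE

    def _key(self, addr: str, proto: Optional[str]) -> Tuple[str, Optional[str]]:
        """Counter key: the address itself, or its subnet when aggregation is configured."""
        if self.cfg.prefix_length is not None:
            addr = str(ipaddress.ip_network(f"{addr}/{self.cfg.prefix_length}", strict=False))
        return (addr, proto)

    def _over_four_times_general(self, addr: str) -> bool:
        """Dynamic-filter trigger: an individual address (not a subnet) beyond 4x the general limit."""
        g = self.cfg.general
        return ((g.packets is not None and self.addr_pps[addr] > DYNAMIC_FILTER_FACTOR * g.packets) or
                (g.rate is not None and self.addr_cps[addr] > DYNAMIC_FILTER_FACTOR * g.rate))

    def new_second(self) -> None:
        """Tick the clock: lift filters whose address no longer exceeds 4x, then reset rate counters."""
        self.dynamic_filters = {a for a in self.dynamic_filters if self._over_four_times_general(a)}
        for counters in (self.pps, self.cps, self.addr_pps, self.addr_cps):
            counters.clear()

    def packet(self, addr: str, proto: str, new_connection: bool = False, cpu_percent: int = 0) -> str:
        """Verdict for one packet: 'pass', 'drop' (by the IDS rule on the MS-MPC) or 'pfe-drop'."""
        # The PFE sees every packet, so per-address rates keep counting while a filter is in place;
        # that is what lets the filter be removed once the rate falls back under 4x the limit.
        self.addr_pps[addr] += 1
        if new_connection:
            self.addr_cps[addr] += 1
        if addr in self.dynamic_filters:
            return "pfe-drop"
        # Assumption: both conditions (rate > 4x general limit AND CPU above threshold) must hold.
        if self._over_four_times_general(addr) and cpu_percent > self.cfg.cpu_threshold:
            self.dynamic_filters.add(addr)
            return "pfe-drop"
        checks = [(None, self.cfg.general)]
        if proto in self.cfg.by_protocol:
            checks.append((proto, self.cfg.by_protocol[proto]))
        verdict = "pass"
        for proto_key, limits in checks:
            k = self._key(addr, proto_key)
            self.pps[k] += 1
            if new_connection:
                self.cps[k] += 1
            # A new session only counts once it is allowed, so test the prospective value.
            if limits.exceeded(self.sessions[k] + int(new_connection), self.pps[k], self.cps[k]):
                verdict = "drop"
        if verdict == "pass" and new_connection:
            for proto_key, _ in checks:
                self.sessions[self._key(addr, proto_key)] += 1
        return verdict

    def session_closed(self, addr: str, proto: str) -> None:
        """Release a concurrent-session slot (general and per-protocol) when a session ends."""
        keys = {self._key(addr, None)}
        if proto in self.cfg.by_protocol:
            keys.add(self._key(addr, proto))
        for k in keys:
            self.sessions[k] = max(0, self.sessions[k] - 1)


def demo() -> dict:
    """Replays the scenarios from the text; returns the verdict lists for inspection."""
    cfg = DirectionLimits(general=Limits(packets=10), by_protocol={"icmp": Limits(rate=2)}, prefix_length=24)
    lim = SessionLimiter(cfg)
    # /24 aggregation: 192.0.2.2 and 192.0.2.3 share one counter, so the 11th and 12th packets drop.
    aggregated = ([lim.packet("192.0.2.2", "udp") for _ in range(6)] +
                  [lim.packet("192.0.2.3", "udp") for _ in range(6)])
    # Per-protocol limit: a third new ICMP session in one second from one /24 exceeds rate=2.
    icmp = [lim.packet("198.51.100.1", "icmp", new_connection=True) for _ in range(3)]
    # Dynamic filter: more than 4 x 10 = 40 pps from one address with the services card CPU at 95%.
    lim.new_second()
    flood = [lim.packet("203.0.113.7", "udp", cpu_percent=95) for _ in range(42)]
    lim.new_second()                                            # still above 4x: filter stays
    calm = [lim.packet("203.0.113.7", "udp") for _ in range(5)]
    lim.new_second()                                            # 5 pps is under 40: filter removed
    after = lim.packet("203.0.113.7", "udp")
    return {"aggregated": aggregated, "icmp": icmp, "flood": flood, "calm": calm, "after": after}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

In the flood scenario the first ten packets pass, packets 11 through 40 are dropped by the IDS rule on the services card, and from packet 41 on the address is dropped at the PFE without reaching the MS-MPC at all, which is the point of the dynamic filter: the services card stops spending CPU on traffic it would drop anyway.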
Suspicious Packet Patterns
You can use IDS rules to identify and drop traffic with a suspicious packet pattern. This protects against attackers that craft unusual packets to launch denial-of-service attacks.
Suspicious packet patterns and attacks that you can specify in an IDS rule are:
| Attack | Description |
| --- | --- |
| ICMP fragmentation attack | The attacker sends the target ICMP packets that are IP fragments. These are considered suspicious packets because ICMP packets are usually short. When the target receives these packets, the results can range from processing packets incorrectly to crashing the entire system. |
| ICMP large packet attack | The attacker sends the target ICMP frames with an IP length greater than 1024 bytes. These are considered suspicious packets because most ICMP messages are small. |
| ICMP Ping of death attack | The attacker sends the target ICMP ping packets whose IP datagram length (ip_len) exceeds the maximum legal length (65,535 bytes) for IP packets, and the packet is fragmented. When the target attempts to reassemble the IP packets, a buffer overflow might occur, resulting in the system crashing, freezing, or restarting. |
| IP Bad option attack | The attacker sends the target packets with incorrectly formatted IPv4 options or IPv6 extension headers. This can cause unpredictable issues, depending on the IP stack implementation of routers and the target. |
| IPv4 options | Attackers can maliciously use IPv4 options for denial-of-service attacks. |
| IPv6 extension headers | Attackers can maliciously use extension headers for denial-of-service attacks or to bypass filters. |
| IP teardrop attack | The attacker sends the target fragmented IP packets that overlap. The target machine uses up its resources as it attempts to reassemble the packets, and can no longer process valid traffic. |
| IP unknown protocol attack | The attacker sends the target packets with protocol numbers greater than 137 for IPv4 and 139 for IPv6. An unknown protocol might be malicious. |
| Land attack | The attacker sends the target spoofed SYN packets that contain the target's IP address as both the destination and the source IP address. The target uses up its resources as it repeatedly replies to itself. In another variation of the land attack, the SYN packets also contain the same source and destination ports. |
| SYN fragment attack | The attacker sends the target SYN packet fragments. The target caches SYN fragments, waiting for the remaining fragments to arrive so it can reassemble them and complete the connection. A flood of SYN fragments eventually fills the host's memory buffer, preventing valid traffic connections. |
| TCP FIN No ACK attack | The attacker sends the target TCP packets that have the FIN bit set but have the ACK bit unset. This can allow the attacker to identify the operating system of the target or to identify open ports on the target. |
| TCP no flag attack | The attacker sends the target TCP packets containing no flags. This can cause unpredictable behavior on the target, depending on its TCP stack implementation. |
| TCP SYN FIN attack | The attacker sends the target TCP packets that have both the SYN and the FIN bits set. This can cause unpredictable behavior on the target, depending on its TCP stack implementation. |
| TCP WinNuke attack | The attacker sends a TCP segment with the urgent (URG) flag set and destined for port 139 of a target running Windows. This might cause the target machine to crash. |
Header Anomaly Attacks
To protect against header anomaly attacks, a header integrity check is automatically performed if you configure an IDS rule, a stateful firewall rule, or a NAT rule and apply it to the service set. You can also explicitly configure a header integrity check for the service set if you do not assign the service set an IDS rule, stateful firewall rule, or a NAT rule.
The header integrity check provides protection against the following header anomaly attacks:
| Attack | Description |
| --- | --- |
| ICMP Ping of death attack | The attacker sends the target ICMP ping packets whose IP datagram length (ip_len) exceeds the maximum legal length (65,535 bytes) for IP packets, and the packet is fragmented. When the target attempts to reassemble the IP packets, a buffer overflow might occur, resulting in the system crashing, freezing, or restarting. |
| IP unknown protocol attack | The attacker sends the target packets with protocol numbers greater than 137 for IPv4 and 139 for IPv6. An unknown protocol might be malicious. |
| TCP no flag attack | The attacker sends the target TCP packets containing no flags. This can cause unpredictable behavior on the target, depending on its TCP stack implementation. |
| TCP SYN FIN attack | The attacker sends the target TCP packets that have both the SYN and the FIN bits set. This can cause unpredictable behavior on the target, depending on its TCP stack implementation. |
| TCP FIN No ACK attack | The attacker sends the target TCP packets that have the FIN bit set but have the ACK bit unset. This can allow the attacker to identify the operating system of the target or to identify open ports on the target. |
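The following is an added example written for this page, not Juniper code: a Python checker that applies the suspicious-packet-pattern checks and the header-anomaly checks from the two tables above to raw IPv4 packets. It parses the IP header (protocol, total length, fragment flag and offset) and, for first-fragment TCP, the ports and flags, and reports every definition a packet matches. The packet builders, the sample packets and the finding names are this example's own; the IP bad option and teardrop checks are omitted because they need option parsing and fragment-reassembly state that this example does not model. Note that a SYN+FIN segment also matches the FIN-without-ACK definition, so the checker reports both.

```python
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROTO_ICMP, PROTO_TCP = 1, 6
MAX_IPV4_PROTOCOL = 137       # "protocol numbers greater than 137 for IPv4" (from the text)
ICMP_LARGE_PACKET_LEN = 1024  # "IP length greater than 1024 bytes" (from the text)
MAX_IP_DATAGRAM = 65535       # maximum legal IP datagram length (from the text)


def check_packet(pkt: bytes) -> list:
    """Return the names of the anomalies found in one raw IPv4 packet ([] if none)."""
    if len(pkt) < 20:
        return ["truncated-ip-header"]
    ver_ihl, _, total_len, _, frag_field, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (frag_field & 0x1FFF) * 8                      # offset is in 8-byte units
    is_fragment = bool(frag_field & 0x2000) or frag_offset > 0   # MF flag set, or not the first piece
    payload = pkt[ihl:total_len]
    found = []

    if proto > MAX_IPV4_PROTOCOL:
        found.append("ip-unknown-protocol")

    if proto == PROTO_ICMP:
        if is_fragment:
            found.append("icmp-fragment")
        if total_len > ICMP_LARGE_PACKET_LEN:
            found.append("icmp-large-packet")
        # Ping of death: this fragment's data would end beyond the 65,535-byte datagram limit.
        if is_fragment and ihl + frag_offset + len(payload) > MAX_IP_DATAGRAM:
            found.append("icmp-ping-of-death")

    # TCP checks need the TCP header, which only the first fragment carries.
    if proto == PROTO_TCP and frag_offset == 0 and len(payload) >= 14:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13] & 0x3F
        if src == dst:
            found.append("land-attack-ip-port" if sport == dport else "land-attack-ip-only")
        if flags & SYN and is_fragment:
            found.append("tcp-syn-fragment")
        if flags == 0:
            found.append("tcp-no-flag")
        if flags & SYN and flags & FIN:
            found.append("tcp-syn-fin")
        if flags & FIN and not flags & ACK:
            found.append("tcp-fin-no-ack")
        if flags & URG and dport == 139:
            found.append("tcp-winnuke")
    return found


# --- constructed sample packets (checksums left zero; the checker does not verify them) ---
def ipv4(proto: int, src: str, dst: str, payload: bytes, more_frag: bool = False, offset: int = 0) -> bytes:
    frag_field = (0x2000 if more_frag else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_field, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def tcp(sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    # ports, seq, ack, data offset of 5 words, flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data


def icmp_echo(data: bytes = b"") -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data   # type 8 (echo request), code 0, id 1, seq 1


ATTACKER, TARGET = "198.51.100.1", "192.0.2.10"   # constructed addresses from documentation ranges
SAMPLES = {
    "land": ipv4(PROTO_TCP, TARGET, TARGET, tcp(80, 80, SYN)),
    "syn_fin": ipv4(PROTO_TCP, ATTACKER, TARGET, tcp(40000, 22, SYN | FIN)),
    "fin_scan": ipv4(PROTO_TCP, ATTACKER, TARGET, tcp(40000, 22, FIN)),
    "null_scan": ipv4(PROTO_TCP, ATTACKER, TARGET, tcp(40000, 22, 0)),
    "winnuke": ipv4(PROTO_TCP, ATTACKER, TARGET, tcp(40000, 139, URG | ACK | PSH, b"\x00")),
    "syn_fragment": ipv4(PROTO_TCP, ATTACKER, TARGET, tcp(40000, 22, SYN), more_frag=True),
    "icmp_large": ipv4(PROTO_ICMP, ATTACKER, TARGET, icmp_echo(b"A" * 1100)),
    "ping_of_death": ipv4(PROTO_ICMP, ATTACKER, TARGET, b"B" * 100, offset=65520),
    "unknown_proto": ipv4(200, ATTACKER, TARGET, b""),
    "normal_syn": ipv4(PROTO_TCP, ATTACKER, TARGET, tcp(40000, 443, SYN)),
    "normal_ping": ipv4(PROTO_ICMP, ATTACKER, TARGET, icmp_echo(b"C" * 56)),
}


def scan_samples() -> dict:
    """Run every constructed sample through the checker; maps sample name -> findings."""
    return {name: check_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:14s} {findings or 'clean'}")
```

The checks are stateless, which is why they can run on a per-packet basis without a session table; anything that needs reassembly state (teardrop overlap) or option parsing (bad options) is deliberately left out rather than approximated.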
Configuring Protection Against Network Attacks on an MS-MPC
This topic includes the following tasks, which describe how to protect against network attacks when using an MS-MPC:
- Configuring Protection Against Network Probing, Network Flooding, and Suspicious Pattern Attacks
- Configuring Protection Against Header Anomaly Attacks
Configuring Protection Against Network Probing, Network Flooding, and Suspicious Pattern Attacks
You configure protection against network probing attacks, network flooding attacks, and suspicious pattern attacks by configuring an intrusion detection service (IDS) rule, and then applying that rule to a service set that is on an MS-MPC. Only the first term of an IDS rule is used, and only the first IDS input rule and the first IDS output rule for a service set are used.
Configuring protection against network probing, network flooding, and suspicious pattern attacks includes:
- Configuring IDS Rule Name and Direction
- Configuring Session Limits for Subnets
- Configuring Session Limits Independent of the Protocol
- Configuring ICMP Address Sweep Protection
- Configuring TCP Port Scanner Protection
- Configuring ICMP Flooding Protection
- Configuring UDP Flooding Protection
- Configuring TCP SYN Flooding Protection
- Configuring ICMP Fragmentation Protection
- Configuring ICMP Large Packet Protection
- Configuring IP Bad Options Protection
- Configuring Land Attack Protection
- Configuring TCP SYN Fragment Protection
- Configuring WinNuke Protection
- Configuring the Service Set
Configuring IDS Rule Name and Direction
For each IDS rule, you must configure a name and the direction of traffic to which it is applied.
To configure the IDS rule name and direction:
Configuring Session Limits for Subnets
If you want session limits to apply to traffic aggregated by source or destination subnet of a given prefix length, rather than to each individual address, configure aggregation.
To configure subnet aggregation:
Configuring Session Limits Independent of the Protocol
If you want to configure session limits for traffic to an individual destination or from an individual source independent of the protocol, then perform one or more of the following tasks:
Configuring ICMP Address Sweep Protection
To configure protection against ICMP address sweeps, configure any combination of the maximum allowed ICMP concurrent sessions, packets per second, and connections per second for a source:
Configuring TCP Port Scanner Protection
To configure protection against TCP port scanner attacks, configure any combination of the maximum allowed TCP concurrent sessions and connections per second for a source or destination:
Configuring ICMP Flooding Protection
To configure protection against ICMP flooding attacks, configure any combination of the maximum allowed ICMP concurrent sessions, packets per second, and number of connections per second for a destination:
Configuring UDP Flooding Protection
To configure protection against UDP flooding attacks, configure any combination of the maximum allowed UDP concurrent sessions, packets per second, and connections per second for a destination:
Configuring TCP SYN Flooding Protection
To configure protection against TCP SYN flooding attacks, configure any combination of the maximum allowed TCP concurrent sessions, packets per second, and connections per second for a source or destination. You can also configure the closing of unestablished TCP connections after a timeout:
Configuring ICMP Fragmentation Protection
To protect against ICMP fragmentation attacks:
Configure the identification and dropping of ICMP packets that are IP fragments.
    [edit services ids rule rule-name term term-name then]
    user@host# set icmp-fragment-check
Configuring ICMP Large Packet Protection
To protect against ICMP large packet attacks:
Configure the identification and dropping of ICMP packets that are larger than 1024 bytes.
    [edit services ids rule rule-name term term-name then]
    user@host# set icmp-large-packet-check
Configuring IP Bad Options Protection
To protect against bad IPv4 options or IPv6 extension header attacks:
Configuring Land Attack Protection
To protect against land attacks:
Configure the identification and dropping of SYN packets that have the same source and destination IP address or the same source and destination IP address and port.
    [edit services ids rule rule-name term term-name then]
    user@host# set land-attack-check (ip-only | ip-port)
Use the ip-only option to match packets that have the same source and destination IP address, or the ip-port option to match packets that have the same source and destination IP address and the same source and destination port.
Configuring TCP SYN Fragment Protection
To protect against TCP SYN fragment attacks:
Configure the identification and dropping of TCP SYN packets that are IP fragments:
    [edit services ids rule rule-name term term-name then]
    user@host# set tcp-syn-fragment-check
Configuring WinNuke Protection
To protect against WinNuke attacks:
Configure the identification and dropping of TCP segments that are destined for port 139 and have the urgent (URG) flag set.
    [edit services ids rule rule-name term term-name then]
    user@host# set tcp-winnuke-check
Configuring the Service Set
To apply the IDS rule actions to a service set:
Configuring Protection Against Header Anomaly Attacks
Protect against header anomaly attacks by using either of the following methods to enable a header integrity check, which drops any packets with header anomalies:
Configuring Logging of Network Attack Protection Packet Drops on an MS-MPC
To configure the logging of packet drops resulting from header integrity, suspicious packet pattern, and session limit checks performed by an MS-MPC: