Stopping a router attack


Eric Yellin

Jan 15, 2001, 12:43:58 AM
I have a 1601 router running version 11.1.

We have been experiencing what seems like an attack of some sort. The
incoming packets are taking up the full 128k Frame Relay line for 24
hours. They normally take up only 50%.

I am looking for 2 things at this point:
1. A way to detect who's attacking
2. A good packet blocking strategy.

I don't have a firewall. I setup a basic access list but this seems to
have no effect on the attackers. I figure that if they are attacking my
router from a real IP I can just block them however I don't know who
they are.

Thanks,

Eric

Fergie

Jan 15, 2001, 3:15:47 AM
Read http://www.cisco.com/warp/public/707/21.html for some info and links to
other sources of info....

"Eric Yellin" <Er...@migvan.co.il> wrote in message
news:3A628E1E...@migvan.co.il...

Jo Soap

Jan 15, 2001, 5:06:46 AM
Do a search on IOS firewall feature set.
This is firewall software within IOS you can use and configure to
detect intrusion and attacks. Also the IDS system on the firewall feature
set.
Have a look on Cisco's website. Depending on what version of IOS you are
running, you might need to upgrade to the version that has the firewall
feature.

Good luck

Taigon
CCNA,CCNP

Fergie <fer...@buck.house.com> wrote in message
news:U0y86.3315$65.2...@newsfeeds.bigpond.com...

jos van der Klooster

Jan 15, 2001, 5:06:29 PM
I doubt if this would help you. Firewall feature sets protect you against
"uninvited guests" entering your network, but I understand this is not the
case. Someone was utilizing your access-line with some kind of data stream.
Whenever your router is on-line, data will cross the line to your
router. You can block everything, but the data still crossed the line.
Blocking an IP address is never a solution. A hacker can think of ten ways
to get around this. If he is a real enemy, he is probably using a false
source IP address anyway.
I'm afraid there's not much you can do against these attackers (but if you
find him, you know where to stick his router/PC/anything....)

By the way... Are you sure it isn't a (very big) download from someone in
your organisation? (like a movie or something)

"Jo Soap" <1...@pnp.co.za> wrote in message
news:93uhvb$18rp$1...@nnrp01.ops.uunet.co.za...

David Schwartz

Jan 15, 2001, 9:22:13 PM

jos van der Klooster wrote:

> I doubt if this would help you. Firewall feature sets protect you against
> "uninvited guests" entering your network, but I understand this is not the
> case. Someone was utilizing your access-line with some kind of data stream.
> Whenever your router is on-line, data will cross the line to your
> router. You can block everything, but the data still crossed the line.
> Blocking an IP address is never a solution. A hacker can think of ten ways
> to get around this. If he is a real enemy, he is probably using a false
> source IP address anyway.
> I'm afraid there's not much you can do against these attackers (but if you
> find him, you know where to stick his router/PC/anything....)

I think your comments fail to take something very important into
account. Some types of floods rely upon secondary effects to do most of
their work. For example, suppose I know of an IP address that's behind a
firewall that returns ICMP 'administratively prohibited' packets when
you send TCP packets to it. I could flood you with spoofed TCP SYNs with
this source address. When your machines reply with a RST, they get back
an ICMP error from the machine with the spoofed source. Thus half the
flood is being caused by your response to the other half of the flood.

In this case, filtering this particular IP address will help you three
ways:

1) It stops you from flooding the other victim.

2) It stops your outbound bandwidth from being wasted by the attack.

3) It stops half the inbound flood, the half your own outbound traffic
was causing.

Your comments are grossly oversimplified and contain numerous unstated
assumptions.

DS
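The pattern David describes leaves a recognisable three-part signature in traffic on the link: inbound TCP SYNs from one address, outbound RSTs from your hosts back to that address, and inbound ICMP type 3 code 13 ("communication administratively prohibited") from the same address. The script below is an added example, not code from anyone in this thread. It tallies those three halves per remote address over constructed sample flow records (RFC 5737 documentation addresses), flags addresses where all three appear, and renders the deny entries in IOS extended access-list form that Eric could apply inbound on the serial interface. The record format, the `min_syn` threshold and the access-list number 101 are assumptions for the example.

```python
"""Detect a reflected flood of the kind described in the thread: inbound TCP
SYNs with a (possibly spoofed) source, our hosts answering with RSTs, and ICMP
'administratively prohibited' errors (type 3, code 13) coming back from the
address that was used as the source.

All addresses and records below are constructed sample data (RFC 5737 ranges),
not a trace from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: direction, protocol, src, dst, detail.
# detail is the TCP flag set ("SYN", "RST", ...) or ICMP "type/code".
# The first address shows the reflection pattern; the second is an
# ordinary three-way handshake that must not be flagged.
SAMPLE_FLOWS = """\
in  tcp  203.0.113.7   192.0.2.10   SYN
out tcp  192.0.2.10    203.0.113.7  RST
in  icmp 203.0.113.7   192.0.2.10   3/13
in  tcp  203.0.113.7   192.0.2.11   SYN
out tcp  192.0.2.11    203.0.113.7  RST
in  icmp 203.0.113.7   192.0.2.11   3/13
in  tcp  203.0.113.7   192.0.2.12   SYN
out tcp  192.0.2.12    203.0.113.7  RST
in  icmp 203.0.113.7   192.0.2.12   3/13
in  tcp  198.51.100.4  192.0.2.10   SYN
out tcp  192.0.2.10    198.51.100.4 SYN-ACK
in  tcp  198.51.100.4  192.0.2.10   ACK
"""


@dataclass
class Counts:
    """The three halves of the reflection pattern, counted per remote address."""
    syn_in: int = 0
    rst_out: int = 0
    icmp_prohibited_in: int = 0


def parse_flows(text):
    """Yield (direction, proto, src, dst, detail) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        direction, proto, src, dst, detail = line.split()
        yield direction, proto, src, dst, detail


def tally(text):
    """Count inbound SYNs, outbound RSTs and inbound ICMP 3/13 per remote address."""
    counts = defaultdict(Counts)
    for direction, proto, src, dst, detail in parse_flows(text):
        if direction == "in" and proto == "tcp" and detail == "SYN":
            counts[src].syn_in += 1
        elif direction == "out" and proto == "tcp" and detail == "RST":
            counts[dst].rst_out += 1
        elif direction == "in" and proto == "icmp" and detail == "3/13":
            counts[src].icmp_prohibited_in += 1
    return counts


def find_reflectors(text, min_syn=3):
    """Return remote addresses matching the full pattern: enough SYNs in,
    RSTs out to that address, and admin-prohibited ICMP back from it.
    A plain SYN flood or a normal handshake lacks the ICMP half and is not flagged."""
    hits = []
    for addr, c in tally(text).items():
        if c.syn_in >= min_syn and c.rst_out > 0 and c.icmp_prohibited_in > 0:
            hits.append(addr)
    return sorted(hits)


def acl_lines(addrs, acl_number=101):
    """Render deny entries in IOS extended access-list syntax for the flagged
    addresses, followed by the permit-any that keeps other traffic flowing.
    Dropping the spoofed source inbound stops both the RSTs we would send
    to the other victim and the ICMP errors that come back from it."""
    lines = [f"access-list {acl_number} deny ip host {a} any" for a in addrs]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    reflectors = find_reflectors(SAMPLE_FLOWS)
    print("suspected reflection sources:", reflectors)
    print("\n".join(acl_lines(reflectors)))
```

Note that the address this flags is the spoofed one, i.e. the other victim's filtering device, which is exactly the address David argues is worth blocking: it costs nothing legitimate and removes the half of the flood your own RSTs were generating. The real sender stays unknown, so the check answers Eric's second question (what to block) rather than his first (who is sending).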
