
ACL Filtering on Border Routers


Source: China IT Lab, September 9, 2009

Keywords: routing, ACL, border router


  1. Filtering bogon prefixes

  Bogon prefixes are address blocks that should never appear on the Internet. They include:

  Private addresses defined in RFC 1918

  The loopback range (127.0.0.0/8)

  Addresses reserved by IANA

  Multicast addresses (224.0.0.0/4)

  Addresses reserved for research use (240.0.0.0/4)

  DHCP link-local addresses (169.254.0.0/16). This is what your PC uses if it cannot find a DHCP server from which to acquire its addressing information.

  None of these addresses appears in the Internet routing table, and attackers frequently use them as source addresses to launch DoS attacks or for IP spoofing.

  You can block these addresses with any of the following methods:

  ACL filtering

  BGP prefix filtering

  Black hole routing

  Route policy filtering with route maps

  Here we discuss packet filtering with ACLs.

  Example: enable an ACL at the Internet ingress to filter bogons.

  Lab topology: (diagram not reproduced in the page text)

  Router(config)# ip access-list extended ingress-filter
  Router(config-ext-nacl)# remark Unassigned IANA addresses
  Router(config-ext-nacl)# deny ip 1.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 2.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 5.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 7.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 23.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 27.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 31.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 36.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 37.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 39.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 41.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 42.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 49.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 50.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 58.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 59.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 60.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 70.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 71.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 72.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 73.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 74.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 75.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 76.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 77.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 78.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 79.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 83.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 84.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 85.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 86.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 87.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 88.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 89.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 90.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 91.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 92.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 93.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 94.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 95.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 96.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 97.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 98.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 99.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 100.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 101.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 102.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 103.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 104.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 105.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 106.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 107.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 108.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 109.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 110.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 111.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 112.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 113.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 114.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 115.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 116.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 117.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 118.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 119.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 120.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 121.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 122.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 123.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 124.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 125.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 126.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 197.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 201.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# remark RFC 1918 private addresses
  Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
  Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
  Router(config-ext-nacl)# remark Other bogons
  Router(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any // multicast addresses
  Router(config-ext-nacl)# deny ip 240.0.0.0 15.255.255.255 any // addresses reserved for research
  Router(config-ext-nacl)# deny ip 0.0.0.0 0.255.255.255 any
  Router(config-ext-nacl)# deny ip 169.254.0.0 0.0.255.255 any // DHCP link-local addresses
  Router(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any // test network
  Router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any // loopback addresses
  Router(config-ext-nacl)# remark Internal networks
  Router(config-ext-nacl)# deny ip 200.1.1.0 0.0.0.255 any // internal server segment
  Router(config-ext-nacl)# remark Allow Internet to specific services
  Router(config-ext-nacl)# remark permit
  Router(config-ext-nacl)# deny ip any any
  Router(config-ext-nacl)# exit
  Router(config)# interface ethernet1
  Router(config-if)# ip access-group ingress-filter in

  The list is applied inbound on the WAN interface.

  Note: Filtering the internal server segment's own addresses at the ingress point is easy to overlook. It stops packets arriving from outside that carry the same addresses as the internal network, a common ingredient of DDoS attacks.

  Example: enable an ACL at the Internet egress so that only legitimate addresses can leave:

  Router(config)# ip access-list extended egress-filter
  Router(config-ext-nacl)# permit ip 200.1.1.0 0.0.0.255 any
  Router(config-ext-nacl)# deny ip any any
  Router(config-ext-nacl)# exit
  Router(config)# interface ethernet1
  Router(config-if)# ip access-group egress-filter out

  Note: This list is applied outbound on the WAN interface, so only routable public addresses need to be permitted. If it were applied inbound on the inside interface, NAT of private addresses would also have to be taken into account. In the same way, bogon source addresses sent from the internal network to the outside can be filtered on the private-network side, so that an internal machine that has been taken over by an attacker cannot use bogon addresses to attack the ISP.

  Someone left me a comment today saying that this method is outdated: since Internet access today may be via a BGP session with the upstream, bogon prefixes can be filtered out of the inbound BGP entries instead. Below I paste his BGP configuration template.

  IOS Assumptions

  IOS 12.0.X or higher.

  Understanding of BGP and the Cisco IOS.

  This template is used by a non-transit network.

  The local ASN is 111, the remote ASNs are 222 and 333.

  The local netblock is 1.88.0.0/19.

  The router has already been secured. For details on a secure IOS configuration template, please consult my Secure IOS Template.

  This template was crafted for a network that would be dual-homed and BGP peered to two Tier One ISPs.

  The IP address of the router used in this template is 172.17.70.1.

  IOS Template

  The actual commands are in BOLD text so that they stand out from the comment blocks.

  ! Our ASN is 111

  router bgp 111

  !

  ! Don't wait for the IGP to catch up.

  no synchronization

  !

  ! Be a little more forgiving of an occasional missed keepalive.

  no bgp fast-external-fallover

  !

  ! Track and punt, via syslog, all interesting observations about our

  ! neighbors.

  bgp log-neighbor-changes

  !

  ! Announce our netblock(s) in a manner that does not increase CPU

  ! utilization. Redistributing from an IGP is dangerous as it increases

  ! the likelihood of flapping and instability. Redistributing static is

  ! more stable, but requires the CPU to peruse the routing table at a set

  ! interval to capture any changes. The network statement, combined with

  ! a null route, is the least expensive (in terms of CPU utilization) and

  ! most reliable (in terms of stability) option.

  network 1.88.0.0 mask 255.255.224.0

  !

  ! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 333.

  neighbor 10.10.5.1 remote-as 333

  !

  ! Set for soft reconfiguration, thus preventing a complete withdrawal

  ! of all announced prefixes when clear ip bgp x.x.x.x is typed.

  neighbor 10.10.5.1 soft-reconfiguration inbound

  !

  ! Type in a description for future reference. Not everyone memorizes

  ! ASNs. :-)

  neighbor 10.10.5.1 description eBGP with ISP333

  !

  ! Set up a password for authentication.

  neighbor 10.10.5.1 password bgpwith333

  !

  ! Hard-set for version 4. Disabled BGP version negotiation, thus

  ! bringing the peering session on-line more quickly.

  neighbor 10.10.5.1 version 4

  !

  ! Block any inbound announcements that include bogon networks. A prefix

  ! list is used because it is:

  ! 1) Easier on the CPU than ACLs, and

  ! 2) Easier to modify.

  ! See the actual bogons prefix-list below.

  neighbor 10.10.5.1 prefix-list bogons in

  !

  ! Announce only those networks we specifically list. This also prevents

  ! the network from becoming a transit provider. An added bit of protection

  ! and good netizenship. See the announce prefix-list below.

  neighbor 10.10.5.1 prefix-list announce out

  !

  ! Prevent a mistake or mishap by our peer (or someone with whom our peer

  ! has a peering agreement) from causing router meltdown by filling the

  ! routing and BGP tables. This is a hard limit. At 75% of this limit,

  ! the IOS will issue log messages warning that the neighbor is approaching

  ! the limit. All log messages should be sent to a remote syslog host.

  ! The warning water mark can be modified by placing a value after the

  ! maximum prefix value, e.g. maximum-prefix 250000 50. This will set the

  ! IOS to issue warning messages when the neighbor reaches 50% of the limit.

  ! Note that this number may need to be adjusted upward in the future to

  ! account for growth in the Internet routing table.

  neighbor 10.10.5.1 maximum-prefix 250000

  !

  ! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 222.

  neighbor 10.10.10.1 remote-as 222

  neighbor 10.10.10.1 soft-reconfiguration inbound

  neighbor 10.10.10.1 description eBGP with ISP222

  neighbor 10.10.10.1 password bgpwith222

  neighbor 10.10.10.1 version 4

  neighbor 10.10.10.1 prefix-list bogons in

  neighbor 10.10.10.1 prefix-list announce out

  neighbor 10.10.10.1 maximum-prefix 250000

  !

  ! This is our iBGP peer, 172.17.70.2.

  neighbor 172.17.70.2 remote-as 111

  !

  neighbor 172.17.70.2 soft-reconfiguration inbound

  !

  ! Again, a handy description.

  neighbor 172.17.70.2 description iBGP with our other router

  !

  neighbor 172.17.70.2 password bgpwith111

  ! Use the loopback interface for iBGP announcements. This increases the

  ! stability of iBGP.

  neighbor 172.17.70.2 update-source Loopback0

  neighbor 172.17.70.2 version 4

  neighbor 172.17.70.2 next-hop-self

  neighbor 172.17.70.2 prefix-list bogons in

  neighbor 172.17.70.2 maximum-prefix 250000

  !

  ! Do not automatically summarize our announcements.

  no auto-summary

  ! If we have multiple links on the same router to the same AS, we like to

  ! put them to good use. Load balance, per destination, with maximum-paths.

  ! The limit is six. For our example, we will assume two equal size pipes

  ! to the same AS.

  maximum-paths 2

  !

  ! Now add our null route and the loopback/iBGP route. Remember to add

  ! more specific non-null routes so that the packets travel to their

  ! intended destination!

  ip route 1.88.0.0 255.255.224.0 Null0

  ip route 1.88.50.0 255.255.255.0 192.168.50.5

  ip route 1.88.55.0 255.255.255.0 192.168.50.8

  ip route 1.88.75.128 255.255.255.128 192.168.50.10

  ip route 172.17.70.2 255.255.255.255 192.168.50.2

  !

  ! We protect TCP port 179 (BGP port) from miscreants by limiting

  ! access. Allow our peers to connect and log all other attempts.

  ! Remember to apply this ACL to the interfaces of the router or

  ! add it to existing ACLs.

  ! Please note that ACL 185 would block ALL traffic as written. This

  ! is designed to focus only on protecting BGP. You MUST modify ACL

  ! 185 to fit your environment and approved traffic patterns.

  access-list 185 permit tcp host 10.10.5.1 host 10.10.5.2 eq 179

  access-list 185 permit tcp host 10.10.5.1 eq bgp host 10.10.5.2

  access-list 185 permit tcp host 10.10.10.1 host 10.10.10.2 eq 179

  access-list 185 permit tcp host 10.10.10.1 eq bgp host 10.10.10.2

  access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179

  access-list 185 permit tcp host 172.17.70.2 eq bgp host 172.17.70.1

  access-list 185 deny tcp any any eq 179 log-input

  !

  ! The announce prefix list prevents us from announcing anything beyond

  ! our aggregated netblock(s).

  ip prefix-list announce description Our allowed routing announcements

  ip prefix-list announce seq 5 permit 1.88.0.0/19

  ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32

  !

  ! The bogons prefix list prevents the acceptance of obviously bogus

  ! routing updates. This can be modified to fit local requirements.

  ! While aggregation is possible - certainly desirable - IANA tends

  ! to allocate netblocks on a /8 boundary. For this reason, I have

  ! listed the bogons largely as /8 netblocks. This will make changes

  ! to the bogons prefix-list easier to accomplish and less intrusive.

  ! I have listed more specific netblocks when documentation, such as

  ! RFC1918, is more granular.

  ! Please see the IANA IPv4 netblock assignment document at the

  ! following URL:

  ! http://www.iana.org/assignments/ipv4-address-space

  ip prefix-list bogons description Bogon networks we won't accept.

  ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32

  ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32

  ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32

  ip prefix-list bogons seq 20 deny 5.0.0.0/8 le 32

  ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32

  ip prefix-list bogons seq 32 deny 14.0.0.0/8 le 32

  ip prefix-list bogons seq 35 deny 23.0.0.0/8 le 32

  ip prefix-list bogons seq 40 deny 27.0.0.0/8 le 32

  ip prefix-list bogons seq 45 deny 31.0.0.0/8 le 32

  ip prefix-list bogons seq 50 deny 36.0.0.0/8 le 32

  ip prefix-list bogons seq 55 deny 37.0.0.0/8 le 32

  ip prefix-list bogons seq 60 deny 39.0.0.0/8 le 32

  ip prefix-list bogons seq 70 deny 42.0.0.0/8 le 32

  ip prefix-list bogons seq 75 deny 46.0.0.0/8 le 32

  ip prefix-list bogons seq 80 deny 49.0.0.0/8 le 32

  ip prefix-list bogons seq 85 deny 50.0.0.0/8 le 32

  ip prefix-list bogons seq 255 deny 100.0.0.0/8 le 32

  ip prefix-list bogons seq 260 deny 101.0.0.0/8 le 32

  ip prefix-list bogons seq 265 deny 102.0.0.0/8 le 32

  ip prefix-list bogons seq 270 deny 103.0.0.0/8 le 32

  ip prefix-list bogons seq 275 deny 104.0.0.0/8 le 32

  ip prefix-list bogons seq 280 deny 105.0.0.0/8 le 32

  ip prefix-list bogons seq 285 deny 106.0.0.0/8 le 32

  ip prefix-list bogons seq 290 deny 107.0.0.0/8 le 32

  ip prefix-list bogons seq 295 deny 108.0.0.0/8 le 32

  ip prefix-list bogons seq 300 deny 109.0.0.0/8 le 32

  ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32

  ip prefix-list bogons seq 395 deny 169.254.0.0/16 le 32

  ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32

  ip prefix-list bogons seq 415 deny 175.0.0.0/8 le 32

  ip prefix-list bogons seq 420 deny 176.0.0.0/8 le 32

  ip prefix-list bogons seq 425 deny 177.0.0.0/8 le 32

  ip prefix-list bogons seq 430 deny 178.0.0.0/8 le 32

  ip prefix-list bogons seq 435 deny 179.0.0.0/8 le 32

  ip prefix-list bogons seq 440 deny 180.0.0.0/8 le 32

  ip prefix-list bogons seq 445 deny 181.0.0.0/8 le 32

  ip prefix-list bogons seq 450 deny 182.0.0.0/8 le 32

  ip prefix-list bogons seq 455 deny 183.0.0.0/8 le 32

  ip prefix-list bogons seq 460 deny 184.0.0.0/8 le 32

  ip prefix-list bogons seq 465 deny 185.0.0.0/8 le 32

  ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32

  ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32

  ip prefix-list bogons seq 512 deny 198.18.0.0/15 le 32

  ip prefix-list bogons seq 515 deny 223.0.0.0/8 le 32

  ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32

  ! Allow all prefixes up to /27. Your mileage may vary,

  ! so adjust this to fit your specific requirements.

  ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
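An added example, not part of the template or its author's work: a Python evaluator for IOS `ip prefix-list` entries, applied to the announce list and a constructed subset of the bogons list above. It shows the exact-match default when neither `ge` nor `le` is given, what `le`/`ge` bound, and why a /28 falls through to the implicit deny under `permit 0.0.0.0/0 le 27`.

```python
import ipaddress

# Constructed sample: the template's announce list and a few lines of its
# bogons list (the real list is much longer; the semantics are identical).
PREFIX_LISTS = """\
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
"""

def parse_prefix_list(text, name):
    """Return (seq, permit, network, ge, le) tuples for one named list, ordered by seq."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        # ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]
        if t[:3] != ["ip", "prefix-list", name] or t[3:4] != ["seq"]:
            continue
        ge = le = None
        for key, val in zip(t[7::2], t[8::2]):      # optional 'ge N' / 'le N' pairs
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((int(t[4]), t[5] == "permit", ipaddress.IPv4Network(t[6]), ge, le))
    return sorted(entries, key=lambda e: e[0])

def entry_matches(entry, route):
    """IOS semantics: the route's first L bits must equal the entry's L-bit prefix
    and its length must lie in [low, high]. With neither ge nor le the match is
    exact (low = high = L); with only ge, high is 32; with only le, low is L."""
    _, _, net, ge, le = entry
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return route.subnet_of(net) and low <= route.prefixlen <= high

def filter_route(entries, prefix):
    """First match wins; a prefix that matches nothing hits the implicit deny."""
    route = ipaddress.IPv4Network(prefix)
    for entry in entries:
        if entry_matches(entry, route):
            return "permit" if entry[1] else "deny"
    return "deny"
```

Note that `1.88.50.0/24`, one of the template's more specific static routes, is rejected by the announce list: only the exact /19 aggregate leaves the AS.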

  2. Preventing TCP SYN flood attacks

  A TCP SYN flood is a form of DoS attack. The attacker sends TCP SYN packets, from real or forged source addresses, to a server, leaving the server holding all of those half-open TCP requests until its resources are exhausted.

  Lab topology: (diagram not reproduced in the page text)

  Router(config)# ip access-list extended tcp-syn-flood

  Router(config-ext-nacl)# permit tcp any 200.1.1.0 0.0.0.255 established // allow TCP connections initiated from inside

  Router(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 25 // only allow TCP SYN requests from the Internet to the internal SMTP server

  <--output omitted-->

  Router(config-ext-nacl)# deny ip any any

  Router(config-ext-nacl)# exit

  Router(config)# interface ethernet1

  Router(config-if)# ip access-group tcp-syn-flood in

  Note: This kind of ACL does not really prevent a TCP SYN flood; it only limits the attack's reach. If the attacker directs the SYN flood at TCP port 25, this ACL offers no protection.
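The following is an added example, not code from the article: a small Python evaluator for Cisco extended ACL entries with first-match semantics, used to check what the ingress-filter of section 1 and the tcp-syn-flood list of section 2 actually do with sample packets. The ACL text is a constructed subset of the article's lists, with the SMTP permit from section 2 standing in for the elided permit line of section 1; the wildcard-to-netmask conversion and the implicit deny are the two details that are easiest to get wrong.

```python
import ipaddress

# Constructed sample: a cut-down ingress-filter from section 1, with the
# SMTP permit from the tcp-syn-flood list filled in where the article
# only shows "remark permit".
INGRESS_FILTER = """\
remark RFC 1918 private addresses
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Internal networks
deny ip 200.1.1.0 0.0.0.255 any // our own segment must never arrive from outside
permit tcp any 200.1.1.0 0.0.0.255 established
permit tcp any host 200.1.1.11 eq 25
deny ip any any
"""

def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard is an inverted netmask: 0 bits must match. Only the
    contiguous wildcards the article uses are handled (no bit-pattern masks)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip|tcp SRC DST [eq PORT] [established]' lines in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split("//")[0].split()        # drop the article's // glosses
        if not tokens or tokens[0] == "remark":
            continue
        permit, proto = tokens[0] == "permit", tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port, rest = int(rest[1]), rest[2:]
        entries.append((permit, proto, src, dst, port, "established" in rest))
    return entries

def evaluate(entries, src, dst, proto="ip", dport=None, ack=False):
    """First matching entry decides; falling off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for permit, eproto, esrc, edst, eport, established in entries:
        if eproto not in ("ip", proto) or s not in esrc or d not in edst:
            continue
        if (eport is not None and eport != dport) or (established and not ack):
            continue                                # a bare SYN is not 'established'
        return "permit" if permit else "deny"
    return "deny"
```

A SYN from 203.0.113.9 to port 25 on 200.1.1.11 is permitted, the same SYN to port 80 is dropped, and a packet with an internal source address arriving from outside is dropped before any permit is reached.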

  3. Filtering smurf and fraggle attacks

  First, the hacker puts a directed broadcast into the destination field of the IP packet header. Directed broadcasts, unlike local broadcasts, are routable. Depending on the user's device, a directed broadcast can be either the first or the last address in a network or subnet. Typically, it is the last address. For example, with network 192.168.1.0/24, the directed broadcast address could be 192.168.1.0 or 192.168.1.255. Second, instead of using his own address as the source address of the packet, the hacker replaces it with the address of the device that he wants to attack. If the destination network or networks do not filter the directed broadcast, all the destinations on the segment of the directed broadcast respond with an echo reply to the source address in the packet (the victim).

  Figure 7-6 illustrates the process of a Smurf attack. In this example, the hacker wants to attack the internal server (200.1.2.1). The attacker then finds a network that allows directed broadcasts into the network. This could be the same network (not likely) or another network connected to the Internet (most likely). The hacker then sends an ICMP echo with a destination-directed broadcast to the segment that will initiate the attack and puts a source address in the packet header of the actual victim (200.1.2.1). When the destinations on 200.1.1.0/24 receive the echo-directed broadcast, each device responds to the source address with an echo reply. These devices commonly are called reflectors because they are being used to reflect the attack to the actual victim. In this example, only three user devices—200.1.1.1, 200.1.1.2, and 200.1.1.3—send an echo reply to 200.1.2.1.

  
