Tuesday, August 7, 2012

2) Inappropriate IP addresses
  • By using inappropriate IP addresses, attackers can remain hidden and, with the help of other hosts, create a distributed denial-of-service (DDoS) attack.
  • A Layer 3 security best practice is to use an ACL to filter packets whose source IP address is not appropriate.
  • The router should also filter packets that are bogus or otherwise inappropriate.
    • For example, a packet should never have a broadcast or multicast source IP address in normal use.
  • A router should never receive a packet from an ISP whose source IP address belongs to a private network per RFC 1918.
  • Additionally, the same router should not receive packets sourced from IP address ranges currently unallocated by IANA.
  • These types of IP addresses are frequently called bogons (IP address ranges not allocated by IANA).
  • Filter these bogons by:
    • Creating an ACL that matches these bogon IP addresses (updated regularly as IANA's assigned prefixes change).
    • Using the freeware Router Audit Tool (RAT), which makes recommendations for router security, including bogon ACLs.
    • Using the Cisco IOS AutoSecure feature.
      • It automatically configures ACLs to prevent the use of such bogus IP addresses.
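The ingress filter described above, written out as an added Cisco IOS example (not part of the original notes): it drops the RFC 1918, broadcast and multicast source addresses the notes name, plus the unspecified (0.0.0.0/8) and loopback (127.0.0.0/8) ranges as further bogus sources. The interface name GigabitEthernet0/0 and its role as the ISP-facing link are assumptions; the IANA-unallocated entries must be maintained separately against IANA's current assignments.

```cisco
! Extended named ACL applied inbound on the ISP-facing interface.
! Wildcard masks are inverted subnet masks (0.255.255.255 = /8).
ip access-list extended INGRESS-ANTISPOOF
 remark --- RFC 1918 private space must never arrive from the ISP ---
 deny   ip 10.0.0.0    0.255.255.255  any
 deny   ip 172.16.0.0  0.15.255.255   any
 deny   ip 192.168.0.0 0.0.255.255    any
 remark --- bogus sources: unspecified, loopback, multicast, limited broadcast ---
 deny   ip 0.0.0.0     0.255.255.255  any
 deny   ip 127.0.0.0   0.255.255.255  any
 deny   ip 224.0.0.0   15.255.255.255 any
 deny   ip host 255.255.255.255       any
 remark --- IANA-unallocated prefixes go here; refresh as IANA assignments change ---
 remark --- everything else is allowed (the ACL otherwise ends in an implicit deny) ---
 permit ip any any
!
! Assumed ISP-facing interface; the filter is applied to traffic entering from the ISP.
interface GigabitEthernet0/0
 description Link to ISP
 ip access-group INGRESS-ANTISPOOF in
```

After applying it, `show ip access-lists INGRESS-ANTISPOOF` displays per-entry match counters, so a rising count on any deny line shows spoofed or bogus sources actually arriving on the link.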