
DoS Step-by-Step: Cabletron Anti-Spoof Egress Filtering


Revision: 1.3 - Date: 2000/03/23 02:56:55 GMT

In order to help prevent your network(s) from being used in Spoofed Denial of Service (DoS) Attacks, the following access list should be in place on your routers. The access list needs to be placed outbound on the Interface that connects to the ISP.

acl egress-filter permit ip (customer network/netmask) any

(note: there is an implicit "deny ip any" at the end of each IP ACL)

This access list would prevent packets being sent from a customer network with any IP address other than their network.

For customers that have more than one connection to the internet, this would be applied outbound on any interface connected to the Internet.

Place the ACL on interfaces toward the internet. In the following example the link to the internet is "link-to-isp" on port se.2.1.

external-gw# ip show interfaces brief

  Interface    Status  Oper. Status  Address          Broadcast       Vlan/Port
  ---------    ------  ------------  -------          ---------       ---------
  lo0          up      up            127.0.0.1/8
  internal     up      up            192.168.1.1/24   192.168.1.255   SYS_L3_internal/et.3.1
  link-to-isp  up      up            192.168.2.1/24                   SYS_L3_link-to-isp/se.2.1
external-gw#

The network is 192.168.1.0 255.255.255.0. We want to create an access list that will permit traffic from any host within the 192.168.1.0/24 network and drop all other traffic.

First you want to make sure the access-list we will be using is not already being used:

external-gw# acl show aclname egress-filter
%ACL-E-BADACLNAME, Unknown or invalid ACL name: egress-filter
external-gw#

If there was an access list it would have shown up here. Now we want to make sure that the serial interface does not have an access-list applied outbound.

external-gw# acl show interface link-to-isp
%ACL-I-NOACL, No ACL applied to interface link-to-isp.
external-gw#

You should see the line "%ACL-I-NOACL, No ACL applied to interface link-to-isp." If not, you already have an outbound access list, and you will need to see your firewall administrator for help. If you do not have an existing outbound access list, you can now create acl egress-filter and apply it outbound on the interface connected to the ISP (in this example it is "link-to-isp" on port se.2.1).

external-gw# configure
external-gw(config)# acl egress-filter permit ip 192.168.1.0/24 any
external-gw(config)# acl egress-filter apply interface link-to-isp output logging deny-only
external-gw(config)# save active
external-gw(config)# save startup
Are you sure you want to overwrite the Startup configuration [no]? y
%CONFIG-I-SAVED, configuration saved to Startup configuration.
external-gw(config)# ^Z
external-gw#

The "logging deny-only" option at the end of the acl apply statement logs every packet whose source address is not permitted by the preceding permit expression; permitted packets are not logged.

After the access list is applied to the interface, the command "acl show aclname <list>" will display counters for each access expression. Confirm that the counter for the expression to pass your address block is incrementing.

If it is necessary to remove the access list due to an error, negate the "acl egress-filter apply" command to remove it and confirm with "acl show aclname egress-filter".
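The following is an added example, not part of the original SANS guide or any Cabletron software: a small Python model of the egress ACL semantics described above (ordered expressions, the implicit "deny ip any", per-expression hit counters, and deny-only logging), run over constructed sample packets so you can see which traffic a single permit expression for 192.168.1.0/24 lets out, what it drops, and which counter should be incrementing after the filter is applied.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # source prefix the expression matches
    hits: int = 0                    # per-expression counter, as "acl show aclname" reports

@dataclass
class EgressAcl:
    name: str
    entries: list
    log_denied: list = field(default_factory=list)   # populated under "logging deny-only"

    def evaluate(self, src, dst):
        """First-match evaluation of an outbound packet; returns 'permit' or 'deny'."""
        src_ip = ipaddress.IPv4Address(src)
        for entry in self.entries:
            if src_ip in entry.source:
                entry.hits += 1
                if entry.action == "deny":
                    self.log_denied.append((src, dst))
                return entry.action
        # Implicit "deny ip any" at the end of every IP ACL: unmatched packets are dropped and logged.
        self.log_denied.append((src, dst))
        return "deny"

def build_egress_filter(customer_prefix):
    """Equivalent of: acl egress-filter permit ip <customer_prefix> any."""
    return EgressAcl("egress-filter", [AclEntry("permit", ipaddress.IPv4Network(customer_prefix))])

def run_sample_traffic(acl):
    # Constructed outbound packets (not from the page): two with legitimate customer
    # sources and one whose source is outside the customer block (a spoofed source).
    packets = [("192.168.1.10", "198.51.100.5"),
               ("192.168.1.200", "203.0.113.9"),
               ("10.0.0.1", "203.0.113.9")]
    return [acl.evaluate(src, dst) for src, dst in packets]

if __name__ == "__main__":
    acl = build_egress_filter("192.168.1.0/24")
    print(run_sample_traffic(acl))             # ['permit', 'permit', 'deny']
    print(acl.entries[0].hits, acl.log_denied) # 2 [('10.0.0.1', '203.0.113.9')]
```

Only the source address is inspected, which is why the filter blocks source-spoofed packets leaving the customer network while leaving legitimate outbound traffic untouched.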

Never change the access lists on the router interface you are using to configure the router. Either remove the acl first, or configure the router via the serial console interface. If you do not remove the acl from the interface first, you will cause a momentary outage while installing the new access list and may disable all traffic through the interface if you make an error.