The following tables list the port keywords you can use with the eq option of this command to get more granular control: Table 1.16 covers the keywords available when the protocol is tcp, and Table 1.17 those available when the protocol is udp.
Table 1.16 Options When Using the eq Switch with the TCP Variable
Keyword    Port   Protocol
<0-65535>         A port number entered directly
bgp        179    Border Gateway Protocol
chargen    19     Character generator
cmd        514    Remote commands
daytime    13     Daytime
discard    9      Discard
domain     53     Domain Name System
echo       7      Echo
exec       512    Exec
finger     79     Finger
ftp        21     File Transfer Protocol
ftp-data   20     File Transfer Protocol data connections
gopher     70     Gopher
hostname   101    Hostname server
ident      113    Ident protocol
irc        194    Internet Relay Chat
klogin     543    Kerberos login
kshell     544    Kerberos shell
login      513    Rlogin
lpd        515    Print service
nntp       119    Network News Transport Protocol
pop3       110    Post Office Protocol 3
smtp       25     Simple Mail Transfer Protocol
telnet     23     Telnet
time       37     Time
www        80     World Wide Web (HTTP)
The following port keywords are available when the udp protocol keyword is used in an extended access list (numbers 100-199); see Table 1.17.
Table 1.17 UDP Options in Extended Access Control Lists
Keyword      Port   Protocol
<0-65535>           A port number entered directly
biff         512    Biff mail notification
bootpc       68     Bootstrap Protocol client
bootps       67     Bootstrap Protocol server
discard      9      Discard
dnsix        195    DNSIX security protocol auditing
domain       53     Domain Name System
echo         7      Echo
mobile-ip    434    Mobile IP registration
nameserver   42     IEN116 name service
netbios-dgm  138    NetBIOS datagram service
netbios-ns   137    NetBIOS name service
ntp          123    Network Time Protocol
rip          520    Routing Information Protocol
snmp         161    Simple Network Management Protocol
snmptrap     162    Simple Network Management Protocol traps
sunrpc       111    Sun remote-procedure call
syslog       514    System log
tacacs       49     TAC Access Control System
talk         517    Talk
tftp         69     Trivial File Transfer Protocol
time         37     Time
who          513    Who service
xdmcp        177    X Display Manager Control Protocol
Configuration Examples
It is apparent after reviewing Tables 1.16 and 1.17 that extended Access Control Lists can be very granular and give very specific control over a variety of network traffic. However, this level of control has a cost: every packet on the interface is checked against the list in order, so long lists, and in particular entries carrying the log keyword (matching packets must be handled by the router's CPU), add processor load and increase the possibility of a network slowdown. You must be selective when implementing extended Access Control Lists.
The following entry is an example of an extended ACL that denies and logs all TCP traffic to destination port 80 (www) on the 10.10.0.0/16 network (wildcard mask 0.0.255.255), then permits everything else:
Router1(config)#access-list 101 deny tcp any 10.10.0.0 0.0.255.255 eq www log
Router1(config)#access-list 101 permit ip any any
To apply this list to a specific interface, enter the configuration mode for that interface and use the ip access-group command. For example, to apply the list above to all inbound packets on interface Serial 1, you would use the following commands.
Router1(config)#interface serial 1
Router1(config-if)#ip access-group 101 in
The following example denies Telnet traffic destined for a router with the address 200.125.12.1. The log option is enabled to make it easier to track which users are attempting this.
Router1(config)#access-list 110 deny tcp any host 200.125.12.1 eq telnet log
Router1(config)#access-list 110 permit ip any any
Router1(config)#interface serial 1
Router1(config-if)#ip access-group 110 out
NOTE
The "out" keyword is not strictly required, since out is the default direction for ip access-group; it is included here for clarity.
This example denies TCP port 23 (Telnet) to host 200.125.12.1, and any traffic matching that entry is logged. Applying the list to the Serial 1 interface with the out option stops matching traffic from leaving that interface; everything else is still permitted by the second entry. Note that an outbound ACL is not applied to packets the router itself originates, so a Telnet session started from Router1 is not affected by it.
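The examples above depend on two details that are easy to get wrong: an eq clause binds to the address it follows (source before the destination, destination after it), and entries are evaluated in order with an implicit deny at the end. The following parser and evaluator for the numbered extended ACL syntax used on this page is an added example, not code from the book. It assumes the classic form access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT] [established] [log], uses the keyword tables above, and rejects a line such as the page's deny 23 any host ... that omits the protocol keyword.

```python
"""Parser and evaluator for the numbered extended IP ACL syntax used on this page.

Added example, not from the book. Assumed syntax:
  access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT] [established] [log]
PROTO is ip, tcp, udp or icmp; an address is `any`, `host A.B.C.D` or
`A.B.C.D WILDCARD`; an ICMP message name such as echo-reply may follow DST.
"""
import ipaddress

# Keyword-to-port maps from Tables 1.16 and 1.17.
TCP_PORTS = {"bgp": 179, "chargen": 19, "cmd": 514, "daytime": 13, "discard": 9,
             "domain": 53, "echo": 7, "exec": 512, "finger": 79, "ftp": 21,
             "ftp-data": 20, "gopher": 70, "hostname": 101, "ident": 113, "irc": 194,
             "klogin": 543, "kshell": 544, "login": 513, "lpd": 515, "nntp": 119,
             "pop3": 110, "smtp": 25, "telnet": 23, "time": 37, "www": 80}
UDP_PORTS = {"biff": 512, "bootpc": 68, "bootps": 67, "discard": 9, "dnsix": 195,
             "domain": 53, "echo": 7, "mobile-ip": 434, "nameserver": 42,
             "netbios-dgm": 138, "netbios-ns": 137, "ntp": 123, "rip": 520,
             "snmp": 161, "snmptrap": 162, "sunrpc": 111, "syslog": 514,
             "tacacs": 49, "talk": 517, "tftp": 69, "time": 37, "who": 513, "xdmcp": 177}


class AclSyntaxError(ValueError):
    """Raised for a line IOS would reject."""


def _take_addr(tokens):
    """Consume one address spec from the front of tokens; return (network, rest)."""
    if not tokens:
        raise AclSyntaxError("missing address")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise AclSyntaxError("host without address")
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2:
        raise AclSyntaxError("address without wildcard mask")
    # A Cisco wildcard is an inverted netmask: 0 bits must match, 1 bits are ignored.
    wild = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(~wild & 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[0], str(netmask)), strict=False), tokens[2:]


def _take_port(tokens, proto):
    """Consume an optional `eq PORT` that follows an address; return (port, rest)."""
    if len(tokens) < 2 or tokens[0] != "eq":
        return None, tokens
    if proto not in ("tcp", "udp"):
        raise AclSyntaxError("eq is only valid for tcp or udp")
    table = TCP_PORTS if proto == "tcp" else UDP_PORTS
    name = tokens[1]
    port = table.get(name, int(name) if name.isdigit() else -1)
    if not 0 <= port <= 65535:
        raise AclSyntaxError(f"unknown {proto} port keyword {name!r}")
    return port, tokens[2:]


def parse_acl_entry(line):
    """Parse one access-list statement into a dict; raise AclSyntaxError if malformed."""
    tokens = line.strip().split()
    if len(tokens) < 6 or tokens[0] != "access-list" or not tokens[1].isdigit():
        raise AclSyntaxError("not an access-list statement")
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    if not 100 <= number <= 199:
        raise AclSyntaxError(f"{number} is not an extended ACL number (100-199)")
    if action not in ("permit", "deny"):
        raise AclSyntaxError(f"bad action {action!r}")
    if proto not in ("ip", "tcp", "udp", "icmp"):
        # The page's `deny 23 any host ...` line fails here: no protocol keyword.
        raise AclSyntaxError(f"expected a protocol keyword, got {proto!r}")
    src, rest = _take_addr(tokens[4:])
    src_port, rest = _take_port(rest, proto)   # eq before DST applies to the source
    dst, rest = _take_addr(rest)
    dst_port, rest = _take_port(rest, proto)   # eq after DST applies to the destination
    entry = {"number": number, "action": action, "proto": proto, "src": src,
             "src_port": src_port, "dst": dst, "dst_port": dst_port,
             "established": False, "log": False, "icmp_type": None}
    for tok in rest:
        if tok == "established" and proto == "tcp":
            entry["established"] = True
        elif tok == "log":
            entry["log"] = True
        elif proto == "icmp" and entry["icmp_type"] is None:
            entry["icmp_type"] = tok               # e.g. echo or echo-reply
        else:
            raise AclSyntaxError(f"unexpected token {tok!r}")
    return entry


def is_valid_entry(line):
    """True if the line parses, False if IOS would reject it."""
    try:
        parse_acl_entry(line)
        return True
    except ValueError:
        return False


def evaluate(acl, proto, src, dst, src_port=None, dst_port=None, ack=False, icmp_type=None):
    """'permit' or 'deny' for one packet: first matching entry wins; a packet that
    matches no entry hits the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ip", proto) or s not in e["src"] or d not in e["dst"]:
            continue
        if e["src_port"] is not None and e["src_port"] != src_port:
            continue
        if e["dst_port"] is not None and e["dst_port"] != dst_port:
            continue
        if e["established"] and not ack:       # established = ACK or RST bit set
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"]
    return "deny"


# The page's list 101, parsed.
ACL_101 = [parse_acl_entry(l) for l in (
    "access-list 101 deny tcp any 10.10.0.0 0.0.255.255 eq www log",
    "access-list 101 permit ip any any",
)]
```

Calling evaluate(ACL_101, "tcp", "192.0.2.9", "10.10.5.5", 40000, 80) returns "deny", the same packet to port 443 returns "permit", and evaluating only the first entry against a UDP packet returns "deny" from the implicit deny, which is exactly the behaviour the single-line list later in this section runs into.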
Extended ACLs can also be useful tools in defending against denial of service (DoS) attacks on your network. If the attack can be identified by the port it targets, whether by network sniffing or some other means, writing the extended ACL becomes considerably easier. At the end of this section on DoS attacks is a "catch-all" list that makes this task a bit easier.
It is important to understand what a DoS attack is before we attempt to minimize its impact. A DoS attack is an attack on a network that monopolizes the network and server resources so that no other host can participate on the network, or, if they do, the network or service becomes very slow.
Three common types of DoS attack are Smurf, SYN floods, and Fraggle. In a Smurf attack the attacker sends ICMP echo requests to a network's broadcast address with the source address spoofed to that of the victim; every host on that network replies, and the resulting flood of echo replies ties up the victim's servers and network. A SYN flood sends large numbers of TCP connection requests (SYN segments) that are never completed, exhausting the target's connection resources. The Fraggle attack uses the same broadcast amplification as a Smurf attack, but with UDP echo requests (port 7) instead of ICMP echo requests. Extended ACLs can both track and deny each of these attacks.
The following example would enable you to track a Smurf attack if you believed one was occurring on your network.
Router1(config)#access-list 102 permit icmp any any echo-reply
Router1(config)#access-list 102 permit ip any any
Router1(config)#interface serial 1
Router1(config-if)#ip access-group 102 in
Once the extended ACL has been applied to the serial interface, the show access-lists command lets you see whether an attack is occurring: a Smurf attack shows up as an unusually large and fast-growing number of matches on the echo-reply entry. The match counters can be reset with clear access-list counters, which is useful for establishing a baseline before comparing.
To gather more information on the attack, alter the access list to log the matches. The following commands let you see the source addresses of the echo replies.
Router1(config)#interface serial 1
Router1(config-if)#no ip access-group 102 in
Router1(config-if)#exit
Router1(config)#no access-list 102 permit icmp any any echo-reply
Router1(config)#access-list 102 permit icmp any any echo-reply log
Router1(config)#interface serial 1
Router1(config-if)#ip access-group 102 in
Only echo replies are permitted in the example above. It is shown as a general "how to" and is not intended to be complete, because the list now denies all other traffic entering the serial interface: on a numbered ACL the no access-list 102 ... command removes the entire list, including the permit ip any any entry, so in a production network you would re-add that entry after the logged line. Applying a new access-group command would overwrite the existing one, but for the sake of clarity we first removed the existing access group and extended ACL, then created the new extended ACL and re-applied it to the serial interface. The router will begin logging each match, which you can view with the show logging command. After finding the network from which the attack is arriving, you can look up its administrator in the appropriate whois database and contact them to help stop the attack. It is important to remember that the source addresses of a DoS attack are usually victims themselves: in a Smurf attack the hosts that appear as sources are the amplifier network's machines answering spoofed requests, and the real attacker hides behind them.
You would use the same technique to track the other two kinds of DoS attack. The only difference in implementation is that for a Fraggle attack you would track UDP echo traffic, and for a SYN flood you would track TCP connection requests (SYN segments). Many network engineers implement "catch-all" ACLs as a first-line warning system to help detect and minimize DoS attacks. The following is an example of a "catch-all" ACL configuration. (It reuses list number 101 from the first example; lines added to an existing numbered list are appended to it, so on a router where 101 is already defined you would pick a different number or remove the old list first.)
Router1(config)#access-list 101 permit icmp any any echo-reply
Router1(config)#access-list 101 permit udp any any eq echo
Router1(config)#access-list 101 permit udp any eq echo any
Router1(config)#access-list 101 permit tcp any any established
Router1(config)#access-list 101 permit ip any any
Router1(config)#interface serial 1
Router1(config-if)#ip access-group 101 in
This configuration would be used if a DoS attack were suspected on your network. During the attack, the show access-lists command shows the matches per entry, and the entry whose counter is growing out of all proportion indicates the kind of attack: a surge of echo-reply matches points to a Smurf attack, and a surge of UDP echo matches to a Fraggle attack. Note that the established keyword matches only TCP segments with the ACK or RST bit set, so the SYN segments of a SYN flood do not match it; they fall through to the final permit ip any any entry. A disproportionate number of matches on that last entry, while the established counter grows at its normal rate, is the signature of a SYN flood (or other unsolicited traffic) with this list.
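Reading the counters is a comparison of two snapshots rather than one absolute number, because the established entry on a busy link will always have the largest total. The script below is an added example, not code from the book: it parses two show access-lists snapshots, computes how much each entry's counter grew, and names the attack type suggested by the dominant entry, applying the rule just described that SYN segments land on the final permit ip any any line rather than on established. The snapshots are constructed in the shape of IOS output with sequence numbers and "(N matches)" counters; entries that have never matched carry no counter.

```python
"""Turn two `show access-lists` snapshots of the catch-all list into a DoS verdict.

Added example, not from the book. The snapshots are constructed in the shape of
IOS output; take a baseline, wait, take a second snapshot, and diagnose the delta.
"""
import re

SHOW_BEFORE = """\
Extended IP access list 101
    10 permit icmp any any echo-reply (1204 matches)
    20 permit udp any any eq echo (3 matches)
    30 permit udp any eq echo any
    40 permit tcp any any established (2893311 matches)
    50 permit ip any any (418207 matches)
"""
# Constructed: a few minutes later during a Smurf attack.
SHOW_SMURF = """\
Extended IP access list 101
    10 permit icmp any any echo-reply (2461204 matches)
    20 permit udp any any eq echo (3 matches)
    30 permit udp any eq echo any
    40 permit tcp any any established (2901311 matches)
    50 permit ip any any (419007 matches)
"""
# Constructed: a few minutes later during a SYN flood. The SYNs carry no ACK, so
# they do not match `established` and are counted on the final `permit ip any any`.
SHOW_SYN = """\
Extended IP access list 101
    10 permit icmp any any echo-reply (1210 matches)
    20 permit udp any any eq echo (3 matches)
    30 permit udp any eq echo any
    40 permit tcp any any established (2901311 matches)
    50 permit ip any any (3318207 matches)
"""

LIST_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ENTRY_RE = re.compile(
    r"^\s+(?:\d+ )?(?P<rule>(?:permit|deny) .*?)(?: \((?P<n>\d+) matche?s?\))?$")


def parse_show_access_lists(text):
    """Return {list_name: {rule_text: match_count}}; entries with no counter are 0."""
    lists, current = {}, None
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            current = lists.setdefault(m.group(1), {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current[m.group("rule")] = int(m.group("n") or 0)
    return lists


def match_deltas(before, after, acl):
    """Growth of each entry's counter between two snapshots, largest first."""
    b = parse_show_access_lists(before).get(acl, {})
    a = parse_show_access_lists(after).get(acl, {})
    deltas = {rule: a[rule] - b.get(rule, 0) for rule in a}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)


def diagnose(before, after, acl, ratio=0.5):
    """Name the attack suggested by the entry that grew the most, provided it accounts
    for at least `ratio` of all new matches; return None if nothing dominates."""
    deltas = match_deltas(before, after, acl)
    total = sum(d for _, d in deltas)
    if not deltas or total <= 0 or deltas[0][1] < ratio * total:
        return None
    rule = deltas[0][0]
    if rule.startswith("permit icmp") and "echo-reply" in rule:
        return "Smurf (ICMP echo-reply flood)"
    if rule.startswith("permit udp") and "eq echo" in rule:
        return "Fraggle (UDP echo flood)"
    if "established" in rule:
        return "bulk traffic on existing TCP sessions (not a SYN flood)"
    return "unmatched traffic such as TCP SYNs (possible SYN flood)"


if __name__ == "__main__":
    print(diagnose(SHOW_BEFORE, SHOW_SMURF, "101"))
    print(diagnose(SHOW_BEFORE, SHOW_SYN, "101"))
```

The ratio threshold keeps ordinary growth from being reported: diagnose returns None when the two snapshots are identical or when no single entry accounts for half of the new matches. To make the SYN verdict sharper in practice, add a permit tcp any any entry between established and the final line, so that unsolicited TCP and unsolicited non-TCP traffic are counted separately.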