Dynamically dealing with an attack (access-list)

I created an access list with one spot at line 30 that I reserved for putting in an IP address from which I want all traffic blocked. So, in the case of an attack, even though I know the hosts will have intrusion detection, there are times when I still want to block that IP, if only to save log file space from all their attempts to log into "Administrator".

ip access-list extended ACLinbound
 permit tcp any any established
 permit tcp any 10.0.0.0 0.0.255.255 eq 80
 deny ip host 72.0.206.240 any
 ...

However, to do this during an attack, I found I need to do the following:

configure terminal
ip access-list extended ACLinbound
no 30
30 deny ip host <attacker-ip> any
end

Is there a better way to quickly tell a router to block any/all traffic? Usually, those blocks are needed just for a few minutes until the hacker moves on to a different IP address.

Reply to
JF Mezei

Hi,

As long as the attacker uses a dynamic IP address, you have to block each new one. A good thing to do is to try blocking subnets, not single IPs. For instance, if the ISP provides the attacker an IP from the range 72.0.206.0/24, you should block that range, not 72.0.206.240/32 itself. When the IP moves to another range, you should block that range too. Of course you should be very careful to use the proper subnet mask. You shouldn't block 72.0.0.0/8, because you might have problems accessing needed resources.

What I would do if I were you is create a new ACL

router(config)# access-list 101 deny ip 72.0.206.0 0.0.0.255 any
router(config)# access-list 101 permit ip any any

and then use a new ip access-group on the proper outside interface, like

router(config-if)# ip access-group 101 in

In case the attacker changes IP, I would disable ip access-group 101, save ACL 101 to a text file and delete it afterwards. Then I would add the new IP range to ACL 101 in the text file and paste it onto the router. Then I would enable ip access-group 101 on the proper outside interface of the router. I would definitely keep the text file in order to add each attacker's IP. And finally, if you think your company is threatened by that person, you should contact his/her ISP.

Good luck,

Giorgos

Reply to
geoar75

I've found that when I block an IP while he is attempting to log in many times, the pubescent hacker just moves on to some other target and all is quiet for a long time until some other hacker starts to test my IP.

Since I have no need, nor intention to record those IPs or grow a list to include every attack I've ever had, my goal is to re-use an existing access-list entry.

Is it more efficient to re-use an entry in a multi-entry access list which contains all rules for that interface, or is it more efficient to have 2 separate access lists (with the second one containing only that sporadic entry) attached to the interface?

Reply to
JF Mezei

So, are you trying to say that you have to let him login and then take some action?

Attacks shouldn't exist on a daily basis. If you have to deal with this kind of attack all the time, you have a critical security issue.

In that case, the second option is surely more efficient. Besides, you can't use more than one ACL per interface, per direction. What I'm trying to say is you shouldn't delete the ACL entry when the attacker changes IP. You should leave it in case he uses it again. Otherwise you have to add and delete entries all the time.

Reply to
geoar75

No. Sometimes a console constantly rings, and I see someone trying a password dictionary attack on a system. So I check which IP this attack is coming from and program the router to stop him. The system has already blocked that user through intrusion detection, so blocking the IP at the router is more of a "convenience" which stops the constant flow of alarms and gets the attacker to move on to attack someone else.

Reply to
JF Mezei

OK, but why don't you just have a word with his ISP? Running whois on the IP provides interesting info. I can see why, but sometimes it is worth the trouble.

Reply to
geoar75

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, snipped-for-privacy@gmail.com chose the tried and tested strategy of:

Presumably you have nothing connected to the internet then.

Reply to
alexd

So, you're saying brute-force and dictionary attacks on a daily basis are normal on a single network?

Reply to
geoar75

In my several years' experience with Internet-facing firewalls' logs, scanning attacks are seen on a daily basis and it's completely "normal", unfortunately. Brute force attacks are also seen frequently... Let's say you have some server/router with ssh enabled from the Internet. It's expected that when someone detects ssh they will try to brute force it... Probably the master work of some poor script kiddy;), but you never know... So, my advice is to never allow any kind of console/authentication from unknown IPs from the Internet. You can hardly prevent port scanning, maybe just make it hard and slow with IPS, but you can and you should definitely prevent authentication attacks. Even if unsuccessful they can result in DoS by eventually locking down your accounts;)

Igor

Reply to
Igor Mamuzic aka Pseto

Meanwhile, at the comp.dcom.sys.cisco Job Justification Hearings, snipped-for-privacy@gmail.com chose the tried and tested strategy of:

What is 'normal'? What is a single network? For yesterday:

# grep "Invalid user" /var/log/auth.log.0 | awk '{ print $10 }' | sort | uniq -c | sort -rn | head
   4474 82.143.224.114
    128 200.78.235.21
      4 78.43.153.131
      4 194.76.253.121
      3 91.187.45.168
      3 85.222.104.77
      3 82.160.33.7
      3 81.199.47.9
      3 217.194.133.206
      3 213.246.205.150

This pattern is repeated with different services on different servers, all over the internet. So I would say that whilst attacks shouldn't exist on a daily basis, they do. It's just part of the normal background noise of the internet.

Reply to
alexd
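The pieces of this thread fit together into one small defender-side tool: alexd's grep/awk/uniq pipeline picks the noisiest sources out of sshd's "Invalid user" lines, geoar75 advises blocking the attacker's /24 rather than the single /32 (with care over the mask width), and JF Mezei's original post re-uses a reserved sequence number in a named extended ACL. The Python below is an added example, not code posted by any participant; the log lines are constructed with documentation-range addresses, the function names are my own, and the sshd line format and the IOS wildcard-mask syntax are assumed to be the usual ones.

```python
"""Added example: count sshd "Invalid user" failures per source, roll
repeat offenders up to a subnet, and render the IOS ACL lines to block it.
Log lines and function names are constructed for this example."""
import ipaddress
import re
from collections import Counter

# The field alexd's awk '{ print $10 }' picks out is the address after "from"
# in OpenSSH's "Invalid user <name> from <ip>" message (assumed format).
INVALID_USER = re.compile(r"Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
Jan  9 03:14:07 gw sshd[1234]: Invalid user admin from 192.0.2.45
Jan  9 03:14:09 gw sshd[1235]: Invalid user Administrator from 192.0.2.45
Jan  9 03:14:12 gw sshd[1236]: Invalid user oracle from 192.0.2.45
Jan  9 03:20:01 gw sshd[1301]: Invalid user test from 192.0.2.200
Jan  9 04:02:55 gw sshd[1402]: Invalid user guest from 198.51.100.7
Jan  9 04:05:00 gw sshd[1403]: Accepted publickey for ops from 203.0.113.5 port 50000 ssh2
"""


def count_sources(log_text):
    """Equivalent of grep "Invalid user" | awk | sort | uniq -c: attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold):
    """Sources with at least `threshold` attempts, most active first (sort -rn | head)."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def to_subnet(ip, prefixlen=24):
    """Roll one address up to its /prefixlen network, as geoar75 suggests.
    Keep prefixlen sane: the thread warns that a /8 will cut off things you need."""
    if not 16 <= prefixlen <= 32:
        raise ValueError("refusing a mask wider than /16: too much collateral blocking")
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def wildcard(net):
    """IOS ACLs take an inverted (wildcard) mask; ipaddress calls it the hostmask."""
    return str(net.hostmask)


def acl_entry(net, seq=None):
    """One extended-ACL deny line, optionally prefixed with a sequence number."""
    body = f"deny ip {net.network_address} {wildcard(net)} any"
    return f"{seq} {body}" if seq is not None else body


def block_commands(acl_name, seq, net):
    """The replace-line-30 sequence from the first post, for a named extended ACL."""
    return [
        "configure terminal",
        f"ip access-list extended {acl_name}",
        f"no {seq}",
        acl_entry(net, seq),
        "end",
    ]


if __name__ == "__main__":
    counts = count_sources(SAMPLE_LOG)
    for ip, n in offenders(counts, threshold=3):
        print(f"{n:6d} {ip}")
        print("\n".join(block_commands("ACLinbound", 30, to_subnet(ip))))
```

With the sample log, only 192.0.2.45 crosses the threshold of 3 attempts, and the tool emits `no 30` followed by `30 deny ip 192.0.2.0 0.0.0.255 any` for ACLinbound. The threshold and the prefix length are the two knobs to tune: a low threshold turns every scanner into an ACL change, and a wide mask reproduces the /8 mistake geoar75 warns about, so the helper refuses anything wider than /16.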

Our MPLS-VPN network is based on a central site with more than 150 sites connected to it. We don't have that number of attacks. That's the reason I was so curious. I believe it depends on the type of each company.

Reply to
geoar75
