Cover V09, I03


Router-Based Network Defense

Gilbert Held

While growing up in Brooklyn, I often heard the expression “da bums” used to refer to the love-hate relationship between the Brooklyn Dodgers and their fans. More recently, I've heard that expression used to refer to computer crackers. Once isolated incidents, these stories of problems caused by crackers now appear on the evening news. Because only a fraction of these problems are actually reported, the threat to organizational networks connected to the Internet may be much greater than we realize, and sales of hardware and software products developed to enhance security now represent a rapid growth industry.


All connections of private networks to the public Internet are based on the use of routers, therefore this communications product is your first line of network defense. As such, anything you can do to use a router to protect your organizational network from attack enhances your level of security. Routers support packet filtering so you have the ability to enable or disable the flow of packets based upon the contents of certain fields within a packet. Although a router is not a substitute for a firewall, when a router is used correctly, you can substantially reduce a variety of threats to computers on your network. The use of a router's access list capability is the topic of this article.

In this article, I will focus on the use of router access lists to minimize or prevent certain types of network attacks. Because routers manufactured by Cisco Systems provide a majority of the connections to the Internet, my examples are based on their access list features. However, other vendors may provide equivalent products.

There are several types of attacks that crackers appear to enjoy. Those attacks include attaching a virus to an email, saturation pinging, and denial of service attacks, in which a server is flooded with half-open TCP connection requests. Although a router does not have the capability to perform virus checking, the creator of a virus typically has one characteristic in common with people who perform denial of service attacks -- the desire to hide their source address. In doing so, they typically disguise the source address by using some common methods that, if you plan accordingly, can prevent many attacks. This method requires the inclusion of source address filtering statements in your router's access control list.

Source Address Filtering

Two types of addresses are commonly used by crackers as a spoofing mechanism to disguise their source address. The first type of address commonly used is a host address on the network of the target under attack. The second type of address represents an RFC 1918 address. In this section, I will discuss the use of both types of addresses and how you can use an access list as a barrier to prevent these attacks.

The use of a source address representing a host on the network is a common hacker ploy. Fortunately, this attack method is easy to stop, and the access list statement used to do so will not interfere with legitimate traffic. Packets arriving at your router's serial port should never have a source address corresponding to a host on your network. If we assume your organization's network address is, then the access list statement required to filter all packets with a source address denoting a host on that network would be as follows:

access-list 101 deny ip any

In my previous article on router access lists (“Router Access Lists”, Sys Admin, November 1999), I explained that the dotted-decimal number represents a Cisco router access list wildcard-mask. The wildcard-mask is the reverse of a subnet mask, with 0 bits used to represent a match condition and 1 bits used to represent a “don't care” condition. Because the network address represents a Class C address, the value of 255 in the wildcard-mask results in a match if any host address on the network is encountered.

The number 101 in the statement represents an extended IP access list number, and the keyword “any” references any destination address. Thus, the preceding extended access list statement will result in any IP packet containing a source address that corresponds to an address on our organization's network being routed to the great bit bucket in the sky.

A second, commonly spoofed series of source addresses to block are RFC 1918 addresses. RFC 1918, “Address Allocation for Private Internets”, was issued in February, 1996. In this RFC, three blocks of the IPv4 address space were reserved for private Internets. Those blocks of IP address space are:    -	(10/8 prefix)  -	(176.16/12 prefix) -	(192.168/16 prefix)

Any organization can use RFC 1918 addresses without coordination with the Internet Assigned Numbers Authority (IANA) or an Internet registry. However, because such addresses are for private use, their use as a destination for routing via the Internet (where unique addresses are required) could have unexpected results. Due to this, RFC 1918 addresses cannot have IP connectivity to any host outside the enterprise.

One popular and legitimate use of RFC 1918 addresses is for organizations with more employees accessing the Internet than valid IP addresses. For example, consider an organization with 300 employees that periodically surf the Web, but which was assigned only one Class C IP address. Because a Class C IP address has 254 usable host addresses, it is possible to use a router with network address translation capability to map RFC 1918 addresses assigned to stations behind the router to valid Class C addresses. The use of RFC 1918 addresses can serve a valid purpose but, when used as a source address within a packet, the only intention is to hide the packet's origin.

You can also create access list statements to prevent RFC 1918 address spoofing. The following three access list statements could be included in an extended IP access list applied to a router's serial port in the inbound direction to prevent RFC 1918 address spoofing:

access-list 101 deny ip any
access-list 101 deny ip any
access-list 101 deny ip any

The ping Attack

One fad at university computer laboratories is for a hacker to use a series of stations for the ping utility with its -t option to query a common host. The ping -t option, under each version of Microsoft Windows that includes a built-in TCP/IP protocol stack, causes the computer to issue a continuous series of pings until interrupted. With a little ingenuity, the cracker can open the MS-DOS prompt on each workstation connected to the network, issue a ping with the -t option to the IP address of the target, and minimize the window onto the task bar. Within a few minutes, several dozen workstations in a classroom can be continuously pinging a common address, both interfering with productivity, as well as increasing network traffic.

Fortunately, through the use of Cisco extended IP access lists, you can use ICMP filtering to prevent pings from flowing onto your network. To allow users on your internal network to ping extended hosts, you could simply bar echo-requests in the inbound direction. To do so, enter the following statement into your router access list that would be applied to the serial port in the inbound direction:

access-list 101 deny icmp any any echo-request

Note that the prior access list statement specifies the use of the ICMP protocol and uses the keyword “any” for both source and destination addresses. The keyword “echo-request” results in the access list statement sending all pings originating on the untrusted side of the router into oblivion.

Statement Placement

In the world of Cisco access lists, the location of statements in the list is very important. Because you should immediately prevent packets with commonly used spoofed IP addresses from entering your network, anti-spoofing statements should be placed at the top of your access list that is applied to the router's serial port connection to the Internet, in the inbound direction.

Assuming your router's serial port 0 is connected to the Internet, your access list to prevent spoofing, and the appropriate Cisco IOS commands to apply the access list, are as follows:

interface serial 0
ip access-group 101 in
access-list 101 deny icmp any any echo-reply
access-list 101 deny ip any
access list 101 deny ip any
access-list 101 deny ip any
access-list 101 deny ip any

IP-Directed Broadcasts

Routers, although not part of an access list, include a command to disable IP-directed broadcasts. In the past, directed broadcasts were used in one of the most popular denial of service attacks ever created. The “Smurf” attack, named after the original attacking program, transmitted thousands of ICMP echo-request packets to the directed broadcast address of the attacked hosts network. Because an IP broadcast address, such as, is translated into a layer 2 broadcast frame (for example FF:FF:FF:FF:FF:FF for Ethernet), each echo-request packet will illicit a response from each host on the target network. To hide the identity of the attacker and to further victimize the unwilling party, the source address of the ping is altered to represent a secondary victim's network. Because each echo-request is multiplied by the number of hosts on the initial target network, both the original destination and the spoofed source network are denied service. Fortunately, it is a relatively simple procedure to disable IP-directed broadcasts. To do so, enter the following command for each router interface:

no ip-directed broadcasts

Now that I've described defenses for commonly spoofed IP addresses and the command to counter directed broadcasts, I will conclude this article by discussing the prevention of a common denial of service attack called “SYN flooding”. In a Cisco router environment, TCP intercept (which was introduced in IOS Version 11.3), provides a mechanism to prevent SYN flooding.

TCP Intercept

Appreciation of TCP intercept requires an understanding of SYN flooding. SYN flooding represents an attack based upon the three-way TCP handshake. To review, the first packet in the TCP three-way handshake sets the SYN bit. When the destination receives the first packet requesting a service, it responds with a packet setting the SYN and ACK bits, sets a timer, and waits for an ACK from the originator of the conversation. If the originator of the request never responds to the host, the destination host times out the connection. However, while the host is waiting for the transaction to complete itself, this half-open connection consumes resources on the host. If thousands of bogus packets with phony IP addresses and their SYN bit set reach the host, its available resources will be rapidly consumed. This results in denial of service (DoS) to legitimate users and results in SYN flooding being considered a DoS attack.

Recently, a number of DoS attacks against business, government, and educational Web sites have been reported. Each of these attacks exploited the manner by which TCP handshaking occurs as a mechanism to consume all available resources on the target host. Although the previously described anti-IP spoofed address statements will block SYN attacks if the attacker uses your network address or RFC 1918 addresses, let's suppose the cracker is a bit more innovative and randomly generates IP source addresses. In this situation, the previously described anti-spoofing statements would not bar the attack. Thus, with IOS version 11.3, you could turn to TCP intercept.

TCP intercept operates by intercepting and validating TCP connection requests. This feature works in two modes -- intercept and watch. In intercept mode, the router intercepts inbound TCP synchronization requests and establishes a connection with the client on the server's behalf, and with the server on the client's behalf. If both connections are successful, the router transparently merges the two. To prevent its own resources from being consumed by the attacker, the router has a series of aggressive thresholds that, by default, limit the number of potential connections based upon total incomplete connections or connections occurring per one-minute period. In its watch mode, the router passively watches half-open connections and will actively close connections on the server after a configurable length of time.

Enabling TCP Intercept

There are two steps in enabling TCP intercept on a Cisco router. First, configure either a standard or extended IP access list statement that permits the host's IP addresses you want to protect. The format of that access list statement is shown below:

access-list list# permit tcp any destination destination-wildcard

The second step is to enable TCP intercept. To do so, use the IP TCP intercept command, whose format is shown below:

ip tcp intercept list access-list#

Because the default mode of TCP intercept is its intercept mode, a third statement will be necessary to set the router to watch mode. In the default intercept mode, the router responds to incoming SYN requests on the server's behalf with a SYN-ACK, and waits for the ACK from the client. If an ACK is received, the original SYN packet is sent to the server, and the router completes the three-way handshake with the server on behalf of the originating client.

In watch mode, the router enables SYN requests through to the server. If the session fails to establish itself in 30 seconds (the default), the router sends an RST to the server to clear the connection. The amount of time the router waits is configurable. You can set the tcp intercept mode with the mode command. The format of that command is:

ip tcp intercept mode [intercept/watch]

Aggressive Thresholds

A router has a series of aggressive thresholds, each of which has a predefined default value to prevent router resources from being consumed as it protects a network from SYN flooding. When an aggressive threshold is exceeded, the router performs either two (intercept mode) or three (watch mode) functions. Those functions are:

1. Each new connection causes the oldest connection to be deleted.

2. The initial retransmission timeout is reduced by half to 0.5 seconds.

3. If in watch mode, the timeout is reduced by half to 15 seconds.

There are four TCP intercept commands you can use to set aggressive thresholds. Those commands with their default values are shown below:

ip tcp intercept max-incomplete low number 900
ip tcp intercept max-incomplete high number 1100
ip tcp intercept one-minute low number 900
ip tcp intercept one-minute high number 1100

Two factors govern router aggressive behavior. If either max-incomplete or one-minute values are exceeded, aggressive behavior occurs until both values fall below their threshold mark.

Including TCP intercept in an access list is a relatively simple process. To do so, enter the ip tcp intercept command that references the appropriate access list, and include an access list statement with the address you want to protect. For example, assuming the Web server has the IP address, you would use the following statements:

ip tcp intercept list 101
access-list 101 permit tcp any host


Communications can be viewed as the glue that holds a modern society together. It is therefore important to take preventative measures to limit disruptions to your network. Although you can expect other methods to be used against your network, implementing the protection measures mentioned in this article is a good starting point for securing your network. As the Boy Scout motto says, “Be prepared”.

About the Author

Gilbert Held is an award-winning author and internationally-known lecturer. Gil is the author of over 40 books and 300 technical articles. Some of Gil's recent titles include Voice over Data Networks 2ed. and Cisco Security Architecture (co-authored with Kent Hundley), both published by McGraw-Hill, and LAN Performance 3ed., Understanding Data Communications 2ed., and Internetworking LANs and WANs 2ed., published by John Wiley & Sons. Gil can be reached via email at: