Feedback
Contents
- IP Source Tracker
- Finding Feature Information
- Restrictions for IP Source Tracker
- Information About IP Source Tracker
- Identifying and Tracking Denial of Service Attacks
- Using IP Source Tracker
- IP Source Tracker Hardware Support
- How to Configure IP Source Tracker
- Configuring IP Source Tracking
- What to Do Next
- Verifying IP Source Tracking
- Configuration Examples for IP Source Tracker
- Configuring IP Source Tracking Example
- Verifying Source Interface Statistics for All Tracked IP Addresses Example
- Verifying a Flow Statistic Summary for All Tracked IP Addresses Example
- Verifying Detailed Flow Statistics Collected by a Line Card Example
- Verifying Flow Statistics Exported from Line Cards and Port Adapters Example
- Additional References
- Feature Information for IP Source Tracker
IP Source Tracker
The IP Source Tracker feature tracks information in the following ways:
- Gathers information about the traffic that is flowing to a host that is suspected of being under attack.
- Generates all the necessary information in an easy-to-use format to track the network entry point of a DoS attack.
- Tracks Multiple IPs at the same time.
- Tracks DoS attacks across the entire network.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for IP Source Tracker
Packets Can Be Dropped for Routers
IP source tracking is designed to track attacks against hosts. Packets can be dropped if the line card or port adapter CPU is overwhelmed. Therefore, when used to track an attack against a router, IP source tracking can drop control packets, such as Border Gateway Protocol (BGP) updates.
Engine 0 and 1 Performances Affected on Cisco 12000 Series
There is no performance impact for packets destined to nontracked IP addresses on Engine 2 and Engine 4 line cards because the IP source tracker affects only tracked destinations. Engine 0 and Engine 1 performances are affected because on these engines all packets are switched by the CPU.
 Note | On Cisco 7500 series routers, there is no performance impact on destinations that are not tracked. |
Information About IP Source Tracker
Identifying and Tracking Denial of Service Attacks
One of the many challenges faced by customers today is the tracking and blocking denial-of-service (DoS) attacks. Counteracting a DoS attack involves intrusion detection, source tracking, and blocking. This functionality addresses the need for source tracking.
To trace attacks, NetFlow and access control lists (ACLs) have been used. To block attacks, committed access rate (CAR) and ACLs have been used. Support for these features on the Cisco 12000 series Internet router has depended on the type of line card used. Support for these features on the Cisco 7500 series routers depends upon the type of port adapter used. There is, therefore, a need to develop a way to receive information that both traces the source of an attack and is supported on all line cards and port adapters.
Normally, when you identify the host that is subject to a DoS attack, you must determine the network ingress point to effectively block the attack. This process starts at the router closest to the host.
For example, in the figure below, you would start at Router A and try to determine the next upstream router to examine. Traditionally, you would apply an output ACL to the interface connecting to the host to log packets that match the ACL. The logging information is dumped to the router console or system log. You then have to analyze this information, and possibly go through several ACLs in succession to identify the input interface for the attack. In this case the information points back to Router B.
You then repeat this process on Router B, which leads back to Router C, an ingress point into the network. At this point you can use ACLs or CAR to block the attack. This procedure can require applying several ACLs that generate an excessive amount of output to analyze, making this procedure cumbersome and error prone.
Using IP Source Tracker
IP source tracker provides an easier, more scalable alternative to output ACLs for tracking DoS attacks, and it works as follows:
- After you identify the destination being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command.
- Each line card creates a special Cisco Express Forwarding (CEF) entry for the destination address being tracked. For line cards or port adapters that use specialized Application-Specific Integrated Circuit (ASICs) for packet switching, the CEF entry is used to punt packets to the line card's or port adapter's CPU.
- Each line card CPU collects information about the traffic flow to the tracked destination.
- The data generated is periodically exported to the router. To display a summary of the flow information, enter the show ip source-track summary command. To display more detailed information for each input interface, enter the show ip source-track command.
- Statistics provide a breakdown of the traffic to each tracked IP address. This breakdown allows you to determine which upstream router to analyze next. You can shut down the IP source tracker on the current router by entering the no ip source-track command, and reopen it on the upstream router.
- Repeat Step 1 to Step 5 until you identify the source of the attack.
- Apply CAR or ACLs to limit or stop the attack.
How to Configure IP Source Tracker
Configuring IP Source Tracking
DETAILED STEPS
What to Do Next
After you have configured source tracking on your network device, you can verify your configuration and source tracking statistics, such as traffic flow. To complete this task, see the following section "Verifying IP Source Tracking."
Verifying IP Source Tracking
To verify the status of source tracking, such as packet processing and traffic flow information, perform the following steps.
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
| ||
Step 2 |
show
ip
source-track
[ip-address] [summary |
cache
Example: Router# show ip source-track summary |
Displays traffic flow statistics for tracked IP host addresses | ||
Step 3 |
show
ip
source-track
export
flows
Example: Router# show ip source-track export flows |
Displays the last 10 packet flows that were exported from the line card to the route processor.
|
Example
The following example, which is sample output from the show ip source-track summary command, shows how to verify that IP source tracking is enabled for one or more hosts:
Router# show ip source-track summary
Address Bytes Pkts Bytes/s Pkts/s
10.0.0.1 119G 1194M 443535 4432
192.168.1.1 119G 1194M 443535 4432
192.168.42.42 119G 1194M 443535 4432
The following example, which is sample output from the show ip source-track summary command, shows how to verify that no traffic has yet to be received for the destination hosts that are being tracked:
Router# show ip source-track summary
Address Bytes Pkts Bytes/s Pkts/s
10.0.0.1 0 0 0 0
192.168.1.1 0 0 0 0
192.168.42.42 0 0 0 0
The following example, which is sample output from the show ip source-trackcommand, shows how to verify that IP source tracking is processing packets to the hosts and exporting statistics from the line card or port adapter to the GRP and RSP:
Router# show ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s
10.0.0.1 PO0/0 119G 1194M 513009 5127
192.168.1.1 PO0/0 119G 1194M 513009 5127
192.168.42.42 PO0/0 119G 1194M 513009 5127
Configuration Examples for IP Source Tracker
- Configuring IP Source Tracking Example
- Verifying Source Interface Statistics for All Tracked IP Addresses Example
- Verifying a Flow Statistic Summary for All Tracked IP Addresses Example
- Verifying Detailed Flow Statistics Collected by a Line Card Example
- Verifying Flow Statistics Exported from Line Cards and Port Adapters Example
Configuring IP Source Tracking Example
The following example shows how to configure IP source tracking on all line cards and port adapters in the router. In this example, each line card or port adapter collects traffic flow data to host address 100.10.0.1 for 2 minutes before creating an internal system log entry; packet and flow information recorded in the system log is exported for viewing to the route processor or switch processor every 60 seconds.
Router# configure interface Router(config)# ip source-track 100.10.0.1 Router(config)# ip source-track syslog-interval 2 Router(config)# ip source-track export-interval 60
Verifying Source Interface Statistics for All Tracked IP Addresses Example
The following example displays a summary of the traffic flow statistics that are collected on each source interface for tracked host addresses.
Router# show ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s
10.0.0.1 PO2/0 0 0 0 0
192.168.9.9 PO1/2 131M 511M 1538 6
192.168.9.9 PO2/0 144G 3134M 6619923 143909
Verifying a Flow Statistic Summary for All Tracked IP Addresses Example
The following example displays a summary of traffic flow statistics for all hosts that are being tracked; it shows that no traffic has yet been received.
Router# show ip source-track summary
Address Bytes Pkts Bytes/s Pkts/s
10.0.0.1 0 0 0 0
100.10.1.1 131M 511M 1538 6
192.168.9.9 146G 3178M 6711866 145908
Verifying Detailed Flow Statistics Collected by a Line Card Example
The following example displays traffic flow information that is collected on line card 0 for all tracked hosts.
Router# exec slot 0 show ip source-track cache
========= Line Card (Slot 0) =======
IP packet size distribution (7169M total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 0.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 13291 added
198735 ager polls, 0 flow alloc failures
Active flows timeout in 0 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
PO0/0 101.1.1.0 Null 100.1.1.1 06 00 00 55K
0000 /0 0 0000 /0 0 0.0.0.0 100 10.1
Verifying Flow Statistics Exported from Line Cards and Port Adapters Example
The following example displays packet flow information that is exported from line cards and port adapters to the GRP and the RSP:
Router# show ip source-track export flows
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
PO0/0 101.1.1.0 Null 100.1.1.1 06 0000 0000 88K
PO0/0 101.1.1.0 Null 100.1.1.3 06 0000 0000 88K
PO0/0 101.1.1.0 Null 100.1.1.2 06 0000 0000 88K
Additional References
MIBs
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for IP Source Tracker
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 1 | Feature Information for IP Source Tracker |
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
IP Source Tracker |
12.0(21)S 12.0(22)S 12.0(26)S 12.3(7)T 12.2(25)S |
The IP Source Tracker feature allows information to be gathered about the traffic that is flowing to a host that is suspected of being under attack. This feature was introduced in Release 12.0(21)S on the Cisco 12000 series. This feature was implemented in Release 12.0(22)S on the Cisco 7500 series. This feature was implemented in Release 12.0(26)S on the Cisco 12000 series IP Service Engine (ISE) line cards. This feature was integrated into Cisco IOS Release 12.3(7)T. This feature was integrated into Cisco IOS Release 12.2(25)S. The following commands were introduced or modified: ip source-track, ip source-track address-limit, ip source-track export-interval, ip source-track syslog-interval, show ip source-track, show ip source-track export flows. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.