Table Of Contents
Identifying and Tracking Denial of Service Attacks
How the IP Source Tracker Works
Related Features and Technologies
Supported Standards, MIBs, and RFCs
Enabling IP Source Tracking for a Host Under Attack
Limiting the Number of Hosts that Are Tracked
Setting the Time Interval Used for Generating Syslog Messages
Setting the Time Interval Used for Exporting Statistics to the GRP or RSP
Monitoring and Maintaining IP Source Tracking
Configuring IP Source Tracking for an IP Address Example
Displaying Source Interface Statistics for All Tracked IP Addresses Example
Displaying a Flow Statistic Summary for All Tracked IP Addresses Example
Displaying Detailed Flow Statistics Collected by a Line Card/Port Adapter Example
Displaying Flow Statistics Exported from Line Cards/Port Adapters to the GRP/RSP Example
ip source-track export-interval
ip source-track syslog-interval
IP Source Tracker
Feature History
This feature module describes the IP Source Tracker feature and includes the following sections:
• Supported Standards, MIBs, and RFCs
• Monitoring and Maintaining IP Source Tracking
Feature Overview
The IP Source Tracker feature allows you to gather information about the traffic flowing to a host that is suspected of being under attack. This feature also allows you to easily trace an attack back to its entry point into the network.
Identifying and Tracking Denial of Service Attacks
One of the many challenges faced by ISPs today is tracking and blocking denial of service (DoS) attacks. Counteracting a DoS attack can be broken down into three areas: intrusion detection, source tracking, and blocking. This document discusses the need for source tracking.
To trace attacks, NetFlow and access control lists (ACLs) have been used. To block attacks, committed access rate (CAR) and ACLs have been used. Support for these features on the Cisco 12000 series Internet router has depended on the type of line card used. Support for these features on the Cisco 7500 series routers depends upon the type of port adapter used. There is, therefore, a need to develop a way to receive information tracing the source of an attack that is supported on all line cards and port adapters.
Normally, when you identify the host that is subject to a DoS attack, you must determine the network ingress point to effectively block the attack. This process starts at the router closest to the host.
For example, in Figure 1, you would start at Router A and try to determine the next upstream router to examine. To do this, you would traditionally apply an output ACL to the interface connecting to the host in order to log packets matching the ACL. The logging information is dumped to the router console or syslog. You then have to analyze this information, and possibly go through several ACLs in succession to identify the input interface for the attack. In this case the information points back to Router B.
You then repeat this process on Router B, which leads back to Router C, an ingress point into the network. At this point you can use ACLs or CAR to block the attack. This procedure can require applying several ACLs that generate an excessive amount of output to analyze, making it cumbersome and error prone.
Figure 1 Source Tracking in a DoS Attack
How the IP Source Tracker Works
The IP Source Tracker feature provides an easier, more scalable alternative to output ACLs for tracking DoS attacks. This feature is supported on all Engine 0, 1, 2, and 4 line cards in the Cisco 12000 series Internet router. In future releases, this feature will be supported on Engine 3. This feature is supported on all port adapters and Route Switch Processors (RSPs) that have Cisco Express Forwarding (CEF) switching enabled on Cisco 7500 series routers.
The IP Source Tracker works as follows:
Step 1  After you identify the destination being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command (see "Configuration Tasks" section).
Step 2  Each line card creates a special CEF entry for the destination address being tracked. For line cards or port adapters that use specialized ASICs to do packet switching, the CEF entry is used to punt packets to the line card's or port adapter's CPU.
Step 3  Each line card CPU collects information about the traffic flow to the tracked destination.
Step 4  The data generated is periodically exported to the router. To display a summary of the flow information, enter the show ip source-track summary command. To display more detailed information for each input interface, enter the show ip source-track command.
Step 5  Statistics provide a breakdown of the traffic to each tracked IP address. This allows you to determine which upstream router to analyze next. You can shut down the IP source tracker on the current router by entering the no ip source-track command, and re-open it on the upstream router.
Step 6  Repeat Step 1 to Step 5 until you identify the source of the attack.
Step 7  Apply CAR or ACLs to limit or stop the attack.
Benefits
Complete Network Coverage
Because the IP Source Tracker feature is supported on Engine 0, 1, 2, and 4 (in future releases, Engine 3) line cards on Cisco 12000 series routers and on all port adapters on Cisco 7500 series routers, it allows you to track DoS attacks across your entire network.
Complete Tracking Information Provided
The IP source tracker generates all the necessary information in an easy-to-use format to track the network entry point of a DoS attack.
Tracking an Unlimited Number of IPs Simultaneously
Using the IP source tracker, you can track multiple IPs at the same time. By default there is no limit. To limit the number of IPs that are simultaneously tracked, use the ip source-track address-limit command.
Restrictions
Support for Cisco 12000 Series Line Cards
Starting in IOS Release 12.0(21)S, the IP Source Tracker feature is supported on all Cisco 12000 Series line cards, except for ISE (Engine 3) line cards.
The IP Source Tracker is supported on ISE line cards in IOS Release 12.0(26)S and later releases.
Packets Can Be Dropped for Routers
The IP source tracker is designed to track attacks against hosts. Packets can be dropped if the line card or port adapter CPU is overwhelmed. Therefore, you should be aware that when used to track an attack against a router, the IP source tracker can drop control packets, such as BGP updates.
Engine 0 and 1 Performance Impacted on Cisco 12000 Series
There is no performance impact for packets destined to nontracked IP addresses on Engine 2 and Engine 4 line cards because the IP source tracker affects only tracked destinations. Engine 0 and Engine 1 performance is impacted because on these engines all packets are switched by the CPU.
Note
On Cisco 7500 series routers, there is no performance impact on destinations that are not tracked.
Related Features and Technologies
For related information, refer to other security features, such as:
• Authentication, authorization, and accounting (AAA) systems
• Crypto IP security encryption
• Firewall security features
Related Documents
• Cisco Express Forwarding Overview
• Cisco IOS IP and IP Routing Configuration Guide
• Cisco IOS Release 12.0 Configuration Fundamentals Command Reference
• Cisco IOS Release 12.0 Configuration Fundamentals Configuration Guide
• Configuring Cisco Express Forwarding
Supported Platforms
• Cisco 7500 series
• Cisco 12000 series
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at the following URL:
http://www.cisco.com/register.
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
See the following sections for configuration tasks for the IP Source Tracker feature. Each task in the list is identified as either required or optional.
• Enabling IP Source Tracking for a Host Under Attack (required)
• Limiting the Number of Hosts that Are Tracked (optional)
• Setting the Time Interval Used for Generating Syslog Messages (required)
• Setting the Time Interval Used for Exporting Statistics to the GRP or RSP (optional)
• Verifying IP Source Tracking (required)
Enabling IP Source Tracking for a Host Under Attack
To enable IP source tracking, enter the following command in global configuration mode:
Command:  Router(config)# ip source-track address
Purpose:  Enables IP source tracking on all line cards and port adapters for the IP address of the host under attack.
Limiting the Number of Hosts that Are Tracked
To specify the limit for the number of hosts for which you can configure tracking, enter the following command in global configuration mode:
Command:  Router(config)# ip source-track address-limit number
Purpose:  Configures an administrative limit for the number of ip source-track commands that you can enter. By default, there is no limit.
Setting the Time Interval Used for Generating Syslog Messages
To set the time interval used to generate syslog messages, enter the following command in global configuration mode:
Setting the Time Interval Used for Exporting Statistics to the GRP or RSP
To set the time interval used to export traffic flow information to the Gigabit Route Processor (GRP) or Route Switch Processor (RSP), enter the following command in global configuration mode:
Verifying IP Source Tracking
Step 1  Enter the show ip source-track summary command to verify that IP source tracking is enabled for one or more hosts.
Router# show ip source-track summary
Address         Bytes    Pkts     Bytes/s   Pkts/s
10.0.0.1        119G     1194M    443535    4432
192.168.1.1     119G     1194M    443535    4432
192.168.42.42   119G     1194M    443535    4432
If no traffic has yet been received for the hosts, the show ip source-track summary command displays the following:
Address         Bytes    Pkts     Bytes/s   Pkts/s
10.0.0.1        0        0        0         0
192.168.1.1     0        0        0         0
192.168.42.42   0        0        0         0
Step 2  Enter the show ip source-track command to verify that IP source tracking is processing packets to the hosts and exporting statistics from the line card or port adapter to the GRP/RSP.
Router# show ip source-track
Address         SrcIF   Bytes    Pkts     Bytes/s   Pkts/s
10.0.0.1        PO0/0   119G     1194M    513009    5127
192.168.1.1     PO0/0   119G     1194M    513009    5127
192.168.42.42   PO0/0   119G     1194M    513009    5127
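As an added example (not part of this Cisco document), the following Python script parses show ip source-track output in the layout shown above and, for each tracked address, reports which input interface carries most of the packet rate, which is the direction of the next upstream router to examine (Step 5 of the procedure). The sample output is constructed; the addresses, interfaces and counters in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "show ip source-track"; not captured from a router.
# 192.168.9.9 is reached through two interfaces, one of them carrying almost all packets.
SAMPLE = """\
Router# show ip source-track
Address         SrcIF   Bytes   Pkts    Bytes/s  Pkts/s
10.0.0.1        PO2/0   0       0       0        0
192.168.9.9     PO1/2   131M    511M    1538     6
192.168.9.9     PO2/0   144G    3134M   6619923  143909
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(text):
    """Convert a counter such as '144G', '511M' or '1538' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError("unexpected counter: %r" % text)
    return int(m.group(1)) * _SUFFIX.get(m.group(2), 1)

def parse_source_track(output):
    """Return one dict per (address, source interface) data row; prompt and header are skipped."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 6 or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fields[0]):
            continue
        rows.append({"address": fields[0], "srcif": fields[1],
                     "bytes": parse_count(fields[2]), "pkts": parse_count(fields[3]),
                     "bytes_s": parse_count(fields[4]), "pkts_s": parse_count(fields[5])})
    return rows

def dominant_ingress(rows, min_share=0.9):
    """Map each tracked address to (srcif, share, single_path).

    srcif is the interface with the highest pkts/s for that address and share is its
    fraction of the address's total pkts/s. An address with no traffic yet maps to
    (None, 0.0, False). single_path is False when the top interface carries less than
    min_share of the rate, i.e. the attack is arriving over more than one upstream path
    and each of those interfaces must be followed separately.
    """
    per_addr = defaultdict(lambda: defaultdict(int))
    for r in rows:
        per_addr[r["address"]][r["srcif"]] += r["pkts_s"]
    result = {}
    for addr, ifs in per_addr.items():
        total = sum(ifs.values())
        if total == 0:
            result[addr] = (None, 0.0, False)
            continue
        top_if, top_rate = max(ifs.items(), key=lambda kv: kv[1])
        share = top_rate / total
        result[addr] = (top_if, share, share >= min_share)
    return result

if __name__ == "__main__":
    for addr, (srcif, share, single) in dominant_ingress(parse_source_track(SAMPLE)).items():
        if srcif is None:
            print("%-15s no traffic seen yet" % addr)
        else:
            print("%-15s examine the router upstream of %s (%.2f%% of pkts/s%s)"
                  % (addr, srcif, 100 * share, "" if single else "; multiple ingress paths"))
```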
Monitoring and Maintaining IP Source Tracking
Configuration Examples
This section provides the following examples:
• Configuring IP Source Tracking for an IP Address Example
• Displaying Source Interface Statistics for All Tracked IP Addresses Example
• Displaying a Flow Statistic Summary for All Tracked IP Addresses Example
• Displaying Detailed Flow Statistics Collected by a Line Card/Port Adapter Example
• Displaying Flow Statistics Exported from Line Cards/Port Adapters to the GRP/RSP Example
Configuring IP Source Tracking for an IP Address Example
This example shows how to configure IP source tracking on all line cards/port adapters in the router, in order that each line card or port adapter collects traffic flow data to host address 100.10.0.1 for two minutes before creating an internal system log entry. Packet and flow information recorded in the system log is exported for viewing to the GRP/RSP every 60 seconds.
Router# configure terminal
Router(config)# ip source-track 100.10.0.1
Router(config)# ip source-track syslog-interval 2
Router(config)# ip source-track export-interval 60
Displaying Source Interface Statistics for All Tracked IP Addresses Example
This example displays a summary of the traffic flow statistics collected on each source interface for tracked host addresses.
Router# show ip source-track
Address         SrcIF   Bytes    Pkts     Bytes/s   Pkts/s
10.0.0.1        PO2/0   0        0        0         0
192.168.9.9     PO1/2   131M     511M     1538      6
192.168.9.9     PO2/0   144G     3134M    6619923   143909
Displaying a Flow Statistic Summary for All Tracked IP Addresses Example
This example displays a summary of traffic flow statistics for all hosts being tracked and shows that no traffic has yet been received.
Router# show ip source-track summary
Address         Bytes    Pkts     Bytes/s   Pkts/s
10.0.0.1        0        0        0         0
100.10.1.1      131M     511M     1538      6
192.168.9.9     146G     3178M    6711866   145908
Displaying Detailed Flow Statistics Collected by a Line Card/Port Adapter Example
This example displays the traffic flow information collected on line card/port adapter 0 for all tracked hosts.
Router# exec slot 0 show ip source-track cache
========= Line Card (Slot 0) =======
IP packet size distribution (7169M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 0.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  1 active, 4095 inactive, 13291 added
  198735 ager polls, 0 flow alloc failures
  Active flows timeout in 0 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                   Port Msk AS   NextHop              B/Pk  Active
PO0/0         101.1.1.0       Null          100.1.1.1       06 00  00     55K
0000 /0  0                    0000 /0  0    0.0.0.0               100   10.1
Displaying Flow Statistics Exported from Line Cards/Port Adapters to the GRP/RSP Example
This example displays the packet flow information exported from line cards/port adapters to the GRP/RSP.
Router# show ip source-track export flows
SrcIf    SrcIPaddress    DstIf    DstIPaddress    Pr  SrcP  DstP  Pkts
PO0/0    101.1.1.0       Null     100.1.1.1       06  0000  0000  88K
PO0/0    101.1.1.0       Null     100.1.1.3       06  0000  0000  88K
PO0/0    101.1.1.0       Null     100.1.1.2       06  0000  0000  88K
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
• ip source-track address-limit
• ip source-track export-interval
• ip source-track syslog-interval
ip source-track
To enable IP source tracking for a specified host, use the ip source-track command in global configuration mode. To disable IP source tracking, use the no form of this command.
ip source-track address
no ip source-track address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enable IP source tracking for a specified destination address.
Examples
The following example configures IP source tracking for the host having the IP address 100.1.1.3:
Router(config)# ip source-track 100.1.1.3
Related Commands
Command                            Description
ip source-track address-limit      Configures the maximum number of ip source-track commands that you can enter for hosts under attack.
ip source-track export-interval    Sets the time interval used to export IP tracking statistics collected in the line cards/port adapters to the GRP/RSP.
ip source-track syslog-interval    Sets the time interval used to generate syslog messages to remind users that IP source tracking is enabled.
show ip source-track               Displays the traffic flow statistics collected for tracked IP host addresses.
ip source-track address-limit
To configure the maximum number of ip source-track commands that you can enter for hosts under attack, use the ip source-track address-limit command in global configuration mode. To cancel this administrative limit and return to the default, use the no form of this command.
ip source-track address-limit number
no ip source-track address-limit
Syntax Description
Defaults
None (unlimited number of hosts are tracked).
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to limit the number of destination addresses that you can configure for IP source tracking with the ip source-track command.
Examples
The following example limits IP source tracking to 10 IP addresses:
Router(config)# ip source-track address-limit 10
Related Commands
ip source-track export-interval
To set the time interval used to export IP tracking statistics collected in the line cards/port adapters to the GRP/RSP, use the ip source-track export-interval command in global configuration mode. To cancel this setting and return to the default interval, use the no form of this command.
ip source-track export-interval number
no ip source-track export-interval
Syntax Description
number    Number of seconds used by line cards or port adapters before exporting IP tracking information to the RSP/GRP.
Defaults
30 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify the frequency of IP tracking information to send to the GRP/RSP for viewing.
Examples
The following example sets the time interval used by line cards/port adapters to 30 seconds before exporting IP tracking information:
Router(config)# ip source-track export-interval 30
Related Commands
Command                            Description
ip source-track                    Enables IP source tracking for a specified host.
ip source-track address-limit      Configures the maximum number of ip source-track commands that you can enter for hosts under attack.
ip source-track syslog-interval    Sets the time interval used to generate syslog messages to remind users that IP source tracking is enabled.
show ip source-track               Displays the traffic flow statistics collected for tracked IP host addresses.
ip source-track syslog-interval
To set the time interval used to generate syslog messages to remind users that IP source tracking is enabled, use the ip source-track syslog-interval command in global configuration mode. To cancel this setting and disable syslog generation, use the no form of this command.
ip source-track syslog-interval number
no ip source-track syslog-interval
Syntax Description
Defaults
0 (no syslog messages are generated).
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enable the generation of reminder syslog messages.
Examples
The following example configures the router to generate a syslog message every two minutes after you enable IP source tracking with the ip source-track command:
Router(config)# ip source-track syslog-interval 2
Related Commands
Command                            Description
ip source-track                    Enables IP source tracking for a specified host.
ip source-track address-limit      Configures the maximum number of ip source-track commands that you can enter for hosts under attack.
ip source-track export-interval    Sets the time interval used to export IP tracking statistics collected in the line cards/port adapters to the GRP/RSP.
show ip source-track               Displays the traffic flow statistics collected for tracked IP host addresses.
show ip source-track
To display the traffic flow statistics collected for tracked IP host addresses, use the show ip source-track command in privileged EXEC mode.
show ip source-track {address} {summary | cache | export flows}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display a summary or details of the traffic flow and packet information collected for all host addresses (or a specific address) configured for IP source tracking.
Examples
The following example displays a summary of traffic flow statistics for all host addresses being tracked:
Router# show ip source-track summary
Address         Bytes    Pkts     Bytes/s   Pkts/s
100.1.1.1       119G     1194M    443535    4432
100.1.1.2       119G     1194M    443510    4432
100.1.1.3       119G     1194M    443511    4432
Related Commands
Command                            Description
ip source-track                    Enables IP source tracking for a specified host.
ip source-track address-limit      Configures the maximum number of ip source-track commands that you can enter for hosts under attack.
ip source-track export-interval    Sets the time interval used to export IP tracking statistics collected in the line cards/port adapters to the GRP/RSP.
ip source-track syslog-interval    Sets the time interval used to generate syslog messages to remind users that IP source tracking is enabled.
Glossary
ASIC—Application-specific integrated circuit. Used to consolidate many chips into a single package to reduce board size and power consumption.
ACL—Access control list. List of packet filtering rules to provide security features.
CEF—Cisco Express Forwarding. A Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.
DoS—Denial of Service. Denial of Service (DoS) attacks threaten a Service Provider's ability to ensure the high availability of network resources, such as Web servers. Usually launched by hackers from a bogus IP address, DoS attacks saturate a server or other network device with service requests. The network resource under attack then experiences a "traffic jam" of sorts that prevents customers from accessing it.
FIB—Forwarding information base. A table that contains a mirror image of the forwarding information in the IP routing table. When routing or topology changes occur in the network the route processor updates the IP routing table and CEF updates the FIB.
GRP—Gigabit route processor. The main system processor used in Cisco 12000 series routers.
GSR—Gigabit Switch Router. Former name of the Cisco 12000 series routers.
ISE—IP Services Engine. ISE line cards for Cisco 12000 series Internet Routers provide enhanced Layer 3 capabilities for high-speed customer aggregation, backbone connectivity, and peering solutions. These line cards are available in both concatenated and channelized versions.
LC—Line card. Any I/O card that can be inserted in a modular chassis.
PSA—Packet Switching ASIC. This is also known as Engine 2 on Cisco 12000 series routers.
RP—Route processor. Processor module in the Cisco 7000 family routers that contains the CPU, system software, and most of the memory components that are used in the router. Sometimes called a supervisory processor.
RSP—Route switch processor. Processor module in the Cisco 7500 series routers that integrates the functions of the RP and the Switch Processor (SP).
Copyright © 2003 Cisco Systems, Inc. All rights reserved.