Nortel Networks 5530, 5520, 5510 manual 10.3 DoS

Page 37

Filters and QoS Configuration for ERS 5500


Technical Configuration Guide

v2.0

NN48500-559

Based on the diagram above, enter the following commands to enable DHCP Snooping:

5530-24TFD(config)#interface fastEthernet all

5530-24TFD(config-if)#qos dhcp spoofing port 2-10 dhcp-server 172.30.30.50

10.3 DoS

The following command is used to enable the various DoS QoS Applications:

5530-24TFD(config)#interface fastEthernet all

5530-24TFD(config-if)#qos dos <nachia|sqlslam|tcp-dnsport|tcp-ftpport|tcp-synfinscan|xmas> port <port #> enable

SQLSlam

The worm targeting SQL Server computers is self-propagating malicious code that exploits a stack buffer overflow allowing the execution of arbitrary code on the SQL Server computer. Once the worm compromises a machine it tries to propagate by crafting packets of 376 bytes and sending them to randomly chosen IP addresses on UDP port 1434. If a packet reaches a vulnerable machine, that machine becomes infected and also begins to propagate. Beyond the scanning activity for new hosts, the current variant of this worm has no other payload. Activity of this worm is readily identifiable on a network by the presence of 376-byte UDP packets. These packets appear to originate from seemingly random IP addresses and are destined for UDP port 1434.

When enabled, the DoS SQLSlam QoS Application will drop UDP traffic whose destination port is 1434 with the byte pattern of 0x040101010101 starting at byte 47 of a tagged packet.

Nachia

The W32/Nachi variants W32/Nachi-A and W32/Nachi-B are worms that spread using the RPC DCOM vulnerability in a similar fashion to the W32/Blaster-A worm. Both rely upon two vulnerabilities in Microsoft's software.

When enabled, the DoS Nachia QoS Application will drop ICMP traffic with the byte pattern of 0xaaaaaa starting at byte 48 of a tagged packet.

Xmas

Xmas is a DoS attack that sends TCP packets with all TCP flags set in the same packet, which is illegal. When enabled, the DoS Xmas QoS Application will drop TCP traffic with the URG:PSH TCP flags set.

TCP SynFinScan

TCP SynFinScan is a DoS attack that sends both a TCP SYN and FIN in the same packet, which is illegal. When enabled, the TCP SynFinScan QoS Application will drop TCP traffic with the SYN:FIN TCP flags set.

TCP FtpPort

A TCP FtpPort attack is identified by TCP packets with a source port of 20 and a destination port less than 1024, which is illegal. A legal FTP request would have been initiated with a TCP port greater than 1024. When enabled, the TCP FtpPort QoS Application will drop TCP traffic with the TCP SYN flag set and a source port of 20 with a destination port less than or equal to 1024.

TCP DnsPort

The TCP DnsPort QoS Application is similar to the TCP FtpPort application but for DNS port 53. When enabled, this application will drop TCP traffic with the TCP SYN flag set and a source port of 53 with a destination port less than or equal to 1024.
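As an added example (not code from this guide or from Nortel's switch firmware), the following Python applies the match rules of the six DoS QoS applications described above (SQLSlam, Nachia, Xmas, TCP SynFinScan, TCP FtpPort, TCP DnsPort) to 802.1Q-tagged IPv4 frames that are constructed inline. The byte positions the guide quotes ("byte 47", "byte 48") are interpreted here as 1-based offsets within the tagged frame, which is an assumption; the frame builder, the sample names and the benign frames are likewise constructed for illustration only.

```python
"""Constructed example: evaluate the ERS 5500 DoS QoS application match
rules against 802.1Q-tagged IPv4 frames built inline.  Not Nortel code."""
import struct

# 802.1Q tagged frame header: dst(6) src(6) TPID(2) TCI(2) EtherType(2)
TAGGED_HDR_LEN = 18
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# TCP flag bits used by the rules
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20


def parse_tagged_ipv4(frame):
    """Return (proto, sport, dport, tcp_flags) or None if not a tagged IPv4 frame."""
    if len(frame) < TAGGED_HDR_LEN + 20:
        return None
    tpid, = struct.unpack_from("!H", frame, 12)
    etype, = struct.unpack_from("!H", frame, 16)
    if tpid != 0x8100 or etype != ETHERTYPE_IPV4:
        return None
    ip = TAGGED_HDR_LEN
    ihl = (frame[ip] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[ip + 9]
    l4 = ip + ihl
    sport = dport = flags = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == PROTO_TCP and len(frame) >= l4 + 14:
        flags = frame[l4 + 13]            # TCP flags byte
    return proto, sport, dport, flags


def pattern_at(frame, byte_pos, pattern):
    """Assumption: the guide's 'byte N' is a 1-based offset into the tagged frame."""
    off = byte_pos - 1
    return frame[off:off + len(pattern)] == pattern


def classify_dos(frame):
    """Name of the DoS QoS application that would drop this frame, or None.
    The order of the checks is a choice made here; it only matters for a
    frame that satisfies more than one rule."""
    parsed = parse_tagged_ipv4(frame)
    if parsed is None:
        return None
    proto, sport, dport, flags = parsed
    if proto == PROTO_UDP and dport == 1434 and pattern_at(frame, 47, bytes.fromhex("040101010101")):
        return "sqlslam"
    if proto == PROTO_ICMP and pattern_at(frame, 48, b"\xaa\xaa\xaa"):
        return "nachia"
    if proto == PROTO_TCP and flags is not None:
        if flags & (URG | PSH) == (URG | PSH):      # guide: URG:PSH set
            return "xmas"
        if flags & (SYN | FIN) == (SYN | FIN):      # guide: SYN:FIN set
            return "tcp-synfinscan"
        if flags & SYN and sport == 20 and dport <= 1024:
            return "tcp-ftpport"
        if flags & SYN and sport == 53 and dport <= 1024:
            return "tcp-dnsport"
    return None


def build_frame(proto, payload=b"", sport=0, dport=0, tcp_flags=0, vid=110):
    """Build a constructed 802.1Q-tagged IPv4 frame with a minimal L4 header
    (checksums left zero; this is test input, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!HHH", 0x8100, vid, ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:  # ICMP echo request header: type 8, code 0, checksum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


# Constructed sample frames: one per DoS application plus benign traffic.
# The "slammer" payload is shortened; a real Slammer datagram is 376 bytes.
SAMPLES = {
    "slammer": build_frame(PROTO_UDP, sport=1234, dport=1434, payload=b"\x04" + b"\x01" * 5 + b"\x00" * 10),
    "nachi_ping": build_frame(PROTO_ICMP, payload=b"\xaa" * 8),
    "xmas": build_frame(PROTO_TCP, sport=4444, dport=80, tcp_flags=FIN | SYN | PSH | URG | 0x14),
    "synfin": build_frame(PROTO_TCP, sport=4444, dport=22, tcp_flags=SYN | FIN),
    "ftp_src20": build_frame(PROTO_TCP, sport=20, dport=139, tcp_flags=SYN),
    "dns_src53": build_frame(PROTO_TCP, sport=53, dport=445, tcp_flags=SYN),
    "normal_http_syn": build_frame(PROTO_TCP, sport=40000, dport=80, tcp_flags=SYN),
    "normal_dns": build_frame(PROTO_UDP, sport=40001, dport=53, payload=b"\x12\x34\x01\x00"),
    "normal_ping": build_frame(PROTO_ICMP, payload=b"abcdefgh"),
}


def classify_all(samples=SAMPLES):
    """Map each sample name to the rule that would drop it (None = forwarded)."""
    return {name: classify_dos(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:16s} -> {verdict or 'pass'}")
```

Running the block prints a verdict per sample; the three "normal_" frames pass while each of the others is attributed to exactly one of the six applications. The shortened Slammer payload is still matched because the rule keys on the UDP destination port and the leading 0x040101010101 bytes, not on the datagram length the guide quotes.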


Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.


External Distribution
