Vulnerability: TA14-017A - Example Cisco ACL Rule for Mitigating UDP-Based Amplification Attacks
Submitted: 23 Aug 2022, 09:52
Mitigation: TA14-017A
Objective: Deny IP UDP connections to destination <PUBLIC-ADDRESS> on ports 161 (snmp) and 123 (ntp).
Access: C1905
Interface: Browsing Gateway
Extended IP access list 199
10 deny ip 192.168.0.0 0.0.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip any 10.0.0.0 0.255.255.255
40 deny ip any 192.168.0.0 0.0.255.255
50 deny ip any 172.16.0.0 0.15.255.255
60 deny udp host PUBLIC-ADDRESS eq ntp any (3 matches)
70 deny udp host PUBLIC-ADDRESS eq snmp any (2 matches)
80 deny tcp host PUBLIC-ADDRESS eq domain any
90 deny udp host PUBLIC-ADDRESS eq domain any
100 permit ip any any (8714 matches)
========== SNMP OPEN ==========
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 08:35 -03
Nmap scan report for PUBLIC-ADDRESS
Host is up (0.0058s latency).
PORT STATE SERVICE
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
========== NTP OPEN ==========
Tester: Server Test
IPv4 test results
Result:OK
Server:PUBLIC-ADDRESS
Stratum:3
Offset:0.004442
Delay:0.23228
========== RULE APPLIED ==========
access-list 199 deny ip 172.16.0.0 0.15.255.255 any
access-list 199 deny ip any 10.0.0.0 0.255.255.255
access-list 199 deny ip any 192.168.0.0 0.0.255.255
access-list 199 deny ip any 172.16.0.0 0.15.255.255
access-list 199 deny udp host PUBLIC-ADDRESS eq 123 any
access-list 199 deny udp host PUBLIC-ADDRESS eq snmp any
access-list 199 deny tcp host PUBLIC-ADDRESS eq domain any
access-list 199 deny udp host PUBLIC-ADDRESS eq domain any
access-list 199 permit ip any any
========== MITIGATION VALIDATION ==========
$ sudo nmap -sU PUBLIC-ADDRESS -p 161
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 09:43 -03
Nmap scan report for PUBLIC-ADDRESS
Host is up (0.011s latency).
PORT STATE SERVICE
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 4.98 seconds
$ sudo nmap -sU PUBLIC-ADDRESS -p 123
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 09:43 -03
Nmap scan report for PUBLIC-ADDRESS
Host is up (0.0057s latency).
PORT STATE SERVICE
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
$ sudo nmap -sU PUBLIC-ADDRESS -p 123
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 09:44 -03
Nmap scan report for PUBLIC-ADDRESS
Host is up (0.0018s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
$ sudo nmap -sU PUBLIC-ADDRESS -p 161
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-23 09:44 -03
Nmap scan report for PUBLIC-ADDRESS
Host is up (0.0058s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
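The rule set and the scan results above, as an added example (not the ticket's own tooling and not Cisco code): a small Python first-match evaluator for extended ACL 199, which shows that a reply sourced from PUBLIC-ADDRESS with source port 123, 161 or 53 is dropped by entries 60-90 while the inbound probe itself is still permitted by entry 100, consistent with nmap reporting open|filtered rather than closed. PUBLIC-ADDRESS is assumed to be 203.0.113.10 and the entry numbering follows the show access-lists output.

```python
import ipaddress

# Added example (not the ticket's own tooling): first-match evaluator for ACL 199 as listed
# in the show access-lists output above. PUBLIC-ADDRESS is assumed to be 203.0.113.10.
PUBLIC_ADDRESS = "203.0.113.10"
PORT_NAMES = {"ntp": 123, "snmp": 161, "domain": 53}
ACL_199 = """deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny udp host PUBLIC-ADDRESS eq ntp any
deny udp host PUBLIC-ADDRESS eq snmp any
deny tcp host PUBLIC-ADDRESS eq domain any
deny udp host PUBLIC-ADDRESS eq domain any
permit ip any any"""

def _endpoint(tokens):
    """Consume an address ('any', 'host A' or 'A WILDCARD') and an optional 'eq PORT'."""
    if tokens[0] == "any":
        addr, tokens = (lambda ip: True), tokens[1:]
    elif tokens[0] == "host":
        want = ipaddress.ip_address(tokens[1].replace("PUBLIC-ADDRESS", PUBLIC_ADDRESS))
        addr, tokens = (lambda ip, w=want: ip == w), tokens[2:]
    else:  # Cisco wildcard: a 1 bit means "don't care", so compare only where the mask is 0
        base = int(ipaddress.ip_address(tokens[0]))
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
        addr, tokens = (lambda ip, b=base, c=care: (int(ip) & c) == (b & c)), tokens[2:]
    if tokens and tokens[0] == "eq":  # port may be a name (ntp) or a number (123)
        p = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return addr, (lambda port, p=p: port == p), tokens[2:]
    return addr, (lambda port: True), tokens

def parse_acl(text):
    """Return [(action, proto, src_match, sport_match, dst_match, dport_match), ...]."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        src, sport, rest = _endpoint(t[2:])
        dst, dport, _ = _endpoint(rest)
        rules.append((t[0], t[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """IOS semantics: first matching entry wins; implicit deny if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, (action, rproto, msrc, msport, mdst, mdport) in enumerate(rules, 1):
        if rproto in ("ip", proto) and msrc(s) and msport(sport) and mdst(d) and mdport(dport):
            return action, seq * 10  # sequence numbers 10, 20, ... as in show access-lists
    return "deny", None
```

Run `evaluate(parse_acl(ACL_199), "udp", PUBLIC_ADDRESS, 123, "198.51.100.7", 40000)` to see the NTP reply hit entry 60, and swap source and destination to see the probe fall through to entry 100.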
Abuse categories addressed by ACL 199:
- ABUSE DNS
- ABUSE NTP
- ABUSE SNMP