Archive for August 2012
Configuring TCP intercept.
SYN floods are a pretty common DoS attack that can be performed on any TCP based (FTP, Web Server, Email, etc) application over the internet, luckily our normal run the mill Cisco IOS ISR routers have a feature known as TCP Intercept that can protect your servers from this type of attack.
TCP Intercept operates in 2 different modes but the overall concept is the same, TCP intercept will take into account every SYN packet from the client that traverses the router and if the connection remains half-open or there are so many half-open connections the router will start sent sending rest (RST) packets to close that connection. Half-open connection are those that do not fully complete the TCP handshake (SYN, SYN-ACK, ACK process).
The first of two modes that TCP Intercept operates in is intercept mode. In this mode the router actually accepts the SYN and responds to the source with the SYN-ACK packet, if the client completes the connection by sending the ACK the router then passes the original SYN to the destination and negotiates the connection with server, the client is completely unaware this process is even going on. The only thing to keep in mind with the intercept feature is that the router only keeps track of the TCP packet type, it does not take into account any TCP options within the packet (ie: window scaling or other TCP features within RFC 1323).
Here is a diagram of the process (This image is from Cisco Press: Cisco Router Firewall Security’s book)
TCP Intercept in Intercept mode capturing every SYN packet and acting as buffer protecting the server behind.
TCP Intercept can also operate in a watch mode in this mode the router takes a much more passive approach. In this mode the router does respond to any SYN packet it just sits back and watches the TCP handshake process. If the router notices a connection is half-open for so many seconds it will send a RST packet to the server so the server closes the half-open connection.
Now that we have an understanding of TCP Intercept let’s go ahead and configure TCP intercept.
TCP Intercept configuration options
TCP intercept is configured from global config mode and we have quite a few configurations options here. I’m going to configure TCP Intercept for both watch and intercept mode and we will go through the configurations:
Sample TCP Intercept watch mode configuration
This watch mode configuration accomplishes the following:
- Sets the TCP Intercept mode to watch mode. ip tcp intercept mode watch
- TCP Intercept is configured to monitored TCP connection to servers matched in the TCPInterceptACL access-list, this provides us granular control of the servers and ports we want to monitor. ip tcp intercept list TCPInterceptACL
- The router will transmit a RST packet to servers if the connection is not established within 8 seconds. ip tcp intercept watch-timeout 8
- TCP Intercept will enter an aggressive mode and start dropping the oldest TCP connection if there are 500 half-open TCP connections until that number is below 400 half-open TCP connection. ip tcp intercept max-incomplete high 500 & ip tcp intercept max-incomplete low 400
- TCP Intercept will enter an aggressive mode and start dropping the oldest TCP connection if 300 connection requests within one minute until that number is below 200 requests a minute. ip tcp intercept one-minute high 300 & ip tcp intercept one-minute low 200
- TCP Intercept will close and any connection that has been open for 8 hours (28800 seconds) with no activity. ip tcp intercept connection-timeout 28800
Sample TCP Intercept watch mode configuration
The above TCP Intercept intercept mode configuration is very similar to the previous watch mode but the first thing you will notice is the fact it doesn’t tell you it is operating in intercept mode, this is because it operates in intercept mode by default. You also notice 2 additional commands in here:
- ip tcp intercept finrst-timeout 20 this tells to router when it sees a TCP connection being torn down, if that connection is not closed within 20 seconds the router will close the connection itself by sending a RST packet.
- ip tcp intercept drop-mode random when TCP Intercept starts aggressively dropping connections by default it drops the oldest connections, this behavior can be changed so the router drops random TCP connections instead of the oldest connections.
You can verify how TCP Intercept is interacting with your traffic by issuing the following commands:
- show ip tcp intercept statistics – This will give you a quick look at incomplete, established, & how many connection requests have been made to the servers matched by the ACL.
- show ip tcp intercept connections – This command shows you all the current connections TCP Intercept is working with/watching.
- You can also use debug ip tcp intercept to quickly see what TCP Intercept is doing in real-time.
Now if you want to fully lab this feature out and see it in action you can set up a client/server enviroment in your lab and either configure an ACL to block ACKs from your source client or use a program call Scapy to transmit SYN packets.
Sample ACL:
access-list 101 deny tcp host hostaddress eq portnumber host destination ack
Sample Scapy SYN packet:
sr1(IP(dst=”destinationIP“)/TCP(dport=destinationPortNumber,flags=”S”))
Different DMVPN phases.
When you starting talking about DMVPN you’ll typically hear it being described as a Phase I, II, or III type DMVPN network, so let’s quickly discuss the differences between these three DMVPN phases:
DMVPN Phase I: This phase involves configuring a single mGRE interface on the hub, and all the spokes are still static tunnels so you won’t get any dynamic spoke-to-spoke connectivity. The only advantage of the phase I setup is the fact the hub router’s configuration is much simpler.
DMVPN Phase II: This phase involves everysite being configured with mGRE interface so you get your dynamic spoke-to-spoke connectivity, no more static tunnel destination’s will be configured.
DMVPN Phase III: This phase expands on the scalability of the DMVPN network. This involve summarizing into the DMVPN cloud to provide (Remember EIGRP allows us to summarize out interfaces and BGP allows us to advertise aggregate addresses to neighbors). Along with configuring NHRP redirects and NHRP shortcut switching. NHRP redirects tells the source to find a better path to the destination it is trying to reach. NHRP shortcuts allow DMVPN to learn about other networks behind other DMVPN routers (kind of like ARP for DMVPN). However Phase III will get it’s own post later on.
Configuring DMVPN.
Since I covered the basics of NHRP, now seems like the best time to tackle the configuration of DMVPN on Cisco IOS routers. I’m going simply build off of my last NHRP post, so we are going to have a single hub router and 2 spoke sites, we are going to adding encryption to our DMVPN using tunnel protection.
So lets first configure our IPSec parameters:
For a more in depth look at these commands refer to my older post Encrypted GRE tunnels.
Now that we have the IPSec parameters configured let’s go ahead and configure our tunnel interface for an encrypted DMVPN, so let’s start with the hub:
So there it is, the DMVPN hub, only a few these commands are typical of a normal GRE tunnel but most of them are specific to the DMVPN configuration. Let’s talk about a few these commands:
- ip nhrp authentication password: This command allows you to specify a password for your DMVPN network so not just any GRE tunnel can join your DMVPN cloud. (This is just one a few different mechanism to control who can participate within your DMVPN network)
- ip nhrp map multicast dynamic: This command allows NHRP to automatically map multicast traffic from other devices, without the need to statically configure each device. So this command is how our NHS builds its “nhrp database”
- ip nhrp network-id number: The NHRP network-id number ensures this DMVPN interface only participates within it’s own DMVPN network. Just in case you have more the one tunnel interface on the same router connected to two separate DMVPN clouds/networks.
- tunnel mode gre multipoint: This specifies the tunnel interface an GRE multipoint meaning this will be acting as single interfaces connected to multiple peers
- tunnel key number: This is another mechanism to keep your DMVPN network clean of any unwanted members, this is actually built into the GRE encapsulation itself, only GRE’s tunnels with the same tunnel key can communicate. So if the hub is using Tunnel key 10, then the spoke must use tunnel key 10 as well, if not then they will not be able to communicate.
Now let’s look at the spoke:
Now most of these commands are identical to that found on the hub, with the exception of the following:
- ip nhrp nhs 192.168.1.1: This commands specifies the Next Hop Server for the spoke
- ip nhrp map 192.168.1.1 10.1.1.1: This command maps the NHS GRE (protocol) address to it’s physical interface (NBMA) address.
- ip nhrp map multicast 10.1.1.1: This tells the NHC where to send its multicast traffic to.
And to reinforce that here is the configuration from the second spoke in this DMVPN network:
Identical to the first spoke (with the exception of the ip address).
So now that we have this configuration how do we verify our DMVPN is working, well let’s check our NHRP mappings along with our routing.
We issue the command sh ip nhrp this tells us we have NHRP mappings to both spokes 192.168.1.2 and 192.168.1.3.
Now let’s check the routing, I’ve configured these 3 routers to speak via eBGP:
So from this you’ll notice our hub has 2 eBGP adjacencies with our spokes, and we are are learning a few prefixes from those spokes.
But, now for the ultimate test, lets get spoke1 and spoke2 to create a direct tunnel between themselves.
From the top to bottom, you’ll notice Spoke2 only has NHRP mapping to the hub. I perform a traceroute to spoke1 and you see it bounce off the hub and then hit spoke1 I then perform the same traceroute a second later and it directly hits spoke1 bypassing the hub completely. Now when I issue the sh ip nhrp command you notice I still have my NHRP mapping to the hub at 192.168.1.1, but I also have a new NHRP mapping to spoke1 at 192.168.1.2. So our DMVPN is working successfully!
While this is a small victory, the topic of DMVPN is a fairly large one and we still have a few more topics to cover:
- How DMVPN interacts with IGPs. (Think about this one, some of the tools we rely on to prevent routing loops will be working against here)
- Different “phases” of DMVPN networks.
- Dual cloud DMVPN networks.
So stay tuned there is more to come!
Let’s look at NHRP.
DMVPN, a staple in any large scale VPN network, or a cheap internet backup solution for a primary MPLS network. We all know the great thing about DMVPN is the fact it creates a single mGRE tunnel interface in which multiple connections can be made to/from (trust me if you ever have to manage a router with 500+ GRE tunnels you will quickly learn to love DMVPN) and the fact that mGREs can create tunnels automatically between spokes putting less load on the hub router is another major advantage. It also increases network performance due the fact in a typical hub/spoke topology if two spokes need to communicate between themselves the hub router must decrypt the traffic from spoke1 and then encrypt it again to send it to spoke2, just for spoke2 to decrypt the data again when it receives the data (assuming you are running IPSec over your tunnels). So you have some double encryption/decryption/encapsulation going on there, not very optimal at all.
The question is how does DMVPN know how to create these tunnels, and what mechanism is it that allows DMVPN to create all these tunnels, well that would be NHRP Next Hop Resolution Protocol. NHRP works off a server/client relationship, where the NHRP clients (let’s call them next hop clients/NHCs) register with their next hop server (NHS), it’s the responsibility of the NHS to track all of its NHCs this is done with registration request and reply packets. When two spokes need to communicate between themselves the spokes send over a resolution request packet and the NHS responds with a resolution reply packet, with that information the spokes need to build a tunnel directly between themselves.
So let’s take a quick look at how process occurs between some Cisco routers:
Here is an overview of 2 NHC’s registering with their NHS:
10.1.1.1 / 192.168.1.1 – NHS
10.1.2.1 / 192.168.1.2 – NHC
10.1.3.1 / 192.168.1.3 – NHC
Taking a closer look these NHRP packets they are comprised of a few different parts:
From top to bottom this packet starts off pretty normal, you see the normal L2/L3 information, and the GRE tunnel (since NHRP runs through a GRE tunnel) right after that we get to the NHRP portion of the packet. Now RFC 2332 defines these portions:
- Fixed Header – This portion is always the same, and just covers some basic information NHRP version, Ethertypes of the physical medium, address family information, and etc.
- Mandatory Part – This is where the NHRP packet type is defined (Registration request/reply, resolution request/reply, etc) and tunnel interface (Displayed as the protocol address) and physical interface (displayed as the NBMA address) IP addresses are contained.
- Client Information Entries CIE: Which contains specific information for clients such as MTU and hold down times.
NHRP Packets
Above is a quick screenshot of some of the NHRP packet types. You can the NHC at 10.1.3.1 attempts to register with 10.1.1.1 (the NHS) until the NHS sends its registration reply. Then you can see 10.1.3.1 sending a resolution request to the NHS, this represents the NHC at 10.1.3.1 attempting to reach the NHC at 10.1.2.1 after 10.1.3.1 receives its response from the NHS, 10.1.3.1 sends its it reply directly the NHC at 10.1.2.1. Clearing the NHRP cache on the Cisco router actually forces it to transmit a purge packets.
And now for a closer look:
The fixed header shown above, always includes the same information no matter which NHRP packet type is sent. Not too much to look at the NHRP version, address family, protocol type, and so forth.
The Mandatory Part of the header is what defines the NHRP packet type, this packet was the NHRP resolution request sent from the 10.1.3.1 (a NHC) to 10.1.1.1 (the NHS) when 192.168.1.3 attempted to ping 192.168.1.2 another NHC on the DMVPN network. Something I want to clarify here is the fact there are a lot of different IP addresses shown here. The Source NBMA address is the IP of the physical interface, the Source Protocol Address is the address of DMVPN tunnel on the NHC, and the Destination Protocol Address is the IP address of the DMVPN tunnel of the other NHC we are trying to reach. So NBMA Addresses are for physical interfaces and Protocol Addresses for the logical tunnels. After all that you’ll notice the Client Information Entry at the bottom. (Also keep in mind there are many other parts to the NHRP packet I did not show)
So there was a real quick and dirty run down on NHRP the protocol that makes DMVPN possible. It all really boils down to NHCs registering with the NHS, the NHS keeping all the NHC information in a cached local database, and the NHC’s asking for NHRP resolutions from the NHS when they want to spin up tunnels directly between NHCs. You can find a much more in depth discussion of NHRP in RFC 2332
CCIE or Null! 