When I opened the GUI interface, the intrusion detection screen showed Land attack entries...
The following setting appears to have been in effect:
ip pp intrusion detection in on
1. Check the log
> show ip intrusion detection
PP[01][in]
---------------------------------------------------------------------
Configuration:
IP: on (pass)
IP Option: on (pass)
Fragment: on (pass)
ICMP: on (pass)
UDP: on (pass)
TCP: on (pass)
FTP: on (pass)
Winny: on (pass)
Share: on (pass)
Default: on (pass)
Log:
2010/11/25 15:53:15: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 12:24:53: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 12:26:07: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 12:29:48: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 12:34:01: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 12:36:01: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 12:42:14: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 13:33:40: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 13:39:11: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 13:40:12: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 13:42:26: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 13:44:31: Land attack 133.176.200.xxx > 133.176.200.xxx
2010/12/01 13:58:27: Land attack 133.176.200.xxx > 133.176.200.xxx
2. Enter filter definitions to deal with the attack
ip filter 60 reject 133.176.200.0/24 * * * *
ip filter 61 reject 10.0.0.0/8 * * * *
ip filter 62 reject 172.16.0.0/12 * * * *
ip filter 63 reject 192.168.0.0/16 * * * *
ip filter 70 reject * 133.176.200.0/24 * * *
ip filter 71 reject * 10.0.0.0/8 * * *
ip filter 72 reject * 172.16.0.0/12 * * *
ip filter 73 reject * 192.168.0.0/16 * * *
ip filter 99 pass 133.176.200.0/24 * * *
ip filter 100 pass * 133.176.200.0/24 * * *
3. Add the definitions from the previous step to the secure filter
pp select <PP number>   (specify the WAN-side interface)
ip pp secure filter in 60 61 62 63 100
ip pp secure filter out 70 71 72 73 99
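As an added example (not part of the original post), the following Python models the in/out secure filter lists from steps 2 and 3 and evaluates sample packets against them. It shows why a Land attack packet, whose source address is forged to equal the destination (and so falls inside 133.176.200.0/24), is rejected by filter 60 before it reaches the intrusion detector, while ordinary traffic still passes via filter 100. The filter text is copied from the post; the sample addresses and the assumption that a packet matching no filter is dropped are mine.

```python
"""Evaluate Yamaha RT-style 'ip filter' lists against sample packets."""
from ipaddress import ip_address, ip_network

# Filter definitions from the post, embedded as text so they can be parsed.
FILTER_TEXT = """
ip filter 60 reject 133.176.200.0/24 * * * *
ip filter 61 reject 10.0.0.0/8 * * * *
ip filter 62 reject 172.16.0.0/12 * * * *
ip filter 63 reject 192.168.0.0/16 * * * *
ip filter 70 reject * 133.176.200.0/24 * * *
ip filter 71 reject * 10.0.0.0/8 * * *
ip filter 72 reject * 172.16.0.0/12 * * *
ip filter 73 reject * 192.168.0.0/16 * * *
ip filter 99 pass 133.176.200.0/24 * * *
ip filter 100 pass * 133.176.200.0/24 * * *
"""
SECURE_FILTER_IN = [60, 61, 62, 63, 100]   # ip pp secure filter in ...
SECURE_FILTER_OUT = [70, 71, 72, 73, 99]   # ip pp secure filter out ...


def parse_filters(text):
    """Parse 'ip filter N action src dst ...' lines into {N: (action, src, dst)}."""
    filters = {}
    for line in text.strip().splitlines():
        parts = line.split()
        num, action, src, dst = int(parts[2]), parts[3], parts[4], parts[5]
        filters[num] = (action, src, dst)
    return filters


def _match(pattern, addr):
    """'*' matches anything; otherwise the address must lie in the prefix."""
    return pattern == "*" or ip_address(addr) in ip_network(pattern)


def evaluate(filters, order, src, dst):
    """Walk the filter list in order; return (verdict, matching filter number).

    Assumption: a packet matching no filter in the list is discarded, so the
    verdict for an unmatched packet is ("reject", None).
    """
    for num in order:
        action, fsrc, fdst = filters[num]
        if _match(fsrc, src) and _match(fdst, dst):
            return action, num
    return "reject", None


if __name__ == "__main__":
    f = parse_filters(FILTER_TEXT)
    # Constructed Land attack packet: source forged to equal the destination.
    print(evaluate(f, SECURE_FILTER_IN, "133.176.200.10", "133.176.200.10"))
    print(evaluate(f, SECURE_FILTER_IN, "8.8.8.8", "133.176.200.10"))
```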
4. Also enable the intrusion detection function for outbound traffic toward the Internet
ip pp intrusion detection out on
5. Enter the following commands (for now, rejecting only "Land attack" and "ICMP source quench")
ip pp intrusion detection in on
ip pp intrusion detection in ip on reject=on
ip pp intrusion detection in ip-option on reject=off
ip pp intrusion detection in fragment on reject=off
ip pp intrusion detection in icmp on reject=on
ip pp intrusion detection in udp on reject=off
ip pp intrusion detection in tcp on reject=off
ip pp intrusion detection in default off
ip pp intrusion detection out on
ip pp intrusion detection out ftp on reject=off
ip pp intrusion detection out winny on reject=on
ip pp intrusion detection out share on reject=on
ip pp intrusion detection out default off
Check the log
> show ip intrusion detection
PP[01][in]
---------------------------------------------------------------------
Configuration:
IP: on (reject)
IP Option: on (pass)
Fragment: on (pass)
ICMP: on (reject)
UDP: on (pass)
TCP: on (pass)
FTP: off
Winny: off
Share: off
Default: off
Log:
(no intrusions are detected)
PP[01][out]
---------------------------------------------------------------------
Configuration:
IP: off
IP Option: off
Fragment: off
ICMP: off
UDP: off
TCP: off
FTP: on (pass)
Winny: on (reject)
Share: on (reject)
Default: off
Log:
(no intrusions are detected)