
Scott Empson and Hans Roth

"CCNP ISCW Portable Command Guide"


Mitigating Trinity v3
Trinity is capable of launching several types of flooding attacks on a victim site, including
UDP, fragment, SYN, reset (RST), acknowledgement (ACK), and other floods.

Communication from the handler or intruder to the agent is accomplished via Internet Relay
Chat (IRC) or ICQ from AOL. Trinity appears to use primarily TCP port 6667 and also has
a backdoor program that listens on TCP port 33270.

Refer to Figure 5-12 for the network topology upon which the following configurations
are based.

Edge(config-if)#ip access-group 151 in
    Takes all access list lines that are defined as being part of group 151
    and applies them in an inbound manner

Edge(config-if)#exit
    Returns to global configuration mode

Edge(config)#

Edge(config)#access-list 152 deny tcp any any eq 6667 log
    Denies any TCP traffic from any network from going to any network
    through port 6667, and logs any instance in which this statement was used

Edge(config)#access-list 152 deny tcp any any eq 33270 log
    Denies any TCP traffic from any network from going to any network
    through port 33270, and logs any instance in which this statement was used

Edge(config)#access-list 152 permit ip any any
    Allows all other traffic through

Edge(config)#interface fastethernet 0/0
    Moves to interface configuration mode

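
Both deny entries in access list 152 end in log, so the router reports each match to syslog. The following is an added example, not taken from the book, that totals those hits per source address; the sample log lines and addresses are constructed, and it assumes the usual IOS %SEC-6-IPACCESSLOGP message layout and the two Trinity ports named in the text above.

```python
import re
from collections import defaultdict

# Ports named in the Trinity v3 text: IRC control channel and backdoor listener.
TRINITY_PORTS = {6667: "IRC control channel", 33270: "backdoor listener"}

# IOS writes %SEC-6-IPACCESSLOGP for TCP/UDP matches on an ACL entry ending in "log".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def trinity_hits(lines, acl="152"):
    """Return {source_ip: {dest_port: packets}} for denied TCP hits on the Trinity ports."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL log message
        if m["acl"] != acl or m["action"] != "denied" or m["proto"] != "tcp":
            continue  # other ACL, permit entry, or non-TCP traffic
        dport = int(m["dport"])
        if dport in TRINITY_PORTS:
            # IOS rate-limits ACL logging and sends follow-up lines with a
            # running packet count for the same flow, so sum the counts.
            hits[m["src"]][dport] += int(m["count"])
    return {src: dict(ports) for src, ports in hits.items()}

# Constructed sample syslog lines (documentation address ranges).
SAMPLE = [
    "Mar  1 00:04:12: %SEC-6-IPACCESSLOGP: list 152 denied tcp 192.0.2.15(1045) -> 198.51.100.7(6667), 1 packet",
    "Mar  1 00:09:12: %SEC-6-IPACCESSLOGP: list 152 denied tcp 192.0.2.15(1045) -> 198.51.100.7(6667), 14 packets",
    "Mar  1 00:10:40: %SEC-6-IPACCESSLOGP: list 152 denied tcp 203.0.113.9(4431) -> 192.0.2.15(33270), 1 packet",
    "Mar  1 00:11:02: %SEC-6-IPACCESSLOGP: list 151 denied tcp 192.0.2.40(3000) -> 198.51.100.7(6667), 2 packets",
    "Mar  1 00:12:30: %SEC-6-IPACCESSLOGP: list 152 permitted tcp 192.0.2.30(2001) -> 198.51.100.80(80), 3 packets",
    "Mar  1 00:13:00: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
]

if __name__ == "__main__":
    for src, ports in sorted(trinity_hits(SAMPLE).items()):
        for port, packets in sorted(ports.items()):
            print(f"{src} -> tcp/{port} ({TRINITY_PORTS[port]}): {packets} packets denied")
```

A source that keeps reappearing against port 6667 is a host worth examining as a possible agent, and any hit on port 33270 shows something trying to reach the backdoor listener.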
118 Mitigating Dedicated DoS Attacks with ACLs
Mitigating SubSeven
SubSeven is a backdoor Trojan horse program that targets Windows machines.

