
DOS attacks!!

arunsing Fri, 10/14/2005 - 09:16

You can use the ip verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.


This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.


Alternatively, I have seen that in most DoS attacks the destination IP is usually one network. You can route the traffic to a null interface. That is really helpful in case the traffic is very high.
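As an added illustration (not part of the post above), here is a small Python model of the two mechanisms it describes: the strict uRPF check, which permits a packet only when the best route back to its source leaves through the interface the packet arrived on, and a Null0 black-hole route for the attacked destination. The FIB entries, interface names and addresses are constructed for the example; the model mirrors IOS in ignoring the default route for uRPF unless allow-default is requested.

```python
import ipaddress

# Constructed FIB for the example: (prefix, outgoing interface).
# A route whose interface is "Null0" is the black-hole route the post describes.
FIB = [
    ("0.0.0.0/0", "Serial0/0"),         # default route toward the upstream
    ("192.0.2.0/24", "Serial0/0"),      # upstream provider link
    ("10.0.0.0/8", "FastEthernet0/1"),  # internal network
    ("10.99.0.0/16", "Null0"),          # victim range black-holed during the flood
]

def lookup(ip, allow_default=True):
    """Longest-prefix match over FIB, like a CEF lookup.
    Returns (network, interface) or None when no route matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue  # uRPF ignores the default route unless allow-default is set
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def strict_urpf_permits(src_ip, ingress_iface, allow_default=False):
    """Strict uRPF check on a received packet: permit only if the best route
    back to the source leaves through the interface the packet arrived on."""
    match = lookup(src_ip, allow_default)
    if match is None:
        return False                 # no return path at all: drop
    _, iface = match
    if iface == "Null0":
        return False                 # source lies in a black-holed range: drop
    return iface == ingress_iface

def forward(dst_ip):
    """Forwarding decision for a packet's destination; Null0 means discard."""
    match = lookup(dst_ip)
    if match is None or match[1] == "Null0":
        return "drop"
    return match[1]

def filter_packets(packets):
    """Apply uRPF on ingress, then the forwarding lookup, to (src, dst, ingress)
    tuples; returns a list of (packet, decision) pairs."""
    out = []
    for src, dst, ingress in packets:
        if not strict_urpf_permits(src, ingress):
            out.append(((src, dst, ingress), "drop: uRPF"))
        else:
            out.append(((src, dst, ingress), forward(dst)))
    return out
```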


jackko Sat, 10/15/2005 - 00:35

Cisco IOS software provides additional features that can help mitigate DoS attacks:


* Committed Access Rate (CAR). CAR allows you to enforce a bandwidth policy against network traffic that matches an access list. For example, CAR allows you to rate-limit what should be low-volume traffic, such as ICMP traffic. To find out more about CAR, refer to the Cisco IOS Quality of Service Solutions Configuration Guide.


* Context-based Access Control (CBAC). CBAC selectively blocks any network traffic not originated by a protected network. CBAC uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. Setting timeout values for network sessions helps mitigate DoS attacks by freeing up system resources, dropping sessions after a specified amount of time. For more information on CBAC, refer to the Cisco IOS Security Configuration Guide.


* TCP Intercept. The TCP Intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of DoS attack. A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Like CBAC, the TCP Intercept feature also uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. For more information on TCP Intercept, refer to the Cisco IOS Security Configuration Guide.


You can simply find those configuration guides by searching the Cisco website. I was thinking to post the URL; however, each IOS version has a guide.

ishah Sun, 10/16/2005 - 07:30

All these are possible options in addition to black hole routing. These measures will protect against a low-volume SYN flood or ICMP-based attack, but when you get more complex attacks, you really need purpose-built solutions.


However, DDoS attacks really need to be stopped at the service provider level, as some attacks can be multi-gigabit in size, and before your perimeter router can stop the attack, your pipe will be flooded.


Cisco has a solution based on Detector and Guard products (formerly Riverhead).


Many Service Providers use either the Cisco solution or Arbor Networks DDoS detection (Peakflow SP) with mainly Cisco Guard protection for subscribing customers.


Customers who dual home to multiple providers need a more complex solution along with control of their AS routing policy.


The measures suggested thus far are good additional measures, but really a provider-managed solution is required if you have mission-critical systems you are trying to protect.
