Denial of Service Attacks

gpong
Level 1

My company suspects we are getting Denial of Service attacks from outside. I found that this can be prevented by applying TCP intercept on the router; however, our 2600 router does not support TCP intercept. What other choices do I have? Please assist me. Thanks!


tmiller
Level 1

Find the address or port/type of traffic and direct that traffic to a null0 interface?

Can you please describe in detail how I should monitor and trace this kind of behaviour on my router? And what is the null0 interface?

1. Monitor your router logs, sh processes cpu, etc.

2. Use a sniffer to find the address/networks you don't want.

3. Create an access list to accept all traffic you want. All traffic you don't want goes to a static route: ip route 1.1.1.1 255.255.255.255 null0

4. Use a "who is" service to find the network sending you ICMP ping of death attacks and work with them to find the address.

5. Prevent the router from sending ICMP unreachables at all. That behavior is governed with the no ip unreachables command.

See "Essential IOS Features Every ISP Should Consider" on the Cisco site. Look at "black hole" and "selective filtering".

Hope this helps.

r.cheung
Level 1

Download the IOS with the Firewall Feature set for the 2600. The TCP Intercept feature should be in there.

The redirection of the DOS packets to a null interface may be feasible, but keep in mind that the source address on the packets may be forged, and may have the ip address of a legitimate vendor, for example. This would mean that you'd be creating a denial of service for yourself, to your own users.

Also, if you have Windows servers that you want to secure, there are registry keys that recognize a SYN attack, and limit its effects.

The reg key for a Windows 2000 Pro box is like this:

hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect = 2.
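
Added example, not part of any poster's reply: a Python script for the "use a sniffer to find the address/networks you don't want" step that also accounts for the forged-source caveat raised above. It assumes the capture was saved as `tcpdump -n` text; the sample lines, addresses, function names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" in tcpdump -n text output.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Za-z.]+)\]")

def half_open_by_source(lines):
    """Count, per source IP, the SYNs that were never followed up by that client."""
    pending = set()  # (src, sport, dst, dport) flows still waiting for the client's ACK
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        flow = (src, sport, dst, dport)
        if flags == "S":          # bare SYN: connection is now half-open
            pending.add(flow)     # a set, so retransmitted SYNs count once
        elif "S" not in flags:    # ACK, data, FIN or RST from the same client
            pending.discard(flow)
    counts = defaultdict(int)
    for src, _sport, _dst, _dport in pending:
        counts[src] += 1
    return dict(counts)

def assess(lines, per_source=3, many_sources=5):
    """Return (verdict, sources). Thresholds are illustrative assumptions."""
    counts = half_open_by_source(lines)
    heavy = sorted(s for s, n in counts.items() if n >= per_source)
    if heavy:
        return "filter-candidates", heavy          # few sources, many half-opens each
    if len(counts) >= many_sources:
        return "many-sources-likely-forged", []    # per-source null routes will not help
    return "normal", []

def _pkt(src, sport, flags="S"):
    # Constructed sample line; 192.0.2.10:80 is an assumed server address.
    return f"12:00:00.000000 IP {src}.{sport} > 192.0.2.10.80: Flags [{flags}], length 0"

# Constructed capture 1: one source leaves four half-open connections, one client completes.
SAMPLE_REPEAT = [_pkt("198.51.100.7", p) for p in range(40000, 40004)] + [
    _pkt("203.0.113.20", 51000),
    "12:00:00.000000 IP 192.0.2.10.80 > 203.0.113.20.51000: Flags [S.], length 0",
    _pkt("203.0.113.20", 51000, "."),
]
# Constructed capture 2: six sources, one unanswered SYN each.
SAMPLE_SPREAD = [_pkt(f"203.0.113.{i}", 40000 + i) for i in range(1, 7)]

if __name__ == "__main__":
    print(assess(SAMPLE_REPEAT))
    print(assess(SAMPLE_SPREAD))
```

A source reported as a filter candidate can still be forged, as the reply above points out, so compare it against addresses your users depend on before filtering it.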
