Cisco Support Community
New Member

Denial of Service Attacks

My company suspects we are getting Denial of Service attacks from outside. I found that this can be prevented by applying TCP intercept on the router; however, our 2600 router does not support TCP intercept. What other choices do I have? Please assist me. Thanks!

New Member

Re: Denial of Service Attacks

Find the address or port/type of traffic and direct that traffic to a null0 interface?

New Member

Re: Denial of Service Attacks

Can you please describe in detail how I should monitor and trace this kind of behaviour on my router? And what is the null0 interface?

New Member

Re: Denial of Service Attacks

1. Monitor your router logs, sh processes cpu, etc.

2. Use a sniffer to find the address/networks you don't want.

3. Create an access list to accept all traffic you want. All traffic you don't want goes to a static route: ip route interface null0

4. Use a "who is" service to find the network sending you ICMP ping of death attacks and work with them to find the address.

5. Prevent the router from sending ICMP unreachables at all. That behavior is governed by the no ip unreachables command.

See "Essential IOS Features Every ISP Should Consider" on the Cisco site. Look at "black hole" and "selective filtering".

Hope this helps.

New Member

Re: Denial of Service Attacks

Download the IOS with the Firewall Feature set for the 2600. The TCP Intercept feature should be in there.

The redirection of the DoS packets to a null interface may be feasible, but keep in mind that the source address on the packets may be forged, and may have the IP address of a legitimate vendor, for example. This would mean that you'd be creating a denial of service for yourself, to your own users.

Also, if you have Windows servers that you want to secure, there are registry keys that recognize a SYN attack and limit its effects.

The reg key for a Windows 2000 Pro box is like this:

hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect = 2.
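
A triage sketch for the trade-off raised in this thread (null-routing a source versus SYN-flood protection when source addresses may be forged), added here as an example and not posted by any participant. It tallies half-open TCP entries from `netstat -n` style output; the sample rows, the function names and both thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample laid out like Windows `netstat -n -p tcp` output.
SAMPLE = """\
  TCP    192.0.2.10:80     198.51.100.7:40112    SYN_RECEIVED
  TCP    192.0.2.10:80     203.0.113.9:1044      SYN_RECEIVED
  TCP    192.0.2.10:80     198.51.100.201:6001   SYN_RECEIVED
  TCP    192.0.2.10:80     203.0.113.77:3391     SYN_RECEIVED
  TCP    192.0.2.10:80     198.51.100.54:2200    SYN_RECEIVED
  TCP    192.0.2.10:80     203.0.113.140:5123    SYN_RECEIVED
  TCP    192.0.2.10:80     192.0.2.50:49210      ESTABLISHED
  TCP    192.0.2.10:25     192.0.2.51:49877      ESTABLISHED
"""

# Windows prints SYN_RECEIVED; Linux net-tools prints SYN_RECV after two queue columns.
ROW = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?\S+:(\d+)\s+(\S+):\d+\s+(SYN_RECEIVED|SYN_RECV)\s*$",
    re.I,
)

def half_open(text):
    """Return (local_port, remote_ip) for every half-open TCP entry."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found

def assess(text, min_half_open=5, concentrated=0.5):
    """Summarise half-open entries. Both thresholds are assumed values to tune.

    'concentrated': one source holds most half-open slots, a candidate for an
    ACL or null route (after checking it is not a legitimate peer).
    'dispersed': many sources, consistent with forged addresses, so a source
    filter will not help and SYN protection on the router or host is the fit.
    """
    entries = half_open(text)
    total = len(entries)
    by_src = Counter(ip for _, ip in entries)
    by_port = Counter(port for port, _ in entries)
    if total < min_half_open:
        verdict = "normal"
    else:
        top_share = by_src.most_common(1)[0][1] / total
        verdict = "concentrated" if top_share >= concentrated else "dispersed"
    return {"total": total, "by_port": dict(by_port),
            "top_sources": by_src.most_common(3), "verdict": verdict}
```

Calling `assess(SAMPLE)` on the constructed rows reports six half-open entries on port 80 spread over six sources, which is the case where blocking by source address would not help.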
