Denial of Service Attacks
The following Cisco features can be used to increase the
basic security measures related to the way in which the router forwards IP
packets.
Controlling Directed Broadcasts
An IP directed broadcast is a datagram
sent to the subnet broadcast address. The directed broadcast is routed through
the network as a unicast packet until it arrives at the target subnet, where
it’s converted into a link-layer broadcast. Only the last router, the one
directly connected to the target subnet, can positively identify a directed
broadcast.
IP directed broadcasts are the amplifier in smurf DoS
attacks: the attacker sends ICMP echo requests with a forged source address (the
victim's) to a directed broadcast address, and every host on the target subnet
replies to the victim. A continuous stream of such requests produces a stream of
replies many times larger, burying the victim host and its link to its ISP.
The interface command no ip directed-broadcast causes the router to discard
directed broadcasts, such as 192.168.12.255 for the subnet 192.168.12.0/24, that
would otherwise "explode" into link-layer broadcasts on that interface. Because
only the last-hop router can recognize a directed broadcast, the command has to
be present on the interface facing the target subnet; a transit router sees the
same packet as ordinary unicast. The no ip directed-broadcast command is the
default in Cisco IOS software version 12.0 and later; on earlier versions it must
be configured explicitly on every interface.
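The classification rule above, as an added example that is not from the original text: each router knows only its directly connected subnets, so a datagram to 192.168.12.255 looks like unicast to every router except the one that owns 192.168.12.0/24. The topology and addresses are constructed for the demo.

```python
"""Added example (not part of the original page): how a router decides whether
a destination address is an IP directed broadcast, and what 'no ip
directed-broadcast' changes. Topology below is constructed sample data."""
import ipaddress


def classify(dst, connected):
    """Return 'directed-broadcast' if dst is the subnet broadcast address of one
    of this router's directly connected subnets, else 'unicast' (the router
    simply forwards it by its routing table)."""
    d = ipaddress.ip_address(dst)
    for net in connected:
        if d == ipaddress.ip_network(net, strict=False).broadcast_address:
            return "directed-broadcast"
    return "unicast"


def forward(dst, connected, ip_directed_broadcast):
    """Forwarding decision for a datagram arriving at a router.
    ip_directed_broadcast=True  models 'ip directed-broadcast' (pre-12.0 default)
    ip_directed_broadcast=False models 'no ip directed-broadcast' (12.0+ default)."""
    if classify(dst, connected) == "directed-broadcast":
        return "explode-to-link-layer-broadcast" if ip_directed_broadcast else "drop"
    return "route-as-unicast"


def amplification(subnet):
    """Number of hosts that would answer one smurf echo request on a classic
    subnet (all usable host addresses; /31 and /32 are not considered)."""
    return ipaddress.ip_network(subnet).num_addresses - 2


# Constructed topology: a transit router on the path and the last-hop router
# that owns the target subnet.
TRANSIT = ["10.0.0.0/30", "10.0.0.4/30"]
LAST_HOP = ["10.0.0.4/30", "192.168.12.0/24"]
SMURF_TARGET = "192.168.12.255"

if __name__ == "__main__":
    print("transit router sees:", classify(SMURF_TARGET, TRANSIT))
    print("last-hop router sees:", classify(SMURF_TARGET, LAST_HOP))
    print("pre-12.0 last hop:", forward(SMURF_TARGET, LAST_HOP, True))
    print("12.0+ last hop:", forward(SMURF_TARGET, LAST_HOP, False))
    print("replies per request on /24:", amplification("192.168.12.0/24"))
```

Only the last-hop router returns "directed-broadcast" for 192.168.12.255, which is why the protection has to sit on that router's LAN-facing interface rather than somewhere upstream.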
Flood Management
As you saw in Chapter 1, many DoS attacks rely on floods of useless packets
that congest network links, slow hosts, and overload routers. Knowing where the
performance bottleneck lies is the first step in flood management. If a DoS
flood is burying a T1 line, filtering at the router on the source (upstream) end
of the line can help, because the packets are discarded before they consume the
link; filtering at the destination end will have little or no effect, since by
the time a packet reaches that router the link bandwidth is already spent.
If an "underpowered" router is the bottleneck, adding filtering will probably
make things worse, because every filter costs the router CPU per packet. In this
case, increasing memory or replacing the device might have to be part of the
solution.
Transit Floods
In some cases, Cisco's quality of service (QoS) features can
be used against some kinds of floods on serial links. Weighted fair queuing
(WFQ), the default for low-speed serial lines in recent versions of Cisco IOS
software, gives each conversation (flow) its own queue and an equal share of the
link, so no single flow can starve the others. It has proven effective against
ping floods but less effective against SYN floods: a ping flood from one source
appears to WFQ as a single flow and is held to one flow's share, whereas each
packet in a SYN flood generally has a different source address or port and so
appears as a separate flow, each of which gets its own share. A smurf reply
stream, one flow per replying host, falls somewhere between the two. Cisco QoS
features are covered extensively on Cisco's web site.
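The flow argument above, worked through as an added example (not code from the original text). The flow key (source, destination, protocol, ports, ToS) is a simplification of the conversation classification IOS uses, the fair-share formula assumes equal weights (real WFQ weights by IP precedence), and all packets are constructed samples.

```python
"""Added example (not part of the original page): how many WFQ 'conversations'
a ping flood, a SYN flood and a smurf reply stream occupy, and what share of
a fair-queued link each therefore gets. Flow key and equal weights are
simplifying assumptions; packets are constructed."""
import ipaddress
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp" or "tcp"
    sport: int = 0      # 0 for ICMP (no ports)
    dport: int = 0
    tos: int = 0


def flow_key(p):
    """Simplified WFQ conversation key."""
    return (p.src, p.dst, p.proto, p.sport, p.dport, p.tos)


def count_flows(packets):
    """Map each conversation to the number of packets it queued."""
    return Counter(flow_key(p) for p in packets)


def wfq_share(packets, legit_flows):
    """Fraction of link capacity the attack traffic receives when `legit_flows`
    legitimate conversations are also active. Under fair queuing every active
    flow gets an equal share, however many packets it has waiting."""
    attack_flows = len(count_flows(packets))
    return attack_flows / (attack_flows + legit_flows)


def ping_flood(n, src="203.0.113.7", dst="192.0.2.10"):
    """One attacker pinging one victim: every packet has the same key."""
    return [Packet(src, dst, "icmp") for _ in range(n)]


def syn_flood(n, dst="192.0.2.10", dport=80, seed=1):
    """Spoofed SYNs with random sources and source ports: nearly every packet
    is its own conversation."""
    rng = random.Random(seed)
    return [Packet(f"198.51.100.{rng.randrange(1, 255)}", dst, "tcp",
                   rng.randrange(1024, 65536), dport) for _ in range(n)]


def smurf_replies(subnet, victim):
    """Echo replies from every host on the amplifier subnet to the victim:
    one flow per replying host."""
    return [Packet(str(h), victim, "icmp")
            for h in ipaddress.ip_network(subnet).hosts()]


if __name__ == "__main__":
    for name, pkts in (("ping flood", ping_flood(1000)),
                       ("SYN flood", syn_flood(1000)),
                       ("smurf replies", smurf_replies("192.168.12.0/24", "203.0.113.7"))):
        print(f"{name}: {len(count_flows(pkts))} flows, "
              f"share vs 9 legitimate flows = {wfq_share(pkts, 9):.2f}")
```

With nine legitimate conversations on the link, the thousand-packet ping flood is squeezed to a tenth of the bandwidth, while the SYN flood of the same size keeps almost all of it: WFQ never distinguishes attack flows from legitimate ones, it only stops one flow from crowding out the rest.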
TCP Intercept
The TCP Intercept feature is designed
specifically to reduce the impact of SYN flooding attacks on hosts. TCP
Intercept is available in some IOS versions for many routers with model numbers
of 4000 or greater. A device supporting TCP Intercept steps in as a
proxy and handles TCP connection requests for a server that is under attack or
heavy load: the router answers the client's SYN itself, completes the three-way
handshake with the client, and only then opens the connection to the server and
joins the two halves. Handshakes that never complete (the typical spoofed SYN)
are timed out and discarded by the router, so the server's own connection
backlog never fills.
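A model of that intercept behaviour, as an added example rather than code from the original page or from Cisco: the router keeps a table of half-open client handshakes, hands a connection to the server only when the client's ACK arrives, and ages out entries that never complete. The protected-server list stands in for the access list TCP Intercept is pointed at; the timeout, addresses and segment counts are constructed for the demo and are not IOS defaults.

```python
"""Added example (not part of the original page): a simplified model of TCP
Intercept proxying the three-way handshake. Constructed addresses and timeout;
only the SYN / ACK / RST flags that matter to the model are represented."""


class TcpIntercept:
    def __init__(self, protected, half_open_timeout=30.0):
        # (server_ip, port) pairs whose SYNs are intercepted (models the
        # access list referenced by 'ip tcp intercept list').
        self.protected = set(protected)
        self.timeout = half_open_timeout
        self.half_open = {}      # (src, sport, dst, dport) -> expiry deadline
        self.forwarded = []      # handshakes completed and handed to the server
        self.expired = 0         # half-open entries dropped by timeout

    def on_segment(self, seg, now):
        """seg = (src, sport, dst, dport, flags). Returns the router's action."""
        src, sport, dst, dport, flags = seg
        if (dst, dport) not in self.protected:
            return "pass"                       # not intercepted, forwarded as usual
        key = (src, sport, dst, dport)
        if flags == "SYN":
            # Answer on the server's behalf; the server never sees this SYN.
            self.half_open[key] = now + self.timeout
            return "SYN-ACK"
        if flags == "ACK" and key in self.half_open:
            # Client completed the handshake: now open the server side.
            del self.half_open[key]
            self.forwarded.append(key)
            return "forward"
        if flags == "RST" and key in self.half_open:
            del self.half_open[key]             # client gave up
            return "drop"
        return "drop"                           # anything else for an unknown handshake

    def expire(self, now):
        """Drop half-open entries whose deadline has passed; return how many."""
        stale = [k for k, deadline in self.half_open.items() if deadline <= now]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)
        return len(stale)


def simulate_syn_flood(n_spoofed=500, timeout=30.0):
    """Spoofed SYNs never ACK (their SYN-ACKs go to hosts that do not exist);
    one legitimate client completes its handshake. Returns what reached the server."""
    ti = TcpIntercept(protected={("192.0.2.10", 80)}, half_open_timeout=timeout)
    now = 0.0
    for i in range(n_spoofed):
        ti.on_segment((f"198.51.100.{i % 250 + 1}", 1024 + i, "192.0.2.10", 80, "SYN"), now)
    client = ("203.0.113.5", 40000, "192.0.2.10", 80)
    first = ti.on_segment(client + ("SYN",), now)
    second = ti.on_segment(client + ("ACK",), now + 0.05)
    expired = ti.expire(now + timeout)
    return {"client_actions": (first, second), "forwarded": len(ti.forwarded),
            "expired": expired, "half_open": len(ti.half_open)}


if __name__ == "__main__":
    print(simulate_syn_flood())
```

The server sees exactly one connection, the legitimate one; the 500 spoofed handshakes are absorbed by the router's table and released by the timeout. The cost moves to the router, which is why the real feature also has aggressive-mode thresholds that shorten the timeout when the half-open table grows.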
Antispoofing with RPF Checks
Cisco IOS versions that support Cisco Express Forwarding
(CEF) can have the router check the source address of every packet against the
interface through which the packet entered the router. If, according to the
routing table, the input interface isn't a feasible path back to the source
address, the packet is dropped. The feature is known as a unicast reverse
path forwarding (RPF) check. It requires CEF to be enabled (ip cef) and is
turned on per interface with the interface command ip verify unicast
reverse-path; later IOS releases also accept ip verify unicast source
reachable-via rx for the same strict check. Strict RPF is safe only where
routing is symmetric; on an interface that can legitimately receive packets
whose return route points elsewhere it will drop legitimate traffic.
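The check itself, as an added example that is not code from the original page or from Cisco IOS: a longest-prefix route lookup on the source address, compared with the input interface. The routing table and addresses are constructed. The strict/loose distinction and the allow_default switch are modelled on the reachable-via rx / any and allow-default options of the newer IOS syntax; the example also shows the asymmetric-routing caveat.

```python
"""Added example (not part of the original page): unicast RPF on a constructed
routing table. Strict mode requires the best route to the source to point
back out the input interface; loose mode only requires that some route exists.
By default a match on the default route does not count (allow_default=False),
mirroring IOS, where the default route satisfies RPF only with allow-default."""
import ipaddress


class Router:
    def __init__(self, routes):
        # routes: iterable of (prefix, outgoing interface)
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Longest-prefix match; returns (network, interface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def rpf_check(self, src, in_iface, mode="strict", allow_default=False):
        """True if a packet with source `src` arriving on `in_iface` passes."""
        route = self.lookup(src)
        if route is None:
            return False                        # unroutable source: always dropped
        net, out_iface = route
        if net.prefixlen == 0 and not allow_default:
            return False                        # only the default route matched
        if mode == "loose":
            return True                         # reachable via any interface
        return out_iface == in_iface            # strict: must be the input interface


# Constructed table: default route to the ISP, the LAN, and a second
# WAN link that creates an asymmetric path for 10.9.0.0/16.
EDGE = Router([
    ("0.0.0.0/0", "Serial0"),
    ("192.168.12.0/24", "Ethernet0"),
    ("10.9.0.0/16", "Serial1"),
])

if __name__ == "__main__":
    cases = [
        ("192.168.12.5", "Ethernet0", {}),                          # our own LAN, correct side
        ("192.168.12.5", "Serial0", {"allow_default": True}),       # spoofed from the Internet
        ("203.0.113.9", "Serial0", {}),                             # Internet host, no allow-default
        ("203.0.113.9", "Serial0", {"allow_default": True}),
        ("10.9.1.1", "Serial0", {}),                                # asymmetric: strict drops
        ("10.9.1.1", "Serial0", {"mode": "loose"}),                 # loose passes
    ]
    for src, iface, opts in cases:
        print(src, "on", iface, opts, "->", "pass" if EDGE.rpf_check(src, iface, **opts) else "drop")
```

Two things worth noticing from the output: strict RPF on the ISP-facing interface drops every Internet source unless the default route is allowed, and a legitimate source reachable over Serial1 but arriving on Serial0 is dropped by strict mode but accepted by loose mode, which is why strict RPF belongs on customer- and LAN-facing interfaces with symmetric routing.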