8 Replies, latest reply: May 9, 2012 4:50 AM by ESummers
DoS attack prevention

Dec 28, 2010 9:12 AM

cjinfantino 231 posts since
Sep 13, 2008

Hey all,

I have been trying to research the best way to prevent a DoS attack on a Cisco border router. Thoughts anyone?

Thanks

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    1. Dec 28, 2010 9:27 AM (in response to cjinfantino)
    Re: DoS attack prevention

    If the attack is against the border router itself, control plane policing/protection is a great feature that can help.

    If there is a flood of traffic to the border router, the ISP could do some filtering for you, to reduce the flood before it even gets to you.

    If we are protecting against a DoS on devices behind our border router, we could use the above techniques, and add ingress filtering with unicast RPF checks. We could also implement the software flavor of IPS (if our router supports it, and has enough CPU to handle it) to defend against an attack.

    Following the best practices for hardening the router is a good idea as well. Here is a link to the NSA recommendations for a Cisco router:

    http://www.nsa.gov/ia/guidance/security_configuration_guides/cisco_router_guides.shtml

    Best wishes,

    Keith

  • Conwyn 7,914 posts since
    Sep 10, 2008
    2. Dec 28, 2010 9:28 AM (in response to cjinfantino)
    Re: DoS attack prevention

    Hi Cjinfantino

    Do not connect it to the Internet.

    Have an Internet pipe bigger than the whole Internet.

    Arrange with the State Intelligence Service to make it known that any offenders may be visiting their HQ.

    There is nothing you can do because you are at the end of the chain. You need to stop the attack within the Internet.

    Cyber-terrorism is now thought to be the next form of warfare, so there is nothing you can do except not connect to the Internet.

    Before the Internet, companies would have private circuits between their locations, but now the Internet is used to interact with customers and suppliers, so you can detect a DoS but you cannot stop those packets filling up the circuit.

    The only answer is an Internet police where, when you report a DoS attack, every ISP stops routing traffic to you from potential attackers, but would agreement be achieved? I think not.

    I suppose if you could give every supplier a certificate and modify IP to carry a hash using the private key, and then each router would use the public key to check the IP packet and drop it if invalid, it might work.

    Regards Conwyn

  • Conwyn 7,914 posts since
    Sep 10, 2008
    4. Dec 28, 2010 10:48 AM (in response to cjinfantino)
    Re: DoS attack prevention

    Hi CJ

    Once it hits your router it is too late. OK, maybe some good traffic can get through, but if the attacker is firing 2Mb at your 1Mb circuit nothing will stop it, especially if he is faking the source addresses. Your ISP is the key.

    Regards Conwyn

  • Muhammad 3 posts since
    May 23, 2011
    5. May 9, 2012 4:21 AM (in response to cjinfantino)
    Re: DoS attack prevention

    Hi

    Contact prolexic dot com.

    World leader in mitigating DDoS over the Internet. They have scrubbing centers in China, London and two in the USA with 100 Gig bandwidth in each. They move all your traffic (when under attack) from the Internet to their scrubbing centers and send the cleaned traffic back over GRE tunnels to your gateway.

    Amazing solution they have.

  • Muhammad 3 posts since
    May 23, 2011
    6. May 9, 2012 4:24 AM (in response to cjinfantino)
    Re: DoS attack prevention

    Example: You are hosting a web server at 10.1.1.90, which is under a denial of service attack. Use NBAR to limit web traffic to that server at 200 kb/s

    ! ACL 188 selects inbound TCP/80 traffic destined to the web server
    access-list 188 permit tcp any host 10.1.1.90 eq www
    !
    ! The class matches on the ACL (match access-group), so what is limited is
    ! everything the ACL permits, not an NBAR protocol classification
    class-map match-all DoS
      match access-group 188
    !
    ! Single-rate, three-color policer: 200 kb/s committed rate,
    ! 37500-byte conforming burst, 75000-byte excess burst;
    ! traffic above the committed rate is dropped in both the exceed
    ! and violate buckets
    policy-map DoS-Attack
      class DoS
        police cir 200000 bc 37500 be 75000
          conform-action transmit
          exceed-action drop
          violate-action drop
    !
    ! Apply inbound on the Internet-facing interface
    interface gig0/0
      description "Outside Interface"
      service-policy input DoS-Attack
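The policer in the post above caps all HTTP traffic to the server at 200 kb/s, so once the flood pushes the aggregate over that rate, legitimate clients are dropped along with the attack. As an added example that is not part of the post or of Cisco documentation, the configuration below pairs the same ACL 188 with IOS TCP Intercept in watch mode, which targets the half-open connections a SYN flood leaves behind and lets completed handshakes through untouched. The threshold values are assumptions; tune them from show tcp intercept statistics against your own traffic.

```cisco
! Reuse the poster's ACL: it now also selects which inbound TCP connections
! the router watches
access-list 188 permit tcp any host 10.1.1.90 eq www
!
! Watch mode: the router passively observes the three-way handshake and sends
! a RST to the server for any connection not completed within the watch
! timeout. (Intercept mode would instead answer the SYN on the server's
! behalf and only open the server-side connection once the client's ACK
! arrives; it costs more router CPU.)
ip tcp intercept list 188
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
!
! Aggressive-mode thresholds (assumed values): once more than 800 half-open
! connections exist, or more than 800 were attempted in the last minute, the
! router drops the oldest half-open connection for each new SYN and halves
! the watch timeout, until the count falls back below 400.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 400
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 400
ip tcp intercept drop-mode oldest
!
! Verification (exec mode):
!   show tcp intercept statistics     - incomplete/established counts and whether
!                                       aggressive mode is active
!   show tcp intercept connections    - current half-open and established sessions
```

TCP Intercept is a software-path feature, so it belongs behind control-plane policing rather than instead of it, and like the policer it does nothing for the case raised later in the thread where the flood is larger than the circuit; at that point only the ISP can drop the traffic upstream.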

  • Muhammad 3 posts since
    May 23, 2011
    7. May 9, 2012 4:30 AM (in response to Conwyn)
    Re: DoS attack prevention

    To Conwyn

    Yes, we can't stop attacks, but:

    "Network security is to create hurdles in the way of the attacker/hacker so that he might need extensive resources to cross the hurdles, OR he spends so much time that the grabbed information would not be useful/valuable for him"

    It means we can't make it 100% secure, but we can give him a tough time.

  • ESummers 312 posts since
    Sep 10, 2010
    8. May 9, 2012 4:50 AM (in response to Conwyn)
    Re: DoS attack prevention

    Conwyn wrote:

    Hi Cjinfantino

    Do not connect it to the Internet.

    Wait... were you featured in that video, "Stuff" Information Assurance People Say?

    I did try this method at home. It comes with the minor annoyance of also killing my email, but so far I have suffered no spam and it has really killed the pop-up ads!
