I have been trying to research the best way to prevent a DoS attack on a Cisco border router. Thoughts anyone?
If the attack is against the border router itself, control plane policing/protection is a great feature that can help.
If there is a flood of traffic to the border router, the ISP could do some filtering for you, to reduce the flood before it even gets to you.
If we are protecting devices behind our border router against a DoS, we could use the above techniques and add ingress filtering with unicast RPF checks. We could also implement the software flavor of IPS (if our router supports it and has enough CPU to handle it) to defend against an attack.
Following the best practices for hardening the router is a good idea as well. Here is a link to the NSA recommendations for a Cisco router:
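Added example, not from the poster above: an IOS configuration that puts the two router-side techniques in that answer together, control plane policing (so floods aimed at the router itself cannot starve BGP and management) and strict unicast RPF on the outside interface (so spoofed sources with no return route via that link are dropped in the forwarding path). The BGP neighbor 192.0.2.1, the management subnet 198.51.100.0/24, the interface name and the police rates are all assumptions; replace them with your own values.

```cisco
! Added example (not the poster's configuration). Peer, subnet, interface and
! rates are assumed placeholders.
!
! Control-plane traffic we expect from known sources: BGP with the assumed
! upstream peer, SSH from the assumed management subnet.
ip access-list extended COPP-MGMT
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
!
! ICMP the router should still answer, but only at a low rate.
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-MGMT
  ! Counted but never dropped: losing BGP during an attack makes it worse.
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-ICMP
  police 32000 8000 conform-action transmit exceed-action drop
 class class-default
  ! Everything else punted to the CPU (unknown SSH, SNMP, garbage) is capped.
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Strict uRPF: drop packets whose source address is not reachable back out
! through this same interface.
interface GigabitEthernet0/0
 description Outside (ISP-facing)
 ip verify unicast source reachable-via rx
```

Strict mode (`reachable-via rx`) is only safe on a single-homed link; if you have more than one upstream and routing is asymmetric, use loose mode (`reachable-via any`) instead or legitimate traffic will be dropped. Check `show policy-map control-plane` after applying the policy: non-zero drop counters in the `COPP-MGMT` class mean the assumed rate is too low for your peers and needs raising.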
Do not connect it to the Internet.
Have an Internet pipe bigger than the whole Internet.
Arrange with the State Intelligence Service to make it known that any offenders may be visiting their HQ.
There is nothing you can do because you are at the end of the chain. You need to stop the attack within the Internet.
Cyber-terrorism is now thought to be the next form of warfare so there is nothing you can do except not connect to the Internet.
Before the Internet, companies would have private circuits between their locations, but now the Internet is used to interact with customers and suppliers, so you can detect a DoS but you cannot stop those packets filling up the circuit.
The only answer is an Internet police: when you report a DoS attack, every ISP stops routing traffic to you from potential attackers. But would agreement be achieved? I think not.
I suppose if you could give every supplier a certificate and modify IP to carry a hash using the private key, and then each router would use the public key to check the IP packet and drop it if invalid, it might work.
I have devices behind my border router that were getting attacked. I tried to blackhole the IP at that point on the border router but it was so overwhelmed it didn't do anything.
Our ISP ended up blocking traffic from that specific IP. I really am looking for a way that in the future should this (and it will) happen again the router can react in a proactive manner...I was thinking something along the lines of rate limiting on the public facing interface.
Once it hits your router it is too late. OK, maybe some good traffic can get through, but if the attacker is firing 2Mb at your 1Mb circuit nothing will stop it, especially if he is faking the source addresses. Your ISP is the key.
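Added example, not from either poster: the original poster's blackhole attempt was a destination route, which drops everything sent to the victim and so takes the victim offline. The variant below drops only the attacking source, using a null route for the attacker's address plus loose-mode unicast RPF on the outside interface; a packet whose source address resolves to Null0 fails the RPF check and is discarded in the forwarding path, without an ACL lookup. The attacker address 203.0.113.7 and the interface name are constructed placeholders.

```cisco
! Added example (not from the thread). Source address and interface assumed.
!
! 1. Route the attacking source to Null0. Nothing is sent to this address,
!    but the route is what the uRPF check consults.
ip route 203.0.113.7 255.255.255.255 Null0
!
! 2. Loose uRPF on the ISP-facing interface: the source only has to be
!    reachable via *some* route. A source whose best route is Null0 fails
!    the check, so only the attacker's packets are dropped and the server
!    behind the router stays reachable for everyone else.
interface GigabitEthernet0/0
 description Outside (ISP-facing)
 ip verify unicast source reachable-via any
!
! 3. Do not generate an ICMP unreachable for every dropped packet; that
!    would turn the drop back into CPU work.
interface Null0
 no ip unreachables
```

Verify with `show ip interface GigabitEthernet0/0` (the uRPF drop counter) and `show ip route 203.0.113.7`. As the reply above says, this only helps when the router still has forwarding capacity: if the upstream circuit itself is full, the drop has to happen at the ISP, and this same pair of commands (a null route for the source, loose uRPF on the edge) is what you would ask them to apply on their side.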
Contact prolexic dot com.
World leader in mitigating DDoS over the Internet. They have scrubbing centers in China, London and 2 in the USA, with 100 GIG bandwidth in each. They move all your traffic (when under attack) from the Internet to their scrubbing centers and send back cleaned traffic over GRE tunnels to your gateway.
Amazing solution they have.
Example: You are hosting a web server at 10.1.1.90, which is under a denial of service attack. Use NBAR to limit web traffic to that server at 200 kb/s
access-list 188 permit tcp any host 10.1.1.90 eq www
class-map match-all DoS
 match access-group 188
policy-map DoS-Attack
 class DoS
  police cir 200000 bc 37500 be 75000 conform-action transmit exceed-action drop
! interface name is assumed; apply the policy on the outside-facing interface
interface GigabitEthernet0/0
 description "Outside Interface"
 service-policy input DoS-Attack
Yes, we can't stop attacks, but:
"Network Security is to create hurdles in the way of the attacker/hacker so that he might need extensive resources to cross the hurdles OR he spends so much time that the grabbed information would not be useful/valuable for him"
It means we can't make it 100% secure, but we can give him a tough time.
Do not connect it to the Internet.
Wait...were you featured in that video, "Stuff" Information Assurance People Say?
I did try this method at home. It comes with the minor annoyance of also killing my email, but so far I have suffered no spam and it has really killed the pop-up ads!