Preventing Basic DDoS Attacks – Part 5 of 5

VN:F [1.9.6_1107]
Rating: 2.7/5 (6 votes cast)
By Anthony Sequeira on June 29th, 2011

In this final post in the series, we will examine a simple way to rate limit SYN packets in order to foil attacks involving the SYN attack technique.

Policing SYN Packets

In order to effectively rate limit the SYN packets in the correct manner, you should monitor your network baseline in order to determine the appropriate SYN packet rate that represents your acceptable packet flows. The policing can then be set effectively to guard against attack conditions.

Examine the following access list that is configured on our network edge device:

access-list 100 deny tcp any any established
access-list 100 permit tcp any any

Notice this access list will only identify that traffic for TCP connections that are not established. Established connections are denied by the first entry. This list can then be used in our policing configuration:

class-map CM_TCPSYN 
 match access-group 100
!
policy-map PM_POLICE 
 class CM_TCPSYN 
 police 24000
!
interface serial 0/0 
 service-policy output PM_POLICE

TCP Intercept

Another effective technique in this regard is to call upon the TCP Intercept feature. The TCP Intercept feature helps prevent SYN-flood type attacks by intercepting and validating TCP connection requests.

This tool can utilize two modes. In intercept mode, the TCP Intercept feature intercepts TCP SYN packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server. If the conenction attempt is legitimate, the TCP Intercept device can then establish the conenction betweent he client and the actual server in the protected network.

The second mode is watch mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

The TCP Intercept feature is configured with the following command:

ip tcp intercept list access-list-number

For more information on TCP Intercept, visit the link below.

TCP Intercept Configuration Guide

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

Preventing Basic DDoS Attacks – Part 5 of 5, 2.7 out of 5 based on 6 ratings
Share and Enjoy:
  • RSS
  • Twitter
  • Facebook
  • Google Bookmarks
  • Digg
  • Print
  • Technorati
  • Slashdot
  • LinkedIn
  • del.icio.us
  • Reddit
  • Sphinn
  • Mixx
  • Blogplay
  • Netvibes
  • NewsVine
  • Live
  • Ping.fm
  • MySpace
  • Yahoo! Bookmarks
  • Yahoo! Buzz

Tags: , , , ,

This entry was posted on Wednesday, June 29th, 2011 at 9:25 am and is filed under Ask the Expert, CCIE, Security, Strategy, Techtorials. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply