With the zone-based firewall, we should be aware of many caveats and rules regarding its operation. These are as follows:
In this final post in the series, we will examine a simple way to rate limit SYN packets in order to foil attacks involving the SYN attack technique.
In order to effectively rate limit the SYN packets in the correct manner, you should monitor your network baseline in order to determine the appropriate SYN packet rate that represents your acceptable packet flows. The policing can then be set effectively to guard against attack conditions.
Examine the following access list that is configured on our network edge device:
access-list 100 deny tcp any any established access-list 100 permit tcp any any
In this post in the series, we are going to examine another excellent step that goes a long way in preventing the potential devastating damage that a DDoS attack can cause. The goal here is to POLICE traffic that could potentially be used in the attack. Since many classic DDoS attacks utilize PING traffic in their attacks, this post will provide that example. Keep in mind, however, that this technique could be applied to whatever form of traffic that a new attack seeks to use in their exploit.
Since many of the DDoS attacks seek to spoof source IP addressing, it is very important to protect internal networks by filtering outside interfaces for “bogon” sources. What in the world is a bogon? Well, this is the slang that was adopted to refer to source IP addresses that should never show up on your outside (Internet-facing) interfaces.
It is a fun and worthwhile CCIE Security lab practice to see how many of these filter entries you can come up with off of the top of your head. When you are creating these filters in your production network, you can use RFCs like 3330 – Special-Use IPv4 Addresses in order to assist you.
Network engineers shudder when they see this string of letters – D-D-O-S. Decades ago a basic Denial of Service (DoS) attack was bad enough. Someone with too much time on their hands would find a vulnerability in an Operating System and then attack that weak point with a flood of traffic to render the service or entire machine unusable.
But things certainly advance over time. The Distributed Denial of Service (DDOS) attack steps it up considerable. With these attacks, client systems install specialized programs on systems called Handlers. These systems the turn around and control thousands of other infected computers called Agents. The many, many Agents then turn around and carry out the attack against the victim systems.
When I am ready to relax and not think about this madness, I put on the classics like The Beatles, Bob Dylan, and The Stones. When security professionals want to stress out, they think about the DDoS classics like SMURF, SYN FLOOD, and SQL SLAMMER.
Read Full Entry »
Cart