Security Basics mailing list archives
RE: Cisco IOS to defend against dod/ddos
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 20 Oct 2008 14:08:02 -0700
DoS attacks almost always involve deliberate consumption of resources to deny their legitimate use. They're an Availability issue rather than a Confidentiality or Integrity issue.

Different resources may be attacked. A SYN-flood DoS consumes connection-table entries, for instance. Perhaps the resource *most commonly* attacked is bandwidth....

Michael: Different resources that may be attacked require different forms of defence. But MANY DoS attacks can be carried out anonymously -- that is, the packet source address may be freely spoofed without lessening the effectiveness of the attack. So countermeasures based on the attacking source address will not thwart the attack; in fact, an attacker who knows such measures are in place can magnify the effect of their attack by deliberately spoofing source addresses to throw suspicion on legitimate Internet resources.

(Port scans, to be useful, DO generally need real source addresses, and so such measures can be useful in that case. You will need to understand how your threat environment corresponds to your vulnerabilities to determine whether these measures are appropriate.)

Richard: If my objective is to consume too much bandwidth over the link from A to B, any effort at B to drop the traffic I'm sending is too late -- the bandwidth is already consumed. Whether B is managed by the customer whose internal network lies beyond it, or by the ISP who controls A, is entirely moot. The only way to keep the bandwidth on the link from being consumed is to detect and block the traffic at A, or even further upstream.

(Typically, the attacking traffic arrives at A via higher-capacity, and/or (especially if DDoS) multiple, links, and so is only a significant attack when it reaches that target link.)

David Gillett
CISSP CCNP
-----Original Message-----
From: Michael Condon [mailto:admin () singulartechnologysolutions com]
Sent: Monday, October 20, 2008 9:51 AM
To: Richard Golodner
Cc: security-basics () securityfocus com
Subject: Re: Cisco IOS to defend against dod/ddos

What about the case where the client operates their own router instead of having a managed router? Or are you saying that this should be implemented further downstream?

----- Original Message -----
From: "Richard Golodner" <rgolodner () infratection com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>
Sent: Monday, October 20, 2008 11:11 AM
Subject: RE: Cisco IOS to defend against dod/ddos

Michael, Cisco builds DDoS mitigation hardware, but it is very expensive. Your best bet is to speak with your upstream providers in order to stop this type of attack. The packet is dropped at your router's interface when using ACL's which means you are already DDossed.

most sincerely, Richard

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Saturday, October 18, 2008 9:56 PM
To: security-basics () securityfocus com
Subject: Cisco IOS to defend against dod/ddos

Does anyone have examples of Cisco IOS that will defend against dos/ddos/malformed packet attacks by denying access to the sending IP address(es)? Can this also be done for port scans? Can it be done on Routers, PIX Firewalls/Cisco ASA?
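
The source-address point made in the message above, as an added Python model that is not part of the original thread or of any Cisco feature: it replays two constructed windows of SYN sources through a per-source blocking policy and reports which addresses get blocked and how full the connection table ends up. The table size, the threshold, the addresses (RFC 5737 documentation ranges) and all function names are assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_network

TABLE_SIZE = 256        # assumed half-open connection-table capacity
SHUN_THRESHOLD = 20     # assumed policy: block a source after 20 SYNs per window
PARTNER = "192.0.2.10"  # constructed legitimate peer (documentation range)


def evaluate(syns, table_size=TABLE_SIZE, threshold=SHUN_THRESHOLD):
    """Replay one window of SYN source addresses through a per-source block.

    Returns (set of blocked sources, half-open table entries in use).
    """
    per_source = Counter()
    shunned = set()
    half_open = 0
    for src in syns:
        if src in shunned:
            continue                    # dropped by the source-based block
        per_source[src] += 1
        if per_source[src] > threshold:
            shunned.add(src)            # policy fires on the claimed address
            continue
        half_open = min(table_size, half_open + 1)
    return shunned, half_open


def spread_spoof_window():
    """Constructed window: 1000 SYNs whose claimed sources cycle over a /24."""
    pool = [str(h) for h in ip_network("198.51.100.0/24").hosts()]
    forged = [pool[i % len(pool)] for i in range(1000)]
    return evaluate([PARTNER] * 5 + forged)


def framed_partner_window():
    """Constructed window: 1000 SYNs all claiming the partner's address."""
    return evaluate([PARTNER] * 1000 + [PARTNER] * 5)


if __name__ == "__main__":
    for name, run in (("spread", spread_spoof_window),
                      ("framed", framed_partner_window)):
        shunned, half_open = run()
        print(f"{name}: blocked={sorted(shunned)} "
              f"table={half_open}/{TABLE_SIZE}")
```

In the first window no claimed source crosses the threshold, so nothing is blocked while the table fills; in the second the only address blocked is the legitimate peer's.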