Security Basics mailing list archives

RE: Cisco IOS to defend against dod/ddos


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 20 Oct 2008 14:08:02 -0700

  DoS attacks almost always involve deliberate consumption of resources
to deny their legitimate use.  They're an Availability issue rather than
a Confidentiality or Integrity issue.

  Different resources may be attacked.  A SYN-flood DoS consumes connection-
table entries, for instance.  Perhaps the resource *most commonly* attacked
is bandwidth....

  Michael:  Different resources that may be attacked require different forms
of defence.  But MANY DoS attacks can be carried out anonymously -- that is,
the packet source address may be freely spoofed without lessening the
effectiveness of the attack.  So countermeasures based on the attacking
source address will not thwart the attack; in fact, an attacker who knows such
measures are in place can magnify the effect of their attack by deliberately
spoofing source addresses to throw suspicion on legitimate Internet
resources.
  (Port scans, to be useful, DO generally need real source addresses, and so
such measures can be useful in that case.  You will need to understand how
your threat environment corresponds to your vulnerabilities to determine whether
these measures are appropriate.)

  Richard:  If my objective is to consume too much bandwidth over the link from
A to B, any effort at B to drop the traffic I'm sending is too late -- the
bandwidth is already consumed.  Whether B is managed by the customer whose
internal network lies beyond it, or by the ISP who controls A, is entirely
moot.  The only way to keep the bandwidth on the link from being consumed is
to detect and block the traffic at A, or even further upstream.
  (Typically, the attacking traffic arrives at A via higher-capacity, and/or
(especially if DDoS) multiple, links, and so is only a significant attack
when it reaches that target link.)

David Gillett
CISSP CCNP
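To put numbers on the point above about source-address countermeasures, here is an added toy simulation (not from the thread, and not a Cisco feature): a per-source blocker at the customer's edge router B, fed constructed traffic under three attacker behaviours. The addresses, rates, threshold and mode names are assumptions; the counters show that every flood packet has crossed the A->B link before B decides anything, that spoofing leaves the blocker with nothing useful to block, and that spoofing real clients' addresses turns the blocker against them.

```python
import random
from collections import Counter

# Constructed scenario (not from the thread): ten real clients and one flood
# aimed at the link A->B. B blocks any source exceeding THRESHOLD packets/s.
LEGIT_SOURCES = [f"198.51.100.{i}" for i in range(1, 11)]
LEGIT_PPS = 5        # packets per second each real client sends
ATTACK_PPS = 2000    # flood rate; every flood packet still crosses the link
THRESHOLD = 100      # per-source packets/s that B tolerates before blocking
SECONDS = 5

def one_second(mode, rng):
    """Traffic arriving at A during one second as (source, is_attack) pairs."""
    pkts = [(s, False) for s in LEGIT_SOURCES for _ in range(LEGIT_PPS)]
    for _ in range(ATTACK_PPS):
        if mode == "own_address":        # attacker does not spoof at all
            src = "203.0.113.7"
        elif mode == "random_spoof":     # forged, ever-changing sources
            src = f"203.0.113.{rng.randrange(256)}"
        else:                            # "spoof_legit": forged as real clients
            src = rng.choice(LEGIT_SOURCES)
        pkts.append((src, True))
    rng.shuffle(pkts)
    return pkts

def simulate(mode, seed=1):
    """Run B's per-source blocker and report what it did and did not achieve."""
    rng = random.Random(seed)
    blocked, per_second = set(), Counter()
    on_link = attack_past_b = legit_past_b = 0
    for _ in range(SECONDS):
        per_second.clear()
        for src, is_attack in one_second(mode, rng):
            on_link += 1                 # link bandwidth spent before B decides
            if src in blocked:
                continue                 # dropped at B: too late for the link
            per_second[src] += 1
            if per_second[src] > THRESHOLD:
                blocked.add(src)         # B now treats this source as hostile
                continue
            if is_attack:
                attack_past_b += 1
            else:
                legit_past_b += 1
    return dict(packets_on_link=on_link, attack_past_b=attack_past_b,
                legit_past_b=legit_past_b,
                legit_sources_blocked=len(blocked & set(LEGIT_SOURCES)))
for mode in ("own_address", "random_spoof", "spoof_legit"):
    print(mode, simulate(mode))
```

In every mode the link carries the same 10250 packets; only the unspoofed flood is ever blocked, and the "spoof_legit" run blocks all ten real clients while most flood packets are still delivered.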


-----Original Message-----
From: Michael Condon [mailto:admin () singulartechnologysolutions com] 
Sent: Monday, October 20, 2008 9:51 AM
To: Richard Golodner
Cc: security-basics () securityfocus com
Subject: Re: Cisco IOS to defend against dod/ddos

What about the case where the client operates their own 
router instead of having a managed router? Or are you saying 
that this should be implemented further downstream?
----- Original Message -----
From: "Richard Golodner" <rgolodner () infratection com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>
Sent: Monday, October 20, 2008 11:11 AM
Subject: RE: Cisco IOS to defend against dod/ddos


Michael, Cisco builds DDoS mitigation hardware, but it is very expensive.
Your best bet is to speak with your upstream providers in order to
stop this type of attack. The packet is dropped at your router's
interface when using ACLs, which means you are already DDoSed.

     most sincerely, Richard

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Condon
Sent: Saturday, October 18, 2008 9:56 PM
To: security-basics () securityfocus com
Subject: Cisco IOS to defend against dod/ddos

Does anyone have examples of Cisco IOS that will defend against
dos/ddos/malformed packet attacks by denying access to the sending IP
address(es)?
Can this also be done for port scans?
Can it be done on Routers, PIX Firewalls/Cisco ASA?
