Security Basics mailing list archives
Re: Cisco IOS to defend against dod/ddos
From: "Michael Condon" <admin () singulartechnologysolutions com>
Date: Tue, 21 Oct 2008 12:58:14 -0500
So, are you saying that defending against dos/ddos attacks locally is futile?
----- Original Message -----
From: "David Gillett" <gillettdavid () fhda edu>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>; "'Richard Golodner'" <rgolodner () infratection com>
Cc: <security-basics () securityfocus com>
Sent: Monday, October 20, 2008 4:08 PM
Subject: RE: Cisco IOS to defend against dod/ddos

DoS attacks almost always involve deliberate consumption of resources to deny their legitimate use. They're an Availability issue rather than a Confidentiality or Integrity issue.

Different resources may be attacked. A SYN-flood DoS consumes connection-table entries, for instance. Perhaps the resource *most commonly* attacked is bandwidth....

Michael: Different resources that may be attacked require different forms of defence. But MANY DoS attacks can be carried out anonymously -- that is, the packet source address may be freely spoofed without lessening the effectiveness of the attack. So countermeasures based on the attacking source address will not thwart the attack; in fact, an attacker who knows such measures are in place can magnify the effect of their attack by deliberately spoofing source addresses to throw suspicion on legitimate Internet resources.
(Port scans, to be useful, DO generally need real source addresses, and so such measures can be useful in that case. You will need to understand how your threat environment corresponds to your vulnerabilities to determine whether these measures are appropriate.)

Richard: If my objective is to consume too much bandwidth over the link from A to B, any effort at B to drop the traffic I'm sending is too late -- the bandwidth is already consumed. Whether B is managed by the customer whose internal network lies beyond it, or by the ISP who controls A, is entirely moot. The only way to keep the bandwidth on the link from being consumed is to detect and block the traffic at A, or even further upstream.
(Typically, the attacking traffic arrives at A via higher-capacity, and/or (especially if DDoS) multiple, links, and so is only a significant attack when it reaches that target link.)

David Gillett
CISSP CCNP

-----Original Message-----
From: Michael Condon [mailto:admin () singulartechnologysolutions com]
Sent: Monday, October 20, 2008 9:51 AM
To: Richard Golodner
Cc: security-basics () securityfocus com
Subject: Re: Cisco IOS to defend against dod/ddos

What about the case where the client operates their own router instead of having a managed router? Or are you saying that this should be implemented further downstream?

----- Original Message -----
From: "Richard Golodner" <rgolodner () infratection com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>
Sent: Monday, October 20, 2008 11:11 AM
Subject: RE: Cisco IOS to defend against dod/ddos

> Michael, Cisco builds DDoS mitigation hardware, but it is very expensive.
> Your best bet is to speak with your upstream providers in order to
> stop this type of attack. The packet is dropped at your router's
> interface when using ACLs, which means you are already DDoSed.
>
> most sincerely, Richard
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
> Sent: Saturday, October 18, 2008 9:56 PM
> To: security-basics () securityfocus com
> Subject: Cisco IOS to defend against dod/ddos
>
> Does anyone have examples of Cisco IOS that will defend against
> dos/ddos/malformed packet attacks by denying access to the sending IP
> address(es)?
> Can this also be done for port scans?
> Can it be done on Routers, PIX Firewalls/Cisco ASA?
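The following is an added illustration and not part of the thread or anyone's post in it: a small Python model of the two points David makes above, namely that a source-address blocklist learns nothing when every attack packet carries a fresh spoofed source, and that dropping traffic at B (the victim's router) cannot recover bandwidth already consumed on the A-to-B link, whereas dropping it at A can. The link capacity, packet sizes, addresses (documentation ranges) and the "more than 5 packets per tick" blocking rule are all constructed for the model.

```python
"""Toy model of where DoS filtering has to sit (added example, not from the thread).

A->B is a link with a fixed per-tick byte budget. A source-address blocklist is
learned by counting packets per source. Scenarios filter at A (upstream), at B
(the victim's own router) or nowhere, with and without source-address spoofing.
All numbers and addresses below are constructed for the illustration.
"""
from collections import Counter
from dataclasses import dataclass

LINK_AB_CAPACITY = 10_000  # bytes the A->B link can carry per tick (constructed)
BLOCK_THRESHOLD = 5        # a source sending more than this many packets/tick is blocked


@dataclass(frozen=True)
class Packet:
    src: str
    size: int
    legit: bool


def make_traffic(spoofed: bool) -> list:
    """10 legitimate 500-byte packets, each followed by 5 attack packets of 1000 bytes.

    Non-spoofed attack traffic all comes from one real address; spoofed traffic
    uses a different (constructed) source per packet, so no address stands out.
    """
    pkts = []
    for i in range(10):
        pkts.append(Packet(f"10.0.0.{i + 1}", 500, True))
        for j in range(5):
            n = i * 5 + j
            src = f"203.0.113.{n + 1}" if spoofed else "198.51.100.7"
            pkts.append(Packet(src, 1000, False))
    return pkts


def learn_blocklist(pkts) -> set:
    """What a countermeasure keyed on the attacking source address can learn."""
    counts = Counter(p.src for p in pkts)
    return {src for src, c in counts.items() if c > BLOCK_THRESHOLD}


def drop_blocked(pkts, blocked):
    return [p for p in pkts if p.src not in blocked]


def transit_link(pkts, capacity):
    """Forward packets in arrival order; whatever does not fit this tick is lost."""
    used, delivered = 0, []
    for p in pkts:
        if used + p.size > capacity:
            continue  # no room left on the wire for this packet
        used += p.size
        delivered.append(p)
    return delivered


def scenario(filter_at: str, spoofed: bool) -> tuple:
    """Return (legitimate packets delivered past B, attack packets delivered past B)."""
    traffic = make_traffic(spoofed)
    # Generous to the defender: the blocklist is learned from the full offered load,
    # even though B would only ever see what survives the link.
    blocked = learn_blocklist(traffic)
    if filter_at == "A":
        traffic = drop_blocked(traffic, blocked)
    arrived = transit_link(traffic, LINK_AB_CAPACITY)
    if filter_at == "B":
        arrived = drop_blocked(arrived, blocked)
    legit = sum(1 for p in arrived if p.legit)
    return legit, len(arrived) - legit


if __name__ == "__main__":
    for where in ("none", "B", "A"):
        for spoofed in (False, True):
            legit, attack = scenario(where, spoofed)
            print(f"filter at {where:4} spoofed={spoofed!s:5} "
                  f"legit delivered={legit:2}/10 attack delivered={attack:2}")
```

Run as a script it prints one line per scenario. Filtering at A with a real, repeated source address is the only case where all 10 legitimate packets get through; filtering at B removes the attack packets from what arrives but the legitimate count stays at 2, because the link budget was spent before B saw anything. With spoofed sources the learned blocklist is empty, so the position of the filter no longer matters at all.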