Security Basics mailing list archives
RE: Cisco IOS to defend against dod/ddos
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 21 Oct 2008 11:20:03 -0700
It is, IF the attack consumes the resource it is attacking *before* your local solution can see it. I don't believe you've told us what resource the DoS/DDoS you have in mind is attacking, but if it's your bandwidth to the Internet, the attack can only be mitigated from the Internet side of the link.

David Gillett

-----Original Message-----
From: Michael Condon [mailto:admin () singulartechnologysolutions com]
Sent: Tuesday, October 21, 2008 10:58 AM
To: gillettdavid () fhda edu; 'Richard Golodner'
Cc: security-basics () securityfocus com
Subject: Re: Cisco IOS to defend against dod/ddos

So, are you saying that defending against dos/ddos attacks locally is futile?

----- Original Message -----
From: "David Gillett" <gillettdavid () fhda edu>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>; "'Richard Golodner'" <rgolodner () infratection com>
Cc: <security-basics () securityfocus com>
Sent: Monday, October 20, 2008 4:08 PM
Subject: RE: Cisco IOS to defend against dod/ddos

DoS attacks almost always involve deliberate consumption of resources to deny their legitimate use. They're an Availability issue rather than a Confidentiality or Integrity issue. Different resources may be attacked. A SYN-flood DoS consumes connection-table entries, for instance. Perhaps the resource *most commonly* attacked is bandwidth....

Michael: Different resources that may be attacked require different forms of defence. But MANY DoS attacks can be carried out anonymously -- that is, the packet source address may be freely spoofed without lessening the effectiveness of the attack. So countermeasures based on the attacking source address will not thwart the attack; in fact, an attacker who knows such measures are in place can magnify the effect of their attack by deliberately spoofing source addresses to throw suspicion on legitimate Internet resources. (Port scans, to be useful, DO generally need real source addresses, and so such measures can be useful in that case. You will need to understand how your threat environment corresponds to your vulnerabilities to determine whether these measures are appropriate.)

Richard: If my objective is to consume too much bandwidth over the link from A to B, any effort at B to drop the traffic I'm sending is too late -- the bandwidth is already consumed. Whether B is managed by the customer whose internal network lies beyond it, or by the ISP who controls A, is entirely moot. The only way to keep the bandwidth on the link from being consumed is to detect and block the traffic at A, or even further upstream. (Typically, the attacking traffic arrives at A via higher-capacity, and/or (especially if DDoS) multiple, links, and so is only a significant attack when it reaches that target link.)

David Gillett
CISSP CCNP

-----Original Message-----
From: Michael Condon [mailto:admin () singulartechnologysolutions com]
Sent: Monday, October 20, 2008 9:51 AM
To: Richard Golodner
Cc: security-basics () securityfocus com
Subject: Re: Cisco IOS to defend against dod/ddos

What about the case where the client operates their own router instead of having a managed router? Or are you saying that this should be implemented further downstream?

----- Original Message -----
From: "Richard Golodner" <rgolodner () infratection com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>
Sent: Monday, October 20, 2008 11:11 AM
Subject: RE: Cisco IOS to defend against dod/ddos

Michael,
Cisco builds DDoS mitigation hardware, but it is very expensive. Your best bet is to speak with your upstream providers in order to stop this type of attack. The packet is dropped at your router's interface when using ACLs, which means you are already DDoSed.
most sincerely,
Richard

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Saturday, October 18, 2008 9:56 PM
To: security-basics () securityfocus com
Subject: Cisco IOS to defend against dod/ddos

Does anyone have examples of Cisco IOS that will defend against dos/ddos/malformed packet attacks by denying access to the sending IP address(es)? Can this also be done for port scans? Can it be done on Routers, PIX Firewalls/Cisco ASA?
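An added illustration of where each measure in the thread above actually takes effect; it is not from any of the posters. The ACL, unicast RPF and TCP intercept commands are standard Cisco IOS, while the interface name, ACL numbers and addresses are constructed placeholders.

```cisco
! Constructed example, not from the thread. Interface name, ACL numbers
! and addresses are placeholders; the commands are standard Cisco IOS.
!
! 1. What the original question asked for: deny one sending address.
!    Only useful against traffic whose source is real and stable (a port
!    scanner, say). The packet is dropped *after* it has crossed the link
!    from the ISP, so the bandwidth it consumed is already gone.
access-list 110 remark block a confirmed scanner source (placeholder)
access-list 110 deny   ip host 203.0.113.45 any log
access-list 110 permit ip any any
!
interface Serial0/0
 description Link from the ISP (the thread's "A" is on the ISP side)
 ip access-group 110 in
 !
 ! 2. Spoofed-source floods: a list of offending sources cannot keep up,
 !    and an attacker can spoof legitimate addresses to get them blocked.
 !    Loose-mode unicast RPF drops only sources with no route at all,
 !    without blocking any individual address.
 ip verify unicast source reachable-via any
!
! 3. A SYN flood attacks the connection table, not the link, so a local
!    measure can help here: TCP intercept completes the handshake on
!    behalf of the servers matched by ACL 120 and expires half-open ones.
access-list 120 permit tcp any host 198.51.100.10 eq 80
ip tcp intercept list 120
ip tcp intercept mode intercept
!
! None of this frees the ISP-side link. A flood that fills it has to be
! filtered at A or further upstream, which is why the replies above
! point to the provider.
```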