RE: Cisco IOS to defend against dod/ddos

["David Gillett" <gillettdavid () fhda edu>]

  It is, IF the attack consumes the resource it is attacking *before*
your local solution can see it.  I don't believe you've told us what 
resource the DoS/DDoS you have in mind is attacking, but if it's your
bandwidth to the Internet, the attack can only be mitigated from the 
Internet side of the link.

David Gillett


> -----Original Message-----
> From: Michael Condon [mailto:admin () singulartechnologysolutions com] 
> Sent: Tuesday, October 21, 2008 10:58 AM
> To: gillettdavid () fhda edu; 'Richard Golodner'
> Cc: security-basics () securityfocus com
> Subject: Re: Cisco IOS to defend against dod/ddos
>
> So, are you saying that defending against dos/ddos attacks 
> locally is futile?
>
> ----- Original Message -----
> From: "David Gillett" <gillettdavid () fhda edu>
> To: "'Michael Condon'" 
> <admin () singulartechnologysolutions com>; "'Richard Golodner'" 
> <rgolodner () infratection com>
> Cc: <security-basics () securityfocus com>
> Sent: Monday, October 20, 2008 4:08 PM
> Subject: RE: Cisco IOS to defend against dod/ddos
>
>
> >  DoS attacks almost always involve deliberate consumption 
> of resources 
> > to deny their legitimate use.  They're an Availability issue rather 
> > than a Confidentiality or Integrity issue.
> >
> >  Different resources may be attacked.  A SYN-flood DoS consumes
> > connection-
> > table entries, for instance.  Perhaps the resource *most commonly* 
> > attacked is bandwidth....
> >
> >  Michael:  Different resources that may be attacked require 
> different 
> > forms
> >
> > of defence.  But MANY DoS attacks can be carried out anonymously -- 
> > that is, the packet source address may be freely spoofed without 
> > lessening the effectiveness of the attack.  So 
> countermeasures based 
> > on the attacking source address will not thwart the attack; 
> in fact, 
> > an attacker who knows such measures are in place can magnify the 
> > effect of their attack by deliberately
> >
> > spoofing source addresses to throw suspicion on legitimate Internet 
> > resources.
> >  (Port scans, to be useful, DO generally need real source 
> addresses, 
> > and so such measures can be useful in that case.  You will need to 
> > understand how your threat environment corresponds to your 
> > vulnerabilities to determine whether these measures are 
> appropriate.)
> >  Richard:  If my objective is to consume too much bandwidth 
> over the 
> > link from A to B, any effort at B to drop the traffic I'm 
> sending is 
> > too late -- the bandwidth is already consumed.  Whether B 
> is managed 
> > by the customer whose internal network lies beyond it, or 
> by the ISP 
> > who controls A, is entirely moot.  The only way to keep the 
> bandwidth 
> > on the link from being consumed is
> >
> > to detect and block the traffic at A, or even further upstream.
> >  (Typically, the attacking traffic arrives at A via 
> higher-capacity, 
> > and/or (especially if DDoS) multiple, links, and so is only a 
> > significant attack when it reaches that target link.)
> >
> > David Gillett
> > CISSP CCNP
> >
> >
> > > -----Original Message-----
> > > From: Michael Condon [mailto:admin () singulartechnologysolutions com]
> > > Sent: Monday, October 20, 2008 9:51 AM
> > > To: Richard Golodner
> > > Cc: security-basics () securityfocus com
> > > Subject: Re: Cisco IOS to defend against dod/ddos
> > >
> > > What about the case where the client operates their own router 
> > > instead of having a managed router? Or are you saying that this 
> > > should be implemented further downstream?
> > > ----- Original Message -----
> > > From: "Richard Golodner" <rgolodner () infratection com>
> > > To: "'Michael Condon'" <admin () singulartechnologysolutions com>
> > > Sent: Monday, October 20, 2008 11:11 AM
> > > Subject: RE: Cisco IOS to defend against dod/ddos
> > >
> > >
> > > > Michael, Cisco builds DDoS mitigation hardware, but it is
> > > very expensive.
> > > > Your best bet is to speak with your upstream providers 
> in order to 
> > > > stop this type of attack. The packet is dropped at your router's 
> > > > interface when using ACL's which means you are already DDossed.
> > > >
> > > >      most sincerely, Richard
> > > >
> > > > -----Original Message-----
> > > > From: listbounce () securityfocus com
> > > > [mailto:listbounce () securityfocus com]
> > > > On
> > > > Behalf Of Michael Condon
> > > > Sent: Saturday, October 18, 2008 9:56 PM
> > > > To: security-basics () securityfocus com
> > > > Subject: Cisco IOS to defend against dod/ddos
> > > >
> > > > Does anyone have examples of Cisco IOS that will defend against 
> > > > dos/ddos/malformed packet attacks by denying access to the
> > > sending IP
> > > > address(es)?
> > > > Can this also be done for port scans?
> > > > Can it be done on Routers, PIX Firewalls/Cisco ASA?