A new approach to defending against DoS attacks with routers


A DoS (denial of service) attack uses seemingly legitimate service requests to tie up so many service resources that legitimate users can no longer get a response from the service.

DoS attacks take many forms, but they share some common characteristics: the use of spoofed source addresses, the exploitation of network protocol flaws, the exploitation of operating system or software vulnerabilities, and the generation of large volumes of useless packets that consume service resources. Defending against DoS attacks therefore has to start from these characteristics: analyze them and formulate appropriate strategies and methods.

Feature description of Smurf attack

The Smurf attack was named after the program that carried it out; it is an ICMP echo flooding attack.

In such an attack, the spoofed source address carried in the ping packets is the ultimate and main victim, while the broadcast segment attached to the router becomes an accomplice to the attack (acting like an amplifier that makes the traffic grow rapidly) and is itself a victim.

Ways to defend against Smurf attacks

Given these characteristics, the Smurf attack can be defended against from two sides: preventing one's own network from becoming the accomplice (the first victim), and defending from the position of the ultimate victim. Both paths and their methods of defense are discussed below.

I. Refusing to be an accomplice to the attack

For Smurf to use a network as a "traffic amplifier", the network must have the following characteristics:

1. The router lets packets with spoofed IP source addresses through;

2. The router converts directed broadcasts (packets sent to the network's broadcast address) into layer-2 (MAC-layer) broadcasts and broadcasts them onto the attached segment;

3. Hosts on the broadcast network are allowed to respond to ping broadcasts;

4. The router does not limit the traffic of the hosts' ping responses.

Therefore, the network can be redesigned around these four points so that it no longer meets the conditions for becoming a "traffic amplifier".

Prevent IP source address spoofing

IP source address spoofing is used in many different attack modes, such as TCP SYN flooding, UDP flooding and ICMP flooding.

A forged source address may be a non-existent address (one that is not allowed to be routed on the public Internet) or the address of the final attack target.

In UDP flooding, the attacker connects the target system's chargen port to the echo port of the host that the spoofed source address points to, so that the chargen port generates a stream of random characters to the echo port and the echo port sends every received character back. The end result is that both systems crash from resource exhaustion.

Note: To protect against UDP flooding, the router's diagnostic ports or services must not be open to areas outside the administrative domain, and they should be turned off if they are not needed.

The most effective way to prevent IP source address spoofing is to verify the authenticity of the source address. On Cisco routers the following two methods are available:

A. Filter IP source address spoofing at the network boundary

One of the simplest and most effective ways to block IP source address spoofing is to restrict the packets sent in by the downstream network with an inbound access list on the border router. At the same time, to be able to trace the attacker, the log keyword can be used to record the dropped packets.

B. Use unicast reverse path forwarding

Using access control lists to restrict IP addresses at the downstream entrance relies on the downstream address range being known. At the upstream entrance, however, the range of source addresses of incoming traffic is sometimes hard to determine. One way to determine the scope of the filter is to use Unicast Reverse Path Forwarding.

Unicast Reverse Path Forwarding, abbreviated uRPF, is a feature offered by newer Cisco IOS releases.

uRPF works as follows: when the router receives a packet on an interface, it looks up the CEF (Cisco Express Forwarding) table to verify that there is a route back to the source address given in the packet through the receiving interface; that is, it looks up the path in reverse and verifies its authenticity. If no such path exists, the packet is dropped.

Compared with access control lists, uRPF has several advantages: it consumes fewer CPU resources, it adapts to dynamic changes in the router's routing table (because the CEF table follows the routing table), so it needs less maintenance, and it has less impact on router performance.

uRPF is configured per interface, with the following commands:

(config)# ip cef

(config-if)# ip verify unicast reverse-path

Note: For uRPF to work, CEF must be enabled globally and the verification must also be enabled on the interface being configured.
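The reverse lookup that uRPF performs, as an added illustration that is not part of the original article or of Cisco's code: a miniature CEF table for a hypothetical border router and a strict-mode check run over constructed sample packets. The allow_default switch is an assumption of this model, standing in for whether a default route may satisfy the check.

```python
import ipaddress

# Constructed CEF-style forwarding table for a hypothetical border router (not from
# the article): prefix -> interface the router would use to reach that prefix.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):      "Serial3/0/0",  # default route toward upstream
    ipaddress.ip_network("192.168.1.0/24"): "Ethernet0/0",  # downstream LAN
    ipaddress.ip_network("10.20.0.0/16"):   "Ethernet0/1",  # second downstream segment
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def reverse_path(src, allow_default=False):
    """Longest-prefix match on the SOURCE address: which interface leads back to it?
    The default route only counts when allow_default is set (model assumption)."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        if prefix == DEFAULT and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_accept(src, ingress, allow_default=False):
    """Strict uRPF: forward only if the reverse path leaves via the ingress interface."""
    return reverse_path(src, allow_default) == ingress


def filter_packets(packets, allow_default=False):
    """Apply the check to (src, ingress) pairs; return (forwarded, drop_log)."""
    forwarded, drop_log = [], []
    for src, ingress in packets:
        if urpf_accept(src, ingress, allow_default):
            forwarded.append((src, ingress))
        else:
            rpf = reverse_path(src, allow_default)
            drop_log.append(f"uRPF drop: src={src} in={ingress} reverse-path={rpf}")
    return forwarded, drop_log


# Constructed sample traffic: one genuine LAN host, two spoofed packets and one
# ordinary outside source that is covered only by the default route.
SAMPLE = [
    ("192.168.1.10", "Ethernet0/0"),  # legitimate: LAN address on the LAN interface
    ("192.168.1.10", "Serial3/0/0"),  # spoofed: inside address arriving from upstream
    ("10.20.5.7",    "Ethernet0/0"),  # spoofed: belongs to the other downstream segment
    ("203.0.113.5",  "Serial3/0/0"),  # outside source, matches only the default route
]

if __name__ == "__main__":
    print(*filter_packets(SAMPLE)[1], sep="\n")  # drop log for the strict case
```

Without allow_default the outside source is dropped too, which is why strict uRPF fits downstream interfaces best and the upstream interface needs the default route admitted.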

Prohibit directed broadcasts

In a Smurf attack, the attacker sends ping packets to a network's broadcast address, for example 192.168.1.255. In most cases the router, on receiving the broadcast packet, converts the layer-3 broadcast into a layer-2 broadcast, i.e. it maps 192.168.1.255 to the Ethernet address FF:FF:FF:FF:FF:FF. Every Ethernet interface card on the broadcast segment that receives this layer-2 broadcast raises an interrupt to its host system and responds to the broadcast, which consumes host resources, and the responses may attack the target given as the source address.

Therefore, in most cases directed broadcasts should be prohibited on the border router, using the following interface command:

(config-if)# no ip directed-broadcast

Note: In most cases there is no need for a router's directed-broadcast function. There are exceptions: for example, if an SMB or NT server needs a remote LAN to be able to see it, it must send directed broadcasts to that LAN. That use, however, can be handled with a WINS server instead.

Prevent hosts from responding to ping broadcasts

Most current operating systems have a setting that stops the host from responding to ICMP echo broadcasts.

Preventing the hosts on the amplifier network from responding to ICMP echo (ping) broadcasts prevents the broadcast network from becoming an accomplice to the attack.

Limit ICMP echo traffic

When a large volume of data floods an interface, even if an access policy drops the ICMP packets, the interface may be so busy continuously dropping large amounts of data that it cannot provide normal service.

In contrast to passive dropping, an active approach is to configure committed access rate (CAR) on the interface, limiting the specified traffic to a given range so that a moderate amount is allowed through while other traffic passes normally.

Example: using CAR to restrict ICMP echo flooding

! Define an access list that classifies the traffic to be limited
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
! Apply CAR on the interface: inbound ICMP echo traffic
! is limited to 256 kbps, with an 8000-byte burst allowed
interface serial3/0/0
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
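To make the CAR semantics concrete, here is an added example (not from the article and not Cisco code) that models the rate-limit line above as a token bucket and runs constructed sample traffic through ACL 102 classification. The arrival times, packet sizes and the Packet/RateLimiter names are assumptions of the model.

```python
from dataclasses import dataclass

ACL_102 = {("icmp", "echo"), ("icmp", "echo-reply")}  # what access-list 102 permits


@dataclass
class Packet:
    t: float    # arrival time in seconds (constructed)
    proto: str  # "icmp", "tcp", ...
    kind: str   # ICMP message type name, or "data" for non-ICMP
    size: int   # bytes


class RateLimiter:
    """Token bucket modelling 'rate-limit input ... 256000 8000 8000': tokens are bytes,
    refilled at rate/8 bytes per second up to the normal burst. Extended burst equals
    the normal burst here, so there is no probabilistic extended-burst admission."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_t = 0.0

    def admit(self, pkt):
        elapsed = pkt.t - self.last_t
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8)
        self.last_t = pkt.t
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "transmit"  # conform-action
        return "drop"          # exceed-action


def process(packets, limiter):
    """Run inbound packets through ACL classification plus CAR; return action counts."""
    counts = {"transmit": 0, "drop": 0, "unmatched": 0}
    for p in packets:
        if (p.proto, p.kind) in ACL_102:
            counts[limiter.admit(p)] += 1
        else:
            counts["unmatched"] += 1  # not matched by ACL 102: passes unrestricted
    return counts


# Constructed traffic: a 20-packet echo burst at t=0 (a flood), one TCP packet,
# then a modest amount of ICMP one second later.
SAMPLE = ([Packet(0.0, "icmp", "echo", 1000) for _ in range(20)]
          + [Packet(0.0, "tcp", "data", 1500)]
          + [Packet(1.0, "icmp", "echo", 1000) for _ in range(5)]
          + [Packet(1.0, "icmp", "echo-reply", 1000)])

if __name__ == "__main__":
    print(process(SAMPLE, RateLimiter(256000, 8000)))
```

The burst admits 8 KB of echo before the rest of the flood is dropped, while the TCP packet is never touched and the later, moderate ICMP traffic passes once the bucket has refilled.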

II. Strategies for the victim

The attack traffic generated by a Smurf attack is magnified by the "amplifier network", so by the time it reaches the final target it can be enormous. To keep the attacked system from crashing, the following two strategies can be used:

Filter traffic with an access control list

An access control list on the border router of the final target refuses to forward ping packets to the attacked host. This is a crude method, though: once ping packets to the attacked host are completely blocked on the router, the ping packets that should pass normally are blocked as well. In addition, after ping traffic is filtered with an access control list on the border router, the internal network behind the router is protected, but the attack traffic still floods the router and may saturate the router's interface.

Use CAR rate limiting

It is preferable to use CAR limiting on the border routers of the final target. With CAR, the total volume of a given class of packets flowing into the network can be limited to a certain range, which guarantees that other traffic passes normally.

Conclusion

The router-configuration-based method of preventing DoS attacks described in this paper has a very noticeable effect in practical application. Most networks today still use a router as the boundary device, so the method elaborated here is broadly applicable.
