Be careful about network paralysis and prevent router attacks

This article describes in detail how to prevent network paralysis and how to prevent router attacks and set security vulnerabilities? The following article will give you a detailed answer.

It is usually easier for hackers to launch attacks by exploiting vro vulnerabilities. Vro attacks waste CPU cycles, mislead information traffic, and paralyze the network. A good router uses a good security mechanism to protect itself, but this is far from enough. To protect the security of a router, the network administrator must take appropriate security measures during the configuration and management of the router.

Block security vulnerabilities against vro attacks

Limiting system physical access is one of the most effective ways to ensure vro security. One way to restrict physical access to the system is to configure console and terminal sessions to automatically exit the system after a short period of idle time. It is also important to avoid connecting the modem to the secondary port of the router. Once physical access to the vro is restricted, you must ensure that the security patch of the vro is the latest. Vulnerabilities are often disclosed before the supplier releases the patch. This allows hackers to exploit the affected system before the supplier releases the patch, which requires the user's attention.

Preventing vro attacks and preventing identity crisis

Hackers often use weak passwords or default passwords for attacks. This vulnerability can be prevented by using a password extension and a password validity period of 30 to 60 days. In addition, once an important IT Employee Resign, the user should change the password immediately. The user should enable the password encryption function on the vro, so that even if the hacker can browse the system configuration file, he still needs to decrypt the ciphertext password. Implement reasonable verification control so that the router can transmit certificates securely. On most routers, you can configure some protocols, such as remote authentication dial-in to the user service, so that these protocols can be used together with the verification server to provide encrypted and verified Router Access. Verification control can forward user authentication requests to verification servers on the backend network. The verification server can also require users to use two-factor verification to enhance the verification system. The two factors are the software or hardware token generation part, and the latter is the user identity and token pass code. Other verification solutions involve transferring security certificates within the Secure Shell (SSH) or IPSec.

Disable unnecessary services to prevent router attacks

It is a good thing to have a large number of routing services, but many recent security events have highlighted the importance of disabling local services. It should be noted that disabling CDP on a vro。 may affect the performance of the vro. Another factor that users need to consider is timing. Timing is essential for effective network operations. Even if the user ensures time synchronization during deployment, the clock may gradually lose synchronization after a period of time. You can use a service named Network Time Protocol (NTP) to compare valid and accurate time sources to ensure the hourly synchronization of devices on the network. However, the best way to ensure clock synchronization between network devices is not through a router, but to place an NTP server in the network segment of the firewall-protected DMZ, configure the server to only allow time requests to external trusted public time sources. On a vro, you rarely need to run other services, such as SNMP and DHCP. These services are used only when absolutely necessary.

Preventing vro attacks and limiting logical access

Logical access is restricted mainly by rationally processing the access control list. Limiting remote terminal sessions helps prevent hackers from obtaining system Logical access. SSH is the preferred logical access method, but if Telnet cannot be avoided, Use Terminal Access Control to restrict access to trusted hosts only. Therefore, you must add an access list to the virtual terminal port used by Telnet on the vrotelnet.

Controlling the Message Protocol (ICMP) helps to troubleshoot, but it also provides attackers with information to browse network devices, determine local timestamps and network masks, and speculate on the OS revised version. To prevent hackers from collecting the above information, only the following types of ICMP traffic are allowed to enter the user network: ICMP cannot be reached, the host cannot be reached, the port cannot be reached, the packet is too large, the source is blocked, and the TTL is exceeded. In addition, logical access control should also prohibit all traffic other than ICMP traffic.

Use inbound access control to direct a specific service to the corresponding server. For example, only SMTP traffic is allowed to enter the mail server, DNS traffic is allowed to enter the DSN server, and HTTP (HTTP/S) traffic through the SSL protocol layer is allowed to enter the Web server. To prevent a router from becoming a DoS attack target, the user should reject the following traffic: packets without IP addresses, packets with local host addresses, broadcast addresses, multicast addresses, and any fake internal addresses. Although users cannot prevent DoS attacks, users can restrict the harm of DoS. You can increase the length of the syn ack queue and shorten the ACK timeout to protect the router from tcp syn attacks.

You can also use outbound access control to restrict traffic from the network. This control can prevent internal hosts from sending ICMP traffic and only allow valid source address packets to leave the network. This helps prevent IP Address Spoofing and reduce the possibility of hackers using the user system to attack another site.