Routing Technology: Use routers to defend against DoS Attacks

Source: Internet
Author: User

Denial of Service (DoS) attacks are widely used by attackers. They exhaust network resources so that legitimate hosts can no longer access them, causing service outages or a complete network breakdown.

DoS attacks include Smurf, SYN Flood, and Fraggle. In a Smurf attack, the attacker floods servers and other network resources with ICMP packets; a SYN Flood ties up network resources with a large number of half-open TCP connections. Fraggle attacks are similar to Smurf attacks, but use UDP echo requests instead of ICMP echo requests.

Although network security vendors keep developing dedicated devices to stop DoS attacks, such devices are of limited effect because DoS attacks exploit weaknesses in the TCP protocol itself. Correct router configuration, on the other hand, can go a long way toward preventing DoS attacks. Taking a Cisco router as an example, the IOS software has many features that help block DoS attacks and protect both the router itself and the internal network behind it.

Use extended access list

The extended access list is an effective tool against DoS attacks: it can be used both to identify the type of DoS attack and to block it. The show ip access-lists command displays the number of packets that matched each entry of an extended access list, and the packet type of the fast-growing entries tells you which kind of DoS attack is under way. If a large number of TCP connection requests appear, for example, the network is under a SYN Flood attack. You can then adjust the access list configuration to drop the attack traffic.

Use QoS

QoS features such as weighted fair queuing (WFQ), committed access rate (CAR), generic traffic shaping (GTS), and custom queuing (CQ) can also be used to counter DoS attacks. Note that different QoS mechanisms are effective against different DoS attacks. For example, WFQ works better against a Ping Flood than against a SYN Flood, because a Ping Flood usually shows up in WFQ as a single flow with its own queue, whereas every packet of a SYN Flood is treated as a separate flow. CAR, in turn, can be used to rate-limit ICMP traffic to blunt Smurf attacks, or to rate-limit TCP SYN packets to blunt SYN Flood attacks. To use QoS against DoS attacks you need to understand both how the QoS mechanism works and how the particular DoS attack works, so that you can choose the right countermeasure for each attack type.
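The following configuration is an added example (not from the original article) that ties the two preceding sections together: an extended access list whose per-entry counters expose the attack type, plus CAR rate limits for ICMP echo traffic and inbound TCP SYNs. The protected network 192.168.10.0/24, the interface name and all rate values are assumptions to be adapted to the real environment.

```cisco
! Added example, not from the original article. Assumes the protected
! network is 192.168.10.0/24 and the Internet-facing interface is
! GigabitEthernet0/0; addresses and rates are placeholders.
!
! Access list 110 has one entry per suspicious traffic type, so the hit
! counters of "show ip access-lists 110" reveal which flood is arriving:
! growing "echo"/"echo-reply" counts point to Ping Flood or Smurf, a
! growing "syn" count to SYN Flood, a growing "eq echo" count to Fraggle.
access-list 110 permit icmp any 192.168.10.0 0.0.0.255 echo
access-list 110 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 110 permit tcp any 192.168.10.0 0.0.0.255 syn
access-list 110 permit udp any 192.168.10.0 0.0.0.255 eq echo
access-list 110 permit ip any any
!
! Access lists 120 and 121 select the packets that CAR will rate-limit.
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 121 permit tcp any any syn
!
interface GigabitEthernet0/0
 ip access-group 110 in
 ! CAR: inbound ICMP echo traffic limited to 256 kbit/s, excess dropped
 rate-limit input access-group 120 256000 8000 8000 conform-action transmit exceed-action drop
 ! CAR: inbound TCP SYNs limited to 64 kbit/s, excess dropped
 rate-limit input access-group 121 64000 8000 8000 conform-action transmit exceed-action drop
!
! Verification commands (run in privileged EXEC mode):
! Router# show ip access-lists 110
! Router# show interfaces GigabitEthernet0/0 rate-limit
```

The SYN rate limit affects legitimate new connections as well once it is exceeded, so set it from a measured baseline of normal connection rates rather than guessing.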

Use unicast reverse path forwarding

Unicast reverse path forwarding (RPF) is an input function of the router that checks every packet received on an interface. If the router receives a packet whose source IP address has no route in the routing table, the router discards the packet. Reverse path forwarding can therefore stop Smurf attacks and other attacks that rely on forged source IP addresses.

To use RPF, the router must be configured for Cisco Express Forwarding (CEF) switching; the interfaces on which RPF is enabled do not themselves need to be configured for CEF switching. RPF has several advantages over an access list for preventing IP address spoofing. First, it automatically tracks changes in both dynamic and static routing tables. Second, RPF needs far less maintenance. Finally, as an anti-spoofing tool RPF has a much lower impact on router performance than an access list.
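Added example (not from the original article) of enabling strict unicast RPF on an Internet-facing interface together with the global CEF prerequisite described above. The interface name is an assumption, and the example assumes traffic to and from the Internet flows symmetrically through that interface.

```cisco
! Added example, not from the original article. Assumes the Internet
! uplink is GigabitEthernet0/0 and that routing through it is symmetric;
! strict RPF drops legitimate packets on asymmetrically routed links.
!
! CEF must be enabled globally: RPF performs its source lookup in the
! CEF forwarding table.
ip cef
!
interface GigabitEthernet0/0
 description Internet uplink
 ! Strict unicast RPF: a packet is dropped when the route back to its
 ! source address does not point out of this interface, which is the
 ! case for spoofed or otherwise unroutable source addresses.
 ip verify unicast reverse-path
!
! Verification (privileged EXEC): the "unicast RPF" counter in the drop
! statistics grows while spoofed packets are being discarded, and the
! interface display confirms the check is active.
! Router# show ip traffic | include RPF
! Router# show ip interface GigabitEthernet0/0 | include verify
```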

TCP Interception

Cisco introduced the TCP Interception Function after IOS 11.3, which can effectively prevent SYN Flood attacks on internal hosts.

TCP intercept stops such attacks by intercepting and validating TCP connection requests before they reach the target host. It can run in intercept mode or in watch (monitoring) mode. In intercept mode, the router intercepts incoming TCP SYN requests and completes the handshake with the client on behalf of the server. If the client handshake succeeds, the router opens a connection to the server and transparently splices the two connections together; for the life of the connection the router keeps relaying packets between the two sides. For connection requests that never complete, the router applies much stricter half-open timeouts so that its own resources are not exhausted by a SYN attack. In watch mode, the router passively observes the connection requests flowing through it and resets any connection that has not been established within the configured time.

Enabling TCP intercept on a Cisco router takes two steps: 1. configure an extended access list that identifies the IP addresses to be protected; 2. enable TCP intercept. The access list defines the source and destination addresses whose connection requests are intercepted, thereby protecting the internal target host or network. Usually the source address is set to any and the destination is the network or host to protect. If no access list is configured, the router intercepts nothing and all requests pass through unchecked.
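The two-step procedure above, as an added configuration example that is not from the original article. The protected network 192.168.10.0/24 is an assumption, and the thresholds shown are placeholders that should be tuned to the measured connection rate of the protected hosts.

```cisco
! Added example, not from the original article. Assumes the servers to
! protect are in 192.168.10.0/24; all thresholds are placeholders.
!
! Step 1: extended access list selecting the connections to intercept.
! Source "any", destination the protected network. Without this list
! the router intercepts nothing and every request passes untouched.
access-list 101 permit tcp any 192.168.10.0 0.0.0.255
!
! Step 2: enable TCP intercept for the traffic matched by list 101.
ip tcp intercept list 101
!
! Active mode: the router answers the SYN on behalf of the server and
! only opens the server-side connection once the client's handshake
! completes, then splices the two connections together.
ip tcp intercept mode intercept
!
! Aggressive-mode thresholds: when more than 1100 connections are
! half-open, or more than 1100 requests arrive within one minute, the
! router starts dropping the oldest half-open connections and keeps
! doing so until the count falls below the low-water mark of 900.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! Tighter timeouts: a half-open connection is reset after 30 s and an
! idle established connection is released after one hour.
ip tcp intercept watch-timeout 30
ip tcp intercept connection-timeout 3600
!
! Passive alternative: only watch the handshakes and reset any
! connection not established within watch-timeout seconds.
! ip tcp intercept mode watch
!
! Verification (privileged EXEC):
! Router# show tcp intercept connections
! Router# show tcp intercept statistics
```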

Use Content-Based Access Control

Content-based access control (CBAC) is an extension of Cisco's traditional access list. It intelligently filters TCP and UDP packets based on application layer session information to prevent DoS attacks.

CBAC uses timeout and threshold values to decide how long a session may persist and when a half-open connection is deleted. For TCP, a half-open connection is a session that has not completed the three-way handshake. For UDP, a half-open connection is a session for which the router has not yet seen any return traffic.

CBAC defends against flood attacks by monitoring the number and the rate of half-open connections. When an unusual number of half-open connections exists, or many of them appear within a short time, this indicates a flood attack. CBAC checks the number of existing half-open connections and the number of connection attempts once a minute. When the number of existing half-open connections exceeds the high threshold, the router starts deleting half-open connections to make room for new requests, and keeps deleting until the count falls below the low threshold. Likewise, when the rate of connection attempts exceeds its high threshold, the router deletes connection requests in the same way until the rate falls below the corresponding low threshold. Through this continuous monitoring and deletion, CBAC effectively blunts SYN Flood and Fraggle attacks.
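Added example (not from the original article) of the CBAC timeouts and high/low thresholds described above, applied to inbound sessions destined for an internal web server. The interface names, the server address 192.168.10.20 and all numeric values are assumptions; the high/low pairs illustrate the hysteresis the text describes.

```cisco
! Added example, not from the original article. Assumes the outside
! interface is GigabitEthernet0/0 and an internal web server at
! 192.168.10.20; thresholds and timeouts are placeholders.
!
! Half-open TCP sessions (no completed three-way handshake) are dropped
! after 30 s; a UDP session with no return traffic is aged out after 30 s.
ip inspect tcp synwait-time 30
ip inspect udp idle-time 30
!
! Absolute thresholds: above 500 half-open sessions the router starts
! deleting them and continues until fewer than 400 remain.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! Rate thresholds, sampled once per minute: above 500 new connection
! attempts per minute the same deletion starts and stops below 400.
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-host limit: beyond 50 half-open sessions towards one server, each
! new request causes the oldest half-open session to that host to be
! deleted (block-time 0 means delete rather than block the host).
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inspection rule covering the TCP and UDP sessions to be tracked.
ip inspect name DOSGUARD tcp
ip inspect name DOSGUARD udp
!
! Only the server's web ports may be reached from outside; CBAC tracks
! the permitted sessions and enforces the thresholds on them.
access-list 120 permit tcp any host 192.168.10.20 eq www
access-list 120 permit tcp any host 192.168.10.20 eq 443
access-list 120 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group 120 in
 ip inspect DOSGUARD in
!
! Verification (privileged EXEC):
! Router# show ip inspect config
! Router# show ip inspect sessions
```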

The router is the first line of defence of an enterprise network and a prime target for attackers. If the router is easy to compromise, the security of the internal network cannot be guaranteed at all, so appropriate measures must be taken on the router to counter the various DoS attacks. Bear in mind that the methods described above differ in how well they handle each type of DoS attack and in how much router CPU and memory they consume; in practice you need to choose the method that fits your own situation and the performance of your router.
