Although network security experts worldwide are investing in the fight against DoS attacks, these efforts have limited effect because DoS attacks exploit weaknesses of the TCP protocol itself. Configuring the switch appropriately and installing specialized DoS identification and prevention tools can minimize the damage caused by DoS attacks.
Building a comprehensive network security system on layer-3 switching requires layer-3 switching and routing at the core of an intelligent network, together with sound layer-3 security policy management tools. The network should also be laid out sensibly during the design phase.
LAN Layer
At the LAN layer, the network administrator can take many preventive measures. For example, although it is almost impossible to eliminate IP packet spoofing completely, administrators can build filters that drop inbound traffic whose source address belongs to the intranet, which effectively reduces attacks that forge internal IP addresses. Filters can also restrict outbound IP packets, preventing the network from being used as an intermediate system in spoofed-source DoS attacks.
Other methods include shutting down or restricting specific services, for example restricting the UDP service so that it is used only for network diagnostics within the intranet.
Unfortunately, these restrictions may have a negative impact on legitimate applications, such as RealAudio, that use UDP as a transport mechanism. If an attacker can intimidate a victim into not using IP services or other legitimate applications, the attacker has already achieved the purpose of a DoS attack.
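The ingress and egress filtering described above, as an added example that is not part of the original article: a small perimeter filter that drops inbound packets claiming an internal source, drops outbound packets with a foreign source, and limits UDP from outside to an allow-list of diagnostic ports. The intranet prefixes, the allow-list and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed intranet prefixes; replace with the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Constructed allow-list: the only UDP services reachable from outside.
DIAG_UDP_PORTS = {53, 123}

@dataclass(frozen=True)
class Packet:
    ingress: str   # "external": arrived from the WAN side; "internal": from the LAN side
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int = 0

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def perimeter_filter(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one packet crossing the intranet boundary."""
    if pkt.ingress == "external" and is_internal(pkt.src):
        return ("drop", "inbound packet forges an internal source address")
    if pkt.ingress == "internal" and not is_internal(pkt.src):
        return ("drop", "outbound packet with a foreign source: we would be the intermediary")
    if pkt.ingress == "external" and pkt.proto == "udp" and pkt.dport not in DIAG_UDP_PORTS:
        return ("drop", "UDP from outside is limited to diagnostic services")
    return ("accept", "passes anti-spoofing and service policy")

def filter_batch(packets) -> dict:
    """Apply the filter to a batch and count verdicts, as a switch counter would."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[perimeter_filter(pkt)[0]] += 1
    return counts

# Constructed sample traffic: one spoofed inbound, one reflected outbound, one blocked UDP.
SAMPLE = [
    Packet("external", "10.1.2.3", "10.0.0.5", "tcp", 80),        # spoofed internal source
    Packet("internal", "203.0.113.9", "198.51.100.1", "udp", 53), # foreign source leaving us
    Packet("external", "198.51.100.1", "10.0.0.5", "udp", 1434),  # UDP to a non-diag port
    Packet("external", "198.51.100.1", "10.0.0.5", "tcp", 443),   # legitimate inbound
    Packet("internal", "10.0.0.5", "198.51.100.1", "tcp", 443),   # legitimate outbound
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.src, "->", pkt.dst, *perimeter_filter(pkt))
    print(filter_batch(SAMPLE))
```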
Network Transport Layer
The following controls at the network transport layer can make up for the shortcomings described above.
1. Layer-independent wire-speed quality of service (QoS) and access control
The advent of wire-speed multilayer switches with configurable intelligent software, layer-independent QoS, and access control features improves the ability of network transmission devices to protect the integrity of data flows.
In traditional routers, authentication mechanisms such as filtering spoofed packets that carry internal addresses require traffic to reach the router at the network edge and be matched against the criteria in a specific access control list. Maintaining access control lists is not only time-consuming but also greatly increases the cost of routers.
In contrast, wire-speed multilayer switches can flexibly implement various policy-based access controls.
This layer-independent access control capability separates security decisions from network structure decisions, so that the network administrator can deploy DoS precautions effectively without resorting to a suboptimal routing or switching topology. As a result, network administrators and service providers can seamlessly integrate policy-based control standards across a metropolitan area network, data center, or enterprise network environment, regardless of whether they use a complex router-based core or relatively simple layer-2 switching. In addition, wire-speed data authentication can be performed in the background with essentially no performance delay.
2. Customizable filtering and "trusted neighbor" mechanisms
Another advantage of intelligent multilayer access control is that it can easily implement custom filtering operations, such as tailoring the granularity of the system's response according to specific criteria. Rather than making a simple "pass" or "discard" decision for packets that may be part of a DoS attack, multilayer switching can push them into a specific QoS profile with a specified maximum bandwidth limit. This both mitigates DoS attacks and reduces the risk of discarding legitimate packets.
A further advantage is the ability to customize routing access policies and to support "trusted neighbor" relationships between specific systems, preventing unauthorized use of internal routes.
As an example, the ExtremeWare software suite from Extreme Networks maps and overwrites IEEE 802.1p and DiffServ tags so that all switches can ignore, observe, or process any DiffServ tags from untrusted neighbors. These mechanisms let system administrators adjust internal routing policies based on traffic from a particular neighbor.
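The two mechanisms above, capping suspect traffic in a QoS profile instead of dropping it and ignoring DiffServ marks from untrusted neighbors, as an added example that is not code from the article or from any vendor: a token bucket models each profile's bandwidth ceiling, bare SYNs from outside are steered into a capped profile, and only a trusted port's EF mark earns the priority profile. The profile sizes, port names and packet sizes are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    """Bandwidth ceiling of one QoS profile: bytes per second plus a burst allowance."""
    rate_bps: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst

    def admit(self, size: int, now: float) -> bool:
        # Refill for the elapsed time, then spend tokens for this packet if available.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if self.tokens < size:
            return False          # over the profile ceiling: only this packet is shed
        self.tokens -= size
        return True

def make_profiles() -> dict:
    """Constructed profiles: suspect traffic is capped, not blocked outright."""
    return {"qp_default": TokenBucket(1_000_000, 100_000),
            "qp_suspect": TokenBucket(50_000, 5_000),
            "qp_priority": TokenBucket(2_000_000, 200_000)}

TRUSTED_PORTS = {"1:1"}          # constructed: neighbor ports whose DiffServ marks we observe
DSCP_EF = 46                     # Expedited Forwarding code point

def normalise_dscp(port: str, dscp: int) -> int:
    """Ignore (overwrite to 0) marks from untrusted neighbors so they cannot claim priority."""
    return dscp if port in TRUSTED_PORTS else 0

def classify(profiles: dict, port: str, proto: str, flags: set, dscp: int,
             size: int, now: float) -> tuple:
    """Choose a QoS profile by policy criteria and return (profile, admitted)."""
    dscp = normalise_dscp(port, dscp)
    if dscp == DSCP_EF:
        profile = "qp_priority"              # honoured only from a trusted neighbor
    elif proto == "tcp" and flags == {"SYN"}:
        profile = "qp_suspect"               # bare SYNs: the pattern of a SYN flood
    else:
        profile = "qp_default"
    return profile, profiles[profile].admit(size, now)

def flood_admitted(n: int, port: str = "1:2", size: int = 60, now: float = 0.0) -> int:
    """How many of n back-to-back bare SYNs from `port` get through in one instant."""
    profiles = make_profiles()
    return sum(classify(profiles, port, "tcp", {"SYN"}, 0, size, now)[1] for _ in range(n))
```

With the constructed 5,000-byte burst, a burst of 100 bare SYNs of 60 bytes yields 83 admitted and 17 shed, while the same 100 packets in the default profile all pass.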
3. Customizing the network login configuration
Network login authenticates a user's identity with a unique username and password before the user is allowed onto the network. The login is submitted from the user's browser to the switch, after the client has obtained an address through the Dynamic Host Configuration Protocol (DHCP); the switch captures the user identity and sends a request to the RADIUS server for authentication, and only after authentication succeeds does the switch allow the user's packet traffic to flow through the network.
In the draft IEEE 802.1 standard, the network login mechanism can control user access to the switch, minimizing the risk of direct DoS attacks. At the same time, network login provides a robust mechanism for managing and tracking internal users.
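The network login flow described above, as an added example that is not the article's or any vendor's code: before authentication a port may only obtain a DHCP lease and reach the switch's login page, the captured credentials are relayed to a RADIUS stand-in, and the port opens only on acceptance while failed attempts are counted for tracking. The RADIUS stub, its password store, the login address and the port names are constructed assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class RadiusStub:
    """Constructed stand-in for the RADIUS server; it keeps salted hashes, not passwords."""
    def __init__(self, credentials: dict):
        self._db = {}
        for user, password in credentials.items():
            salt = os.urandom(16)
            self._db[user] = (salt, _digest(password, salt))
    def access_request(self, user: str, password: str) -> bool:
        if user not in self._db:
            return False
        salt, stored = self._db[user]
        return hmac.compare_digest(_digest(password, salt), stored)

@dataclass
class Port:
    name: str
    user: Optional[str] = None   # set only after an Access-Accept from RADIUS
    failures: int = 0            # kept so administrators can track login attempts

class NetworkLoginSwitch:
    LOGIN_ADDR = "10.0.0.1"      # constructed: switch address that serves the login page
    DHCP_PORTS = {67, 68}        # the only UDP traffic allowed before authentication
    def __init__(self, radius: RadiusStub):
        self.radius = radius
        self.ports = {}
    def port(self, name: str) -> Port:
        return self.ports.setdefault(name, Port(name))
    def forward(self, port_name: str, proto: str, dst: str, dport: int) -> bool:
        """Before authentication a port may only get a DHCP lease and reach the login page."""
        p = self.port(port_name)
        if p.user is not None:
            return True
        if proto == "udp" and dport in self.DHCP_PORTS:
            return True
        return proto == "tcp" and dst == self.LOGIN_ADDR and dport == 80
    def login(self, port_name: str, user: str, password: str) -> bool:
        """Relay captured credentials to RADIUS; open the port only on Access-Accept."""
        p = self.port(port_name)
        if self.radius.access_request(user, password):
            p.user = user
            return True
        p.failures += 1
        return False
```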