A high foot, a high foot. With the development of the network, more and more hacker attack methods are available. However, many attack methods may require DoS attacks. In other words, DoS attacks are a prerequisite for initiating other attacks. For example, a denial-of-service attack causes the DNS server to crash, and then DNS spoofing. A few days ago, the Baidu website was hacked, and the denial of service attack could also be seen. Therefore, how to effectively prevent Dos attacks is critical to enterprise network security.
How can we effectively prevent Dos attacks? There are many ways to achieve this. What I want to talk about today is how to use a firewall to defend against Dos attacks. We hope that this article will help you effectively defend against Dos attacks and improve server security.
1. Block multipart data packets from passing through the firewall
As shown in, If attackers want to launch Dos attacks on the Web servers behind the firewall, what should they do? Generally, Sos attacks use segmented IP packets to attack host servers. An IP packet is separated into multiple IP packets, which are called IP segments. This segmentation method can improve the efficiency of Dos attacks. If the firewall can prevent segment data packets from passing through the firewall, it can effectively prevent Dos attacks.
On the PIX Firewall, you can use the Fragment command to prevent multipart packets from passing through the firewall. Run the following command: fragment chain 1 outside. What does this command mean? Parameter 1 indicates that all groups must be complete, that is, those without IP segments. This command is used to prevent the entry and exit of a segmentation group from the vswitch. Through the filter of the switch, you can effectively prevent segment data packets from going through the firewall and launching attacks against the Web servers behind the firewall.
However, in some cases, IP segments are required for data packets. In this case, you need to enable the segment protection function on the firewall. That is to say, according to certain rules, the packet that enters the firewall is checked to determine whether it meets the rules. If yes, allow it to pass. Otherwise, it will be discarded. For example, the firewall checks that each non-initial IP segment has an associated legal initial IP segment. If you limit the number of segments, when the number of segments exceeds a certain number (by default, it may be 24 segments at most), the segment data packet cannot pass through the firewall. You can set the number of security personnel according to your actual needs. These security inspection measures can also help enterprises effectively prevent Dos attacks.
I suggest that you use the fragment command to prevent segment data packets from entering the firewall without special circumstances. This can fundamentally prevent DoS attacks.
2. Prevent DoS attacks from damaging the DNS server
At ordinary times, we often hear that the DNS server is paralyzed due to Dos attacks. So how did this happen? In fact, the attack principle is relatively simple. Attackers send DNS queries to each DNS server. The query contains the pseudo address that reaches the destination. This is a small query that cannot be smaller. However, the DNS server generates tens of thousands of responses. The response information will be routed to the target address disguised by the attacker. This will cause link congestion. In severe cases, it may also cause network faults and cannot be connected properly.
If a firewall is put in front of the DNS server, can it effectively defend against Dos attacks? The answer is yes. For example, the PIX Firewall is used as an example. By default, the firewall cannot reallocate the DNS port. That is to say, DNS needs to perform relevant checks to ensure that DNS queries are not affected by common UDP based on activity timeout processing. In this case, when an attacker sends a DNS query request to the DNS server, the attacker can smoothly access the DNS server. However, the firewall only allows a single DNS response. Instead of sending many response messages. How is this implemented? As long as the firewall receives a DNS query result, the UDP connection associated with DNS query and response will be closed. In this case, the firewall will automatically discard other responses, effectively avoiding Dos attacks. This feature is a DNS protection function specially designed by the firewall for DNS servers. If you want to deploy DNS when purchasing a firewall, you must consider whether the firewall has DNS protection functions.
Note that Network Address Translation technologies such as NAT may also be used in the network. If DNS protection is enabled, will it adversely affect the application of these technologies? In general, it may affect the normal use of NAT and other technologies. However, it mainly depends on whether the firewall Manufacturer uses related technologies to prevent this situation. According to my understanding, Cisco's version of PIX Firewall 6.2 or later fully supports technologies such as DNS message NAT. That is to say, whether these messages come from internal interfaces or external interfaces, the DNS protection function can coexist with Network Address Translation technologies such as NAT. If an enterprise has its own DNS server, this feature may be very useful. At this time, if A user in an internal network sends A query request to the DNS server on the external interface and requests the DNS resolution of an internal FTP server, the dns a record can be correctly converted. Therefore, you do not need to use the allias command. Allias commands are not only inefficient, but also have certain security risks. In actual work, it is better not to use this command. Courseware, NAT, and other network address translation technologies can coexist with the DNS protection function of the firewall. When purchasing a firewall, if you have such requirements, you need to pay attention to whether the firewall supports this feature. Although this technology is not difficult, it will become very troublesome if not.
By default, the DNS protection function is enabled for the PIX Firewall. When a DNS server is available, ask the security administrator to enable this function. This function can protect the DNS server from Dos attacks to a large extent. The effect is very obvious.
3. prevent flooding attacks by limiting the maximum data connected in the initial stage
In addition to the above forms, Dos attacks also have a typical attack behavior, namely flood attacks. This Dos attack method is mainly used to prevent flood attacks by using a half-open TCP initial connection. The flood attack name also comes from this. In fact, flood attacks are essentially Dos attacks. After learning about the attack principle, it is much easier to prevent it. Generally, this attack can be prevented as long as the initial connection quantity is limited or the connection data of the host server is limited. In practice, you can use the static command to limit the maximum number of initial connections. You can set this value to 200 or 500 as needed.
Note that the maximum initial number of connections cannot be set too low. If the setting is relatively low, after the maximum value is reached, access by legal users will be rejected, so that attackers can proceed with a Denial-of-Service attack. So how much is this value suitable? No network expert can give a definite answer. This is mainly because the enterprise's network environment is different, the number of clients is different, the number of concurrent users is different, and the applications are different. The reasonable value range of this value is also different. Other enterprises are suitable for connecting to the largest data at the initial stage. It may not be suitable for changing the Enterprise. So how should we determine? The author believes that security management personnel can set a relatively large value first. Then, run the "show local-host IP Address" command to check the connection data of the host and the initial connection data. In actual work, it may take a period of time to track and adjust, and finally obtain a more suitable enterprise parameter value.
From the typical cases of the above three DoS attacks, we can see that as long as you select the appropriate firewall and configure it properly, it can effectively prevent DoS attacks.