Mitigating Denial of Service Attacks
Defeating DoS attacks or distributed DoS (DDoS) attacks (described in Chapter 6) begins by identifying the weak points in the network architecture where DoS attacks may have an advantage. Typically, weak points are located at the edge router. If an attacker launches a DDoS attack that is meant to consume the available network bandwidth, stopping the attack at the edge router does little good. Stopping a large DDoS attack requires coordination with the upstream ISP. DoS attack defense involves not just defending against a targeted DoS attack but also taking care to ensure that the network is not the source of a DoS attack. Recall that DoS attacks attempt to inflict damage by flooding a network or a host with useless and undesired traffic. This traffic originates from a single host or from multiple systems (in the case of DDoS) that an attacker has previously compromised. Preventing an attacker from compromising systems on the network in the first place prevents those systems from being the source of an attacker's DoS traffic. There are three primary methods of mitigating DoS attacks:
- Antispoof features
- Anti-DoS features
- Traffic-rate limiting
Antispoof Features
Antispoof features depend on RFC 2827 filtering. In short, although RFC 2827 is written mainly from an ISP perspective, it is equally applicable to networks of any size. RFC 2827 calls for filtering at the edge of the ISP network where customer networks connect. Traffic should be filtered at the edge by restricting outbound traffic to only those prefixes that are assigned to the customer. For example, in Figure 8-2, the ISP has assigned customer A the range 192.168.100.0/24 and customer B the range 192.168.101.0/24.
Figure 8-2. RFC 2827 Filtering
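The following is an added example, not code from the book, that models the RFC 2827 edge filter of Figure 8-2 in Python: each customer-facing interface may only forward packets whose source address falls inside the prefixes the ISP assigned to that customer. The prefixes are the ones from the figure; the interface names, the sample packets and the log format are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Prefixes the ISP assigned to each customer-facing edge interface
# (values from Figure 8-2; the interface names are assumptions).
ASSIGNED_PREFIXES = {
    "customer_a": [ip_network("192.168.100.0/24")],
    "customer_b": [ip_network("192.168.101.0/24")],
}


def rfc2827_permit(interface, src_ip):
    """Return True if a packet entering the ISP on `interface` carries a
    source address inside the prefixes assigned to that customer."""
    src = ip_address(src_ip)
    return any(src in prefix for prefix in ASSIGNED_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Apply the edge filter to (interface, src, dst) tuples.

    Returns the permitted packets and one log line per dropped packet, so
    the operator can see which customer link is emitting spoofed sources."""
    permitted, drop_log = [], []
    for iface, src, dst in packets:
        if rfc2827_permit(iface, src):
            permitted.append((iface, src, dst))
        else:
            drop_log.append(f"DROP iface={iface} src={src} dst={dst} "
                            "reason=source-not-assigned-to-customer")
    return permitted, drop_log


# Constructed sample traffic: one legitimate packet from each customer,
# one packet from customer A spoofing an address from customer B's range,
# and one packet from customer B using an address assigned to neither.
SAMPLE_PACKETS = [
    ("customer_a", "192.168.100.7", "203.0.113.10"),
    ("customer_b", "192.168.101.20", "203.0.113.10"),
    ("customer_a", "192.168.101.20", "203.0.113.10"),
    ("customer_b", "198.51.100.5", "203.0.113.10"),
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"{len(ok)} permitted, {len(dropped)} dropped")
    for line in dropped:
        print(line)
```

Note that the filter only works in the spoofed-source direction: it stops this network from sourcing a DoS flood under someone else's addresses, which is exactly what the text means by ensuring the network is not the source of an attack.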

Anti-DoS Features
The implementation of TCP intercept on Cisco routers also helps to mitigate DoS attacks, specifically attacks such as TCP SYN floods. Firewalls can also provide some measure of defense against TCP SYN floods by limiting the number of half-open connections permitted per host. TCP intercept works by requiring the router to intercept or "catch" the incoming TCP SYN requests from a client. The router responds to the SYN request by sending a SYN-ACK packet back and waiting for the client's final TCP ACK packet in order to complete the TCP three-way handshake. Once the three-way handshake is complete, the router replays the handshake to the server and then allows all further traffic between the server and client to continue. This feature protects a system whose incoming TCP SYN queue may be limited and thus liable to attack. This behavior is shown in Figure 8-3.
Figure 8-3. TCP Intercept Operation

Traffic-Rate Limiting
An organization can implement, in cooperation with its ISP, traffic-rate limiting, whereby all nonessential traffic is given only a small fraction of the total bandwidth in the link. Additionally, an organization can implement quality of service (QoS) to identify permitted traffic and ensure that it is handled quickly while other, potentially unauthorized traffic is relegated to slower handling. Utilizing rate limits along with QoS shaping of traffic can greatly help to mitigate the impact of DoS and DDoS attacks.