
solution for denial of service



Printed From: ProjectsQA
Category: Projects Forum
Forum Name: Computer/IT Projects
Forum Description: Projects in any Programming language, Software, Networking, Final Year Projects, Mini Projects etc.
URL: http://projectsqa.com/forum_posts.asp?TID=542
Printed Date: 21-Jan-2020 at 10:01pm


Topic: solution for denial of service
Posted By: punam90singh
Subject: solution for denial of service
Date Posted: 20-Apr-2012 at 12:00am
Can you provide me any algorithm or mechanism to stop a DoS
attack due to network flooding?



Replies:
Posted By: Stranger
Date Posted: 30-Apr-2012 at 1:35pm
Came across this from CERT:

Denial-of-service attacks can result in significant loss of time and money for many organizations. We strongly encourage sites to consider the extent to which their organization could afford a significant service outage and to take steps commensurate with the risk.

We encourage you to consider the following options with respect to your needs:

*    Implement router filters of CA-96.21.tcp_syn_flooding. This will lessen your exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on your network from effectively launching certain denial-of-service attacks.
*    If they are available for your system, install patches to guard against TCP SYN flooding as described in CA-96.21.tcp_syn_flooding, referenced above. This will substantially reduce your exposure to these attacks but may not eliminate the risk entirely.
*    Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
*    Enable quota systems on your operating system if they are available. For example, if your operating system supports disk quotas, enable them for all accounts, especially accounts that operate network services. In addition, if your operating system supports partitions or volumes (i.e., separately mounted file systems with independent attributes) consider partitioning your file system so as to separate critical functions from other activity.
*    Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
*    Routinely examine your physical security with respect to your current needs. Consider servers, routers, unattended terminals, network access points, wiring closets, environmental systems such as air and power, and other components of your system.
*    Use Tripwire or a similar tool to detect changes in configuration information or other files.
*    Invest in and maintain "hot spares" - machines that can be placed into service quickly in the event that a similar machine is disabled.
*    Invest in redundant and fault-tolerant network configurations.
*    Establish and maintain regular backup schedules and policies, particularly for important configuration information.
*    Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.


Posted By: Avinash
Date Posted: 30-Apr-2012 at 1:42pm
These are suggested methods to prevent distributed denial of service attacks.

1. Use the ip verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.

    This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.

    The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (lease and dial-up). This protects your network and customers, as well as the rest of the Internet. To use unicast RPF, enable "CEF switching" or "CEF distributed switching" in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input side function that is enabled on an interface or sub-interface and operates on packets received by the router.

    It is very important for CEF to be turned on in the router. RPF does not work without CEF. Unicast RPF is not supported in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that support CEF, which includes the AS5800. Hence, unicast RPF can be configured on the PSTN/ISDN dial-up interfaces on the AS5800.

2. Filter all RFC-1918 address space using Access Control Lists (ACLs).

    Refer to this example:

        access-list 101 deny ip 10.0.0.0    0.255.255.255 any
        access-list 101 deny ip 192.168.0.0 0.0.255.255 any
        access-list 101 deny ip 172.16.0.0 0.15.255.255 any
        access-list 101 permit ip any any

        interface xy
           ip access-group 101 in

    Another source of information about special use IPv4 address space that can be filtered is the (now expired) IETF draft 'Documenting Special Use IPv4 Address Blocks that have been registered with IANA.'

3. Apply ingress and egress filtering (see RFC-2267) using ACLs.

    Refer to this example:

             { ISP Core } -- ISP Edge Router -- Customer Edge Router -- { Customer network }

    The ISP edge router should only accept traffic with source addresses belonging to the customer network. The customer network should only accept traffic with source addresses other than the customer network block. This is a sample ACL for an ISP edge router:

        access-list 190 permit ip {customer network} {customer network mask} any
        access-list 190 deny ip any any [log]

        interface {ingress interface} {interface #}
             ip access-group 190 in

    This is a sample ACL for a customer edge router:

        access-list 187 deny ip {customer network} {customer network mask} any
        access-list 187 permit ip any any

        access-list 188 permit ip {customer network} {customer network mask} any
        access-list 188 deny ip any any

        interface {egress interface} {interface #}
             ip access-group 187 in
             ip access-group 188 out

    If you are able to turn on Cisco Express Forwarding (CEF), the length of the ACLs can be substantially reduced, and performance thus increased, by enabling unicast reverse path forwarding. In order to support unicast reverse path forwarding, you only need to be able to enable CEF on the router as a whole; the interface on which the feature is enabled does not need to be a CEF switched interface.

4. Use CAR to rate limit ICMP packets.

    Refer to this example:

        interface xy
           rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop

        access-list 2020 permit icmp any any echo-reply

5. Configure rate limiting for SYN packets.

    Refer to this example:

        access-list 152 permit tcp any host {web server address} eq www
        access-list 153 permit tcp any host {web server address} eq www established

        interface {int}
             rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
             rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

    In the previous example, replace:

        45000000 with the maximum link bandwidth

        1000000 with a value that is between 50% and 30% of the SYN flood rate

        burst normal and burst max rates with accurate values

    Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. In order to get an idea of where to set the burst rate, use the show interfaces rate-limit command in order to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.

    Warning: It is recommended that you first measure the amount of SYN packets during the normal state (before attacks occur) and use those values to limit. Review the numbers carefully before you deploy this measure.

    If a SYN attack is aimed against a particular host, consider installing an IP filtering package on that host.
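As an added illustration of steps 1 and 2 in the reply above (this is example code written for this page, not part of the thread or of Cisco's documentation), the following Python simulates a router's input check: a strict unicast RPF lookup against a constructed forwarding table, plus the RFC 1918 source filter that access-list 101 expresses. The interface names, prefixes and sample packets are all assumed.

```python
import ipaddress

# Constructed forwarding table (stands in for the CEF FIB): prefix -> interface.
# Assumed topology: Gi0/0 faces the customer, Gi0/1 faces the ISP core.
# No default route is listed: like Cisco's strict uRPF without allow-default,
# a source reachable only via the default route is not a valid return path.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/0",   # customer block (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/1",  # a prefix learned from the core
}

# The three blocks that the post's access-list 101 denies.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_path(src):
    """Longest-prefix match on the source address, as the FIB would do it."""
    matches = [net for net in ROUTES if src in net]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def check_packet(src_ip, in_iface):
    """Return 'forward' or a drop reason for a packet arriving on in_iface."""
    src = ipaddress.ip_address(src_ip)
    # Step 2 of the reply: drop private (RFC 1918) sources outright.
    if any(src in net for net in RFC1918):
        return "drop: rfc1918 source"
    # Step 1 of the reply: strict uRPF. The best route back to the source
    # must point at the interface the packet came in on, else it is spoofed.
    if reverse_path(src) != in_iface:
        return "drop: urpf failed"
    return "forward"


def filter_packets(packets):
    """Apply check_packet to (src_ip, in_iface) pairs; returns the verdicts."""
    return [check_packet(src, iface) for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample: one legitimate packet, then spoofed/private sources.
    sample = [("203.0.113.10", "Gi0/0"), ("198.51.100.5", "Gi0/0"),
              ("203.0.113.10", "Gi0/1"), ("10.1.2.3", "Gi0/0"), ("192.0.2.9", "Gi0/1")]
    for pkt, verdict in zip(sample, filter_packets(sample)):
        print(pkt, "->", verdict)
```

The second sample packet is the SMURF-style case the reply describes: a source address that belongs to the core side arriving on the customer-facing interface, so the reverse lookup disagrees with the ingress interface and the packet is dropped.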


