Here it is - a pre-post exclusive for the list!!!! Edits are welcome :)

Preventing Basic DDoS Attacks - Part 1 of 5

DDoS Overview

Network engineers shudder when they see this string of letters - D-D-O-S. Decades ago a basic Denial of Service (DoS) attack was bad enough. Someone with too much time on their hands would find a vulnerability in an Operating System and then attack that weak point with a flood of traffic to render the service or entire machine unusable. But things certainly advance over time. The Distributed Denial of Service (DDoS) attack steps it up considerably. With these attacks, client systems install specialized programs on systems called Handlers. These systems then turn around and control thousands of other infected computers called Agents. The many, many Agents then turn around and carry out the attack against the victim systems.

When I am ready to relax and not think about this madness, I put on the classics like The Beatles, Bob Dylan, and The Stones. When security professionals want to stress out, they think about the DDoS classics like SMURF, SYN FLOOD, and SQL SLAMMER. SQL SLAMMER was truly amazing. Here are some eye-popping statistics regarding that attack.

* The attack took advantage of a small vulnerability in SQL Server which could be attacked with a specially crafted packet to UDP port 1434; this would set off a stack overflow. Microsoft had released a patch for the vulnerability 6 months prior to the attack - DOH!
* A single system with the required high-speed Internet connection could scan the entire Internet in 12 hours for the required SQL SLAMMER vulnerabilities
* There were 75,000 victim systems within the first 10 minutes of the attack launch and it is estimated that this amounted to 90% of the infected machines

Yes - DDoS attacks happen fast and furious when they occur. To make matters worse, these attacks follow a disturbing trend that has developed in the area of Network Security: the attacks get more sophisticated all of the time, and the sophistication level required to engage in the exploits is less and less. This is partially due to the development and easy deployment and advertising of attack applications. Some famous attack applications that have been used for DDoS include:

* Trinoo
* TFN
* TFN2K
* Stacheldraht

In this first post of the series, we will examine the first of five steps on Cisco routers that can help combat most common DDoS attacks.

Step 1 - Unicast Reverse Path Forwarding (uRPF)

This wonderful invention can stop SMURF, and attacks like it, right in their tracks. This is because uRPF seeks to combat IP source address spoofing. You probably recall how Reverse Path Forwarding (RPF) and the RPF Check work in Multicast. It is the loop prevention mechanism there. The router receives a multicast packet and checks the source address of that packet. It then examines the routing table to determine if it makes sense that the packet with that source address should enter on the interface that it did. If it makes no sense, then it drops the packet. Unicast Reverse Path Forwarding operates in a similar manner. It makes this little sanity check on where the packet is coming in from. Once again the routing table is checked to see if the source address makes sense to come in from a certain interface. I keep saying the routing table here, but that is actually an oversimplification. To make this all much more efficient, uRPF relies on Cisco Express Forwarding (CEF). In fact, CEF is a requirement for this feature. So technically speaking, uRPF makes its check against the Forwarding Information Base (FIB).

Configuring and Monitoring uRPF

Where would you configure this feature? On the uplinks (primary and backups) to your ISP. And hopefully your ISP(s) are aware of the feature and they are using it as well. The configuration is very simple. On 12.4T code as an example, the command is:

myhappyrouter(config-if)# ip verify unicast reverse-path [list]

Notice the optional access list parameter that can be specified here. If you use an access list, your permit entries will allow potentially spoofed addresses to pass through to their destination, while deny entries will be blocked if spoofing is suspected. Note you could also use logging in the access list to further the built-in accounting capabilities of the feature.

show ip traffic, show ip interface, and show access-lists are all verification commands that can be used to monitor this important feature.

We hope you will join us for the next post in this series - Part 2 covers filtering RFC1918 and Bogons from entering your critical networks.

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv

From: Carlos Alberto Campos Jardim [mailto:[email protected]]
Sent: Wednesday, June 15, 2011 2:17 PM
To: Anthony Sequeira
Cc: [email protected]
Subject: RES: [OSL | CCIE_Security] Adv.Sec. / Net. Attacks (strategy)

Tks everybody! Hey Anthony, we're looking forward to seeing your post!
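As an added illustration of the strict uRPF check Anthony's draft post describes (an editor's example, not code from the post, from Cisco, or from any list member), the Python below simulates what the router does per packet: a longest-prefix lookup of the packet's source address against the FIB, a comparison of the resulting egress interface with the interface the packet actually arrived on, and the optional access-list exception that lets "permit" entries forward a packet that failed the check. The FIB, interface names, addresses and packets are all constructed sample data. The model also includes the allow-default option of the IOS command: the FIB's default route is not used for the check unless that option is set, which matters on an ISP uplink that carries only a default route.

```python
import ipaddress

# Constructed sample FIB (not from the post): destination prefix -> egress interface.
SAMPLE_FIB = {
    "0.0.0.0/0": "Gi0/0",        # default route toward the ISP uplink
    "10.1.0.0/16": "Gi0/1",      # internal LAN behind Gi0/1
    "10.2.0.0/16": "Gi0/2",      # second internal segment behind Gi0/2
    "203.0.113.0/24": "Gi0/0",   # provider-assigned block reached via the uplink
}


def fib_lookup(fib, address, allow_default=False):
    """Longest-prefix match of address against fib.

    Returns the egress interface, or None when nothing matches or when only the
    default route matches and allow_default is False (IOS does not use the
    default route for the uRPF check unless 'allow-default' is configured).
    """
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_net is None:
        return None
    if best_net.prefixlen == 0 and not allow_default:
        return None
    return best_iface


def urpf_strict(fib, src, ingress, acl=None, allow_default=False):
    """Strict uRPF verdict ('forward' or 'drop') for one packet.

    The packet passes when the FIB would route its source address back out the
    interface it arrived on. acl models the optional access list of
    'ip verify unicast reverse-path [list]': it is consulted only when the
    check fails, and a matching 'permit' entry forwards the packet anyway while
    a matching 'deny' entry (or no match) drops it.
    """
    if fib_lookup(fib, src, allow_default) == ingress:
        return "forward"
    if acl:
        addr = ipaddress.ip_address(src)
        for action, network in acl:
            if addr in ipaddress.ip_network(network):
                return "forward" if action == "permit" else "drop"
    return "drop"


def check_packets(fib, packets, **options):
    """Run urpf_strict over (src, ingress) tuples; return (verdicts, drop_count)."""
    verdicts = [(src, ingress, urpf_strict(fib, src, ingress, **options))
                for src, ingress in packets]
    drops = sum(1 for _, _, verdict in verdicts if verdict == "drop")
    return verdicts, drops


if __name__ == "__main__":
    # Constructed packets: a legitimate LAN host, the same LAN address arriving
    # from the ISP uplink (spoofed), and a genuine Internet source on the uplink.
    sample = [
        ("10.1.5.5", "Gi0/1"),
        ("10.1.5.5", "Gi0/0"),
        ("198.51.100.7", "Gi0/0"),
    ]
    for allow in (False, True):
        verdicts, drops = check_packets(SAMPLE_FIB, sample, allow_default=allow)
        print(f"allow_default={allow}: {drops} dropped")
        for src, ingress, verdict in verdicts:
            print(f"  src={src:<14} in={ingress:<6} -> {verdict}")
```

The second run of the sample shows why the allow-default choice matters on an edge router whose only route toward the Internet is a default: without it, every Internet-sourced packet on the uplink fails the strict check, so the spoofed LAN address and the genuine 198.51.100.7 are dropped alike.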
From: [email protected] [mailto:[email protected]] On behalf of Adil Pasha
Sent: Wednesday, June 15, 2011 14:19
To: Anthony Sequeira
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Adv.Sec. / Net. Attacks (strategy)

You guys are the best.

Best Regards.
______________________
Adil

On Jun 15, 2011, at 12:24 PM, Anthony Sequeira wrote:

This is pure awesomeness. It inspired me to start a new 5 part series on blog.ipexpert.com entitled Preventing Basic DDoS Attacks. I am expanding a bit on the article in the first link. The first post in the series will hit this week.

From: [email protected] [mailto:[email protected]] On Behalf Of Renato Morais
Sent: Tuesday, June 14, 2011 9:51 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Adv.Sec. / Net. Attacks (strategy)

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks - http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
Defining Strategies to Protect Against TCP SYN Denial of Service Attacks - http://www.cisco.com/en/US/partner/tech/tk828/technologies_tech_note09186a00800f67d5.shtml
Defining Strategies to Protect Against UDP Diagnostic Port Denial-of-Service Attacks - http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a008017690e.shtml
ASA/PIX 7.x and Later: Mitigating the Network Attacks - http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00809763ea.shtml
DNS Best Practices, Network Protections, and Attack Identification - http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
DHCP Consumption Attack and Mitigation Techniques - http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps708/white_Paper_C11_603833.html
MAC Address Overflow Attack and Mitigation Techniques - http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html
ARP Poisoning Attack and Mitigation Techniques - http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html
VLAN Security White Paper - http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Virtual Fragmentation Reassembly - http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t8/feature/guide/gt_vfrag.html

Renato Morais

On Tue, Jun 14, 2011 at 11:10 AM, Carlos Alberto Campos Jardim <[email protected]> wrote:

Hi Guys, I had a failed attempt in November last year but I did not give up! At this time, I decided to focus especially on Advanced Security and Network Attacks, the last two sections of the exam, in which I did not get the marks I was expecting. If I left something without an answer it was because I didn't know the solution. I can say that 80% of my mistakes were on these last 2 sections and wanted to ask you all about techniques on how to prepare and get better at it. I had lots of practice but I failed at identifying the best solution and the best strategy when it comes to protecting the network against certain threats. I would be grateful if I get some ideas on how to study for it! Hope you guys are working hard!

Regards,
Carlos Jardim

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
