DOS protection on routers?

Just wondering: on some of the advanced routers with stateful-packet inspection, they claim DoS protection. I'm just not sure how those routers could protect against flooding and stuff any better than plain packet filtering on the more basic routers.
macyh (MVM), 2001-Dec-1 4:33 pm:
It's true that the routers can do little about DoS other than simply not pass the suspect packets onto the LAN. If someone floods your IP address with anything, there's not a lot you can do about it if you have no control of what passes at the other end of the link, farthest from you and closer to the origination point.
Any effective control of DoS really has to be done at the end of the link closest to the source. That's why any ISP that is the target of a DoS attack scrambles to have the attack filtered out at the peering or uplink point.
Even the traditional method of simple address filtering becomes difficult when the DoS attack comes from many different points of origination, as many of the most recent forms of attack do. In these cases, the actual target as well as the source addresses must often be filtered and/or relocated to a new address. Again, not a practical option for an ADSL (or even a T1, for that matter) user on a leaf node with no backup address/path protection/redundancy.
There are techniques routers and firewalls can use to minimize participation in DoS attacks, often involving behaviors in the face of intentionally malformed packets. In most cases, that's what the vendors are trying to "talk up".
For those who want a bit more practical info about DoS attacks and how ISPs can cope with them, a good place to start might be the recent article on this topic in "Boardwatch" magazine.
jbibe (Premium Member), reply to regular9:
When the vendor states that stateful packet inspection can handle DoS attacks, they are correct. For typical DoS attacks - Ping of Death, Teardrop attack, SYN flood, LAND attacks, IP spoofing - stateful packet inspection is superior to a plain packet filter. For example, stateful packet inspection can easily determine that the ping packet is too large (Ping of Death), or that the fragmented packets overlap (Teardrop attack), or that there is a large number of half-open connection requests (SYN flood), etc. In each of these cases, the packet filter can't identify the faulty packets.
If, as macyh assumes, the data rate is high enough, the incoming packets can saturate the data pipe, preventing the desired traffic from reaching the router. For this case, the data must be controlled upstream by the ISP, as stated by macyh. [text was edited by author 2001-12-01 17:54:41]
ah thx for clearing it up, i guess stateful-packet inspection just adds an extra layer of protection.
robbie (Anon), 2001-Dec-3 2:41 pm, reply to regular9:
Another item to point out:
SESSION THRESHOLDS
Code red is a very effective denial of service attack on routers. I own a Netscreen 5xp and this is how they handle it.
Every connection in and out of the device is managed thru a 'session' ... a table the Netscreen keeps up with internally. The maximum number of sessions is determined by the type of hardware chip installed in it. On a 5xp, the session maximum is 2000. One PC can use, say, 10 sessions for one web page. Sessions are dynamically added and removed from this table normally. Unclean exits will time out after approx 20-30 minutes.
If Code Red infects a PC on the private, internal LAN, it will attempt to send out a flood of pings to some web site from the infected private machine. Well, it sends so many out that the session table of the Netscreen will fill up to the maximum of 2000. This now prevents normal, legal traffic from going to the internet. Denial of Service. This also keeps allowed traffic outside from coming in.
Netscreen created a threshold limit that says: no more than (example) 100 sessions maximum from one IP address. Leave the remaining 1900 sessions available.
Now go correct the infected pc.
This helps.
Robbie
bbarrera (MVM), reply to regular9:
Just like every other firewall, ZyWALL manages connections thru the concept of a 'session.' For detecting and managing denial of service attacks, the ZyWALL monitors both the rate of session establishment attempts and the total number of half-open sessions. There are a number of configurable parameters that determine the thresholds for when a denial of service attack is occurring. Changing the default values is useful if you are running slow or busy servers.
In addition, you can tune the parameters for TCP timeouts (in both LAN->WAN and WAN->LAN directions). For connectionless protocols such as UDP and ICMP, the ZyWALL also allows you to configure timeout values. [text was edited by author 2001-12-04 02:03:56]
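The session-table behaviour robbie and bbarrera describe (a fixed table size, a per-source session cap, and half-open entries that age out) as an added, constructed Python model; it is not code from either poster or from Netscreen or ZyXEL, and the host addresses and port numbers are made up for the simulation. It uses the thread's numbers: 2000 sessions total and an example cap of 100 per source IP.

```python
from collections import defaultdict

# Constructed model of a stateful firewall's session table, following the numbers
# quoted in the thread (2000 sessions on a Netscreen 5xp, an example per-source cap
# of 100). Class and function names are my own, not any vendor's API.
SESSION_MAX = 2000
PER_SOURCE_MAX = 100
HALF_OPEN_TIMEOUT = 30  # seconds an unanswered SYN may sit in the table (assumed)


class SessionTable:
    def __init__(self, session_max=SESSION_MAX, per_source_max=PER_SOURCE_MAX):
        self.session_max = session_max
        self.per_source_max = per_source_max
        self.sessions = {}                 # (src, sport, dst, dport) -> {"state", "t"}
        self.per_source = defaultdict(int)  # sessions currently held by each source IP

    def open(self, src, sport, dst, dport, now):
        """Admit a new half-open session, or refuse it if a limit is reached."""
        key = (src, sport, dst, dport)
        if key in self.sessions:
            return True
        if len(self.sessions) >= self.session_max:      # table full: everyone is refused
            return False
        if self.per_source[src] >= self.per_source_max:  # one host may not hog the table
            return False
        self.sessions[key] = {"state": "half-open", "t": now}
        self.per_source[src] += 1
        return True

    def expire(self, now, timeout=HALF_OPEN_TIMEOUT):
        """Drop half-open entries whose handshake never completed; returns how many."""
        stale = [k for k, s in self.sessions.items()
                 if s["state"] == "half-open" and now - s["t"] > timeout]
        for k in stale:
            self.per_source[k[0]] -= 1
            del self.sessions[k]
        return len(stale)


def simulate_flood(per_source_max):
    """An infected LAN host opens 3000 sessions; a clean host then tries one."""
    table = SessionTable(per_source_max=per_source_max)
    admitted = sum(table.open("10.0.0.5", 1024 + i, "198.51.100.1", 80, now=0)
                   for i in range(3000))
    clean_ok = table.open("10.0.0.7", 40000, "203.0.113.9", 443, now=1)
    expired = table.expire(now=60)  # nothing completed a handshake, so all age out
    return admitted, clean_ok, expired, len(table.sessions)
```

Run `simulate_flood(PER_SOURCE_MAX)` against `simulate_flood(SESSION_MAX)` to see the difference: with the cap the flooder is held to 100 entries and the clean host still gets out; without it the flooder fills all 2000 and the clean host is refused.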
so would all this extra monitoring slow down the connection by a little bit?
SYNACK (Mod):
99.9% of all home connections are significantly slower than the top speed of these routers. Even if you are downloading at 1.5Mb/s, the router is mostly idle.
Compared to NAT housekeeping, etc. (that needs to be done anyway), these are all minor issues and are insignificant.
Imagine you get a SYN flood. Would you rather block them at first sight if a threshold is reached, or would you rather pipe them through all the packet processing of accepted packets?