Brocade NetIron Denial of Service Prevention

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Brocade NetIron Denial of Service Prevention"

Transcription

1 White Paper Brocade NetIron Denial of Service Prevention This white paper documents the best practices for Denial of Service Attack Prevention on Brocade NetIron platforms.

2 Table of Contents Brocade NetIron Denial of Service Prevention... 1 Introduction... 3 Overview of Denial of Service (DoS) Attacks... 3 Primary Types of DoS Attacks... 3 Brute Force Flooding Attacks... 4 IPv6 Neighbor Discovery (ND6) Attack Example Rate-Limiting IPv6 Traffic Hardware Based Drop Entry Solution... 5 TCP ACK Attack Example Control Traffic Prioritization Solution Control Plane Resiliency with Hardware Based Scheduling Solution IP Receive ACL (racl) Configuration Recommendation... 7 NetIron Brute Force Flooding Attack Solution Summary Protocol Based Attacks SYN Flood Attack Example TCP Rate Limiting Configuration Recommendation TCP ACL Configuration Recommendation TCP Reset Attack Example TCP Reset Attack Solution XMAS Tree Attack Example XMAS Tree Attack Solution SMURF Attack Example SMURF Attack Configuration Recommendation PING of Death Attack Example PING of Death Attack Solution TearDrop Attack Example TearDrop Attack Solution NetIron Protocol Based Attack Solution Summary Conclusion Page 2 of 17

3 INTRODUCTION This is Version 1 of a white paper that will discuss the best practices recommended by Brocade for securing the NetIron platform from Denial of Service (DoS) attacks. It will cover the definition of a DoS attack, the primary types of DoS attacks, and provide the solutions to prevent and mitigate each of the identified DoS attacks. Some of the prevention mechanisms are enabled by default in the hardware and/or software of the system. When that is the case, it will be pointed out. When a prevention mechanism requires configuration of the system, best practice parameters for these configurations are discussed. Version 2 of this white paper will contain more details of example best practice configurations. It is important to realize that the best practices discussed in this paper should be a subset of an overall security strategy to mitigate risk and improve network availability and stability. OVERVIEW OF DENIAL OF SERVICE (DOS) ATTACKS DoS attacks are threats to computer and network systems that aim to exploit known limitations and/or vulnerabilities in the software or hardware of devices in a network. The intended result is to disrupt or terminate services provided by that system, making the service or system unavailable for its intended use. The primary goal of a DoS attack is to crash the services being provided by the targeted system and/or to exhaust the available resources of the targeted system, making the system unstable or unusable. The result is that the service being offered is denied to valid users of the system. One advanced type of DoS attack is a Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems are coordinated to attack and exhaust the resources of a targeted system or to deny bandwidth to or from the targeted system. Because the source IP addresses of the attacking hosts can be spoofed, a DDoS attack could come from a limited set of hosts or even from a single specific host while giving the appearance of a distributed attack. These types of attacks are particularly difficult to trace which sources are responsible for the attack. PRIMARY TYPES OF DOS ATTACKS There are two primary categories of DoS attacks that are discussed in this paper. Brute Force Flooding attacks and Protocol Based attacks; both of which have many different variations of attack or exploit. A brute force flooding attack is aimed at consuming a finite resource such as CPU, bandwidth or a limited amount of memory space in the targeted system. A protocol based attack exploits a specific feature or implementation of a protocol installed on the targeted system, in order to consume excess amounts of its resources. Rather than just attacking the system by brute force, a specific protocol feature or implementation is targeted. Both of these types of attacks can cause resources in the targeted system to be excessively consumed; ultimately resulting in a denial of service. Some examples of protocol based attacks are: Attacks on TCP vulnerabilities o SYN flood o ACK flood o Reset attack o XMAS tree attack Attacks on ICMP o Smurf attack o Ping flood o Ping of death Attacks based on fragmentation o Teardrop attack Page 3 of 17

4 o Ping of death DNS based DDoS attacks o DNS amplification attack BRUTE FORCE FLOODING ATTACKS As previously stated, a brute force flooding attack is intended to consume a finite resource such as CPU, bandwidth or memory available in a targeted system. Doing so causes the system resources to become unavailable for legitimate users. The primary solution against a brute force flooding attack is to ensure there is better protection of all finite resources s in the system and to ensure prioritization ization of legitimate control plane traffic over other types of traffic. IPv6 Neighbor Discovery (ND6) Attack Example One example of a brute force flooding attack is the IPv6 Neighbor Discovery (ND6) DoS attack. IPv6 neighbor discovery is used by nodes on the same link to discover each other s presence, to determine each other s link- layer addresses, to find available routers on the link, and to maintain reachability information about active neighbors on the link. The IPv6 neighbor information is maintained in the ND6 table, which is stored in the routers memory. This type of attack involves a traffic sweep of unused addresses on the system and sending large amounts of traffic to one of the unused addresses. Performing an address sweep of unused directly connected hosts can consume the entire ND6 table, resulting in large numbers of Neighbor Solicitation (NS) messages to be generated. NS messages are sent by the router to determine the link-local local address of a neighbor, or to verify the neighbor is still reachable via a cached link-local local address. When the ND6 table is entirely consumed by this type of attack, the resulting depletion of legitimate ND6 table entries causes legitimate neighbors to become unreachable. Also, sending large amounts of traffic to a single unused IPv6 address can keep the CPU busy doing ND resolution. Both of these attacks can be mitigated by ensuring prioritization of legitimate control plane traffic over other types of traffic. Figure 1: Example of IPv6 Neighbor Discovery (ND6) Brute Force Attack 1. Rate-Limiting IPv6 Traffic As stated, when an IPv6 packet is received that is destined to a subnet address which belongs on the device, the packet is sent to the MP for processing. The MP then sends a neighbor solicitation packet to the neighbor if the neighbor MAC address is not yet resolved. An attacker can initiate a DoS attack in which it can send unsolicited packets to the router, destined for a non-existing address. The CPU on the MP will be using a lot of resources in Page 4 of 17

5 attempting to resolve the unknown neighbor. Similarly an attacker can do an address sweep of the device to attempt t a DoS attack. Through this feature we are intending to prevent these kinds of DoS attacks. Here is a system level command which will be applicable to all the VRFs on the NetIron device. [no]ipv6 rate-limit subnet policy-map <policy-map > When this command is given, it will set rate limiter parameters based upon the defined policy map. The rate limiter will protect the MP CPU from excessive IPv6 packets destined to the device. If the policy map is not configured then it will configured the rate limiter with line rate values. This command is similar to the arp rate-limit command. It is also possible to view the counters for this command. show rate-limit ipv6 subnet This will show the number of bytes forwarded to MP CPU along with the number of dropped bytes. The output of this command is be similar to show rate-limit arp command. A sample output is shown below. Router# show rate-limit ipv6-subnet Fwd: 252 Drop: 0 bytes Re-mark: 0 Total: 252 bytes 2. Hardware Based Drop Entry Solution The hardware based drop entry feature is a mechanism to drop traffic that is destined to a host entry that is stored in a hardware cache, if that host is pending an ARP/ND resolution. This feature is built into the NetIron platform and requires no additional configuration. Host entries are automatically programmed in hardware to drop traffic destined to a host that is pending an ARP/ND resolution. All pending entries that are over the platform limit are then maintained in software.. During ARP or ND resolution, the drop entry is removed & a CAM entry is added after a successful resolution.. However, it is important to note that when the hardware drop entry limit is reached, the CPU is no longer protected from traffic to new hosts that need resolution. In this scenario, consider using receive ACLs as an additional way to protect the control plane CPU. Figure 2: : Example of Hardware Based Drop Entries Solution Page 5 of 17

6 TCP ACK Attack Example This type of attack consists of simply sending a high rate of TCP ACK packets to an IP address and TCP Port number of the system. This is done to a well known port that the targeted systems CPU is listening on (for instance, BGP Port 179). The TCP stack of the system needs to process the ACK before it can discard it as illegitimate traffic. This keeps the CPU busy processing the TCP ACKs and sending TCP RST packets back to the source. This is standard behavior for a TCP stack. However, doing so causes the CPU to potentially become unavailable for processing legitimate control and management plane traffic. This type of attack can be mitigated by configuring hardware-level Access Control List (ACL) mechanisms to protect the control plane from receiving traffic from unauthorized sources. Since the ACL is performed by hardware, it will operate at high-performance while preventing these illegitimate packets from ever reaching the systems CPU. Figure 3: : Example of TCP Port 179 Brute Force Attack 1. Control Traffic Prioritization Solution The NetIron platform performs prioritization of control plane traffic so that lower priority traffic cannot overwhelm high priority control plane traffic. The platform also features the use of separate queues for each priority level. This ensures that the critical high priority control plane traffic is not affected by high rates of low priority traffic. The platform also implements a complete separation of the data plane from the control plane,, so that data plane packets and control plane packets do not share same queues in hardware. Additionally, with complete separation of the data and control planes, impacts to the control plane CPU do not impact the packet forwarding performance that is done in hardware in the date plane. 2. Control Plane Resiliency with Hardware Based Scheduling Solution This feature allows prioritization and scheduling mechanisms at a finer granularity to achieve better control plane resiliency. All packets destined to the Line Processor (LP) CPU are put in 32 traffic manager queues that are in hardware. No QoS scheduling of these queues is handled by the LP CPU; all QoS scheduling is done in hardware by the traffic manager (TM) processor. Scheduling & policing applied within these queues guarantee s optimal control packet processing. Additional highlights of this feature: Protocol control packets are prioritized over management traffic (telnet, ping etc). Protocol control packets are prioritized over MAC SA learning, sflow, logging packets etc. Management traffic is prioritized over MAC SA learning, sflow, logging and other packets processed by the CPU Weighted scheduling used to ensure no queue starvation Rate shaping applied to packets to ensure that CPU is not affected by control packet storms Page 6 of 17

7 Figure 4: Example of Hardware Based Scheduling Solution 3. IP Receive ACL (racl) Configuration Recommendation The IP receive Access-Control List feature (racl) provides a hardware-based filtering capability for IPv4 traffic destined for the CPU in the default VRF.. This protects the management module s CPU from being overloaded due to large amounts of traffic sent to one or more of the platform s IP interfaces. Control and management traffic that have a destination IP address of the device itself is handled by the management module s CPU. These racls will provide hardware based protection for the CPU; to prevent it from being overwhelmed by excessive and/or illegitimate control and management traffic. Figure 5: Example of Receive ACLs Solution Traffic types: Management traffic Used to manage and operate the device itself (Telnet, SSH, TFTP, SNMP etc) Control traffic Used to create and operate the network (ARP, BGP, OSPF etc) Data traffic Transit traffic being forwarded by the device.. Not processed by management module CPU. a. Receive ACLs and IP Inbound ACLs Interaction Normal IP inbound ACLs are applied at the interface level and are the conventional way of controlling access to or through the router. However, using IP inbound ACLs to protect the control plane can become quite cumbersome Page 7 of 17

8 because they need to be replicated for all interfaces. racls simplify this task, as only a single instance of an racl is needed to protect all the interfaces on the device. In other words, an racl is applied only once and provides protection for all interfaces on the router platform. On the NetIron platform, when both racls and inbound ACLs are configured simultaneously, traffic matching racls will not be subject to inbound ACL filtering. So it is important to have the racl configured appropriately, so that it matches only management and control traffic that is destined to the routers management CPU and the rest of the traffic can be subject to normal IP inbound ACL filtering. For instance, consider the following example An IP inbound ACL has been configured on the interface to deny all traffic to TCP port 80 An racl has also been configured on the same interface with the following clause permit host any. Figure 6: : Example of Receive ACLs and Inbound ACLs Solution Now, if host accesses port 80 on one of the system IP addresses, the traffic will be permitted. If the user does not want this behavior and wants the traffic to be dropped instead, he would have to add an explicit clause to the racl to drop traffic destined to port 80 from host b. racls and L2 Inbound ACLs Interaction L2 inbound ACLs are a way to control access to the network by filtering traffic based on the packet s L2 header information (including MAC addresses and VLAN ID). While, IP inbound ACLs filter traffic based on the packets L3 header information. If there is a requirement to simultaneously support L2 ACLs along with racls, racls are then evaluated in software rather than in hardware. Therefore, rate limiting using racls is not possible in this scenario. Furthermore, when an interface is configured with an L2 ACL, only traffic permitted by the L2 ACL will be processed by the racl. The L2 ACL is processed before any racls are processed. Due to this, it is recommended that racls are used in conjunction with IP ACLs instead of with L2 ACLs. Page 8 of 17

9 Figure 7: : Example of Receive ACLs and L2 ACLs Solution c. racls and DoS Attack Prevention Policies DoS attack policies protect the CPU from being flooded with attack traffic designed to slow down or stop normal operation. Brocade devices support measures to defend against two of these types of attacks Smurf attacks and TCP SYN attacks. The DoS attack prevention mechanisms are software implementations. However, when racls are configured along with DoS attack prevention, the DoS attack prevention features will act only on the traffic that has been permitted by racls. Figure 8: Example of Receive ACLs and DoS Attack Policy Solution d. racl and Rate Limiting Configuration Recommendation For legitimate control or management plane traffic, it is not possible to deny this traffic as this type of traffic is needed by the system. For this traffic, it is still preferable to protect the CPU from being overwhelmed from processing too much of this traffic. Rate limiting should be used in this case to protect the systems resources. Typical examples of this type of legitimate traffic are: ICMP echo requests to any of the interface IP addresses on the system OSPF control traffic Page 9 of 17

10 SNMP management traffic Although it is normal to expect a moderate amount of such traffic type, the control plane needs to be protected against possible attacks of sending very large amounts of this type of traffic. Rate limiting is the recommended method to mitigate this type of attack. racls can be used to rate limit such traffic going to the control plane by using a policy-map option. When the policy-map option is used, traffic matching the permit clause is rate limited as defined in the specified policy map and traffic matching the deny clause is permitted without rate limiting. Alternately, the policy-map can be used with the strict-acl option to rate limit traffic matching the permit clause and to drop traffic matching the deny clause. e. racl White vs Black List Configuration Recommendation It is always advisable to only permit specific authorized sources to access the control plane and deny everything else. This would involve the creation of a specific white list with a permit clause, followed by a deny all clause for all other traffic. However, it is risky to construct new racls this way unless all traffic and protocols are known in advance. It might be difficult to know in advance every protocol that might need to be processed by the management modules CPU. Therefore, a suggested approach of creating racls would be the following: Begin constructing racls by permitting known, authorized traffic (i.e. a white list): o List of known peers (eg: sources) for the control plane protocols that are deployed (BGP, OSPF, RSVP etc) o List of known hosts/subnets that are designated to operate in the management plane of the network (telnet, ssh, tftp, snmp, http/https etc) Explicitly deny specific, unwanted traffic (i.e. a black list): o IP fragments o Attack traffic from known hostile networks o Traffic from bogon IP addresses (reserved/unallocated IP space) It is then recommended to have additional clauses at the end of the racl to help classify currently unknown, incoming traffic further. This final clause is meant to identify all other traffic arriving on the device, whether that traffic type is known in advance or not. This allows the customer to determine all traffic types that are directed to the system. The preceding permit and deny clauses can then be updated based on this learned information. It is important to ensure that this last clause has a permit all so as not to inadvertently prevent critical traffic from reaching the management CPU. Over time, as all the traffic reaching the management modules CPU is identified and categorized as desirable or not, the racl can be fine tuned to either permit or deny each traffic class and the permit any at the bottom of the racl can be removed when the associated traffic counter is no longer incrementing. This is one method of identifying all important traffic types, when this is not known in advance. f. racls to Protect Local Services/Open Ports Configuration Recommendation All TCP/UDP ports are closed by default on the NetIron platform. A given port starts to listen for incoming connections only when the corresponding application has been configured and started. For instance, telnet port 23 is opened to listen for incoming telnet requests only when the telnet server is enabled on the device. When using racls, the following guidelines should be used when a new local service is configured: If the racl ends with a deny any any clause (ie, the racl consists only of a white list with explicitly permitted hosts/networks and ends with a deny all), explicit rules need to be added to allow access to the newly opened port. Page 10 of 17

11 If the racl ends with a permit any any (ie, the racl consists of explicitly denied black list and ends with a permit all), deny statements should be added to block unwanted hosts/networks from accessing the newly opened up port. When access to the port/service cannot be explicitly granted to known hosts, consider rate limiting traffic to the local service/port to avoid full exposure to an attack. An example when configuring BGP on the device: If implementing white lists, add racl clauses to permit access to TCP port 179 from every configured BGP peer. This is needed to bring up BGP, as without allowing explicit access, BGP won t even come up. If implementing black lists, add racl clauses to explicitly deny access to TCP port 179 from known bad hosts/networks. Although BGP would be functional without this step, port 179 can be subject to a DOS attack and this is best prevented by adding a deny clause to the racl. Customers with 100s of BGP peers need to take the following into consideration while using racls. Every racl clause configured with a destination IP as any will be replicated internally in hardware for every IP address defined in the system. For example, on a system with 50 interface IP addresses, an racl clause such as permit ip any tcp any 179 will be replicated internally into 50 hardware entries. To avoid a scaling concern, customers can specify specific the destination IP addresses in their racl definitions, instead of using any. For instance, since every BGP peer will be establishing BGP session(s) with a specific destination IP address in the system, specifying white list clauses that allow those peers to connect to specific IP addresses will avoid hitting scaling issues. g. Changing an Existing racl Configuration Changes in racl configurations are not automatically applied to the systems hardware. Customers need to use the command ip rebind-receive receive-acl all to reapply the racls to the systems hardware. This command should be used in the following situations: Changes are made to an existing racl or a new racl clause is added to an existing set of racls in the system. When a new IP interface is added to the system. When an IP interface is removed from the system, and you want to free up the racl hardware table space allocated for that IP interface. It is advisable to make changes to racl configurations only during a scheduled maintenance window to mitigate the impact to production traffic. h. racl Configuration Considerations Here is a list of considerations that should be kept in mind when configuring racls. racl clauses with a destination IP address that is specified as any are replicated internally for every interface IP address configured on the system. Both the number of IP interfaces as well as the size of the racls needs to be considered while planning capacity for racls. If you are running into a scaling limitation with racls, consider the following: Page 11 of 17

12 Identify external facing interfaces separately from internal interfaces and apply an IP inbound ACLs per external interface. Convert the destination any in the racl clause to specific destination IP addresses. IPv6 racls are currently not supported. This is coming in a future release. In the meantime, consider using IPv6 interface ACLs to protect the system. racls are evaluated in software when configured simultaneously with L2 ACLs. NetIron Brute Force Flooding Attack Solution Summary The following table lists the NetIron solutions to prevent brute force flooding attacks. Some of these solutions are features that are built into the NetIron platform and some of these solutions require configuration based on best practices. NetIron Feature Problem(s) Addressed Enabling the feature Hardware based drop entry implementation Protects CPU from being overwhelmed due to high rate of spurious traffic to non-existing IPv6/IPv4 hosts needing ARP/ND6 resolution Built in no configuration necessary CPU Prioritization of Traffic Prioritizes critical control plane traffic from being disrupted due to large volume of data plane/attack traffic Built in no configuration necessary Receive ACLs Protects the CPU from being overloaded due to large amounts of traffic sent to one or more of the Brocade device s IP addresses Configuration necessary Many best practices and considerations for configuration of Receive ACLs provided PROTOCOL BASED ATTACKS Protocol based attacks are aimed at targeting protocol specific implementation vulnerabilities of a targeted system. There are various attacks that target different layers of the protocol stack IP, TCP, ICMP, etc. The nature of an attack can vary from having a high rate of traffic that consumes a protocol specific resource to the construction of malformed packets designed to exploit a protocol implementation flaw. Page 12 of 17

13 SYN Flood Attack Example The goal of a SYN flood attack is to exhaust the targeted systems half open TCP queue, which is a limited resource. For example: An attacker creates a random source address for each packet. The SYN flag is set in each packet so a request to open a new connection from the spoofed IP address is made on the targeted system. The TCP/IP stack of the targeted system responds to the spoofed IP address with a SYN ACK, and puts this connection in a half open queue. This queue is limited in size and much smaller than the established queue. The half open queue fills up waiting for client ACK s that never arrive. At this point, legitimate user requests are ignored as well. This results in denying them access to the targeted system. 1. TCP Rate Limiting Configuration Recommendation The ip tcp burst-normal command allows the user to configure NetIron devices to drop TCP SYN packets when excessive numbers are encountered. Syntax: ip tcp burst-normal <value> < burst-max <value> lockup <sec> Recommended values for the ip tcp burst-normal command The value for burst-normal should be set to the expected number of new TCP connection requests coming into the device. For instance, when there are 50 BGP peers configured, all 50 peers would initiate new connections when the device initializes. So in this scenario, the value of burst-normal should be set to at least 50. The burst-max should be set to a value that is never expected to be reached under normal operating conditions. This threshold should be set to a value that indicates an attack with certainty, as the associated action would be to lock up the system from accepting any new connections, including both legitimate and illegitimate sources. The lockup should be set to a value that will protect the system for the expected duration of the attack. Typical attacks last in the order of minutes. So typical values for the lockup field should be 5 to 10 minutes. 2. TCP ACL Configuration Recommendation In the case where the attacking host or network is identifiable (not random), ACLs (either IP inbound ACLs or racls) can be used to protect the control plane against the SYN flood by using the following clause in the ACL definition: deny tcp tcp-operator syn If the attack is on a specific unsecured external interface which is different from the secure internal interfaces, IP inbound ACLs can be used on the external interfaces to protect against SYN flood attacks. If the attack is coming in on multiple interfaces on the system and directed at the system IP addresses, use racls to protect the control plane from SYN flood attacks Page 13 of 17

14 TCP Reset Attack Example This type of attack is meant to abnormally terminate legitimate TCP connections by sending a packet with the TCP RST bit set. The attacker tries to guess the sequence number of the RST segment, in order to exploit poor implementations of window checking on the targeted systems TCP stack. 1. TCP Reset Attack Solution The NetIron platform has in-built capabilities to prevent against such an attack, and performs stringent sequence number checks before treating the RST as valid and terminating the connection. XMAS Tree Attack Example A XMAS tree attack is designed to exploit the vulnerabilities of a targeted systems TCP stack implementation. This type of attack works by setting multiple bits in the TCP header (SYN, FIN, URG, PUSH). A XMAS tree attack can be used to scan the system, whereby the response to the XMAS tree packets can help the attacker figure out the underlying operating system. XMAS tree attacks can also be used to cause unpredictable behavior of the targeted systems TCP/IP stack, thereby disrupting the TCP state machine of the system. 1. XMAS Tree Attack Solution The TCP stack of the NetIron platform is hardened against an XMAS tree attack, and discards packets that have conflicting TCP bits set. SMURF Attack Example This type of attack relies on sending a large amount of ICMP echo request (ping) traffic to an IP broadcast address on the targeted system. All of these packets would have a spoofed source IP address that belongs to the targeted system. When a router delivers the IP broadcast to all directly connected hosts, most hosts will respond with an ICMP echo reply, thereby overwhelming the targeted system resources. A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers act to amplify (worsen the severity of) a Smurf attack because they are configured in such a way that they generate a large number of ICMP replies to a spoofed source IP address (which belongs to the target of the attack). 1. SMURF Attack Configuration Recommendation To protect against Smurf attacks on the NetIron: Avoid being an intermediary in a SMURF attack. A smurf attack relies on an intermediary system to broadcast ICMP echo request packets to hosts on a target subnet. To avoid being an intermediary, you can disable forwarding of directed broadcast packets by using the command no ip directed-broadcast broadcast. Note: ip directed-broadcast is disabled by default on the NetIron platform. Avoiding being a victim of a SMURF attack. You can configure the device to drop ICMP packets when excessive numbers are encountered by using the ip icmp burst-normal command Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds> Example: Brocade(config)#ip ip icmp burst-normal 5000 burst-max lockup 300 Page 14 of 17

15 Recommended values PING of Death Attack Example The value for burst-normal should be set to the expected number of ICMP packets coming into the device. These could be a mix of legitimate ICMP echo requests directed to the device for management purposes and ICMP diagnostic messages (unreachable messages etc) that need to be processed by the device. The burst-max should be set to a value that is never expected to be reached under normal operating conditions. This threshold should be set to a value that indicates an attack with certainty, as the associated action would be to lock up the system from processing any new ICMP packets including both legitimate and illegitimate. The lockup should be set to a value that will protect the system for the expected duration of the attack. Typical attacks last in the order of minutes. So typical values for the lockup field should be 5 to 10 minutes. This type of attack uses a ping packet of abnormal size, exceeding the TCP/IP specification, to either cause a system crash or to cause control and management plane applications to stop processing on the targeted system. This is usually implemented as a fragmented attack, which exploits vulnerabilities in the reassembly logic of the IP stack. When a targeted system attempts to reassemble a malformed fragment, a buffer overflow may occur, thereby possibly causing a system crash. The attack can be prevented by adding more rigorous checks in the reassembly process, where the length of the resulting IP datagram is pre-computed and checked not to exceed maximum IP datagram length (65535) before performing reassembly. 1. PING of Death Attack Solution On NetIron devices, the reassembly mechanism of the IP stack is hardened against this attack. All necessary checks for fragment length and offset are conducted before attempting to reassemble fragments. Invalid fragments are discarded by the stack. You can also use racls to block all IP fragments. Since legitimate control and management plane traffic is unlikely to be fragmented, you can use racls to block all IP fragments directed to the device. TearDrop Attack Example A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the targeted system. This can possibly crash the operating system of a targeted system due to a bug in the TCP/IP fragmentation reassembly logic. The attack can be prevented by placing more stringent checks in the IP reassembly process of the IP stack, to check for overlapping fragments and the resulting length before reassembling IP datagrams. 1. TearDrop Attack Solution On NetIron devices, the reassembly mechanism of the IP stack is hardened against this attack. All necessary checks for fragment length and offset are conducted before attempting to reassemble fragments. Invalid fragments are discarded by the stack. You can also use racls to block all IP fragments. Since legitimate control and management plane traffic is unlikely to be fragmented, you can use racls to block all IP fragments directed to the device. Page 15 of 17

16 NetIron Protocol Based Attack Solution Summary The following table lists the NetIron solutions to prevent protocol based attacks. Some of these solutions are features that are built into the NetIron platform and some of these solutions require configuration based on best practices. NetIron Feature Problem(s) Addressed Enabling the feature TCP SYN rate limiting Protects against SYN flood attacks Configuration necessary RST attack protection Protects against abnormal termination of legitimate connections Built in no configuration necessary TCP flag checker Protects against malformed TCP control packets Built in no configuration necessary Disabling Ip directed broadcast Protects against being an intermediary in a SMURF attack Built in no configuration necessary ICMP rate limiting Protects against being the victim of a SMURF attack, or any other ICMP flood attack Configuration necessary Strict IP reassembly module Protects against IP fragmentation attacks such as ping of death, teardrop attack Built in no configuration necessary Page 16 of 17

17 CONCLUSION Brocade NetIron routers support extensive protection mechanisms against Denial of Service (DoS) attacks. In addition, NetIron products have been reliably deployed for many years in many large SP and Enterprise networks. Examples of known attacks and the Brocade recommended solutions have been documented in this paper. Some of the solutions that are discussed are enabled by default in the systems hardware and software. They are explained here for completeness. When a solution requires a specific configuration to be enabled, examples are given on the best practice parameters associated with each type of configuration. Version 2 of this white paper will cover more details of example best practice configurations. The DoS prevention recommendations documented in this paper should become part of every NetIron router configuration template when a system is deployed in any network. As initially stated, this guide is a subset of an overall security strategy to mitigate risk and improve network availability and performance. Additional information regarding NetIron products can be found at Page 17 of 17

Chapter 7 Protecting Against Denial of Service Attacks

Chapter 7 Protecting Against Denial of Service Attacks Chapter 7 Protecting Against Denial of Service Attacks In a Denial of Service (DoS) attack, a Routing Switch is flooded with useless packets, hindering normal operation. HP devices include measures for

More information

Abstract. Introduction. Section I. What is Denial of Service Attack?

Abstract. Introduction. Section I. What is Denial of Service Attack? Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss

More information

Chapter 28 Denial of Service (DoS) Attack Prevention

Chapter 28 Denial of Service (DoS) Attack Prevention Chapter 28 Denial of Service (DoS) Attack Prevention Introduction... 28-2 Overview of Denial of Service Attacks... 28-2 IP Options... 28-2 LAND Attack... 28-3 Ping of Death Attack... 28-4 Smurf Attack...

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

Denial Of Service. Types of attacks

Denial Of Service. Types of attacks Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

CIT 480: Securing Computer Systems. TCP/IP Security

CIT 480: Securing Computer Systems. TCP/IP Security CIT 480: Securing Computer Systems TCP/IP Security Topics 1. Internet Protocol (IP) 2. IP Spoofing and Other Vulnerabilities 3. ICMP 4. Transmission Control Protocol (TCP) 5. TCP Session Hijacking 6. UDP

More information

ICMP Protocol and Its Security

ICMP Protocol and Its Security Lecture Notes (Syracuse University) ICMP Protocol and Its Security: 1 ICMP Protocol and Its Security 1 ICMP Protocol (Internet Control Message Protocol Motivation Purpose IP may fail to deliver datagrams

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

A1.1.1.11.1.1.2 1.1.1.3S B

A1.1.1.11.1.1.2 1.1.1.3S B CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

1. Firewall Configuration

1. Firewall Configuration 1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

A Very Incomplete Diagram of Network Attacks

A Very Incomplete Diagram of Network Attacks A Very Incomplete Diagram of Network Attacks TCP/IP Stack Reconnaissance Spoofing Tamper DoS Internet Transport Application HTTP SMTP DNS TCP UDP IP ICMP Network/Link 1) HTML/JS files 2)Banner Grabbing

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals Denial of Service Attacks Notes derived from Michael R. Grimaila s originals Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident

More information

Frequent Denial of Service Attacks

Frequent Denial of Service Attacks Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:avut001@ec.auckland.ac.nz Abstract Denial of Service is a well known term in network security world as

More information

Cisco Configuring Commonly Used IP ACLs

Cisco Configuring Commonly Used IP ACLs Table of Contents Configuring Commonly Used IP ACLs...1 Introduction...1 Prerequisites...2 Hardware and Software Versions...3 Configuration Examples...3 Allow a Select Host to Access the Network...3 Allow

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

ACHILLES CERTIFICATION. SIS Module SLS 1508

ACHILLES CERTIFICATION. SIS Module SLS 1508 ACHILLES CERTIFICATION PUBLIC REPORT Final DeltaV Report SIS Module SLS 1508 Disclaimer Wurldtech Security Inc. retains the right to change information in this report without notice. Wurldtech Security

More information

SECURING APACHE : DOS & DDOS ATTACKS - I

SECURING APACHE : DOS & DDOS ATTACKS - I SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial

More information

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS) Denial of Service Attacks and Countermeasures Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS) Student Objectives Upon successful completion of this module,

More information

Deployment Guide DDoS Protection for Web and DNS Servers

Deployment Guide DDoS Protection for Web and DNS Servers Deployment Guide DDoS Protection for Web and DNS Servers DG_DDoS Protection 052013.1 TABLE OF CONTENTS 1 Introduction... 4 2 Deployment Guide Overview... 4 3 What is DDoS?... 4 4 Types of DDoS Attacks

More information

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) Internet Control Message Protocol (ICMP) Relates to Lab 2: A short module on the Internet Control Message Protocol (ICMP). 1 Overview The IP (Internet Protocol) relies on several other protocols to perform

More information

What is a DoS attack?

What is a DoS attack? CprE 592-YG Computer and Network Forensics Log-based Signature Analysis Denial of Service Attacks - from analyst s point of view Yong Guan 3216 Coover Tel: (515) 294-8378 Email: guan@ee.iastate.edu October

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

IPv6 Diagnostic and Troubleshooting

IPv6 Diagnostic and Troubleshooting 8 IPv6 Diagnostic and Troubleshooting Contents Introduction.................................................. 8-2 ICMP Rate-Limiting........................................... 8-2 Ping for IPv6 (Ping6)..........................................

More information

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe

More information

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities

More information

A Study of DOS & DDOS Smurf Attack and Preventive Measures

A Study of DOS & DDOS Smurf Attack and Preventive Measures A Study of DOS & DDOS Smurf Attack and Preventive Measures 1 Sandeep, 2 Rajneet Abstract: The term denial of service (DOS) refers to a form of attacking computer systems over a network. When this attack

More information

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method

More information

CMS Operational Policy for Firewall Administration

CMS Operational Policy for Firewall Administration Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Firewall Administration July 16, 2008 Document Number: CMS-CIO-POL-INF11-01

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,

More information

Gaurav Gupta CMSC 681

Gaurav Gupta CMSC 681 Gaurav Gupta CMSC 681 Abstract A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing Denial of Service for users of the

More information

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,

More information

Denial of Service. Tom Chen SMU tchen@engr.smu.edu

Denial of Service. Tom Chen SMU tchen@engr.smu.edu Denial of Service Tom Chen SMU tchen@engr.smu.edu Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types

More information

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

Ethernet. Ethernet. Network Devices

Ethernet. Ethernet. Network Devices Ethernet Babak Kia Adjunct Professor Boston University College of Engineering ENG SC757 - Advanced Microprocessor Design Ethernet Ethernet is a term used to refer to a diverse set of frame based networking

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Attack Lab: Attacks on TCP/IP Protocols

Attack Lab: Attacks on TCP/IP Protocols Laboratory for Computer Security Education 1 Attack Lab: Attacks on TCP/IP Protocols Copyright c 2006-2010 Wenliang Du, Syracuse University. The development of this document is funded by the National Science

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

IPv6 Security : ICMPv6 Vulnerabilities. Navaneethan C. Arjuman National Advanced IPv6 Centre December 2012

IPv6 Security : ICMPv6 Vulnerabilities. Navaneethan C. Arjuman National Advanced IPv6 Centre December 2012 IPv6 Security : ICMPv6 Vulnerabilities Navaneethan C. Arjuman nava@nav6.usm.my National Advanced IPv6 Centre December 2012 1 Understanding ICMP What is ICMP? Internet Control Message Protocol (ICMP) ICMP

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Security of IPv6 and DNSSEC for penetration testers

Security of IPv6 and DNSSEC for penetration testers Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW) Implementing Secure Converged Wide Area Networks (ISCW) 1 Mitigating Threats and Attacks with Access Lists Lesson 7 Module 5 Cisco Device Hardening 2 Module Introduction The open nature of the Internet

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Application DDoS Mitigation

Application DDoS Mitigation Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...

More information

Surviving DNS DDoS Attacks. Introducing self-protecting servers

Surviving DNS DDoS Attacks. Introducing self-protecting servers Introducing self-protecting servers Background The current DNS environment is subject to a variety of distributed denial of service (DDoS) attacks, including reflected floods, amplification attacks, TCP

More information

OSI Transport layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

OSI Transport layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) OSI Transport layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1 Transmission Control Protocol (TCP) IP can only be used to send datagrams chunks or streams of information

More information

General Network Security

General Network Security 4 CHAPTER FOUR General Network Security Objectives This chapter covers the following Cisco-specific objectives for the Identify security threats to a network and describe general methods to mitigate those

More information

NetFlow/IPFIX Various Thoughts

NetFlow/IPFIX Various Thoughts NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management, July 2010 1 B #1 Application Visibility Business Case NetFlow (L3/L4) DPI Application

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Best Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013

Best Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013 Best Practices Guide: Vyatta Firewall SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013 INTRODUCTION Vyatta Network OS is a software-based networking and security solution that delivers advanced

More information

Firewalls Netasq. Security Management by NETASQ

Firewalls Netasq. Security Management by NETASQ Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed

More information

Configuring Denial of Service Protection

Configuring Denial of Service Protection 24 CHAPTER This chapter contains information on how to protect your system against Denial of Service (DoS) attacks. The information covered in this chapter is unique to the Catalyst 6500 series switches,

More information

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with

More information

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory Denial of Service (DoS) attacks and countermeasures Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory Definitions of DoS/DDoS attacks Denial of Service is the prevention of authorised access

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

More information

How do I get to www.randomsite.com?

How do I get to www.randomsite.com? Networking Primer* *caveat: this is just a brief and incomplete introduction to networking to help students without a networking background learn Network Security. How do I get to www.randomsite.com? Local

More information

Today s outline. CSE 127 Computer Security. NAT, Firewalls IDS DDoS. Basic Firewall Concept. TCP/IP Protocol Stack. Packet Filtering.

Today s outline. CSE 127 Computer Security. NAT, Firewalls IDS DDoS. Basic Firewall Concept. TCP/IP Protocol Stack. Packet Filtering. CSE 127 Computer Security Fall 2011 More on network security Todays outline NAT, Firewalls IDS DDoS Chris Kanich (standing in for Hovav) [some slides courtesy Dan Boneh & John Mitchell] TCP/IP Protocol

More information

Announcements. No question session this week

Announcements. No question session this week Announcements No question session this week Stretch break DoS attacks In Feb. 2000, Yahoo s router kept crashing - Engineers had problems with it before, but this was worse - Turned out they were being

More information

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Agenda A couple of examples of network protocols that

More information

IP Routing Features. Contents

IP Routing Features. Contents 7 IP Routing Features Contents Overview of IP Routing.......................................... 7-3 IP Interfaces................................................ 7-3 IP Tables and Caches........................................

More information

Chapter 8 Network Security

Chapter 8 Network Security [Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network

More information

Chapter 4 Rate Limiting

Chapter 4 Rate Limiting Chapter 4 Rate Limiting HP s rate limiting enables you to control the amount of bandwidth specific Ethernet traffic uses on specific interfaces, by limiting the amount of data the interface receives or

More information

IP Filter/Firewall Setup

IP Filter/Firewall Setup CHAPTER 9 IP Filter/Firewall Setup 9.1 Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a way of restricting users on the local

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto, Ramin Sadre Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attack Taxonomy Many different kind of

More information

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013 the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

More information

A Layperson s Guide To DoS Attacks

A Layperson s Guide To DoS Attacks A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4

More information

Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CYBER ATTACKS EXPLAINED: PACKET CRAFTING CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

IP address format: Dotted decimal notation: 10000000 00001011 00000011 00011111 128.11.3.31

IP address format: Dotted decimal notation: 10000000 00001011 00000011 00011111 128.11.3.31 IP address format: 7 24 Class A 0 Network ID Host ID 14 16 Class B 1 0 Network ID Host ID 21 8 Class C 1 1 0 Network ID Host ID 28 Class D 1 1 1 0 Multicast Address Dotted decimal notation: 10000000 00001011

More information

Firewalls and Intrusion Detection Systems. Advanced Computer Networks

Firewalls and Intrusion Detection Systems. Advanced Computer Networks Firewalls and Intrusion Detection Systems Advanced Computer Networks Firewalls & IDS Outline Firewalls Stateless packet filtering Stateful packet filtering Access Control Lists Application Gateways Intrusion

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

TCP/IP Concepts Review. A CEH Perspective

TCP/IP Concepts Review. A CEH Perspective TCP/IP Concepts Review A CEH Perspective 1 Objectives At the end of this unit, you will be able to: Describe the TCP/IP protocol stack For each level, explain roles and vulnerabilities Explain basic IP

More information

Denial of Service Attacks, What They are and How to Combat Them

Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

More information

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE 51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;

More information

Networks: IP and TCP. Internet Protocol

Networks: IP and TCP. Internet Protocol Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

IP - The Internet Protocol

IP - The Internet Protocol Orientation IP - The Internet Protocol IP (Internet Protocol) is a Network Layer Protocol. IP s current version is Version 4 (IPv4). It is specified in RFC 891. TCP UDP Transport Layer ICMP IP IGMP Network

More information