Denial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

Transcription

1 Denial of Service Attacks and Countermeasures Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)

2 Student Objectives Upon successful completion of this module, the student will be able to: Describe DoS attacks. Describe two common DoS attack modes and five DoS attack types. Describe basic DoS countermeasures. Describe and configure IP broadcast forwarding. Describe, configure, verify, and troubleshoot DoS-Protect. Identify actions to take during a DoS attack. page 2

3 What are DoS Attacks? Security breach designed to overwhelm systems with bogus or defective network traffic Potential to take network systems offline Can cost companies millions in damages page 3

4 Two Common DoS Attack Modes Asymmetrical Distributed page 4

5 DoS Attack Types SYN-ACK Attack or TCP-SYN Flooding Teardrop Attacks Smurf Attacks Martian Attacks Other page 5

6 TCP SYN Flood Example TCP SYN from to Change address from to TCP SYN, ACK from to No longer there 4. TCP SYN from to Change address from to TCP SYN, ACK from to No longer there page 6

7 DoS Attack Countermeasures Ingress Address Filtering Prevent Broadcast Amplification by disabling IP Broadcast forwarding Turn off unused TCP and UDP services ACL entries: Block unwanted traffic DoS-Protect page 7

8 IP Broadcast Forwarding Control To disable the IP forwarding broadcast (default is off) disable ipforwarding broadcast To disable the generation of ICMP network unreachable (type 3, code 0) and host unreachable (type 3, code 1) messages disable icmp unreachables {vlan <name>} To disable the generation of ICMP port unreachable messages (type 3, code 3) disable icmp port-unreachables {vlan <name>} To disable the modification of route table information when an ICMP redirect message is received (default is off) disable icmp useredirects {vlan <name>} page 8

9 How DoS-Protect Works DoS protection counts the incoming packets Suspicious packet counts near threshold, packet headers are saved When threshold is reached, headers are analyzed Hardware ACL is created to limit flow of the suspect packets to the CPU ACL will periodically expire, will be re-enabled if attack is still occurring With ACL in place, CPU has cycles to process legitimate traffic page 9

10 Implementing DoS-Protect Learn your network data-streams enable dos-protect simulated Configure the DoS-Protect parameters configure dos-protect type L3-protect alert-threshold <packets> configure dos-protect type L3-protect notify-threshold <packets> Configure Trusted Ports (optional) configure dos-protect trusted ports <ports> Enable DoS-Protect enable dos-protect page 10

11 Protecting the Switch CPU DoS-Protect Alerts and ACLs Alerts: Activated when specified threshold reached Interval: default 1 second Alert Threshold: default 4000 packets Notify Threshold: default 3500 packets ACL Expiration Time Default 5 seconds, can be adjusted configure dos-protect acl-expire <seconds> Dynamically creates ACL on the fly page 11

12 show dos-protect detail Displaying DoS-Protect Settings page 12

13 show log Troubleshooting DoS-Protect show log 10/07/ :42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0 10/07/ :42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to /07/ :42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to /07/ :42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to page 13

14 Actions to Take When Under DoS Attack Check the following Verify DoS-Protect is enabled CPU utilization IPARP statistics ICMP statistics Show IPSTAT ACL hit count page 14

15 Summary Describe DoS attacks. Describe two common DoS attack modes and five DoS attack types. Describe basic DoS countermeasures. Describe and configure IP broadcast forwarding. Describe, configure, verify, and troubleshoot DoS-Protect. Identify actions to take during a DoS attack. page 15