Denial of Service Attacks and Countermeasures
ExtremeXOS Implementing Advanced Security (EIAS)
Extreme Networks, Inc. All rights reserved.
Student Objectives
Upon successful completion of this module, the student will be able to:
  Describe DoS attacks.
  Describe two common DoS attack modes and five DoS attack types.
  Describe basic DoS countermeasures.
  Describe and configure IP broadcast forwarding.
  Describe, configure, verify, and troubleshoot DoS-Protect.
  Identify actions to take during a DoS attack.
What are DoS Attacks?
  A security breach designed to overwhelm systems with bogus or defective network traffic
  Potential to take network systems offline
  Can cost companies millions in damages
Two Common DoS Attack Modes
  Asymmetrical
  Distributed
DoS Attack Types
  SYN-ACK attack or TCP-SYN flooding
  Teardrop attacks
  Smurf attacks
  Martian attacks
  Other
TCP SYN Flood Example
Hosts in the diagram: the sender at 10.10.10.1 (later spoofing 20.20.20.1 and 30.30.30.1) and the target at 10.10.10.2.
  1. TCP SYN from 10.10.10.1 to 10.10.10.2
  2. Sender changes its source address from 10.10.10.1 to 20.20.20.1
  3. TCP SYN, ACK from 10.10.10.2 to 10.10.10.1 (no longer there)
  4. TCP SYN from 20.20.20.1 to 10.10.10.2
  5. Sender changes its source address from 20.20.20.1 to 30.30.30.1
  6. TCP SYN, ACK from 10.10.10.2 to 20.20.20.1 (no longer there)
Each SYN, ACK that is never answered leaves a half-open connection on 10.10.10.2, so the target's connection resources fill up while the sender spends almost nothing.
DoS Attack Countermeasures
  Ingress address filtering
  Prevent broadcast amplification by disabling IP broadcast forwarding
  Turn off unused TCP and UDP services
  ACL entries: block unwanted traffic
  DoS-Protect
IP Broadcast Forwarding Control
To disable IP broadcast forwarding (default is off):
    disable ipforwarding broadcast
To disable the generation of ICMP network unreachable (type 3, code 0) and host unreachable (type 3, code 1) messages:
    disable icmp unreachables {vlan <name>}
To disable the generation of ICMP port unreachable messages (type 3, code 3):
    disable icmp port-unreachables {vlan <name>}
To disable the modification of route table information when an ICMP redirect message is received (default is off):
    disable icmp useredirects {vlan <name>}
How DoS-Protect Works
  DoS protection counts the incoming packets sent to the CPU
  When the suspicious packet count approaches the threshold, packet headers are saved
  When the threshold is reached, the saved headers are analyzed
  A hardware ACL is created to limit the flow of the suspect packets to the CPU
  The ACL expires periodically and is re-created if the attack is still occurring
  With the ACL in place, the CPU has cycles to process legitimate traffic
Implementing DoS-Protect
Learn your network data streams:
    enable dos-protect simulated
Configure the DoS-Protect parameters:
    configure dos-protect type L3-protect alert-threshold <packets>
    configure dos-protect type L3-protect notify-threshold <packets>
Configure trusted ports (optional):
    configure dos-protect trusted ports <ports>
Enable DoS-Protect:
    enable dos-protect
Protecting the Switch CPU: DoS-Protect Alerts and ACLs
Alerts: activated when the specified threshold is reached
  Interval: default 1 second
  Alert threshold: default 4000 packets
  Notify threshold: default 3500 packets
ACL expiration time
  Default 5 seconds, can be adjusted:
    configure dos-protect acl-expire <seconds>
  The ACL is created dynamically, on the fly
Displaying DoS-Protect Settings
    show dos-protect detail
Troubleshooting DoS-Protect
    show log
    10/07/2003 11:42.15 <DBUG:SYST> DOSprotect notice: this second: raw packets to cpu: 4002 dropped in software: 0
    10/07/2003 11:42.15 <DBUG:SYST> DOSprotect: create ACL block from PhysPorts 1:1 to 10.201.30.29
    10/07/2003 11:42.15 <WARN:SYST> DOSprotect: possible Denial-of-Service: best guess origin: physport 1:1 mac 00:50:70:50:26:a6 to 10.201.30.29
    10/07/2003 11:42.15 <DBUG:SYST> DOSprotect timeout: remove ACL block from PhysPorts 1:1 to 10.201.30.29
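The count / notify / alert / ACL-expire cycle from the "How DoS-Protect Works" slide, replayed against traffic shaped like the show log output above. This is an added toy model written for this page, not ExtremeXOS code: the packet tuples, the 4000-packet flood from port 1:1, the legitimate traffic, and the assumption that hardware-blocked packets never reach the CPU are all constructed for the example.

```python
from collections import Counter

# Constructed traffic (example only, not ExtremeXOS code): each packet is
# (ingress_port, src_mac, dst_ip). One second of flood from port 1:1 plus a
# little legitimate traffic that must keep reaching the CPU.
FLOOD = [("1:1", "00:50:70:50:26:a6", "10.201.30.29")] * 4000
LEGIT = [("2:3", "00:04:96:11:22:33", "10.201.30.1"),
         ("2:4", "00:04:96:44:55:66", "10.201.30.2")]


class DosProtect:
    """Toy model of DoS-Protect: count, save headers near the notify
    threshold, create a blocking ACL at the alert threshold, expire it."""

    def __init__(self, notify=3500, alert=4000, acl_expire=5, trusted=()):
        self.notify, self.alert, self.acl_expire = notify, alert, acl_expire
        self.trusted = set(trusted)   # trusted ports are never counted
        self.acls = {}                # (port, dst_ip) -> second the ACL expires
        self.events = []              # log-style messages, one per decision

    def process_second(self, now, packets):
        """Return how many packets reached the CPU in this one-second interval."""
        for key, expiry in list(self.acls.items()):   # ACLs expire periodically
            if now >= expiry:
                del self.acls[key]
                self.events.append(f"{now}s timeout: remove ACL block from "
                                   f"PhysPorts {key[0]} to {key[1]}")
        to_cpu, saved = 0, []
        for port, mac, dst in packets:
            # Assumption: packets matching a hardware ACL never reach the CPU.
            if port in self.trusted or (port, dst) in self.acls:
                continue
            to_cpu += 1
            if to_cpu >= self.notify:   # near the threshold: save headers
                saved.append((port, mac, dst))
        if to_cpu >= self.alert and saved:
            # Analyze saved headers: the most frequent header is the best guess.
            (port, mac, dst), _ = Counter(saved).most_common(1)[0]
            self.acls[(port, dst)] = now + self.acl_expire
            self.events.append(f"{now}s possible Denial-of-Service: best guess "
                               f"origin: physport {port} mac {mac} to {dst}")
        return to_cpu


def run_simulation(seconds=7):
    """Replay FLOOD+LEGIT every second; return per-second CPU counts and events."""
    dp = DosProtect()
    counts = [dp.process_second(s, FLOOD + LEGIT) for s in range(seconds)]
    return counts, dp.events
```

With the defaults, the flood reaches the CPU only in the second it is detected (4002 packets) and again in the second the 5-second ACL expires, after which the ACL is re-created; in between the two legitimate packets still get through.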
Actions to Take When Under DoS Attack
Check the following:
  Verify that DoS-Protect is enabled
  CPU utilization
  IPARP statistics
  ICMP statistics
  Show IPSTAT
  ACL hit count
Summary
  Describe DoS attacks.
  Describe two common DoS attack modes and five DoS attack types.
  Describe basic DoS countermeasures.
  Describe and configure IP broadcast forwarding.
  Describe, configure, verify, and troubleshoot DoS-Protect.
  Identify actions to take during a DoS attack.