Router Security Configuration Guide UNCLASSIFIED 202 UNCLASSIFIED Version 1.0g

The third and fourth lines of access list 102 characterize TCP traffic. The keyword established in the third line matches any TCP traffic with the ACK bit set, that is, any TCP traffic that is not a connection request. The fourth line therefore matches only packets that are connection requests, the TCP SYN packets. In normal operations, TCP SYN packets account for a third or less of the total TCP traffic. In a SYN flood, these SYN packets typically outnumber other TCP packets many times over. Also, SYN floods usually contain packets with invalid source addresses; logging such traffic (as recommended in Section 4.3) will determine whether such source addresses are present.

There is a paper on the Cisco web site titled “Characterizing and Tracing Packet Floods Using Cisco Routers”. This paper gives an overview of denial of service attacks and a detailed discussion of using access lists to categorize packets. The paper also describes how to trace DoS attacks and the complications inherent in packet tracing [2].

6.3.5. Attack Reaction Options

It is difficult for the ultimate target of a denial of service attack to stop or even blunt an active attack. If it can be determined that the originators of the attack are limited to a few addresses, it may be possible to apply specific filters at the external interface of the border router. If filtering is not possible, or not sufficient to stop the attack, the only response may be to contact the reflector sites and ask them to reconfigure their networks to shut down the attack. In a distributed attack, the ultimate target cannot filter out the attacking addresses. In this case, the upstream provider to the victim may be able to filter out all ICMP echo replies to the target network; this filter should only be in place temporarily and only as a stopgap measure.

It is almost impossible to protect a network from denial of service attacks. The best advice is to configure the router to check for IP spoofing, both inbound and outbound, and to allow only the services that are needed (see Sections 4.2 and 4.3). An ongoing problem is that new attacks can appear on the Internet so fast that countermeasures are not immediately available. Still, the only defense is to be vigilant about security and to keep up with the latest security news by regularly checking a site such as CERT and implementing the latest patches from the vendors.
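As an added example (not from the guide or from Cisco), the classification that the third and fourth lines of access list 102 perform, written in Python over constructed sample packets: ACK-set segments count as established, bare SYNs as connection requests, the SYN share is compared with the guide's one-third rule of thumb, and SYN sources are checked against the kind of invalid addresses the logging in Section 4.3 would reveal. The invalid-source ranges and the sample addresses are assumptions.

```python
import ipaddress
# TCP flag bits. Per the guide, 'established' matches ACK set (IOS also counts RST);
# a connection request is a SYN without ACK.
TCP_SYN, TCP_ACK = 0x02, 0x10
# Constructed minimal set of ranges that are never valid Internet source addresses
# (unspecified, RFC 1918, loopback, multicast, reserved); not an exhaustive bogon list.
INVALID_SOURCE_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# Constructed sample traffic as (source address, TCP flags); not captured data.
NORMAL_TRAFFIC = [("203.0.113.10", TCP_SYN)] + [("203.0.113.10", TCP_ACK)] * 3 + \
                 [("198.51.100.7", TCP_SYN)] + [("198.51.100.7", TCP_ACK)] * 3
FLOOD_TRAFFIC = [(src, TCP_SYN) for src in
                 ("10.0.0.1", "127.0.0.1", "0.0.0.0", "224.0.0.5", "203.0.113.99")] + \
                [("203.0.113.10", TCP_ACK)]

def matches_established(flags):
    """ACL line 3: any TCP segment with the ACK bit set (not a connection request)."""
    return bool(flags & TCP_ACK)

def is_connection_request(flags):
    """ACL line 4: what line 3 let through and that carries SYN, i.e. a bare SYN."""
    return bool(flags & TCP_SYN) and not matches_established(flags)

def invalid_source(addr):
    """True if the source address lies in a range that should never arrive from outside."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INVALID_SOURCE_RANGES)

def tally(packets):
    """Count packets the way the two ACL lines (plus a check on logged sources) would."""
    counts = {"established": 0, "syn": 0, "other": 0, "syn_bad_source": 0}
    for src, flags in packets:
        if matches_established(flags):
            counts["established"] += 1
        elif is_connection_request(flags):
            counts["syn"] += 1
            counts["syn_bad_source"] += invalid_source(src)
        else:
            counts["other"] += 1  # e.g. a bare RST or FIN
    return counts

def syn_fraction(packets):
    """Share of TCP packets that are connection requests; normally a third or less."""
    return tally(packets)["syn"] / len(packets) if packets else 0.0

def looks_like_syn_flood(packets, max_normal_fraction=1 / 3):
    """Flag traffic whose SYN share exceeds the guide's rule of thumb."""
    return syn_fraction(packets) > max_normal_fraction
```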