Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
The third and fourth lines of access list 102 characterize TCP traffic. The keyword established in the third line matches any TCP traffic with the ACK bit set, that is, any TCP traffic that is not a connection request. The fourth line therefore matches only packets that are connection requests, the TCP SYN packets. In normal operations, TCP SYN packets account for a third or less of the total TCP traffic. In a SYN flood, these SYN packets typically outnumber other TCP packets many times over. Also, SYN floods usually contain packets with invalid source addresses; logging such traffic (as recommended in Section 4.3) will determine if such source addresses are present.
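As an added illustration (not code from the guide), the following Python script parses constructed `show access-lists 102` output and computes the share of TCP matches that fell on the SYN line rather than the `established` line, flagging a SYN flood when that share exceeds the one-third figure given above. The ACL entries, match counts and threshold are assumptions drawn from the text.

```python
import re

# Constructed samples of "show access-lists 102" output (not from the guide): an ICMP
# pair, a TCP line with "established" (ACK set), a TCP line catching SYNs, then UDP.
NORMAL_SHOW_ACL = """\
Extended IP access list 102
    permit icmp any any echo (15 matches)
    permit icmp any any echo-reply (22 matches)
    permit tcp any any established (3000 matches)
    permit tcp any any (900 matches)
    permit udp any any (130 matches)
"""

FLOOD_SHOW_ACL = """\
Extended IP access list 102
    permit icmp any any echo (15 matches)
    permit icmp any any echo-reply (22 matches)
    permit tcp any any established (1800 matches)
    permit tcp any any (2700 matches)
    permit udp any any (130 matches)
"""

# One entry: optional leading sequence number (newer IOS), optional "(N matches)".
ENTRY_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$"
)

def parse_acl_counters(text):
    """Return (action, protocol, rule_tail, match_count) for each access-list entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:            # header line such as "Extended IP access list 102"
            continue
        action, proto, tail, count = m.groups()
        entries.append((action, proto, tail, int(count or 0)))
    return entries

def syn_ratio(entries):
    """Share of TCP matches that did NOT hit an 'established' entry, i.e. SYN packets."""
    ack = sum(n for _, p, t, n in entries if p == "tcp" and "established" in t.split())
    syn = sum(n for _, p, t, n in entries if p == "tcp" and "established" not in t.split())
    total = ack + syn
    return syn / total if total else 0.0

def suspect_syn_flood(text, threshold=1.0 / 3):
    """True when SYNs exceed the normal share (a third or less) of TCP traffic. Counters
    accumulate since the last 'clear access-list counters', so compare interval snapshots."""
    return syn_ratio(parse_acl_counters(text)) > threshold
```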
There is a paper on the Cisco web site titled Characterizing and Tracing Packet Floods Using Cisco Routers. This paper gives an overview of denial of service attacks and a detailed discussion of using access lists to categorize packets. The paper also describes how to trace DoS attacks and the complications inherent in packet tracing [2].
6.3.5. Attack Reaction Options
It is difficult for the ultimate target of denial of service attacks to stop or even blunt an active attack. If it can be determined that the originators of the attack are limited to a few addresses, it may be possible to apply specific filters at the external interface of the border router. If filtering is not possible, or not sufficient to stop the attack, the only response may be to contact the reflector sites to reconfigure their networks to shut down the attack. In a distributed attack, the ultimate target cannot filter out the attacking addresses. In this case, the upstream provider to the victim may be able to filter out all ICMP echo replies to the target network; this filter should only be in place temporarily and only as a stopgap measure.
It is almost impossible to protect a network from denial of service attacks. The best advice is to configure the router to check for IP spoofing, both inbound and outbound, and to allow only the services that are needed (see Sections 4.2 and 4.3). An ongoing problem is that new attacks can appear so fast on the Internet that countermeasures are not immediately available. Still, the only defense is to be vigilant about security and to keep up with the latest security news by regularly checking a site such as CERT and implementing the latest patches from the vendors.