
How to prevent the DoS crazy attack using the router

From : Unknown, View : 328, 2009-10-10 22:21:06
A Denial of Service (DoS) attack is one of the attack methods most widely used by hackers today. By monopolizing network resources it prevents other hosts from accessing the network normally, causing hosts to hang or the network to collapse.

DoS attacks are mainly divided into three kinds: Smurf, SYN Flood and Fraggle. In a Smurf attack, the attacker uses ICMP packets to congest the server and other network resources; a SYN Flood attack occupies network resources with a huge number of TCP half-open connections; the Fraggle attack works on the same principle as the Smurf attack, but launches the attack with UDP echo requests rather than ICMP echo requests.

Although network security experts are trying to develop equipment that prevents DoS attacks, the results have been limited, because DoS attacks exploit weaknesses in the TCP protocol.

A correctly configured router can prevent DoS attacks effectively. Taking the Cisco router as an example, Cisco IOS software has many features for preventing DoS attacks, protecting both the router itself and the security of the internal network.

Using extended access lists
Extended access lists are an effective tool for preventing DoS attacks. They can be used both to detect the type of DoS attack and to block it. The show ip access-list command displays the packets matched by each extended access list; from the packet types, the user can determine the type of DoS attack. If a large number of TCP connection-establishment requests appears on the network, this indicates that the network is under a SYN Flood attack, and the user can then change the access list configuration to block it.
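As an added example (not from the original article) of using an extended access list to identify the attack type from match counters: the list below permits everything but splits the traffic into lines by packet type, so the per-line counters in show ip access-lists show which type is flooding. ACL number 101, interface Serial0/0 and the 192.168.1.0/24 inside network are assumed values.

```cisco
! Added example, not from the original article. ACL 101, Serial0/0 and
! 192.168.1.0/24 are assumed values; adjust to the real network.
! Each line is a separate counter for one packet type.
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo
access-list 101 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 101 permit udp any 192.168.1.0 0.0.0.255 eq echo
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit tcp any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
interface Serial0/0
 ip access-group 101 in
!
! Reading the counters (show ip access-lists 101):
! - the tcp line WITHOUT "established" counts new connection requests
!   (SYNs); if it grows far faster than the others, a SYN Flood is likely
! - a large echo-reply count points to Smurf, a large echo count to a
!   Ping Flood, a large udp "eq echo" (port 7) count to Fraggle
! Once the type is known, rebuild the list with that line as "deny",
! for example for Smurf reflections:
! access-list 101 deny icmp any 192.168.1.0 0.0.0.255 echo-reply
```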

Using QoS
Quality of Service (QoS) features such as Weighted Fair Queuing (WFQ), Committed Access Rate (CAR), Generic Traffic Shaping (GTS) and Custom Queuing (CQ) can be used to prevent DoS attacks effectively.

Note that different QoS policies differ in their effectiveness against different DoS attacks.

For example, WFQ is more effective against a Ping Flood attack than against a SYN Flood attack. This is because a Ping Flood usually appears in WFQ as a single transmission queue, whereas each packet of a SYN Flood attack appears as an independent data stream.

In addition, CAR can be used to limit the rate of ICMP packets to prevent Smurf attacks, and to limit the rate of SYN packets to prevent SYN Flood attacks. Using QoS to prevent DoS attacks requires the user to understand both QoS and the principles of DoS attacks, so that the appropriate measure can be taken for each type of DoS attack.
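The two CAR rate limits just described, as an added example that is not part of the original article: one policy limits ICMP (Smurf), the other limits TCP packets that are not part of an established connection, i.e. SYNs (SYN Flood). Rates, burst sizes, ACL numbers and the interface name are assumed values to be tuned to the link.

```cisco
! Added example, not from the original article. Rates, bursts, ACL
! numbers 102/103 and Serial0/0 are assumed values.
!
! ACL 102 selects ICMP, the traffic a Smurf attack floods the victim with.
access-list 102 permit icmp any any
!
! ACL 103 selects TCP packets that are NOT part of an established
! connection, i.e. new connection requests (SYNs). Established traffic
! is excluded first so that only the SYN rate is policed.
access-list 103 deny tcp any any established
access-list 103 permit tcp any any
!
interface Serial0/0
 ! ICMP: 256 kbit/s, normal burst 8000 bytes, maximum burst 8000 bytes;
 ! packets within the rate are forwarded, the excess is dropped
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
 ! SYNs: 64 kbit/s with the same burst sizes
 rate-limit input access-group 103 64000 8000 8000 conform-action transmit exceed-action drop
!
! Verify that each policy is matching and how much it drops:
! show interfaces Serial0/0 rate-limit
```

The SYN limit also slows legitimate new connections during an attack, so the rate should be set from the normal peak connection rate observed on the link rather than guessed.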

Using unicast Reverse Path Forwarding
Reverse Path Forwarding (RPF) is a router input feature that inspects each packet received on a router interface. If the router receives a packet with source IP address 10.10.10.1, but the CEF (Cisco Express Forwarding) routing table provides no routing information for that address, the router discards the packet. RPF can therefore prevent Smurf attacks and other attacks based on IP address spoofing.

Using RPF requires the router to be set to fast forwarding mode (CEF switching), and the interface on which RPF is enabled must not itself be configured for CEF switching. RPF has advantages over access lists in preventing IP address spoofing: first, it adapts dynamically to changes in both the dynamic and the static routing tables; second, RPF requires little operational maintenance; third, as an anti-spoofing tool, RPF's performance impact on the router itself is much smaller than that of access lists.
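Enabling unicast RPF on the Internet-facing interface, as an added example that is not from the original article; the interface name is assumed.

```cisco
! Added example, not from the original article. Serial0/0 is an assumed
! interface name.
!
! CEF must be enabled globally: RPF looks the packet's source address up
! in the CEF forwarding table to check that it is reachable through the
! interface the packet arrived on.
ip cef
!
interface Serial0/0
 ! Drop packets whose source address has no route back through this
 ! interface, which is how spoofed sources (Smurf and similar) look
 ip verify unicast reverse-path
!
! Verification: confirm the check is active on the interface, then watch
! the "unicast RPF" drop counter grow while spoofed traffic arrives.
! show ip interface Serial0/0
! show ip traffic
```

On a router with asymmetric routing (return traffic leaving by a different interface) this strict check drops legitimate packets, so it belongs on edge interfaces where all traffic for a given source arrives by one path.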

Using TCP Intercept
Cisco IOS 11.3 and later introduced the TCP Intercept feature, which can effectively prevent SYN Flood attacks against internal hosts. Before TCP connection requests reach the target host, TCP Intercept prevents this kind of attack by intercepting and validating them. TCP Intercept can work in two modes: intercept and watch. In intercept mode, the router intercepts incoming TCP synchronization requests and establishes the connection with the client on behalf of the server; if the connection succeeds, it establishes a connection with the server on behalf of the client and transparently merges the two connections. For the whole lifetime of the connection, the router intercepts and forwards the packets. For illegal connection requests, the router applies a strict half-open timeout so that its own resources are not exhausted by the SYN attack. In watch mode, the router passively observes connection requests flowing through it, and if a connection exceeds the configured setup time, the router closes it.

Enabling TCP Intercept on a Cisco router takes two steps: first, configure an extended access list that determines which IP addresses are to be protected; second, enable TCP Intercept. The access list defines the source and destination addresses subject to TCP Intercept, protecting the internal target hosts or networks. When configuring it, the user usually sets the source address to any and specifies the concrete target network or host. If no access list is configured, the router allows all requests to pass.
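The two-step TCP Intercept setup above, as an added example that is not from the original article, protecting an assumed 192.168.1.0/24 server network; ACL number, mode, timeouts and thresholds are assumed values.

```cisco
! Added example, not from the original article. ACL 110, 192.168.1.0/24
! and the numeric thresholds are assumed values.
!
! Step 1: extended access list naming the connections to intercept.
! Source "any", destination the protected network.
access-list 110 permit tcp any 192.168.1.0 0.0.0.255
!
! Step 2: enable TCP Intercept for the connections matched by ACL 110.
ip tcp intercept list 110
!
! intercept: the router answers the client's SYN on the server's behalf
!   and only opens the server side after the client completes the
!   handshake, so half-open connections never reach the server
! watch: the router only observes and resets connections that stay
!   half-open longer than watch-timeout
ip tcp intercept mode intercept
! Setup time allowed in watch mode (default 30 s)
ip tcp intercept watch-timeout 15
!
! Aggressive behaviour begins when either "high" value is crossed and
! stops when the value falls back below "low".
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
! While aggressive, drop the oldest half-open connection first
ip tcp intercept drop-mode oldest
!
! Monitoring:
! show tcp intercept connections
! show tcp intercept statistics
```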

Using Context-Based Access Control
Context-Based Access Control (CBAC) is an extension of Cisco's traditional access lists. Based on application-layer session information, it intelligently filters TCP and UDP packets to prevent DoS attacks.
CBAC decides how long a session is maintained, and when to delete half-open connections, through configured timeout values and session thresholds.
For TCP, a half-open connection is a session that has not completed the three-way handshake.
For UDP, a half-open connection is a session for which the router has not yet seen return traffic.
CBAC prevents flood attacks precisely by monitoring the number of half-open connections and the rate at which they are created. Whenever half-open connections are established abnormally, or a large number of them appears within a short time, the user can conclude that a flood attack is under way. Once a minute, CBAC checks the number of existing half-open connections and the rate of connection attempts. When the number of existing half-open connections exceeds the threshold, the router deletes some of them to ensure that new connections can be established, and keeps deleting half-open connections until their number falls below a second threshold. Similarly, when the rate of connection attempts exceeds the threshold, the router takes the same measure, deleting some connection requests until the number of requests falls below the other threshold. Through this continuous monitoring and deletion, CBAC can effectively prevent SYN Flood and Fraggle attacks.
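A CBAC inspection rule with the half-open timeouts and thresholds described above, as an added example that is not from the original article; the rule name, interface and numeric values are assumed.

```cisco
! Added example, not from the original article. Rule name DOSGUARD,
! Serial0/0 and all numeric values are assumed.
!
! Inspect TCP and UDP sessions (generic TCP/UDP inspection)
ip inspect name DOSGUARD tcp
ip inspect name DOSGUARD udp
!
! Half-open timeouts. TCP: time allowed to finish the three-way
! handshake before the session is dropped. UDP: time with no return
! traffic before the session is removed.
ip inspect tcp synwait-time 15
ip inspect udp idle-time 20
!
! Thresholds on the total number of half-open sessions: deletion starts
! above "high" and continues until the count is below "low"...
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! ...and on the rate of new connection attempts per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination limit: at most 50 half-open TCP sessions to one host;
! block-time 0 means delete the oldest half-open session for each new
! SYN instead of blocking the host
ip inspect tcp max-incomplete host 50 block-time 0
!
interface Serial0/0
 ! Inspect sessions initiated from the Internet toward the inside
 ip inspect DOSGUARD in
!
! Monitoring:
! show ip inspect config
! show ip inspect sessions
```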

The router is the first line of defense of the enterprise internal network, and also a lucrative target for hackers. If the router is easy to break through, the security of the enterprise internal network cannot even be discussed. Taking adequate measures on the router to prevent the various kinds of DoS attack is therefore essential.

Users should note that the methods introduced above differ in their ability to cope with the different types of DoS attack, and differ widely in the router CPU and memory resources they consume. In a real environment, the user needs to choose the appropriate method according to their own situation and the router's performance.