SUMMARY

Whether a DoS or DDoS attack is mischievous or revengeful, a racket attempt from an organized crime group , or part of a larger attack plan, it is a threat that shouldn't be taken lightly. A nongeneric DoS attack is usually a form of incomplete exploitation that crashes the system or separate service instead of handing the control to a cracker. This kind of attack is rectified by applying a vendor patch, or, in the Cisco world, by upgrading the OS to a newer version. Meantime, turning off the vulnerable service or, at least, restricting the access to it with an access list is a sensible idea.

Generic DoS and, especially , DDoS attacks are far less elegant and intelligent , but at the same time they are more difficult to defend against. There isn't much you can do if your whole bandwidth is consumed by a lame ping flood. And as you saw in this chapter, some DDoS attacks are much worse than that. (Who said that SNMP GetBulk reflective DDoS isn't fun?) At the end of the day, you will have to collaborate with the ISP and authorities to block an attack as close to its source as possible.

Having more that one redundant connection to the Internet using different providers, different AS paths, and with load balancing enabled goes a long way toward combating fat pipe generic DoS/DDoS floods. You can always use CAR and NBAR to drop or rate limit offending traffic, saving your router CPU cycles, buffers, and hosts behind the router. Of course, it is better to do this at the ISP levelbut who said that ISP network administrators are not among our readers? And if you are familiar with the countermeasures described, you can always try to persuade the ISP staff to implement them when an attack against your network is in progress.



Hacking Exposed Cisco Networks
Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
EAN: 2147483647
Year: 2005
Pages: 117

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net