Perimeter Denial-of-Service Protection


The ASA/PIX Security Appliance has default protection built in for denial-of-service (DoS) attacks. However, it also provides an interface to change the parameters, if required.

DoS attacks come in different flavors:

  • An attack that attempts to take up so much bandwidth on your network that the network becomes unusable

  • An attack that takes up so much of a system resource or CPU on a network device that it renders the device or the network unusable

  • A single-packet attack designed so that a network device doesn't know what to do with the packet, and the device stops forwarding traffic or crashes

Unfortunately, DoS attacks are easy to launch and not so easy to protect against. The ASA/PIX Security Appliance, however, does have some built-in functionality to reduce the impact of the attacks. As well, you should follow some best practices to mitigate the effect of these attacks.

The ASA/PIX Security Appliance mitigates against various types of DoS attacks by deploying different technologies to protect the perimeter of your network. The specific features that the ASA/PIX uses include the following:

  • DNSGuard: Protects against DoS attacks aimed at DNS servers. DNSGuard allows only a single response to multiple outgoing DNS queries, thereby preventing DNS storms.

  • FloodGuard: Prevents DoS attacks caused by multiple AAA authentication attempts.

  • FragGuard: Prevents a class of DoS attacks based on sending fragmented packets to the ASA/PIX Security Appliance.

  • IPVerify: Most DoS attacks use invalid or spoofed addresses so that the attack cannot be traced back to the attacker. IPVerify ensures that the source traffic is valid before the security appliance will respond to the request, effectively mitigating spoofing DoS attacks.

  • TCP Intercept: Protects against the most popular DoS attack, a TCP SYN flood. In this attack, a hacker sends thousands of requests to open a connection through the security appliance. TCP Intercept recognizes these packets as being an attack and cleans up the resources, allowing only valid traffic to go through the security appliance.

Mitigating Network Bandwidth DoS Attacks

If an attacker has taken it upon himself to try to consume all the bandwidth on the outside of your security appliance, you will need to get your Internet service provider (ISP) involved. Depending on how much bandwidth you have available between you and your ISP, it would not be that difficult for an attacker to use several zombie machines. With these machines, attackers can start streaming data destined for your web server or your mail server until those services are no longer usable.

Your ISP will have several options to help out. Most of the time, they are willing to help, because the attacks destined for you also take up bandwidth and slow down their network and the networks of their customers. Following is just a partial list of simple steps the ISP can take to help protect you under these circumstances. Most ISPs have several other options besides these that they can deploy to help stop DoS attacks:

  • Most DoS attackers use spoofed source addresses such as private and bogon addresses because attackers don't want the attack to be traced back to them. Therefore, ISPs can filter these invalid source addresses to protect your network.

  • ISPs can implement a technology called rate limiting. Rate limiting slows down the traffic and thereby returns some bandwidth.

  • ISPs now have technology available to them that enables them to differentiate invalid DoS traffic from valid traffic, filter the bad traffic out, and send you only valid traffic destined for your network.

You should always contact your ISP if you believe that you are the victim of a DoS attack so that it can deploy these methods to get you back online as soon as possible.

On your ASA/PIX Security Appliance, the default configuration called Anti-Spoofing can help during these attack conditions.

Anti-Spoofing will ensure that DoS attacks are not launched from inside your own network.

You should follow this procedure to enable Anti-Spoofing on your inside interface to ensure that DoS attacks are not inadvertently being launched from the inside of your security appliance:

Step 1.

Navigate to Configurations > Features > Properties > Advanced to see the default setting for Anti-Spoofing. Highlight the Inside interface.

Step 2.

Click Enable. The interface status will change to Enabled.

Step 3.

Click Apply to effect the change.

Figure 8-9 shows the Anti-Spoofing panel with the inside interface enabled.

Figure 8-9. Anti-Spoofing Panel


Mitigating Resource-Intensive DoS Attacks

DoS attacks designed to take up system resources can, but don't usually, have the same volume of traffic as an all-out bandwidth attack described previously. These attacks are more "finesse" oriented. They are crafted attacks that try to use the features of network protocols against the devices that they are attacking.

An example of this is a TCP SYN attack. In this type of attack, malicious software sends millions of requests to open network sockets on a security appliance. When a security appliance gets a SYN packet (that is, a request to open a connection), it might do the following:

  • Use the CPU to allocate a certain amount of memory to establish this connection, taking up both CPU and memory.

  • Send a SYN request to the device it is destined for and wait until the device on the inside responds, maintaining the memory resource.

  • Use the CPU to check for a response from the destination device.

  • Receive the response and send an acknowledgment that the connection is open. This connection remains open until the security appliance or the device sends a request to tear down the connection.

If a security appliance is capable of handling only one million connections and the software running the SYN attack sends five million connection requests, the security appliance could conceivably crash or, at the very least, be rendered useless.

To mitigate these types of attacks, the ASA/PIX Security Appliance has a mechanism built into it that enables it to delete connections that don't have data following the acknowledgment packet after a certain amount of time.

Navigate to the following ASDM panel to see the default timeouts set for the ASA/PIX Security Appliance: Configurations > Features > Properties > Advanced > Timeouts. You will see the panel shown in Figure 8-10.

Figure 8-10. ASA/PIX Default Timeouts


The default settings on the ASA/PIX are generally good enough to mitigate the attacks described in the previous paragraphs. However, if you find that you have an attack that isn't effectively being mitigated, you should first classify the type of traffic present in the attack and then either lower your timeouts or contact your ISP (or the Cisco Technical Assistance Center at http://www.cisco.com) for help.
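The settings this section configures through ASDM, expressed on the command line as an added example (not from the book): the Anti-Spoofing setting from Steps 1 to 3, the timeouts from Figure 8-10, and the embryonic-connection limit that puts TCP Intercept in front of a server. It assumes ASA/PIX 7.x syntax, interfaces named inside and outside, and a web server at the documentation address 192.0.2.10.

```cisco
! Added example, not from the book: CLI equivalents of the ASDM settings this
! section walks through. Assumes ASA/PIX 7.x syntax, interfaces named "outside"
! and "inside", and a web server at the documentation address 192.0.2.10.
!
! --- Anti-Spoofing (ASDM: Properties > Advanced > Anti-Spoofing) ---
! Unicast RPF: a packet arriving on an interface is accepted only if the route
! back to its source address points out that same interface; spoofed sources
! are dropped. The book's procedure enables "inside"; the same command applies
! per interface, so "outside" is covered here as well.
ip verify reverse-path interface inside
ip verify reverse-path interface outside
!
! --- Timeouts (ASDM: Properties > Advanced > Timeouts) ---
! These are the shipping defaults. Lower "conn" or "half-closed" only after you
! have classified the attack traffic, as the text advises.
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout xlate 3:00:00
!
! --- TCP Intercept / embryonic limits (Modular Policy Framework) ---
! Cap half-open (embryonic) connections to the web server so a SYN flood
! cannot fill the connection table. Once the cap is reached the appliance
! answers the handshake on the server's behalf and only completed connections
! are passed through and consume state.
access-list WEB_SERVER extended permit tcp any host 192.0.2.10 eq www
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER
policy-map OUTSIDE_POLICY
 class WEB_SERVER_CLASS
  set connection conn-max 5000 embryonic-conn-max 1000
  set connection timeout embryonic 0:00:30
service-policy OUTSIDE_POLICY interface outside
!
! --- Verification during an incident ---
show ip verify statistics
show conn count
show service-policy interface outside
```

The embryonic limit of 1000 and connection limit of 5000 are illustrative; size them from the server's normal half-open and established counts observed with show conn count before an attack.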



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
