
Chapter 2: Mitigating Distributed Denial-of-Service Attacks

Cisco Press
By Duane De Capite, Network World, 02/01/2008


The Cisco distributed denial-of-service (DDoS) mitigation solution is composed of two key components: Cisco Traffic Anomaly Detector, which is responsible for detecting a DDoS attack, and Cisco Guard, which is responsible for mitigating the attack. Customers can implement a DDoS solution with the Cisco Guard and the Cisco Traffic Anomaly Detector, or they can purchase the DDoS solution from a service provider. The solution from a service provider is often called a clean pipes solution. A clean pipes solution is implemented with a variety of products, including the Cisco Guard, Cisco Traffic Anomaly Detector, and partner products from vendors like Arbor Networks.

The Cisco Guard and the Cisco Traffic Anomaly Detector are based upon the patented Multi-Verification Process (MVP) architecture. This MVP architecture enables the Cisco Guard and Cisco Traffic Anomaly Detector to leverage the latest analysis and attack recognition techniques to detect and remove network attack traffic while scrubbing and reinjecting valid network traffic to its proper destination. Before describing the functions and configuration processes for these products, this chapter summarizes various DDoS attacks.

 

Understanding Types of DDoS Attacks

Table 2-1 describes several varieties of generic DDoS attacks.

Table 2-1 Generic DDoS Attacks

Name of Attack | Flooding Capability | Short Description
Land | TCP SYN | Source and destination IP addresses are the same, causing the TCP response to loop.
SYN | TCP | Sends large numbers of TCP connection initiation requests to the target. The target system must consume resources to keep track of these partially opened connections.
Teardrop | TCP fragments | Sends overlapping IP fragments.
Smurf | Internet Control Message Protocol (ICMP) | Sends ICMP ping requests to a directed broadcast address. The forged source address of the request is the target of the attack. The recipients of the directed broadcast ping request respond to the request and flood the target's network.
Ping of death | ICMP | Brings down a system by sending out more than 65536 ICMP packets.
Open/close | TCP, UDP | Opens and closes connections at a high rate to any port serviced by an external service through inetd. The number of connections allowed is hard-coded inside inetd (the Internet super daemon, often used to run other services such as FTP).
ICMP Unreachable | ICMP | The attacker sends ICMP unreachable packets from a spoofed address to a host. This causes all legitimate TCP connections on the host to the spoofed address to be torn down. The TCP sessions then retry, and as more ICMP unreachables are sent, a denial-of-service (DoS) condition occurs.
ICMP redirect | ICMP | Causes data overload to the system being targeted.
ICMP Router Discovery Protocol (IRDP) | ICMP | Spoofing IRDP causes fake routing entries to be entered into a Windows machine. IRDP has no authentication. Upon startup, a system running MS Windows 95/98 will always send 3 ICMP Router Solicitation packets to the 224.0.0.2 multicast address. If the machine is NOT configured as a DHCP client, it ignores any Router Advertisements sent back to the host. However, if the Windows machine is configured as a DHCP client, any Router Advertisements sent to the machine will be accepted and processed.
ARP redirect | ARP | Attacks local subnets.
Looping User Datagram Protocol (UDP) ports | UDP | Spoofs two UDP services—chargen (port 19) and echo (port 7)—to send data to each other.
Fraggle | UDP | Same as Smurf, but uses UDP rather than ICMP to the broadcast address for amplification.
UDP flood | UDP | Sends large numbers of UDP packets to the target system, thus tying up network resources.
TCP flood | TCP | Repeatedly establishes and abandons TCP connections, enabling a malicious host to tie up significant resources on a server.
UDP reflectors | UDP | All web servers, Domain Name System (DNS) servers, and routers are reflectors, because they will return SYN ACKs or RSTs in response to SYN or other TCP packets; query replies in response to query requests; or ICMP Time Exceeded or Host Unreachable in response to particular IP packets. By spoofing IP addresses from slaves, a massive DDoS attack can be arranged.
URL attacks | TCP | Attempts to overload an HTTP server with HTTP bombing (continuous requests for the same homepage or large web page) or by requesting the page with REFRESH to bypass any proxy server. Many of these attacks are not zombie attacks but rather human executed—by hundreds simultaneously.
Virtual Private Network (VPN) attacks | TCP | Uses specially crafted Generic Routing Encapsulation (GRE) or IP in IP tunnel (IPIP) packets to attack the destination address of a VPN.

Source: Cisco Systems, Inc.

 

DDoS Mitigation Overview

To mitigate DDoS attacks, Cisco offers the Traffic Anomaly Detector and the Guard.

The Traffic Anomaly Detector learns what a normal traffic pattern looks like for a protected network area, or zone. After the Traffic Anomaly Detector establishes a network traffic baseline, DDoS mitigation policies are constructed and thresholds are tuned so that the Traffic Anomaly Detector reacts to the various DDoS attack scenarios. In the event of a DDoS attack, the Traffic Anomaly Detector informs the Guard of the attack, and the Guard diverts the attacked zone's traffic to itself. This diversion is typically implemented by updating the Border Gateway Protocol (BGP) routing table, or by other mechanisms including static routes (manual IP routes) and policy-based routes (traffic forwarding based upon parameters such as application and packet size).

The Guard's ability to update routing tables in the event of an attack allows the Guard to automatically scrub the DDoS attack traffic, while still forwarding or tunneling valid network traffic to the destination zone. The Traffic Anomaly Detector is often deployed upstream from the servers that are being protected in the data center. Figure 2-1 shows the Traffic Anomaly Detector and Guard appliances.

Figure 2-1
Traffic Anomaly Detector and Guard Appliances
Source: Cisco Systems, Inc.
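The baseline-then-threshold division of labour described above, as an added illustration that is not Cisco code and not the products' actual algorithm: a toy detector learns per-zone, per-protocol packet rates from a constructed learning window, alarms only after several consecutive over-threshold samples (so a single burst is tolerated), and emits the route change that would hand the zone's prefix to the Guard for scrubbing. The zone name, prefix, Guard address, threshold multipliers and all sample rates are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-phase samples (zone, protocol, packets per second),
# one per second, standing in for the Detector's baseline period.
LEARNING_SAMPLES = [("web", "tcp_syn", r) for r in (40, 45, 50, 42, 48, 44)] + \
                   [("web", "udp", r) for r in (10, 12, 9, 11, 10, 13)]
# Constructed live samples: SYN rate climbs well past baseline for three
# consecutive seconds; UDP shows a single burst that should not trigger.
LIVE_SAMPLES = [("web", "tcp_syn", 46), ("web", "udp", 11),
                ("web", "tcp_syn", 900), ("web", "udp", 12),
                ("web", "tcp_syn", 1100), ("web", "udp", 10),
                ("web", "tcp_syn", 1300), ("web", "udp", 30)]
ZONE_PREFIXES = {"web": "203.0.113.0/24"}   # assumed zone, RFC 5737 range
GUARD_NEXT_HOP = "198.51.100.2"             # assumed Guard address

def learn_baseline(samples):
    """Mean and population std-dev of the rate per (zone, protocol)."""
    buckets = defaultdict(list)
    for zone, proto, rate in samples:
        buckets[(zone, proto)].append(rate)
    return {key: (mean(rates), pstdev(rates)) for key, rates in buckets.items()}

def threshold(baseline, key, sigmas=3.0, floor=2.0):
    """Anomaly threshold: the larger of mean + sigmas*sd and floor*mean, so
    quiet protocols still need a clear multiple of baseline to alarm."""
    avg, sd = baseline[key]
    return max(avg + sigmas * sd, floor * avg)

def detect(baseline, observations, min_consecutive=3):
    """Return {zone: protocol} for zones whose rate exceeded the threshold
    in min_consecutive consecutive samples (a single burst is tolerated)."""
    streak, divert = defaultdict(int), {}
    for zone, proto, rate in observations:
        key = (zone, proto)
        if key not in baseline:
            continue                      # no baseline learned, cannot judge
        streak[key] = streak[key] + 1 if rate > threshold(baseline, key) else 0
        if streak[key] >= min_consecutive:
            divert[zone] = proto
    return divert

def divert_routes(divert, zone_prefixes=ZONE_PREFIXES, guard=GUARD_NEXT_HOP):
    """Routing-table change the Guard would need: point each attacked zone's
    prefix at the Guard so traffic is scrubbed before reaching the zone."""
    return [{"prefix": zone_prefixes[zone], "next_hop": guard, "reason": proto}
            for zone, proto in divert.items()]
```

Calling `divert_routes(detect(learn_baseline(LEARNING_SAMPLES), LIVE_SAMPLES))` yields one route entry for the web zone, while the same samples replayed as live traffic yield none.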

 
