The following Cisco IOS features add to the basic security measures by controlling how the router forwards IP packets.
An IP directed broadcast is a datagram sent to the subnet broadcast address. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it’s converted into a link-layer broadcast. Only the last router, the one directly connected to the target subnet, can positively identify a directed broadcast.
IP directed broadcasts are used in smurf DoS attacks, in which the attacker sends ICMP echo requests with a forged source address, the intended victim's, to a directed broadcast address. Every host on the target subnet answers the broadcast, and all of the replies go to the forged source. The amplification factor is the number of hosts on the subnet that answer, so by sending a continuous stream of these requests the attacker can create a much larger stream of replies, burying the smurfed host and its link to its ISP. Note that the network that owns the broadcast address is not the victim in this attack; it is the amplifier, and the feature below is what keeps your network from being used that way.
The no ip directed-broadcast interface command causes the router to discard directed broadcasts, such as 192.168.12.255, that would otherwise “explode” into link-layer broadcasts on that interface. Because only the last-hop router can recognize a directed broadcast, the command has to be applied to the interface attached to the target subnet; on the serial side the packet is still an ordinary unicast and the command has nothing to act on. no ip directed-broadcast is the default in Cisco IOS software release 12.0 and later, but it is worth confirming with show ip interface on any router running an earlier release or carrying a configuration written for one.
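The configuration below is an added example, not part of the original text: the last-hop router for 192.168.12.0/24, shown first with directed broadcast forwarding enabled (the pre-12.0 default) and then with it disabled. The interface name Ethernet0 and the router's address are assumptions.

```cisco
! Added example, not from the original text. Interface name and addressing are assumed.
!
! Vulnerable (pre-12.0 default): this interface turns a unicast addressed to
! 192.168.12.255 into an Ethernet broadcast, so every host answers a smurf ping.
interface Ethernet0
 ip address 192.168.12.1 255.255.255.0
 ip directed-broadcast
!
! Hardened: directed broadcasts to 192.168.12.255 are discarded here instead.
! The command belongs on the interface attached to the target subnet; on the
! serial interface the same packet is still a plain unicast and is not affected.
interface Ethernet0
 ip address 192.168.12.1 255.255.255.0
 no ip directed-broadcast
!
! Verification (output abbreviated): the line to look for reads
!   Directed broadcast forwarding is disabled
! Router# show ip interface Ethernet0
```

If some application on the subnet genuinely needs directed broadcasts, ip directed-broadcast accepts an access-list number so that only broadcasts matching the list are forwarded; leaving the feature fully enabled to satisfy one application reopens the amplifier for everyone.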
As you saw in Chapter 1, many DoS attacks rely on floods of useless packets that congest network links, slow hosts, and overload routers. Knowing where the performance bottleneck lies is the first step in managing a flood. If a DoS flood is saturating a T1 line, filtering at the router on the sending (upstream) end of the link, which usually means asking the ISP, can help, because the packets are dropped before they consume the link. Filtering at the receiving end has little or no effect, since by the time the packets reach that router the bandwidth has already been spent.
If an underpowered router is the bottleneck, adding more filtering will probably make things worse, because every access-list check costs the router CPU it does not have to spare. In that case, increasing memory or replacing the device may have to be part of the solution.
In some cases, Cisco’s quality of service (QoS) features can be used against some kinds of floods on serial links. Weighted fair queuing (WFQ), the default on serial interfaces at E1 speed (2.048 Mbps) and below in recent versions of Cisco IOS software, has proven effective against ping floods but less effective against SYN floods. WFQ identifies flows by source and destination address, protocol, and port, and divides the link fairly among them, so a ping flood from a single source appears as one enormous flow that is squeezed down to its fair share. Each packet in a SYN flood with random forged sources generally appears as a separate, tiny flow, and WFQ favors small flows, so the flood passes through largely untouched. A smurf reply stream, many real hosts each sending a moderate stream, falls somewhere between the two. Cisco QoS features are covered extensively on Cisco’s web site.
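As an added example, not from the original text, here is the queuing configuration for a T1 toward the ISP together with the commands that show what WFQ is doing during a flood. The interface name and bandwidth are assumptions.

```cisco
! Added example, not from the original text. Interface name and speed are assumed.
interface Serial0
 description T1 to ISP (assumed)
 bandwidth 1544
 ! WFQ is already the default at this speed. Stating it explicitly protects
 ! against a leftover "no fair-queue" or a priority/custom queue from an older
 ! configuration. The three arguments are the defaults: congestive discard
 ! threshold (64 packets per flow), 256 dynamic flow queues, 0 reservable queues.
 fair-queue 64 256 0
!
! Verification: the interface must report "Queueing strategy: weighted fair".
! Router# show interfaces Serial0 | include Queueing
!
! During a flood, show queueing fair lists the active conversations per interface.
! A ping flood from one source shows up as a single conversation holding most of
! the queued packets; a random-source SYN flood shows many conversations with a
! packet or two each, which is why WFQ cannot squeeze it.
! Router# show queueing fair
```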
The TCP Intercept feature is designed specifically to reduce the impact of SYN flooding attacks on hosts. TCP Intercept is available in some IOS versions for many routers with model numbers of 4000 or greater. A device supporting TCP Intercept can literally step in as a proxy and handle TCP session requests for a server that is under attack or heavy load. In intercept mode the router answers the client's SYN itself and completes the 3-way handshake with the client; only when the client's final ACK arrives does the router open a connection to the server and splice the two together, so half-open connections from forged sources never reach the server. The router is now the device holding the half-open state, so when the number or rate of half-open connections crosses a configurable threshold it enters an aggressive mode, dropping old half-open entries and shortening its retransmission timers until the count falls back below a low-water mark. A less intrusive watch mode lets the SYN through to the server and resets any connection that is not completed within a timeout. Which connections are proxied is determined by an extended access list, so the feature can be limited to the servers that need it.
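The following is an added example, not from the original text, of TCP Intercept protecting a single web server in intercept mode. The server address 192.168.12.10, the access-list number, and the threshold values are assumptions chosen for illustration.

```cisco
! Added example, not from the original text. Server address, ACL number and
! threshold values are assumed.
!
! Extended access list selecting the connections to proxy: any source, our
! server, TCP. Only TCP matters here; the list decides which SYNs are intercepted.
access-list 101 permit tcp any host 192.168.12.10
!
! Intercept mode (the default): the router completes the handshake with the
! client and contacts 192.168.12.10 only after the client's final ACK, so SYNs
! from forged sources never reach the server. "watch" mode would instead pass
! the SYN through and reset the connection if it is not completed in time.
ip tcp intercept list 101
ip tcp intercept mode intercept
!
! Aggressive-mode thresholds. Aggressive mode starts when either the total
! number of half-open connections or the number opened in the last minute
! exceeds the high value, and ends when both fall below the low value. These
! values are lower than the defaults (1100/900) to suit a small server.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
! In aggressive mode drop a random half-open entry rather than the oldest one,
! so a steady flood cannot simply outlive legitimate clients.
ip tcp intercept drop-mode random
!
! Verification during an attack: counters, and the current half-open list.
! Router# show tcp intercept statistics
! Router# show tcp intercept connections
```

Keep the access list as narrow as the servers that need protection: every connection the list matches costs the router state and CPU, and a router proxying handshakes for an entire subnet can become the bottleneck described earlier.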
Cisco IOS versions that support Cisco Express Forwarding (CEF) can have the router check the source address of any packet against the interface through which the packet entered the router. If, according to the forwarding table, the input interface isn’t a feasible path back to the source address, the packet is dropped. The feature is known as a unicast reverse path forwarding (uRPF) check. It consults CEF's forwarding table, so ip cef must be enabled globally, and it is turned on per interface with ip verify unicast reverse-path (in release 12.0; later releases spell the same strict check ip verify unicast source reachable-via rx). Because a packet is dropped whenever its source would not be routed back out the receiving interface, strict uRPF belongs on interfaces where routing is symmetric, such as the customer-facing side of a single-homed edge router, where it stops forged-source packets (the victim address in a smurf, the random sources in a SYN flood) from leaving your network. It is not appropriate on interfaces where a legitimate source may be reached by a different path, and on an interface that carries only a default route it will drop nearly everything unless the later syntax's allow-default keyword is used.
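As an added example, not from the original text, here is strict uRPF on the customer-facing interface of a single-homed edge router, the placement where the check is safe. Interface names, the WAN addressing, and the verification output are assumptions; the 192.168.12.0/24 subnet is the one used throughout this section.

```cisco
! Added example, not from the original text. Interface names and the WAN
! addressing are assumed. Serial0 faces the ISP, Ethernet0 carries 192.168.12.0/24.
!
! uRPF reads CEF's forwarding table, so CEF has to be enabled first.
ip cef
!
! Strict check on the LAN side. A packet arriving on Ethernet0 is forwarded only
! if the best route to its source address points back out Ethernet0, which on
! this router means the source must be in 192.168.12.0/24. Anything else is a
! forged source (a smurf victim's address, a random SYN-flood source) and is
! dropped before it leaves the site. Routing here is symmetric by construction,
! so the check cannot discard legitimate traffic.
interface Ethernet0
 ip address 192.168.12.1 255.255.255.0
 no ip directed-broadcast
 ip verify unicast reverse-path
!
! Equivalent spelling in releases that use the newer syntax; configure one
! form or the other, not both:
!  ip verify unicast source reachable-via rx
!
! Deliberately NOT enabled on Serial0: with only a default route toward the ISP,
! strict uRPF has no specific route back to most Internet sources and would drop
! nearly all inbound traffic. The newer syntax offers "allow-default" for that
! case; without it, leave the ISP-facing interface alone and filter inbound
! spoofing of 192.168.12.0/24 with an access list instead.
interface Serial0
 ip address 10.0.0.2 255.255.255.252
!
! Verification (output abbreviated): the per-interface line confirms the check
! is active and carries its drop counter, and show ip traffic reports the
! router-wide count under Drop as "unicast RPF".
! Router# show ip interface Ethernet0 | include verif
! Router# show ip traffic | include RPF
```

The drop counter is the useful part: a steadily climbing unicast RPF count on a customer-facing interface means a host inside is emitting forged-source traffic, which is exactly the situation this check exists to expose.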