1. Home
  2. Networking
  3. Integrated cisco and unix network architectures

Withstanding a (D)DoS Attack

In light of recent Internet attacks, whether a sound HA architecture should withstand a massive (distributed) denial-of-service ([D]DoS) attack or be able to mitigate its effects has become a legitimate question. From my point of view, a state-of-the-art HA architecture should have some inherent self-healing capabilities; HA architects should also add another line of defense to assist in at least crippling or weakening (D)DoS attacks and their progeny. Several, sometimes complementary and orthogonal, lines of defense are crucial to prevent (D)DoS attacks, as they are to overall security architectures.

HA in terms of almost 100 percent service availability within strict service level agreements (SLAs) and monitored key performance indicators (KPIs) represents a significant challenge for today's finest engineers and designers. The problem with any (D)DoS defense is that every system's strength defines its weaknesses, too. For example, handing over control of a firewall ruleset to a network intrusion detection system (NIDS) means that any successful trigger of this defense mechanism (spoofing) effectively locks out legitimate networks from crucial services. Therefore, a system designed to protect or prevent might become the perfect DoS trap.

NOTE

Recent hostile activities on the Internet have proven to me that, in general, operational staff are overwhelmed by and overburdened with reactive actions because of weak underlying network design and planning.




    		Command Syntax Conventions
    		Chapter 1. Operating System Issues and Features-The Big Picture
    		Chapter 2. User-Space Routing Software
    		Chapter 3. Kernel Requirements for a Full-Featured Lab
    		Chapter 4. Gateway WAN/Metro Interfaces
    		Chapter 5. Ethernet and VLANs
    		Chapter 6. The Analyzer Toolbox, DHCP, and CDP
    		Chapter 7. The UNIX Routing and ARP Tables
    		Chapter 8. Static Routing Concepts
    		Chapter 9. Dynamic Routing Protocols-Interior Gateway Protocols
    		Chapter 10. ISP Connectivity with BGPv4-An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing
    		Chapter 11. VPN Technologies, Tunnel Interfaces, and Architectures
    		Chapter 12. Designing for High Availability
    		Increasing Availability
    		Withstanding a (D)DoS Attack
    		Network HA Approaches
    		Simple but Effective Approaches to Server HA
    		DNS Shuffle Records and Round-Robin (DNS RR)
    		Dynamic Routing Protocols
    		Firewall Failover
    		Clustering and Distributed Architectures
    		The Service Routing Redundancy Daemon (SRRD)
    		IPv4/IPv6 Anycast
    		A Few Words About Content Caches and Proxies
    		Load Balancing
    		Cisco HA and Load-Balancing Approaches
    		VRRP
    		OpenBSD CARP
    		IRDP
    		Summary
    		Recommended Reading
    		Endnotes
    		Chapter 13. Policy Routing, Bandwidth Management, and QoS
    		Chapter 14. Multicast Architectures
    		Chapter 15. Network Address Translation
    		Appendix A. UNIX Kernel Configuration Files
    		Appendix B. The FreeBSD Netgraph Facility