1. Home
  2. Networking
  3. Router firewall security

Chapter 17. DoS Protection

Of the three categories of attacks?reconnaissance, access, and denial-of-service (DoS)?DoS attacks are the easiest to implement yet the hardest to defeat. DoS attacks are based on packet flooding, which uses up bandwidth, CPU, and memory resources on not just the victim device, but also intervening devices, such as routers, switches, and firewalls.

When you are experiencing a DoS attack, one of the first things you need to do is find out the actual kind of DoS attack that is affecting your network. As you will see in the first section of this chapter, a variety of options are available to you, including examining the CPU utilization of your routers, using ACL statements with logging parameters, and using NetFlow.

When you know the kind of DoS attack directed at your network, you can implement an appropriate solution. The remaining sections in this chapter focus on these solutions, including TCP Intercept, CBAC, and rate limiting. Of course, you always can use an ACL to block offending traffic; however, this might introduce other problems, such as the blocking of legitimate traffic. Therefore, in many cases, you need to use other tools, such as the ones discussed in the last half of this chapter, to deal with DoS issues.



    		Part I: Security Overview and Firewalls
    		Part II: Managing Access to Routers
    		Part III: Nonstateful Filtering Technologies
    		Part IV: Stateful and Advanced Filtering Technologies
    		Part V: Address Translation and Firewalls
    		Part VI: Managing Access Through Routers
    		Part VII: Detecting and Preventing Attacks
    		Chapter 16. Intrusion-Detection System
    		Chapter 17. DoS Protection
    		Detecting DoS Attacks
    		CEF Switching
    		TCP Intercept
    		CBAC and DoS Attacks
    		Rate Limiting
    		Summary
    		Chapter 18. Logging Events
    		Part VIII: Virtual Private Networks
    		Part IX: Case Study