This chapter showed you the basics of dealing with DoS attacks. If you suspect that you are under a DoS attack, examine your router's CPU and memory utilization, and look for abnormalities. You also can examine your ACL counters to see if a specific kind of traffic is increasing in an unusual manner. You can use ACL logging to gather more information about the attack, but this is process intensive for the router. In this situation, I recommend using NetFlow to gather information about the attack.

For TCP SYN flood attacks, you can use the router's TCP Intercept feature. However, if you already have the Cisco IOS Firewall feature set installed on your router, use CBAC's timeouts and thresholds to limit the effectiveness of a DoS attack.

In many cases, you need to limit the amount of traffic generated by the DoS attack, to allow legitimate traffic while you track down the culprit of the attack. For ICMP attacks, you can use ICMP rate limiting. You also can use CAR or NBAR.

Next up is Chapter 18, which shows you how to configure your router to produce logging information, as well as how to examine this information.