Configuring Denial-of-Service Security Features
This chapter describes how to protect your network against some of the well-known denial-of-service (DoS) attacks. You will learn how to configure your router to stop forwarding directed broadcasts, to drop source-routed IP packets, to stop sending ICMP redirects, and to protect TCP servers from SYN-flooding attacks, a type of denial-of-service attack. You will also learn how to limit packet flooding through queuing and traffic policing.
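As an added example that is not part of the chapter's own text, the following Cisco IOS configuration fragment pulls together the features listed above on one router. The interface names, the inside network 192.0.2.0/24, the outside address 203.0.113.2, the access-list numbers and the 64 kbit/s ICMP rate are all assumed for illustration. Each command is commented with the attack it closes off.

```text
! Added example (not from the chapter): hardening a Cisco IOS router
! against the DoS vectors named in the chapter overview. Addresses,
! interface names, ACL numbers and rates are assumed for illustration.
!
! --- Global settings ---
! Drop packets that carry a loose or strict source-route option. Source
! routing lets an attacker dictate the path a packet takes, bouncing
! traffic through your router or appearing to come from a trusted path.
no ip source-route
!
! TCP intercept: the router completes the three-way handshake with the
! client on the server's behalf and only opens the connection to the
! server once the client has proved it exists. Half-open connections
! from a SYN flood therefore pile up on the router, which ages them out,
! instead of exhausting the server's listen queue. Access list 101 names
! the servers to protect.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 101
ip tcp intercept mode intercept
!
! ACL used below to police ICMP with committed access rate (CAR), so an
! ICMP flood cannot consume the whole inbound link.
access-list 102 permit icmp any any
!
! --- Outside (Internet-facing) interface ---
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ! Do not turn a directed broadcast (for example 192.0.2.255) into a
 ! link-layer broadcast on the attached LAN; this keeps the router from
 ! being used as an amplifier for broadcast-based floods.
 no ip directed-broadcast
 ! Do not send ICMP redirects. They reveal topology and can be abused
 ! to steer hosts toward a bogus gateway.
 no ip redirects
 ! Allow ICMP at 64 kbit/s (8000-byte normal and maximum burst);
 ! transmit conforming packets, drop the excess.
 rate-limit input access-group 102 64000 8000 8000 conform-action transmit exceed-action drop
!
! --- Inside interface facing the protected servers ---
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
```

After applying the fragment, `show tcp intercept statistics` reports how many incoming connections the router has intercepted and how many it has dropped, and `show tcp intercept connections` lists the half-open connections it is currently holding; both rising sharply while the servers stay responsive is the sign the intercept is doing its job. If the router sits in front of a busy site, `ip tcp intercept mode watch` is the gentler alternative: the router passively watches handshakes and only resets connections that fail to complete within the watch timeout, instead of proxying every SYN.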
Understanding Denial-of-Service

You are watching the World Series and Matt Williams of the Diamondbacks is at bat. The count is 3-2, 2 out, and the bases are loaded. The phone rings, and the ring indicates a long-distance call. Obviously, the caller is not watching the game. You answer the phone, only to find no one there. You curse and slam down the phone. Several seconds later, it happens again. You repeat the process. This series of events occurs several more times until, out of frustration, you turn off the ringer and let all the calls go to voicemail. At work the next morning, your buddy says, "Where were you? I tried to call last night to make sure you were watching the game." (If you are a Canadian, substitute the Stanley Cup finals for the World Series, Mats Sundin for Matt Williams, the Toronto Maple Leafs for the Diamondbacks, and so on. If you live anywhere else, substitute the World Cup, Reynaldo, etc.) The point is that the unknown caller was tying up your phone line and denying your buddy access to you. It got so bad that you had to take your phone off-line. You can see that it is very difficult to protect against this type of attack, short of going off-line.

The same story maps directly onto your router. Someone starts flooding your router or network with dubious packets. The packets cause the system to crash or consume all available resources, and your legitimate clients cannot get through or do anything. When someone hits your router with a denial-of-service attack, they tie up critical resources and block the door to lawful business activity. A denial-of-service (DoS) attack is an attack against your network's availability.