Denial Of Service Attack - Cisco ASR 1000 Series Configuration Manual

Denial of Service Attack

Denial of service has become a growing concern, especially when considering the associated costs of such
an attack. DoS attacks can decrease the performance of networked devices, disconnect the devices from the
network, and cause system crashes. When network services are unavailable, enterprises and service providers
suffer the loss of productivity and sales.
The objective of a DoS attack is to deprive a user or organization of access to services or resources. If a website
is compromised by a DoS attack, millions of users could be denied access to the site. DoS attacks do not
typically result in intrusion or the theft of information. Rather than giving unauthorized users access, a DoS
attack causes aggravation and cost to the targeted customer by preventing authorized access. Distributed DoS
(DDoS) attacks amplify DoS attacks: a multitude of compromised systems coordinate to flood targets with attack
packets, causing denial of service for users of the targeted systems.
A DoS attack occurs when a stream of ICMP echo requests (pings) is broadcast to a destination subnet with the
source address of each request forged to be the address of the target. For each request the attacker sends, many
hosts on the subnet respond, flooding the target and wasting bandwidth. This most common DoS attack is called a
"smurf" attack, after the executable program that performs it, and belongs to the category of network-level
attacks against hosts. DoS attacks can be detected easily when error-message logging for the ICMP Unreachable
Destination Counters feature is enabled.
Path MTU Discovery
The software supports the IP Path MTU Discovery mechanism, as defined in RFC 1191. IP Path MTU Discovery
allows a host to dynamically discover and cope with differences in the maximum transmission unit (MTU) size
allowed on the various links along the path. Sometimes a router is unable to forward a datagram because the
datagram requires fragmentation (the packet is larger than the MTU you set for the interface with the ip mtu
interface configuration command) but its "don't fragment" (DF) bit is set. The software sends a message to the
sending host, alerting it to the problem. The host then needs to fragment packets for that destination so that
they fit the smallest packet size of all the links along the path. This technique is shown in the figure below.
Figure 1: IP Path MTU Discovery
IP Path MTU Discovery is useful when a link in a network goes down, forcing the use of another link with a
different MTU size (and different routers). As shown in the figure above, suppose a router is sending IP packets
over a network where the MTU in the first router is set to 1500 bytes but the MTU in the second router is set to
512 bytes.
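As an added example (not code from the Cisco guide), the following Python model walks through the exchange in the figure: the host sends with the DF bit set, a router whose egress MTU is smaller than the datagram drops it and reports the MTU it can forward, and the host shrinks the datagram until it fits. It also covers the RFC 1191 case of an older router that reports a next-hop MTU of 0, where the host falls back to the RFC's plateau table; the router names R1/R2 and the 1500/512-byte sizes are the figure's scenario as constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# RFC 1191 "plateau" table: sizes a host steps down through when a router
# reports a next-hop MTU of 0 (routers predating RFC 1191 leave that field 0).
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
MIN_IPV4_MTU = 68  # every IPv4 link must pass at least 68 bytes (RFC 791)

@dataclass
class Hop:
    name: str
    mtu: int                  # "ip mtu" on this router's outgoing interface
    reports_mtu: bool = True  # False models an old router that advertises 0

@dataclass
class Reply:
    delivered: bool
    reporter: Optional[str] = None  # router that sent "fragmentation needed"
    next_hop_mtu: int = 0           # MTU it advertised; 0 means "not reported"

def forward(path: List[Hop], size: int, df: bool) -> Reply:
    """Router side: a datagram larger than the egress MTU needs fragmenting.
    With DF set the router drops it and tells the sender the MTU it can pass."""
    for hop in path:
        if size > hop.mtu:
            if df:
                return Reply(False, hop.name, hop.mtu if hop.reports_mtu else 0)
            # DF clear: the router fragments and forwards (fragments not modelled)
    return Reply(True)

def discover_path_mtu(path: List[Hop], initial: int
                      ) -> Tuple[int, List[Tuple[int, Optional[str]]]]:
    """Host side: send with DF set and shrink until a datagram gets through.
    Returns (path MTU, list of (size tried, router that rejected it))."""
    size, attempts = initial, []
    while True:
        reply = forward(path, size, df=True)
        attempts.append((size, reply.reporter))
        if reply.delivered:
            return size, attempts
        if MIN_IPV4_MTU <= reply.next_hop_mtu < size:
            size = reply.next_hop_mtu            # trust the advertised MTU
        else:
            smaller = [p for p in PLATEAUS if p < size]
            if not smaller:                      # nothing left to try
                raise RuntimeError("no datagram size >= 68 bytes gets through")
            size = smaller[0]                    # next plateau below current size

if __name__ == "__main__":  # constructed path from the figure: 1500 then 512 bytes
    print(discover_path_mtu([Hop("R1", 1500), Hop("R2", 512)], 1500))
```

With the figure's path the host needs two attempts (1500 bytes rejected by R2, 512 bytes delivered); with R2 modelled as a pre-RFC 1191 router the host steps through 1492 and 1006 before 508 bytes gets through.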
IP Application Services Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
Configuring IP Services