Defense Against Dos Attacks - Cisco SF500-24 Administration Manual
Esw2 series advanced switches
Hide thumbs
Also See for SF500-24:
- Administration manual (477 pages) ,
- Quick start manual (72 pages) ,
- Quick start manual (25 pages)
Table of Contents
Advertisement
Security
Denial of Service Prevention
Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3
•
Martian Addresses—Martian addresses are illegal from the point of view of
the IP protocol. See
•
ICMP Attack—Sending malformed ICMP packets or overwhelming number
of ICMP packets to the victim that might lead to a system crash.
•
IP Fragmentation—Mangled IP fragments with overlapping, over-sized
payloads are sent to the device. This can crash various operating systems
due to a bug in their TCP/IP fragmentation re-assembly code. Windows 3. 1 x,
Windows 95 and Windows NT operating systems, as well as versions of
Linux prior to versions 2.0.32 and 2. 1 .63 are vulnerable to this attack.
•
Stacheldraht Distribution—The attacker uses a client program to connect to
handlers, which are compromised systems that issue commands to zombie
agents, which in turn facilitate the DoS attack. Agents are compromised via
the handlers by the attacker.
Using automated routines to exploit vulnerabilities in programs that accept
remote connections running on the targeted remote hosts. Each handler can
control up to a thousand agents.
•
Invasor Trojan—A trojan enables the attacker to download a zombie agent
(or the trojan may contain one). Attackers can also break into systems using
automated tools that exploit flaws in programs that listen for connections
from remote hosts. This scenario primarily concerns the device when it
serves as a server on the web.
•
Back OrifaceTrojan—This is a variation of a trojan that uses Back Oriface
software to implant the trojan.
Defense Against DoS Attacks
The Denial of Service (DoS) Prevention feature assists the system administrator
in resisting such attacks in the following ways:
•
Enable TCP SYN protection. If this feature is enabled, reports are issued
when a SYN packet attack is identified, and the attacked port can be
temporarily shut-down. A SYN attack is identified if the number of SYN
packets per second exceeds a user-configured threshold.
•
Block SYN-FIN packets.
•
Block packets that contain reserved Martian addresses (Martian Addresses
page)
Martian Addresses
for more details.
20
406
Hide quick links:
Advertisement
Table of Contents
