Chapter 21 - Advanced Denial Of Service Protection; Background; Security Inspection Workflow - Radware Alteon Application Manual

Application switch operating system

Chapter 21 – Advanced Denial of Service Protection
This chapter describes the Advanced Denial of Service (DoS) protection features that can be used to
prevent a wide range of network attacks. The commands to execute these features are located in
the Security menu, and are enabled via a separately purchased license key.
Note: If you purchased the Advanced DoS protection option, enable it by typing /oper/swkey and entering its software key.

- Background, page 601—Describes the rationale for providing Advanced DoS protection and how it can assist traditional firewalls in preventing malicious network attacks.
- IP Address Access Control Lists, page 602—Describes how to set up blocking of large ranges of IP addresses.
- Protection Against Common Denial of Service Attacks, page 604—Explains how to prevent common DoS attacks from entering ports that are connected to unsafe networks.
- Protocol-Based Rate Limiting, page 611—Explains how to monitor and limit incoming UDP, ICMP or TCP traffic within a configurable time window.
- Protection Against UDP Blast Attacks, page 617—Describes how to monitor and limit traffic on UDP ports to a maximum number of connections per second.
- TCP or UDP Pattern Matching, page 618—Describes how to match on binary or ASCII patterns embedded in IP packets, and combine them into pattern groups which can be applied to a filter to deny traffic containing those patterns.

Background

The Advanced DoS feature set extends the Alteon functionality to act as an application-intelligent
firewall. You can use these features to perform deep inspection and blocking of malicious content.
For example, many newer viruses, worms, malicious code, applications with security bugs, and
cyber attacks have targeted application and protocol weaknesses by tunneling through a firewall
over HTTP port 80, or by encapsulating attacks into SSL tunnels. Such packets can pass undetected
through standard network firewalls, which are configured only to open or close access to HTTP port
80. Many of the attacks (such as nullscan, xmascan, scan SYNFIN) are created with purposely
malformed packets that include illegal fields in the IP headers.

Security Inspection Workflow

A typical Alteon workflow to handle security inspection is as follows:
1. Alteon is configured with a predefined set of rules.
   To increase the performance of the inspection, complex pattern inspection rules can be defined
   with an offset value so that the inspection engine can go directly to the location to be inspected.
   A virus pattern often is a combination of multiple patterns within the IP payload. Alteon can be
   configured to inspect multiple patterns and locate them at different offsets within the payload.
2. Packets enter Alteon.
3. Alteon inspects the packet by comparing the rules to the content of the packet.

Document ID: RDWR-ALOS-V2900_AG1302
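The offset-anchored, multi-pattern inspection described in step 1 of the workflow, as an added Python example that is not Radware code or Alteon configuration. The class names, the rule name `demo-sig`, and the sample payloads are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class Pattern:
    value: bytes                  # ASCII or binary bytes to look for
    offset: Optional[int] = None  # payload offset to check; None = scan it all

    def matches(self, payload: bytes) -> bool:
        if self.offset is None:
            return self.value in payload  # unanchored: search whole payload
        # Anchored: go directly to the offset. A payload too short to hold
        # the pattern there yields a shorter slice, so it cannot match.
        return payload[self.offset:self.offset + len(self.value)] == self.value

@dataclass(frozen=True)
class PatternGroup:
    name: str
    patterns: Sequence[Pattern]

    def matches(self, payload: bytes) -> bool:
        # The signature is the combination: every pattern must be present.
        # An empty group matches nothing rather than everything.
        return bool(self.patterns) and all(p.matches(payload) for p in self.patterns)

def inspect(payload: bytes, groups: Sequence[PatternGroup]) -> str:
    """Return 'deny:<group>' for the first group that matches, else 'allow'."""
    for group in groups:
        if group.matches(payload):
            return f"deny:{group.name}"
    return "allow"

# Constructed rule and payloads for illustration (not real signatures).
RULES = [PatternGroup("demo-sig", (
    Pattern(b"POST /upload", offset=0),             # ASCII pattern at offset 0
    Pattern(bytes.fromhex("deadbeef"), offset=32),  # binary pattern at offset 32
))]
HIT = b"POST /upload".ljust(32) + bytes.fromhex("deadbeef") + b"tail"
SHIFTED = b"POST /upload".ljust(33) + bytes.fromhex("deadbeef")  # one byte late
PARTIAL = b"POST /upload".ljust(40)   # first pattern only
TRUNCATED = HIT[:34]                  # cut off inside the second pattern

if __name__ == "__main__":
    for name, pkt in [("HIT", HIT), ("SHIFTED", SHIFTED),
                      ("PARTIAL", PARTIAL), ("TRUNCATED", TRUNCATED)]:
        print(name, inspect(pkt, RULES))
```

The `SHIFTED` payload shows the trade-off of anchoring: the check is a single comparison at a known location, but content that moves by one byte no longer matches unless an unanchored pattern is used.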
