Security Basics mailing list archives
Re: Cisco IOS to defend against dod/ddos
From: "Michael Condon" <admin () singulartechnologysolutions com>
Date: Mon, 20 Oct 2008 12:48:53 -0500
I'm not sure what percentage of companies manage their own routers - I've seen it done both ways at a variety of sites. I agree it would be best that the ISP control the traffic, but is it or is it not preferable to have the controls enforced locally as well?

----- Original Message -----
From: "Richard Golodner" <rgolodner () infratection com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>
Sent: Monday, October 20, 2008 12:06 PM
Subject: RE: Cisco IOS to defend against dod/ddos

Most of us manage our own routers. I would not want Sprint or AT&T managing my router or knowing my enable passwords. Are you familiar with access control lists, also known as ACLs? These are applied onto the interface where traffic is ingressing your network. Let's say you have a 1.5 meg pipe and it is filled with DDoS traffic; even if you drop the packets arriving at your network, your pipe is still full with garbage packets, leaving you still without access to your pipe. In this case it is best to talk to your ISP and have them mitigate the attack further up the pipe, where they have some more space and a more powerful set of options, such as null routing.

most sincerely,
Richard

-----Original Message-----
From: Michael Condon [mailto:admin () singulartechnologysolutions com]
Sent: Monday, October 20, 2008 11:51 AM
To: Richard Golodner
Cc: security-basics () securityfocus com
Subject: Re: Cisco IOS to defend against dod/ddos

What about the case where the client operates their own router instead of having a managed router? Or are you saying that this should be implemented further downstream?

----- Original Message -----
From: "Richard Golodner" <rgolodner () infratection com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>
Sent: Monday, October 20, 2008 11:11 AM
Subject: RE: Cisco IOS to defend against dod/ddos

Michael, Cisco builds DDoS mitigation hardware, but it is very expensive. Your best bet is to speak with your upstream providers in order to stop this type of attack. The packet is dropped at your router's interface when using ACLs, which means you are already DDoSed.

most sincerely,
Richard

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Saturday, October 18, 2008 9:56 PM
To: security-basics () securityfocus com
Subject: Cisco IOS to defend against dod/ddos

Does anyone have examples of Cisco IOS that will defend against dos/ddos/malformed packet attacks by denying access to the sending IP address(es)? Can this also be done for port scans? Can it be done on Routers, PIX Firewalls/Cisco ASA?
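The ingress-interface ACL that Richard describes, written out as an added IOS configuration example (not posted in the thread, not Cisco documentation): a named extended ACL applied inbound on the ISP-facing interface drops the sending address(es) seen in the attack and the private-range sources that can never legitimately arrive from the Internet, and a second, cheaper mechanism (a Null0 route for the attacking source combined with loose unicast RPF, the usual source-based black hole) drops the same traffic in the forwarding path without an ACL entry per address. The interface name Serial0/0, the ACL name EDGE-IN and the attacker address 203.0.113.10 (RFC 5737 documentation range) are assumed placeholders.

```cisco
! Added example, not from the thread. Placeholders: interface Serial0/0,
! ACL name EDGE-IN, attacking source 203.0.113.10 (documentation range).
!
ip access-list extended EDGE-IN
 remark --- drop the sending address(es) seen in the attack ---
 deny   ip host 203.0.113.10 any log
 remark --- sources that can never legitimately arrive from the Internet ---
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark --- everything else continues on to the firewall ---
 permit ip any any
!
interface Serial0/0
 description 1.5 Mb/s link to ISP
 ip access-group EDGE-IN in
 ! loose uRPF: drop packets whose source has no route or is routed to Null0
 ip verify unicast source reachable-via any
!
! Source-based black hole: with this route in place, loose uRPF on Serial0/0
! discards everything from 203.0.113.10 without a per-address ACL entry.
ip route 203.0.113.10 255.255.255.255 Null0
!
! Verification (exec mode): ACL hit counters show how much the deny entries
! match, and the interface input rate shows the link still filling upstream.
! show access-lists EDGE-IN
! show ip interface Serial0/0
! show interfaces Serial0/0 | include rate
```

Two practical notes. First, neither the ACL nor the Null0 route does anything about the 1.5 meg pipe itself, which is Richard's point: the packets have already crossed the link when they are dropped, so what these controls buy you is a clean LAN and firewall and hard numbers (the ACL counters and interface rate) to hand to the ISP when asking them to null-route or filter upstream. Second, the `log` keyword on a deny entry makes the router punt every match to the CPU for logging, which under a flood can hurt more than the flood; use it only briefly to confirm the entry is matching, then remove it. On a PIX or ASA the same filter is an `access-list ... extended deny ip host 203.0.113.10 any` bound with `access-group ... in interface outside`, with the same caveat that the link is still full.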