Cisco Systems SRW248G4PK9NA User Manual
Cisco Small Business 300 Series Managed Switch Administration Guide
Security
Denial of Service Prevention 
A Denial of Service (DoS) attack is an attempt by an attacker to make a device 
unavailable to its users. 
DoS attacks saturate the device with external communication requests so that it 
cannot respond to legitimate traffic. On a switch, the usual result is CPU 
overload: the control plane is too busy processing attack traffic to service 
management and protocol traffic.
Secure Core Technology (SCT) 
One method the device uses to resist DoS attacks is SCT. 
SCT is enabled by default on the device and cannot be disabled. 
The device handles management traffic, protocol traffic and snooping traffic 
in addition to end-user (TCP) traffic, and all of these compete for the CPU.
SCT ensures that the device still receives and processes management and 
protocol traffic no matter how much total traffic arrives. It does this by 
rate-limiting the TCP traffic that is sent to the CPU, so a flood of end-user 
TCP traffic cannot starve the control plane.
There are no interactions with other features.
SCT can be monitored in the Denial of Service > Denial of Service Prevention > 
Security Suite Settings page (Details button).
Types of DoS Attacks
The following types of packets or other strategies might be involved in a Denial of 
Service attack: 
TCP SYN Packets—These packets often carry a spoofed (false) source address. 
Each packet is handled as a connection request: the device allocates a 
half-open connection, replies with a TCP SYN-ACK, and waits for the final 
ACK of the three-way handshake from the source address. Because the source 
address is spoofed, that ACK never arrives. The accumulating half-open 
connections exhaust the number of connections the device can track, keeping 
it from responding to legitimate requests (a SYN flood).
TCP SYN-FIN Packets—SYN packets are sent to create a new TCP 
connection. TCP FIN packets are sent to close a connection. A packet in 
which both SYN and FIN flags are set should never exist. Therefore these 
packets might signify an attack on the device and should be blocked.
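The two packet types above, worked through as an added example that is not code from the Cisco guide: a minimal TCP header parser that pulls out the flag byte, a check for the impossible SYN+FIN combination, and a fixed-size half-open connection table that shows how spoofed SYNs with no follow-up ACK crowd out a legitimate client. The addresses (203.0.113.x, 198.51.100.7), the table size and the verdict strings are constructed for the demo and are not device settings.

```python
import struct

# TCP flag bits (RFC 793), low byte of the flags field at header offset 13
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options) used as sample input."""
    data_offset = 5 << 4  # header length 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_flags(segment):
    """Return the flag byte from a raw TCP header (byte 13)."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    return segment[13]


def is_syn_fin(flags):
    """SYN and FIN set together never occurs in a legitimate session."""
    return bool(flags & SYN) and bool(flags & FIN)


class HalfOpenTable:
    """Tracks connections that have been SYN-ACKed but not yet ACKed.

    max_half_open is a hypothetical capacity; a real stack has a similar,
    larger, but still finite limit, which is what a SYN flood exhausts.
    """

    def __init__(self, max_half_open):
        self.max_half_open = max_half_open
        self.pending = {}   # (src_ip, src_port) -> True while half-open
        self.dropped = 0    # SYNs refused because the table was full

    def on_segment(self, src_ip, src_port, flags):
        key = (src_ip, src_port)
        if is_syn_fin(flags):
            return "drop-syn-fin"          # invalid flag combination
        if (flags & SYN) and not (flags & ACK):
            if len(self.pending) >= self.max_half_open:
                self.dropped += 1
                return "drop-table-full"   # no room for another handshake
            self.pending[key] = True
            return "syn-ack-sent"          # half-open until the ACK arrives
        if (flags & ACK) and key in self.pending:
            del self.pending[key]
            return "established"           # handshake completed, slot freed
        return "ignored"


def simulate_syn_flood(table_size=4, spoofed_syns=10):
    """Spoofed SYNs (no ACK ever follows) fill the table; the legitimate
    client that arrives afterwards is refused. Returns a summary dict."""
    table = HalfOpenTable(table_size)
    for i in range(spoofed_syns):
        hdr = build_tcp_header(40000 + i, 443, SYN)          # constructed
        table.on_segment(f"203.0.113.{i}", 40000 + i, parse_tcp_flags(hdr))
    legit = build_tcp_header(50000, 443, SYN)                # constructed
    verdict = table.on_segment("198.51.100.7", 50000, parse_tcp_flags(legit))
    return {"pending": len(table.pending),
            "dropped": table.dropped,
            "legit_client": verdict}


if __name__ == "__main__":
    print(simulate_syn_flood())
    print(is_syn_fin(parse_tcp_flags(build_tcp_header(1, 2, SYN | FIN))))
```

The SYN-FIN check is a pure flag test and costs nothing, which is why a switch can drop such packets in hardware; the half-open table shows why a SYN flood hurts even when every packet is individually well-formed: the cost is in state that the spoofed sources never release.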