Cisco MGX-FRSM-HS2 B Serial Frame Service Module White Paper

The DoS Project's "trinoo" distributed denial of service attack tool 
The "Tribe Flood Network" distributed denial of service attack tool 
The "stacheldraht" distributed denial of service attack tool 
Additional information regarding DDoS tools and their variants can be found at the Packet Storm web site's Index of Distributed Attack Tools.
Prevention
These are suggested methods to prevent distributed denial of service attacks.
1. Use the ip verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.
This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.
The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (leased and dial-up). This protects your network and customers, as well as the rest of the Internet. To use unicast RPF, enable "CEF switching" or "CEF distributed switching" in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input-side function that is enabled on an interface or sub-interface and operates on packets received by the router.
It is very important for CEF to be turned on in the router; RPF does not work without CEF. Unicast RPF is not supported in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that support CEF, which includes the AS5800. Hence, unicast RPF can be configured on the PSTN/ISDN dial-up interfaces on the AS5800.
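The check described in item 1, as an added example written for this page (not Cisco IOS code): a toy forwarding table is looked up by the packet's source address, and strict-mode uRPF forwards the packet only when the best route to that source points back out the interface the packet arrived on. The interface names and the forwarding table are constructed, the customer prefixes are documentation ranges, and the model treats the default route like any other route, which is a simplification.

```python
"""Toy model of a strict-mode unicast RPF check.

Added example, not Cisco IOS code. The FIB below is constructed: each entry
maps a prefix to the interface that reaches it, and the default route is
treated like any other route (a simplification of this model).
"""
from ipaddress import ip_address, ip_network

# Constructed forwarding table: (prefix, interface that reaches it).
FIB = [
    (ip_network("0.0.0.0/0"), "Serial0/0"),        # default route toward the core
    (ip_network("198.51.100.0/24"), "Serial1/0"),  # customer A (documentation range)
    (ip_network("203.0.113.0/24"), "Serial1/1"),   # customer B (documentation range)
]


def lookup(src, fib=FIB):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ip_address(src)
    best = None
    for prefix, iface in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_strict(src, ingress_iface, fib=FIB):
    """Strict uRPF: pass only if the best route to src points back out ingress_iface."""
    route = lookup(src, fib)
    if route is None:
        return False  # no route to the source at all: drop
    return route[1] == ingress_iface


def filter_packets(packets, fib=FIB):
    """Apply the check to (src, ingress_iface) pairs; returns (src, iface, action)."""
    return [
        (src, iface, "forward" if urpf_strict(src, iface, fib) else "drop")
        for src, iface in packets
    ]


# Constructed sample packets arriving at the router.
SAMPLE_PACKETS = [
    ("198.51.100.7", "Serial1/0"),  # genuine customer A source on A's link
    ("203.0.113.9", "Serial1/0"),   # spoofed: customer B's address arriving on A's link
    ("10.1.1.1", "Serial1/0"),      # spoofed RFC 1918 source; only the default route matches
    ("192.0.2.1", "Serial0/0"),     # Internet source arriving from the core
]

if __name__ == "__main__":
    for src, iface, action in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>14} on {iface}: {action}")
```

The two spoofed packets are dropped because their best route (customer B's link, or the default route toward the core) is not the interface they came in on; the check never needs to know which addresses are "bad", only which interface each prefix is reachable through, which is why it depends on a populated CEF table.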
2. Filter all RFC 1918 address space using Access Control Lists (ACLs).
Refer to this example:
access-list 101 deny ip 10.0.0.0    0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0  0.15.255.255 any
access-list 101 permit ip any any
interface xy
   ip access-group 101 in
Another source of information about special use IPv4 address space that can be filtered is the (now expired) IETF draft 'Documenting Special Use IPv4 Address Blocks that have been registered with IANA.'
3. Apply ingress and egress filtering (see RFC 2267) using ACLs.
Refer to this example:
     { ISP Core } -- ISP Edge Router -- Customer Edge Router -- { Customer network }
The ISP edge router should only accept traffic with source addresses belonging to the customer network. The customer network should only accept traffic with source addresses other than the
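The ACL semantics behind items 2 and 3, as an added example written for this page (not Cisco IOS code): it evaluates access-list lines with IOS wildcard masks (a 0 bit must match, a 1 bit is ignored) in first-match order with the implicit deny at the end, runs the RFC 1918 list from item 2 as written, and reuses the same matcher for the ISP-edge ingress filter of item 3. The customer prefix 198.51.100.0/24, the ACL number 110 and the sample packets are constructed.

```python
"""Wildcard-mask ACL evaluation with ingress filtering at the ISP edge.

Added example, not Cisco IOS code. It models the first-match, implicit-deny
semantics of a numbered IOS ACL and the wildcard-mask matching it relies on,
then reuses the matcher for an RFC 2267 style ingress filter. The customer
prefix 198.51.100.0/24 is a constructed documentation range.
"""
from ipaddress import ip_address

MASK32 = 0xFFFFFFFF


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match the base, a 1 bit is ignored."""
    care = ~int(ip_address(wildcard)) & MASK32
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)


def _addr_spec(tokens, i):
    """Read one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into a list of entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # not an ACL entry we model
        action, proto = t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry decides; with no match the ACL denies implicitly."""
    for action, _proto, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# The RFC 1918 filter from the text, parsed as written.
RFC1918_ACL = """
access-list 101 deny ip 10.0.0.0    0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0  0.15.255.255 any
access-list 101 permit ip any any
"""

# Constructed ingress filter for the ISP edge router: accept only packets
# whose source lies in the customer's own prefix (RFC 2267 ingress filtering).
ISP_EDGE_INGRESS_ACL = """
access-list 110 permit ip 198.51.100.0 0.0.0.255 any
access-list 110 deny ip any any
"""


def filter_report(acl_text, packets):
    """Return (src, dst, action) for each constructed (src, dst) packet."""
    entries = parse_acl(acl_text)
    return [(s, d, evaluate(entries, s, d)) for s, d in packets]


if __name__ == "__main__":
    samples = [("10.2.3.4", "192.0.2.1"), ("172.31.0.9", "192.0.2.1"),
               ("172.32.0.1", "192.0.2.1"), ("198.51.100.7", "192.0.2.1"),
               ("203.0.113.9", "192.0.2.1")]
    for acl_name, acl in (("ACL 101", RFC1918_ACL), ("ACL 110", ISP_EDGE_INGRESS_ACL)):
        for s, d, a in filter_report(acl, samples):
            print(f"{acl_name}: {s:>13} -> {d}: {a}")
```

The wildcard 0.15.255.255 on 172.16.0.0 is what makes the third line cover exactly 172.16.0.0 through 172.31.255.255: the low four bits of the second octet are "don't care", so 172.31.0.9 is denied while 172.32.0.1 falls through to the permit. The edge ACL shows the ingress-filtering rule as a positive list, which is why a packet claiming another customer's address is denied without that address ever being enumerated.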