Prevention Techniques (cont’d)
Technical help tips for Cisco routers
Stories from the field
Network Operations Centers should publish proper procedures for getting filters put in place and tracing started
- Cisco bugfixes which address some of the problems related to protection against Denial of Service attacks:
  - BugID CSCdj35407 - “fast drop” ACL code - integrated in 11.1(14)CA
    - This fix decreases the load on the router’s CPU when a packet matches an ACL “deny” line. Previously, the processor would place every denied packet through the slow switching path in order to send the appropriate ICMP unreachable messages. With this fix, only 2 packets per second go to the slow path in order to process those messages.
  - BugID CSCdj35856 - ACL logging throttles - integrated in 11.1(15)CA
    - This fix introduced a command, “ip access-list logging interval”, to set the interval between syslog notifications generated by a “log” keyword in an ACL.
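The two fixes above both replace "do work for every denied packet" with "do work at a bounded rate". The following Python model, added here and not taken from the slides or from IOS, shows the effect on a constructed flood: denied packets are fed through a throttle that allows at most two ICMP unreachables per second and one syslog line per logging interval, driven by a simulated millisecond clock. The class and function names, the window logic and the sample packet rate are assumptions made for illustration; real IOS counts and windows may differ.

```python
# Added example (not from the Cisco slides): a model of the two throttles
# described above, driven by a simulated millisecond clock so it runs offline.

class DenyPathThrottle:
    """Decide what happens to a packet that matched an ACL "deny ... log" line.

    unreach_pps     - denied packets per second allowed onto the slow path to
                      generate an ICMP unreachable (the fix uses 2).
    log_interval_ms - minimum gap between syslog messages for "log" hits
                      (what "ip access-list logging interval" configures).
    """

    def __init__(self, unreach_pps=2, log_interval_ms=1000):
        self.unreach_pps = unreach_pps
        self.log_interval_ms = log_interval_ms
        self._window_start_ms = None   # start of the current 1-second ICMP window
        self._window_count = 0         # unreachables sent in that window
        self._last_log_ms = None       # time of the last syslog message

    def handle_denied(self, now_ms):
        """Return (fast_dropped, icmp_sent, logged) for a denied packet at now_ms."""
        # ICMP unreachable budget: at most unreach_pps per one-second window.
        if self._window_start_ms is None or now_ms - self._window_start_ms >= 1000:
            self._window_start_ms = now_ms
            self._window_count = 0
        if self._window_count < self.unreach_pps:
            self._window_count += 1
            icmp_sent = True           # slow path: build and send the ICMP message
        else:
            icmp_sent = False          # fast path: drop without the CPU-heavy work
        # Syslog throttle: one line per logging interval, whatever the packet rate.
        if self._last_log_ms is None or now_ms - self._last_log_ms >= self.log_interval_ms:
            self._last_log_ms = now_ms
            logged = True
        else:
            logged = False
        return (not icmp_sent, icmp_sent, logged)


def simulate_flood(n_packets, spacing_ms, unreach_pps=2, log_interval_ms=1000):
    """Feed n_packets denied packets, spacing_ms apart, through one throttle."""
    throttle = DenyPathThrottle(unreach_pps, log_interval_ms)
    counts = {"fast_dropped": 0, "icmp_unreachable": 0, "syslog": 0}
    for i in range(n_packets):
        fast, icmp, logged = throttle.handle_denied(i * spacing_ms)
        counts["fast_dropped"] += int(fast)
        counts["icmp_unreachable"] += int(icmp)
        counts["syslog"] += int(logged)
    return counts


if __name__ == "__main__":
    # Constructed flood: 250 denied packets, 10 ms apart (100 pps for 2.5 s).
    print("with fix:   ", simulate_flood(250, 10))
    # Pre-fix behaviour: every denied packet takes the slow path.
    print("without fix:", simulate_flood(250, 10, unreach_pps=250))
```

With the fix, the 250-packet flood costs six ICMP unreachables and three syslog lines; without it every denied packet takes the slow path, which is exactly the CPU load an attacker sending a stream of filtered packets is trying to create.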
- Unicast RPF checking ensures that packets aren’t source-spoofed by verifying that the packet came in on the same interface the router would use to reach the packet’s source address. This is disabled by default, as there are configurations in which it would prevent legitimate traffic from flowing (multi-homed environments with asymmetric paths). However, for stub networks (those with only one entry/exit point), this command ensures that there are no source-spoofed packets with bogus source addresses.
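The check is a reverse lookup against the forwarding table, and the multi-homed caveat follows directly from that. The Python below is an added example, not code from the slides or from IOS: a constructed forwarding table with longest-prefix matching, a strict reverse-path check on it, and two scenarios, an ISP edge facing stub customers (where spoofed sources are dropped) and a multi-homed site (where a legitimate packet arriving over the non-preferred link is dropped too). The class and interface names and the addresses are assumptions; the model also treats the default route like any other route, whereas real IOS handles it specially.

```python
# Added example (not from the Cisco slides): strict unicast RPF modelled
# as a reverse lookup in a constructed forwarding table.
import ipaddress


class Router:
    """Forwarding table as (prefix, egress interface) pairs; longest match wins."""

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def best_interface(self, addr):
        """Interface the router would use to forward a packet TO addr."""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return iface
        return None

    def urpf_strict(self, src, in_iface):
        """Strict uRPF: accept only if the path back to src leaves via in_iface."""
        return self.best_interface(src) == in_iface

    def audit(self, packets):
        """Apply the check to (src, in_iface) pairs; return (src, iface, verdict)."""
        return [(src, iface, "pass" if self.urpf_strict(src, iface) else "drop")
                for src, iface in packets]


# Scenario 1: ISP edge router with two stub customers and a core uplink.
EDGE = Router([
    ("192.0.2.0/24", "cust0"),      # customer A (stub, single link)
    ("198.51.100.0/24", "cust1"),   # customer B (stub, single link)
    ("0.0.0.0/0", "core0"),         # everything else via the core
])

# Scenario 2: a multi-homed site whose best route to its own prefix's
# peers points at ISP A, while replies may legitimately arrive via ISP B.
MULTI = Router([
    ("203.0.113.0/24", "isp_a"),
    ("0.0.0.0/0", "isp_b"),
])

# Constructed packets as (source address, ingress interface).
EDGE_PACKETS = [
    ("192.0.2.50", "cust0"),      # genuine customer A source
    ("198.51.100.7", "cust0"),    # customer A spoofing customer B
    ("10.0.0.1", "cust0"),        # customer A spoofing a bogus source
    ("10.0.0.1", "core0"),        # arrives where the default route points
]

if __name__ == "__main__":
    for row in EDGE.audit(EDGE_PACKETS):
        print("edge ", row)
    # Legitimate but asymmetric: dropped by strict uRPF on the multi-homed site.
    print("multi", EDGE.audit([]) or MULTI.audit([("203.0.113.9", "isp_b")]))
```

On the edge router, strict uRPF on the customer-facing interfaces drops both spoof attempts while passing the genuine source, which is the stub-network case the slide describes. On the multi-homed site the same rule drops a legitimate packet from 203.0.113.9 that happened to arrive over ISP B, which is why the feature is off by default and should only be enabled where the return path is unambiguous.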
- For the Internet, inter-provider cooperation in tracking down attacks is essential. NOCs are encouraged to have published procedures/policies for engaging a technical team capable of tracking such attacks.