Denial of Service (DoS) Detection And Prevention

A DoS attack may be launched against a network in many different ways. Some of the most common DoS attacks that CBAC can mitigate are discussed in the sections that follow.

TCP SYN Flood and DoS Attacks Launched by UDP

For a normal TCP connection to be considered established, the TCP three-way handshake must be completed (SYN, SYN-ACK, and ACK). For UDP, both a request and a reply packet must be seen before the session is considered established. While waiting for the ACK to its SYN-ACK, the destination host keeps track of connections waiting to be completed in a connection queue of finite size. The TCP SYN attack exploits this design: an attacking host generates TCP SYN packets with random source addresses toward a victim host. The victim sends a SYN-ACK back to the random source address and adds an entry to the connection queue. Because the SYN-ACK is destined for an incorrect or non-existent host, the last part of the three-way handshake is never completed, and the entry remains in the connection queue until a timer expires. By generating invalid TCP SYN packets from random IP addresses at a rapid rate, an attacker can fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users. Because the router also tracks these half-open sessions, the flood affects the router's performance as well, which can slow legitimate traffic and sometimes cause packet drops due to memory shortage and high CPU utilization. These attacks are not easy to mitigate. However, CBAC has a couple of mechanisms to deal with them:
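The following simulation is an added example, not part of the original text and not Cisco code. It models the victim host's finite half-open connection queue described above and replays a constructed spoofed SYN flood against it twice, once with a long half-open (SYN-wait) timer and once with a short one, to show both why the queue fills and why the timeout values that CBAC enforces matter. The queue capacity, flood rate, addresses and timer values are all constructed for the example.

```python
"""Half-open TCP connection table under a spoofed SYN flood (constructed simulation).

Models the finite connection queue on a victim host and the effect of the
half-open (SYN-wait) timeout that a CBAC router can enforce. Illustrative only.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Tuple

FlowKey = Tuple[str, int, int]  # (source address, source port, destination port)


@dataclass
class HalfOpenTable:
    capacity: int        # finite queue of connections awaiting the final ACK
    syn_wait_ms: int     # how long a half-open entry survives before the timer reclaims it
    pending: "OrderedDict[FlowKey, int]" = field(default_factory=OrderedDict)
    refused: int = 0     # SYNs dropped because the queue was full
    expired: int = 0     # entries reclaimed by the SYN-wait timer

    def _expire(self, now_ms: int) -> None:
        # Entries are inserted in time order, so age out from the oldest end only.
        while self.pending:
            _, started = next(iter(self.pending.items()))
            if now_ms - started < self.syn_wait_ms:
                break
            self.pending.popitem(last=False)
            self.expired += 1

    def syn(self, now_ms: int, key: FlowKey) -> bool:
        """SYN arrives: take a queue slot (and send SYN-ACK) or refuse when the queue is full."""
        self._expire(now_ms)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[key] = now_ms
        return True

    def ack(self, now_ms: int, key: FlowKey) -> bool:
        """Final ACK of the handshake: the connection is established and its slot is freed."""
        self._expire(now_ms)
        return self.pending.pop(key, None) is not None


def run_flood(syn_wait_ms: int, capacity: int = 128, attack_rate: int = 50,
              duration_s: int = 10) -> Tuple[int, int, int]:
    """Replay a constructed flood; return (legit_ok, legit_refused, expired).

    attack_rate spoofed SYNs per second hit port 80 from sources that never answer
    the SYN-ACK. One legitimate client (192.0.2.10, documentation range) sends a
    SYN every second and completes its handshake 50 ms later. Time is in integer
    milliseconds so the arithmetic is exact.
    """
    table = HalfOpenTable(capacity=capacity, syn_wait_ms=syn_wait_ms)
    events: List[Tuple[int, str, FlowKey]] = []
    interval = 1000 // attack_rate  # ms between spoofed SYNs
    for i in range(attack_rate * duration_s):
        # Real floods use random sources; a unique synthetic source per SYN has the
        # same effect on the queue and keeps the run deterministic (constructed data).
        src = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        events.append((i * interval, "spoofed_syn", (src, 1024 + i % 60000, 80)))
    for s in range(duration_s):
        key = ("192.0.2.10", 40000 + s, 80)
        events.append((s * 1000 + 500, "legit_syn", key))
        events.append((s * 1000 + 550, "legit_ack", key))
    events.sort(key=lambda e: e[0])  # stable: spoofed SYN precedes a legit SYN at equal times

    legit_ok = legit_refused = 0
    admitted = set()
    for now_ms, kind, key in events:
        if kind == "spoofed_syn":
            table.syn(now_ms, key)  # no ACK ever follows; only the timer can free this slot
        elif kind == "legit_syn":
            if table.syn(now_ms, key):
                admitted.add(key)
            else:
                legit_refused += 1
        elif key in admitted and table.ack(now_ms, key):
            legit_ok += 1
    return legit_ok, legit_refused, table.expired


if __name__ == "__main__":
    for wait in (30_000, 1_000):
        ok, refused, expired = run_flood(wait)
        print(f"syn_wait={wait / 1000:>4}s  legit ok={ok:2}  legit refused={refused:2}  expired={expired}")
```

With a 30-second SYN-wait timer, a 50 SYN/s flood fills the 128-entry queue in under three seconds and every later legitimate connection is refused, which is the outcome the text describes; with a 1-second timer, the timer reclaims entries faster than the flood creates them and all ten legitimate handshakes complete. The baselining the text calls for is what tells you how short that timer can be before it starts cutting off slow but legitimate clients.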

  • Timeout values: CBAC has different timeout values to clear up the unnecessary sessions that use up a lot of memory and buffer space. To choose timeout values carefully, you must baseline your network under normal conditions. Selecting appropriate timeouts can help to mitigate the stress that DoS attacks place on the router and on the victim hosts. Here are the timeout values available on the CBAC router: