These are suggested methods to prevent distributed denial of service attacks.

  1. Use the ip verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.

    This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.

    The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (leased-line and dial-up). This protects your network and customers, as well as the rest of the Internet. To use Unicast RPF, enable "CEF switching" or "CEF distributed switching" in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input-side function that is enabled on an interface or sub-interface and operates on packets received by the router.

    It is very important for CEF to be turned on in the router: RPF does not work without CEF. Unicast RPF is not supported in any 11.2 or 11.3 images. Unicast RPF is included in 12.0 on platforms that support CEF, which includes the AS5800. Hence, Unicast RPF can be configured on the PSTN/ISDN dial-up interfaces on the AS5800.

  2. Filter all RFC-1918 address space using Access Control Lists (ACLs).

    Refer to this example:

    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 permit ip any any
    interface xy
     ip access-group 101 in

    Another source of information about special-use IPv4 address space that can be filtered is the (now expired) IETF draft 'Documenting Special Use IPv4 Address Blocks that have been registered with IANA.'

  3. Apply ingress and egress filtering using ACLs.

    Refer to this example:

         { ISP Core } -- ISP Edge Router -- Customer Edge Router -- { Customer network }

    The ISP edge router should only accept traffic with source addresses belonging to the customer network. The customer edge router should only accept inbound traffic with source addresses other than the customer network block, and should only send outbound traffic with source addresses from that block. This is a sample ACL for an ISP edge router:

    access-list 190 permit ip {customer network} {customer network mask} any
    access-list 190 deny ip any any [log]
    interface {ingress interface} {interface #}
     ip access-group 190 in

    This is a sample ACL for a customer edge router:

    access-list 187 deny ip {customer network} {customer network mask} any
    access-list 187 permit ip any any
    access-list 188 permit ip {customer network} {customer network mask} any
    access-list 188 deny ip any any
    interface {egress interface} {interface #}
     ip access-group 187 in
     ip access-group 188 out

    If you are able to turn on Cisco Express Forwarding (CEF), the length of the ACLs can be substantially reduced, and performance increased, by enabling unicast reverse path forwarding. In order to support unicast reverse path forwarding, you only need to be able to enable CEF on the router as a whole; the interface on which the feature is enabled does not need to be a CEF-switched interface.
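    As an added illustration of methods 1 to 3 (not code from the original page or from Cisco), the following Python models the two checks an ISP edge router applies on a customer-facing interface: a strict Unicast RPF lookup against a longest-prefix-match FIB, and first-match evaluation of the RFC 1918 ACL using IOS wildcard masks. The FIB entries, interface names and addresses are constructed documentation values, not real routes.

```python
import ipaddress

# Constructed FIB for an ISP edge router (documentation prefixes, not real routes):
# prefix -> interface that the best route points out of.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "Serial0",          # default route toward the ISP core
    ipaddress.ip_network("198.51.100.0/24"): "Ethernet0",  # customer A's network
    ipaddress.ip_network("203.0.113.0/24"): "Ethernet1",   # customer B's network
}

def fib_lookup(addr):
    """Longest-prefix match on the FIB, the lookup CEF performs for an address."""
    ip = ipaddress.ip_address(addr)
    best = max((p for p in FIB if ip in p), key=lambda p: p.prefixlen, default=None)
    return FIB[best] if best is not None else None

def urpf_strict_accepts(src, in_iface):
    """Strict Unicast RPF: the packet passes only if the best route back to its
    source address points out the interface it arrived on; otherwise it is dropped."""
    return fib_lookup(src) == in_iface

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

# The page's RFC 1918 filter (access-list 101) as ordered (action, network, wildcard)
# entries; "any" is 0.0.0.0 255.255.255.255.
ACL_101 = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def acl_action(acl, src):
    """First-match evaluation by source address, with the implicit deny
    that ends every IOS access list."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

def edge_accepts(src, in_iface):
    """Combined ingress check: the RFC 1918 ACL and strict uRPF must both pass."""
    return acl_action(ACL_101, src) == "permit" and urpf_strict_accepts(src, in_iface)

if __name__ == "__main__":
    print(edge_accepts("198.51.100.7", "Serial0"))    # False: customer source arriving from the core
    print(edge_accepts("198.51.100.7", "Ethernet0"))  # True: genuine customer packet
```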

  4. Use CAR to rate limit ICMP packets.

    Refer to this example:

    interface xy
     rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
    access-list 2020 permit icmp any any echo-reply

  5. Configure rate limiting for SYN packets.

    Refer to this example:

    access-list 152 permit tcp any host {web server} eq www
    access-list 153 permit tcp any host {web server} eq www established
    interface {int}
     rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
     rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

    In the previous example, replace:

    Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
