
124 Chapter 4 Cisco Perimeter Router Problems and Solutions

Lab_B(config-key)#key 1
Lab_B(config-key)#key-string 4444444444

Of course, the neighbor router Lab_A needs to be configured as well.

When your problem is rerouting attacks, Cisco says your solution is to use MD5 authentication.

Fighting Denial-of-Service Attacks

I first brought up denial-of-service (DoS) attacks back in Chapter 1, so let’s take a second for a short review. These are the steps that occur in a normal TCP three-way handshake:

1. The first host sends a request to speak (SYN).

2. The receiving host responds by acknowledging the request and allocating resources for the conversation (SYN-ACK).

3. The first host recognizes the acknowledgment (ACK).

These two hosts have established a TCP connection and can now exchange data.

One type of DoS attack is called a SYN flood attack. Let’s say I send your server a SYN request with a make-believe source address. What do you think your server will do? It’ll probably respond to my request with a SYN-ACK and allocate resources for this conversation. With nothing ever being free, a small amount of RAM on your server has now been consumed. No worries, right? But what if I send your server 100 bogus SYN requests from 100 fake addresses? Your server will send out 100 SYN-ACKs and allocate enough resources for 100 conversations. What if I send 100 more SYN requests, all from fake addresses, per second? How about 1000 per second? Now how is your server doing? My guess is not good. The server has probably run out of resources and either has crashed or is hanging there, overwhelmed and exhausted. And as a result, it could very well be open to exploitation.

In addition, you can’t stop me from sending SYN requests to your server unless you don’t want the server available for legitimate use. Even finding me is difficult, because I always lie about my origin address. But there is hope for you: TCP Intercept.

TCP Intercept on a perimeter router running Cisco IOS Firewall software can run in two modes: intercept and monitor. In intercept mode, the router won’t immediately forward a SYN request to the server; it will proxy-answer the request (SYN-ACK) to verify that the request is valid instead. If the requesting host does not ACK back, the router never notifies the server of the connection attempt. Requests proven to be genuine are eventually handed off to the server. So if a bad guy sends hundreds or thousands of SYN requests per second, it won’t matter because your server won’t even see any of them. DoS attack thwarted!
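A perimeter-router configuration for the intercept mode described above, added here as an illustration rather than taken from the study guide. The server subnet 192.0.2.0/24, access-list number 101 and the threshold values are assumptions; note that IOS spells the book's "monitor" mode as the keyword watch.

```ios
! Added example (not from the study guide). The subnet, ACL number and
! threshold values are placeholders chosen for illustration only.
!
! 1. Select the traffic TCP Intercept should protect: inbound TCP toward the
!    server subnet. This ACL only chooses what is intercepted; it blocks nothing.
access-list 101 remark TCP Intercept: protected servers (placeholder subnet)
access-list 101 permit tcp any 192.0.2.0 0.0.0.255
!
! 2. Attach the list and pick the mode. In intercept mode the router answers
!    the SYN itself (SYN-ACK) and opens the server-side connection only after
!    the client completes the handshake; a spoofed source never ACKs, so the
!    server never allocates anything for it. In watch mode (the book's
!    "monitor" mode) the SYN is passed through and the router resets any
!    half-open connection that is not completed within watch-timeout seconds.
ip tcp intercept list 101
ip tcp intercept mode intercept
! ip tcp intercept mode watch
! ip tcp intercept watch-timeout 30
!
! 3. Limit how long the router itself will hold state so a flood cannot
!    simply move the exhaustion problem from the server onto the router.
!    Above the "high" marks the router enters aggressive mode: every new SYN
!    causes the oldest (or a random) half-open entry to be dropped, and the
!    retransmission timeout is cut in half. It returns to normal below "low".
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode random
! Idle established connections are forgotten after an hour instead of the
! default 24 hours; connections that saw a FIN or RST are cleared after 5 s.
ip tcp intercept connection-timeout 3600
ip tcp intercept finrst-timeout 5
!
! 4. Verification while under load: the first command lists half-open versus
!    established entries, the second shows whether aggressive mode is active.
! show tcp intercept connections
! show tcp intercept statistics
```

Apply the access list to the outside interface's inbound direction if it is also used for filtering; for TCP Intercept alone the ip tcp intercept list command is sufficient.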

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.