How to use router to prevent DoS attacks

[Kallol]

Hi all,

Denial of Service (DoS) attack is now widely used by hackers as a means of attack, through an exclusive network resources, so that other hosts can not be a normal visit, resulting in downtime or network paralysis. DoS attacks can be divided into Smurf, SYN Flood, and Fraggle three kinds, in the Smurf attack, the attacker using the ICMP packet blocking servers and other network resources. So i want to know that how to use router to prevent DoS attacks. Please suggest.

[Milton.J]

Extended access lists are an effective tool for preventing DoS attacks. It can be used to detect the type of DoS attacks, but also can prevent DoS attacks. Show IP access-list command to display the matching extended access lists for each packet, according to the type of packet, the user can determine the types of DoS attacks. If the network appears in a large number of established TCP connection requests, which shows that the Internet has been SYN Flood attacks, then the user can change the access list configuration, to prevent DoS attacks. Check and reply.

[Steve123]

Reverse Forwarding (RPF) is an input function of the router, this feature is used to check the router interface for each received packet. If the router receives a source IP address 10.10.10.1 packets, but the CEF (Cisco Express Forwarding) routing table for the IP address does not provide any routing information, the router will discard the packet, it can prevent the Smurf reverse forwarding attacks and other attacks based on IP address masquerading. Check and reply.

[Shen]

RPF feature will need to use the router set to fast-forward mode (CEF switching), and the RPF feature enabled can not be configured for CEF switching interface. RPF to prevent IP address spoofing than the access list has the advantage, first of all it can dynamically accept dynamic and static routing table changes; second RPF less operation and maintenance needs; 3rd RPF as an anti-fraud tools, the performance of the router itself generated impact is much smaller than the use of access list. All the best.

[Big Fish]

In the TCP connection request to reach the target host before, TCP intercept through the interception and validation to prevent such attacks. TCP intercept in intercept and monitor the work of two modes. In intercept mode, the router to intercept TCP simultaneous arrival of the request and on behalf of the server and client to establish the connection, if the connection is successful, on behalf of the client to establish connection with the server, and merge the two connections and transparent. During the entire link, the router will always be to intercept and send data packets. For the illegal connection request, the router provide a more rigorous time-out for the half-open limit in order to prevent their resources from being depleted SYN attack. In the surveillance mode, the router passively observe the connection requests flowing through the router, if the connection exceeds the configured set-up time, the router will shut down the connection. All the best.

[Zachary]

Routers within the enterprise network, the first protective barrier, but also an important objective of hackers, if the router can easily be compromised, then the internal network security does not arise, so the router to take appropriate measures to prevent a variety of DoS attack is very necessary. Users need to note that the above described several ways to deal with different types of DoS attacks, the ability is different from the router CPU and memory resources, there are also great differences in occupation, in a real environment, You need based on their circumstances and routers performance to choose the appropriate way. All the best.