02-21-2007 09:15 AM - edited 03-05-2019 02:29 PM
I own a small regional webhosting company. I recently purchased some "real" equipment which included a Cisco 2924-XL-EN 24 port switch running Cisco IOS 12.0(5.2)XU Enterprise Edition.
A few months ago I had to drop my FTP server for the fact I was receiving 7500 brute force/DoS attempts every hour from some "nice people" in China.
Is there a way to utilize the managed part of this switch to help filter these attacks? I am new to the managed switch world, but noticed on the VSM there was an option for "Flooding Controls" when I right clicked on a specific port...
Or am I misconstruing what the flooding controls are for?
Also, I have searched Cisco to high heaven for some basic level tutorials on managed switches... any recommendations? The manuals I have been able to locate are just a hair above my head...
Accepted Solutions
02-21-2007 02:23 PM
Well, with a straight ADSL and no router/firewall to set up, you are really wide open to pretty much most kinds of Internet ne'er-do-wells.
Port flood controls at your FTP server port, in your situation, would just ramp down pretty much "everyone's" remote access levels to the affected port/server.
I would get with the check writers in your org and explain that you should either contract/SLA with your ISP for L3/4 security, or understand that the situation cannot be reasonably band-aided until your router/firewall is received.
Good Luck
02-21-2007 01:59 PM
Hi,
So what do you have on your front-end? A router/PIX/ASA appliance? If not, what does your ISP provide? Denial of service attacks are a big issue; a DoS101 guide won't do DoS mitigation justice.
Here's a basic link, but it's "router" centric.
http://www.cisco.com/en/US/customer/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
02-21-2007 02:07 PM
Currently my ISP's provided ADSL router... Fairly generic. From there I port forward. I know this is a pretty "Mickey Mouse" setup on the front-end (Speedstream 5200).
02-21-2007 02:07 PM
Flooding controls are used to rate limit, or disallow, unknown broadcast/unicast messages. The problem you've described warrants attention at the Layer 3/4 router/firewall.
02-21-2007 02:08 PM
I have a PIX coming March 8th...
02-21-2007 02:28 PM
My gratitude for your time...
02-21-2007 02:46 PM
Cool,
In the meantime, maybe you want to get a head start and become familiar with the following docs.
I'm sure there are a lot of people on this forum, me included, that can help when your gear arrives.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/index.htm
02-21-2007 03:16 PM
Looks like I'll have plenty of good reading...I'll look you guys up...
(Thanks for remembering when you were learning...)
THANKS!
