Port Flooding Controls to filter DoS

srberg5219
Level 1

I own a small regional webhosting company. I recently purchased some "real" equipment which included a Cisco 2924-XL-EN 24 port switch running Cisco IOS 12.0(5.2)XU Enterprise Edition.

A few months ago I had to drop my FTP server for the fact I was receiving 7500 brute force/DoS attempts every hour from some "nice people" in China.

Is there a way to utilize the managed part of this switch to help filter these attacks? I am new to the managed switch world, but noticed on the VSM there was an option for "Flooding Controls" when I right clicked on a specific port...

Or am I misconstruing what the flooding controls are for?

Also, I have searched Cisco to high heaven for some basic level tutorials on managed switches... any recommendations? The manuals I have been able to locate are just a hair above my head...


bjw
Level 4

Hi,

So what do you have on your front-end? A router/PIX/ASA appliance? If not, what does your ISP provide? Denial of service attacks are a big issue; a DoS101 guide won't do DoS mitigation justice.

Here's a basic link, but it's "router" centric.

http://www.cisco.com/en/US/customer/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Currently my ISP's provided ADSL router... Fairly generic. From there I port forward. I know this is a pretty "Mickey Mouse" setup on the front-end (Speedstream 5200).

bjw
Level 4

Flooding controls are used to rate limit or disallow unknown broadcast/unicast messages. The problem you've described warrants attention at the Layer 3/4 router/firewall.

I have a PIX coming March 8th...

bjw
Level 4

Well, with a straight ADSL and no router/firewall to set up, you are really wide open to pretty much most kinds of Internet ne'er-do-wells.

Port flood controls at your FTP server port, in your situation, would just ramp down pretty much "everyone's" remote access levels to the affected port/server.

I would get with the check writers in your org and explain that you should either contract/SLA with your ISP for L3/4 security, or understand that the situation cannot be reasonably band-aided until your router/firewall is received.

Good Luck

My gratitude for your time...

bjw
Level 4

Cool,

In the meantime, maybe you want to get a head start and become familiar with the following docs.

I'm sure there are a lot of people on this forum, me included, that can help when your gear arrives.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/index.htm

http://nsa2.www.conxion.com/cisco/download.htm

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca604.html

Looks like I'll have plenty of good reading... I'll look you guys up...

(Thanks for remembering when you were learning...)

THANKS!
