12-18-2019 02:10 PM
Hi guys,
As per my understanding, a good way to protect an internal network from a SYN attack (not directed at the switch/router) against another network client on the same subnet is using TCP intercept.
What can I do on my switches (9300 / 2960-XR) if that function is not available? If I understood correctly, CoPP is only for packets handled by the switch CPU, not for packets directed to another device on the net.
Thanks
12-19-2019 01:56 AM
The internal network is expected to be a trusted network, and all the devices are maintained with antivirus; you have a good perimeter FW which blocks any malicious content coming into your devices.
If any device has been compromised internally, you need to have control and notification of visibility.
This is only possible with the kind of product available in the network, like IDS / IPS / Stealthwatch, to get a notification.
12-19-2019 07:42 AM
Hi,
If the attacks are internal and you have monitoring devices in place, you should be able to see the amount of traffic from a particular user to a particular internal server; you then need to have your security people notify the person and make him/her stop doing that.
HTH
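As an added illustration of the monitoring approach described in this answer (example code, not from the poster or from Cisco), here is a small Python check over constructed flow-style records that flags an internal host opening many half-open connections to one server. The record layout is an assumption for the example, not a real Stealthwatch or NetFlow export.

```python
"""Flag internal hosts that open many half-open TCP connections to one server.

Half-open here means a client flow record carrying SYN but no ACK: the
handshake was never completed, which is how a SYN flood shows up in flow
telemetry collected from a switch or sensor.
"""
from collections import defaultdict, deque

# Constructed sample in a simplified flow-record shape (assumed format, not a
# real Stealthwatch/NetFlow export): seconds, src, dst, dst_port, client flags.
SAMPLE_FLOWS = """\
0 10.1.1.25 10.1.1.10 443 SA
1 10.1.1.26 10.1.1.10 443 S
1 10.1.1.26 10.1.1.10 443 S
1 10.1.1.26 10.1.1.10 443 S
2 10.1.1.26 10.1.1.10 443 S
2 10.1.1.27 10.1.1.10 443 SA
3 10.1.1.26 10.1.1.10 443 S
4 10.1.1.26 10.1.1.10 443 S
9 10.1.1.26 10.1.1.10 443 S
"""


def parse_flows(text):
    """Parse 'time src dst dport flags' lines into sorted tuples; skip junk."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        t, src, dst, dport, flags = parts
        flows.append((int(t), src, dst, int(dport), flags))
    return sorted(flows)


def half_open_bursts(flows, window_s=5, threshold=5):
    """Return {(src, dst, dport): peak} for pairs whose SYN-only flow count
    inside any sliding window of window_s seconds reaches threshold."""
    recent = defaultdict(deque)  # (src, dst, dport) -> timestamps in window
    peaks = {}
    for t, src, dst, dport, flags in flows:
        if "S" not in flags or "A" in flags:
            continue  # completed handshakes and non-SYN flows are benign here
        q = recent[(src, dst, dport)]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()  # drop SYNs that fell out of the window
        if len(q) >= threshold:
            peaks[(src, dst, dport)] = max(peaks.get((src, dst, dport), 0), len(q))
    return peaks


if __name__ == "__main__":
    for (src, dst, dport), n in half_open_bursts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{dport} peaked at {n} half-open flows in 5 s")
```

The thresholds are deliberately tiny so the constructed sample trips them; on real telemetry they would be tuned to the server's normal connection rate.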
12-18-2019 08:16 PM
Hi,
A TCP SYN attack cannot be protected against by CoPP. For DDoS prevention and mitigation, you can talk to your service provider or to a 3rd-party cloud-based solution like Akamai. Usually the service provider can redirect your traffic to their site, mitigate the DDoS and then send you the clean traffic. Service provider solutions are usually much cheaper than using 3rd-party vendors.
HTH
12-18-2019 10:25 PM
@Reza Sharifi wrote: Hi,
A TCP SYN attack cannot be protected against by CoPP. For DDoS prevention and mitigation, you can talk to your service provider or to a 3rd-party cloud-based solution like Akamai. Usually the service provider can redirect your traffic to their site, mitigate the DDoS and then send you the clean traffic. Service provider solutions are usually much cheaper than using 3rd-party vendors.
HTH
Hi Sharifi,
I forgot to say that I'm trying to block this kind of attack on an internal network by an internal attacker prior to it reaching any firewall interface.
Thanks