7.19. Configuring DDoS

Overview

Function Introduction

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regards to computer networks, but is not limited to this field, for example, it is also used in reference to CPU resource management.

DDoS prevent is a feature that protects the switch from the following kinds of denial-of-service attack by intercepting the attack packets.

The following types are supported:

  • ICMP flood: attackers overwhelm the victim with ICMP packets.

  • Smurf attack: attackers flood a target system via spoofed broadcast ping messages.

  • SYN flood: attackers send a succession of SYN requests to a target system.

  • UDP flood: attackers send a large number of UDP packets to random ports on a remote host.

  • Fraggle attack: attackers send a large volume of UDP echo traffic to IP broadcast addresses, all with forged source addresses.

  • Small-packet: attackers send a large number of small packets to the system until its resources are exhausted.

  • Bad MAC intercept: attackers send packets whose source and destination MAC addresses are the same.

  • Bad IP equal: attackers send packets whose source and destination IP addresses are the same.
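The list above names each intercept type but not how a rule decides that a packet belongs to it. The model below is an added illustration written for this page, not the switch vendor's code: it classifies constructed packet descriptors against the eight intercept types with the thresholds used in step 2 of the configuration. Everything beyond what the page states is an assumption of the example: the flood rules are modelled as a per-second packet count compared with maxcount, Fraggle is recognised by UDP echo (port 7) to a broadcast destination, Smurf by ICMP echo request (type 8) to a broadcast destination, the broadcast address 10.0.0.255 and all MAC/IP values are made up, and the order in which the rules are evaluated is the example's own choice.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UDP_ECHO_PORT = 7        # assumption: Fraggle traffic targets the UDP echo service


@dataclass
class Packet:
    """Constructed packet descriptor carrying only the fields the rules inspect."""
    ts: float              # arrival time in seconds
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str             # "icmp", "udp" or "tcp"
    length: int            # frame length in bytes
    icmp_type: int = 0     # 8 = echo request
    dst_port: int = 0
    tcp_syn: bool = False
    tcp_ack: bool = False


@dataclass
class InterceptConfig:
    """Mirrors the step 2 commands; maxcount is modelled as packets per second."""
    icmp_maxcount: int = 100
    udp_maxcount: int = 100
    syn_maxcount: int = 100
    small_packet_maxlength: int = 32
    smurf: bool = True
    fraggle: bool = True
    ipeq: bool = True
    maceq: bool = True


class DDoSPrevent:
    def __init__(self, cfg, broadcast_ip="10.0.0.255"):
        self.cfg = cfg
        self.broadcast_ip = broadcast_ip   # assumed directed broadcast of the test subnet
        self._rate = defaultdict(int)      # (traffic class, second) -> packets seen
        self.stats = defaultdict(int)      # intercept counters, like step 4's output

    def _over_rate(self, key, ts, limit):
        # Count the packet in its one-second bucket; intercept once above maxcount.
        bucket = (key, int(ts))
        self._rate[bucket] += 1
        return self._rate[bucket] > limit

    def classify(self, p):
        """Name of the first intercept rule matching p, or None if it passes."""
        cfg = self.cfg
        if cfg.maceq and p.src_mac == p.dst_mac:
            return "MAC Equal"
        if cfg.ipeq and p.src_ip == p.dst_ip:
            return "IP Equal"
        if p.length < cfg.small_packet_maxlength:
            return "Small-packet Attack"
        to_broadcast = p.dst_ip == self.broadcast_ip or p.dst_mac == BROADCAST_MAC
        if p.proto == "icmp":
            if cfg.smurf and p.icmp_type == 8 and to_broadcast:
                return "Smurf Attack"
            if self._over_rate("icmp", p.ts, cfg.icmp_maxcount):
                return "ICMP Flood"
        elif p.proto == "udp":
            if cfg.fraggle and p.dst_port == UDP_ECHO_PORT and to_broadcast:
                return "Fraggle Attack"
            if self._over_rate("udp", p.ts, cfg.udp_maxcount):
                return "UDP Flood"
        elif p.proto == "tcp" and p.tcp_syn and not p.tcp_ack:
            if self._over_rate("syn", p.ts, cfg.syn_maxcount):
                return "SYN Flood"
        return None

    def process(self, packets):
        """Run packets through the rules and return the intercept counters."""
        for p in packets:
            verdict = self.classify(p)
            if verdict:
                self.stats[verdict] += 1
        return dict(self.stats)


def mk(**overrides):
    """Build a benign-looking constructed packet, then apply overrides."""
    base = dict(ts=0.0, src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb",
                src_ip="10.0.0.5", dst_ip="10.0.0.1", proto="tcp", length=64)
    base.update(overrides)
    return Packet(**base)


def demo():
    """Constructed traffic: 150 SYNs inside one second, one packet per
    signature rule and one ordinary DNS query.  Returns the counters."""
    engine = DDoSPrevent(InterceptConfig())
    traffic = [mk(ts=i / 150, tcp_syn=True) for i in range(150)]
    traffic += [
        mk(proto="icmp", icmp_type=8, dst_ip="10.0.0.255"),   # Smurf: echo to broadcast
        mk(proto="udp", dst_port=7, dst_mac=BROADCAST_MAC),   # Fraggle: UDP echo to broadcast
        mk(src_ip="10.0.0.1"),                                # source IP == destination IP
        mk(dst_mac="00:11:22:33:44:55"),                      # source MAC == destination MAC
        mk(length=20),                                        # shorter than maxlength 32
        mk(proto="udp", dst_port=53, length=80),              # ordinary traffic, passes
    ]
    return engine.process(traffic)
```

With maxcount 100, only the SYNs beyond the hundredth in the same second are counted as intercepted, which is why the demo reports 50 SYN Flood packets rather than 150; the signature rules (equal addresses, undersized frame, broadcast echo) match on the first packet regardless of rate.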

Principle Description

N/A

Configuration


Fig. 7.28 Topology for DDoS test

step 1 Enter the configure mode

Switch# configure terminal

step 2 Set DDoS

Enable ICMP flood intercept and set the maximum received ICMP packet rate to 100 packets per second:

Switch(config)# ip icmp intercept maxcount 100

Enable UDP flood intercept and set the maximum received UDP packet rate to 100 packets per second:

Switch(config)# ip udp intercept maxcount 100

Enable Smurf attack intercept:

Switch(config)# ip smurf intercept

Enable SYN flood intercept and set the maximum received SYN packet rate to 100 packets per second:

Switch(config)# ip tcp intercept maxcount 100

Enable Fraggle attack intercept:

Switch(config)# ip fraggle intercept

Enable small-packet attack intercept so that received packets must be at least 32 bytes long (shorter packets are intercepted):

Switch(config)# ip small-packet intercept maxlength 32

Enable intercept of packets whose source IP equals the destination IP:

Switch(config)# ip ipeq intercept

Enable intercept of packets whose source MAC equals the destination MAC:

Switch(config)# ip maceq intercept

step 3 Exit the configure mode

Switch(config)# end

step 4 Validation

Confirm that every intercept type is shown as Enable and that the Maxcount and Packet Length values match what was configured in step 2. The thresholds in the sample output below differ from the step 2 values, so compare against your own configuration rather than the sample.

Switch# show ip-intercept config
Current DDoS Prevent configuration:
 ============================================================
ICMP Flood Intercept :Enable Maxcount:500
UDP Flood Intercept :Enable Maxcount:500
SYN Flood Intercept :Enable Maxcount:500
Small-packet Attack Intercept :Enable Packet Length:45
Smurf Attack Intercept :Enable
Fraggle Attack Intercept :Enable
MAC Equal Intercept :Enable
IP Equal Intercept :Enable
Switch# show ip-intercept statistics
Current DDoS Prevent statistics:
 ============================================================
Resist Small-packet Attack packets number : 1730
Resist ICMP Flood packets number : 0
Resist SYN Flood packets number : 0
Resist Fraggle Attack packets number : 0
Resist UDP Flood packets number : 0
Current DDoS Prevent mgmt-if statistics:
 ============================================================
Resist ICMP Flood packets number : 0
Resist SYN Flood packets number : 0
Resist Fraggle Attack packets number : 0
Resist UDP Flood packets number : 0
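The two show commands are the only visibility the page gives into whether the feature is configured as intended and whether it is currently dropping anything. The script below is an added example, not a vendor tool: it parses text in the format of `show ip-intercept config` and `show ip-intercept statistics`, audits the parsed configuration against the step 2 values, and reports which counters grew between two polls. The sample texts are constructed for the example (the config thresholds are set to the step 2 values, and the second statistics poll is derived from the first with one counter raised); the regular expressions assume the output keeps exactly the line layout shown in step 4, and the "front-panel versus mgmt-if" reading of the two sections is the example's interpretation.

```python
import re

# Constructed sample in the format of `show ip-intercept config`, using the
# thresholds set in step 2 (maxcount 100, small-packet maxlength 32).
CONFIG_SAMPLE = """\
Current DDoS Prevent configuration:
 ============================================================
ICMP Flood Intercept :Enable Maxcount:100
UDP Flood Intercept :Enable Maxcount:100
SYN Flood Intercept :Enable Maxcount:100
Small-packet Attack Intercept :Enable Packet Length:32
Smurf Attack Intercept :Enable
Fraggle Attack Intercept :Enable
MAC Equal Intercept :Enable
IP Equal Intercept :Enable
"""

# Two constructed polls of `show ip-intercept statistics` taken some time apart;
# the second differs only in the front-panel SYN Flood counter.
STATS_BEFORE = """\
Current DDoS Prevent statistics:
 ============================================================
Resist Small-packet Attack packets number : 1730
Resist ICMP Flood packets number : 0
Resist SYN Flood packets number : 0
Resist Fraggle Attack packets number : 0
Resist UDP Flood packets number : 0
Current DDoS Prevent mgmt-if statistics:
 ============================================================
Resist ICMP Flood packets number : 0
Resist SYN Flood packets number : 0
Resist Fraggle Attack packets number : 0
Resist UDP Flood packets number : 0
"""
STATS_AFTER = STATS_BEFORE.replace(
    "SYN Flood packets number : 0", "SYN Flood packets number : 4200", 1)

CONFIG_RE = re.compile(
    r"^(?P<name>.+?) Intercept\s*:(?P<state>\w+)"
    r"(?:\s+(?:Maxcount|Packet Length):(?P<value>\d+))?\s*$")
STATS_RE = re.compile(r"^Resist (?P<name>.+?) packets number\s*:\s*(?P<count>\d+)\s*$")

# What step 2 configured: (enabled, threshold or None for signature-only rules).
EXPECTED = {
    "ICMP Flood": (True, 100), "UDP Flood": (True, 100), "SYN Flood": (True, 100),
    "Small-packet Attack": (True, 32), "Smurf Attack": (True, None),
    "Fraggle Attack": (True, None), "MAC Equal": (True, None), "IP Equal": (True, None),
}


def parse_config(text):
    """Map intercept name -> (enabled, threshold) from the config output."""
    cfg = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            value = int(m["value"]) if m["value"] else None
            cfg[m["name"]] = (m["state"] == "Enable", value)
    return cfg


def parse_stats(text):
    """Map section -> {attack: counter}.  The switch prints one section for the
    front-panel ports and a second one for the management interface (mgmt-if)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Current DDoS Prevent"):
            current = line.rstrip(":")
            sections[current] = {}
        else:
            m = STATS_RE.match(line)
            if m and current is not None:
                sections[current][m["name"]] = int(m["count"])
    return sections


def audit_config(cfg, expected=EXPECTED):
    """List every intercept whose running state differs from what was intended."""
    problems = []
    for name, want in expected.items():
        got = cfg.get(name)
        if got is None:
            problems.append(f"{name}: missing from output")
        elif got != want:
            problems.append(f"{name}: running {got}, expected {want}")
    return problems


def growing_counters(before, after):
    """Sorted (section, attack, increase) for counters that grew between polls;
    any increase means the switch is currently intercepting that traffic."""
    grown = []
    for section in set(before) | set(after):
        b, a = before.get(section, {}), after.get(section, {})
        for attack in set(b) | set(a):
            delta = a.get(attack, 0) - b.get(attack, 0)
            if delta > 0:
                grown.append((section, attack, delta))
    return sorted(grown)
```

The counters are cumulative, so a single snapshot (such as the 1730 small-packet drops in the sample above) says little on its own; polling twice and looking at the difference is what tells an operator whether an attack is in progress now, and auditing the parsed config catches a threshold that was left at a value other than the one intended.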

Application cases

N/A