Impact of an Internet Worm Attack

Systems, Inc. All rights reserved

The figure illustrates the impact that a worm can cause due to its speed of propagation, resulting in a DoS as it consumes network resources.

In the example, a worm is introduced into the network via a laptop PC, which in turn infects an e-mail server, which results in the e-mail server infecting other servers, while the worm is propagated to all ends of the enterprise network. Without a QoS mitigation strategy, this example is very likely to happen.

QoS Tools and Tactics for Security

This topic describes the QoS tools that can be used to defend networks.

This topic describes the QoS tools that can be used to defend networks.

You can use these three QoS tools to mitigate the impact of out-of-profile traffic flows, including the mitigation of DoS attacks:

■ Control Plane Policing (CPP [or CoPP for the Catalyst 6500 implementation]): The majority of traffic travels through the router via the data plane; however, a Route Processor must handle certain packets, such as routing updates, keepalives, and network management. This is often referred to as control and management plane traffic. Because the Route Processor is critical to network operations, any service disruption to the Route Processor or the control and management planes can result in business-impacting network outages. A DoS attack targeting the Route Processor, which can be perpetrated either inadvertently or maliciously, typically involves high rates of traffic that result in excessive CPU utilization on the Route Processor.

CPP addresses the need to protect the control and management plane, ensuring routing stability, availability, and packet delivery. It uses a dedicated control-plane configuration via the Modular QoS command-line interface (CLI), or MQC, to provide filtering and rate-limiting capabilities for control plane packets. Because CPP filters traffic destined to the Route Processor, it is important to understand the legitimate traffic destined for the Route Processor prior to deployment. Configuring CPP policies without this knowledge may result in the blockage of critical traffic.

■ Data plane policing: Data plane policing is the actual policing of data traffic. Understanding what is a normal profile behavior for users and servers is key to setting up policers to re-mark and drop packets. Out-of-profile behavior could be an increase in data traffic while a worm is being propagated over the enterprise network. Normal profile behavior is characterized by what is expected from end-user and server traffic.

■ NBAR known-worm policing: NBAR can detect known worms and, by marking down the traffic, drop the traffic generated by the intruder. There are only a few actual worms that can be identified by NBAR. After traffic has been generated by a known worm, it can be dropped immediately on a branch router or LAN edge.

Control Plane Policing

This topic describes CPP.

Control Plane Policing

The figure shows how, to protect the Control Plane (CP) on a router from a DoS attack, the CPP feature treats the CP as a separate entity with its own ingress (input) and egress (output) ports. Because CPP treats the CP as a separate entity, a set of rules can be established and associated with the ingress and egress ports. When configured, these rules are applied after the packet has been determined to have the CP as its destination or when a packet exits from the CP. You can configure a service policy to prevent unwanted packets from progressing after a specified rate limit has been reached; for example, you can limit all SYN packets under TCP that are destined for the CP to a maximum rate of one megabit per second.

To further understand these concepts and to configure CPP, refer to Control Plane Policing at


Was this article helpful?

0 0

Post a comment