Detecting and Protecting Against DoS Attacks

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's ACLs to allow return traffic and additional data connections for permissible sessions.

Inspecting packets at the application layer, and maintaining TCP and UDP session information, provides CBAC with the capability to detect and prevent certain types of network attacks, such as SYN flooding. TCP SYN messages are sent to servers from clients as a first step in a three-step process known as the TCP three-way handshake to establish a TCP session, as shown in Figure 15-1.

Figure 15-1. Three-Way TCP Handshake Process

A SYN flood occurs when several hundred or several thousand TCP SYN messages are sent to a server without the corresponding TCP sessions ever being completed. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests. Network attacks that deny access to a network device are called DoS attacks.

CBAC helps to protect against DoS attacks in other ways. CBAC inspects packet sequence numbers in TCP connections to see whether they are within expected ranges. You can also configure CBAC to drop half-open connections. Additionally, CBAC can detect unusually high rates of new connections and issue alert messages.
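The two mechanisms just described, dropping half-open sessions once too many accumulate and alerting when new connections arrive at an unusually high rate, modelled as an added Python example. This is illustrative code, not CBAC's implementation: the `high`/`low` watermarks, the `rate_high` one-minute threshold, the deletion of one oldest embryonic session per new SYN while above the watermark, and the 60-second rate window are assumptions of the model.

```python
from collections import OrderedDict, deque


class HalfOpenTracker:
    """Constructed model of embryonic-session limits: 'high'/'low' bound the
    number of half-open TCP sessions, 'rate_high' bounds new SYNs per minute."""

    def __init__(self, high=500, low=400, rate_high=500):
        self.high, self.low, self.rate_high = high, low, rate_high
        self.half_open = OrderedDict()  # key -> SYN timestamp, oldest first
        self.recent = deque()           # timestamps of SYNs seen in the last 60 s
        self.aggressive = False         # True while the high watermark is exceeded
        self.alerts = []                # alert messages the model would emit
        self.dropped = []               # half-open sessions deleted by the model

    def syn(self, key, now):
        """Record a client SYN; key is (src_ip, dst_ip, dst_port), now is seconds."""
        # One-minute rate check (assumed 60 s sliding window); alert once per crossing.
        self.recent.append(now)
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        if len(self.recent) == self.rate_high + 1:
            self.alerts.append(f"{now}: {len(self.recent)} new connections in one minute")
        # Track the session as half-open until the handshake completes.
        self.half_open[key] = now
        self.half_open.move_to_end(key)
        if not self.aggressive and len(self.half_open) > self.high:
            self.aggressive = True
            self.alerts.append(f"{now}: {len(self.half_open)} half-open sessions "
                               f"exceed high watermark {self.high}")
        if self.aggressive:
            # Assumed policy: each new SYN costs the oldest half-open session.
            oldest, _ = self.half_open.popitem(last=False)
            self.dropped.append(oldest)

    def established(self, key):
        """Handshake completed (or session torn down): no longer embryonic."""
        self.half_open.pop(key, None)
        if self.aggressive and len(self.half_open) < self.low:
            self.aggressive = False
```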

