SkyHi_Bill

asked on

What type of firewall do i need to stop DOS attacks?

I operate a wireless ISP (WLAN) and have a fiber-optic backbone that provides service to a couple hundred subscribers. A few months ago, my provider (Surewest) called to tell me about a DOS attack that was coming through on my IP address. I use a Linksys RV016 router, which handled the traffic on the network very well prior to the DOS attack. Now, the DOS attack is overwhelming the router and causing a degradation in performance on my WLAN.
I know the attack is coming from the outside and the Linksys hardware firewall is doing okay, but I want to keep the attack from even getting to the router. I was looking at getting a Sonic Firewall, but my provider said that may stop some but it still may not be able to completely prevent the attack from overwhelming the router.
Is there a solution that anyone can recommend to prevent DOS attacks from overwhelming the router?

FYI: I do have public IP addresses and I use NAT. I've tried to configure the firewall to "deny" certain port access and leave just the basic ones open, like 80, 8080, etc. However, it didn't seem to stop the attack. For example, in the log: "connection refused - policy violation TCP 71.115.41.177:50554->66.60.152.66:51413 on ixp1" and these happen every second, from some different IP -> to the same 66.60.152.66: something.

Any insight would be greatly appreciated.
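The log pattern described in the question (one refused connection per second from changing sources to the same destination) can be spotted automatically. The following is an added example, not code from the thread or from Linksys: it parses RV016-style "connection refused" lines and flags destinations hit by many distinct sources within a short window. The leading timestamp format and all sample lines except the one quoted in the question are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body format is from the post; the "YYYY-MM-DD HH:MM:SS" prefix is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) connection refused - policy violation (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\w+)$"
)

def parse(line):
    """Return the fields of one refused-connection line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_floods(lines, window=timedelta(seconds=10), min_sources=5):
    """Map (dst, dport) -> peak count of distinct sources seen within any `window`;
    only targets reaching `min_sources` are kept (one noisy host does not count)."""
    by_target = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_target[(rec["dst"], rec["dport"])].append((rec["ts"], rec["src"]))
    floods = {}
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                floods[target] = max(floods.get(target, 0), len(sources))
    return floods

# Constructed sample log: the first line is the one quoted in the question; the rest are
# made-up entries (TEST-NET addresses) mimicking one refusal per second from new sources.
SAMPLE_LOG = [
    "2009-03-01 10:00:00 connection refused - policy violation TCP 71.115.41.177:50554->66.60.152.66:51413 on ixp1",
] + [
    f"2009-03-01 10:00:{i:02d} connection refused - policy violation TCP 198.51.100.{i}:4{i:04d}->66.60.152.66:51413 on ixp1"
    for i in range(1, 6)
] + [
    "2009-03-01 10:00:03 connection refused - policy violation TCP 203.0.113.7:33000->66.60.152.70:80 on ixp1",
    "2009-03-01 10:00:04 connection refused - policy violation TCP 203.0.113.7:33001->66.60.152.70:80 on ixp1",
    "2009-03-01 10:00:05 RV016 system heartbeat",  # unrelated line, ignored by parse()
]
```

Calling `find_floods(SAMPLE_LOG)` reports only 66.60.152.66:51413 (six distinct sources in five seconds), while the repeated hits on 66.60.152.70:80 from a single host are not flagged.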
OriNetworks

If you have a Cisco device you can read this guide from Cisco http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Additionally, I know that Microsoft's ISA 2006 can detect DoS attacks and block traffic from those IP addresses temporarily.
What you need is deep packet inspection, also referred to as Intrusion Prevention System (IPS).  Cisco units can offer this feature using their Intrusion Prevention System (IPS) in either the ASA firewall line or the Cisco IOS Router with Firewall Feature Set.  The IOS and ASA offer IPS capabilities, but you'll want to load the device with as much RAM as you can because IPS features will eat as much of it as it can and has been known to crash the firewall if too many signatures are active.  SonicWALL has similar features with their IPS implementation.  In either case you'll need to pay a yearly subscription to keep up the signature updates.  Using IPS you can configure violations to drop, reset, or alert a logging server.  If you're providing ISP services to companies, it would be worth your while to monitor your firewall for attacks like this.
Shouldn't Surewest block this attack for you?
They should be able to block the packets even before they reach your border router; of course, it depends on how big this attack is...
Anyway, getting better equipment is a must...
Any firewall with stateful inspection properties would prevent the DOS for you. What it means is that the firewall will take the hit. Look for "TCP SYN cookie" on Google for more information.

Cheers,
Rajesh
In addition to the above advice, I wish to add that your provider may be correct to some extent. Sometimes you cannot stop or recover from DOS attacks 100% without disrupting your service if the attacks were executed properly. There are some advanced DDOS attacks that, if executed by attackers on a large scale, could take down pretty much any host; something like distributed reflected denial of service (DRDOS) comes to mind. I have only seen this exploited by attackers twice, but I assure you it is happening. So, as advised above, one can only do so much: practice due diligence, invest in infrastructure upgrades, optimize firewall and IPS rules, hire security professionals, etc.
Further reading below:
http://staff.washington.edu/dittrich/misc/ddos/
http://palisade.plynt.com/issues/2006Apr/ddos-reflection/
Hope this helps.

ASKER CERTIFIED SOLUTION
ee_auto
