How Routers Prevent Network Attacks

Viruses and attacks of all kinds are rampant and unchecked across the network today, causing significant damage. As a result, more and more routers come equipped with firewall capabilities. For high-end routers, administrators can further configure the device using commands to minimize the losses caused by viruses and attacks. This article uses H3C routers as an example to explain how to prevent DDoS attacks.

1. Use ip verify unicast reverse-path to check every data packet passing through the router. If there is no route for the packet’s source IP address among all the routing entries of the network interface it arrived on, the router will discard the packet. Strict Unicast Reverse Path Forwarding (uRPF) is implemented at the ISP level to stop SMURF attacks and other attacks based on IP address spoofing, protecting the network and customers from threats originating elsewhere on the Internet.

2. Using Unicast RPF requires enabling the router’s CEF (Cisco Express Forwarding) switching option. It is not necessary to configure the input interface as a CEF switched interface; as long as CEF is enabled globally on the router, all individual network interfaces can be configured for other switching modes. Reverse Path Forwarding is an input-side feature activated on a network interface or sub-interface to process packets received by the router.

3. Use an Access Control List to filter all the listed addresses

interface xy

ip access-group 101 in

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 permit ip any any

4. The ISP’s edge border router should only accept traffic with source addresses belonging to the client’s network, while the client network should only accept traffic with source addresses that are not filtered by the client network.

access-list 190 permit ip {client network} {client network mask} any

access-list 190 deny ip any any [log]

interface {internal network interface} {network interface number}

ip access-group 190 in

5. If CEF is enabled, using Strict Unicast Reverse Path Forwarding can significantly shorten the length of access control lists and improve router performance. To support Unicast RPF, you only need to fully enable CEF on the router; the network interface on which this feature is enabled does not need to be a CEF switched interface.

6. If the burst rate is set to exceed 30%, many legitimate SYN packets may be lost. Use the show interfaces rate-limit

Leave a Comment

Your email address will not be published.