Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Denial of Service Attacks & DSLAMS

Denial of Service Attacks & DSLAMS 10 years 6 months ago #14988

  • Ranger24
  • Ranger24's Avatar
  • Offline
  • Distinguished Member
  • Posts: 145
  • Karma: 0
Hi Guys,

This one is aimed as you security experts - Sahir come out of hiding!

The question is: How could an IP DSLAM protect it's end customers from DoS attacks?

I know the kit I work on doesn't have any DoS prevention measures as it has been developed (as it should be) as a transport device. Now that DSLAMs are moving from ATM to IP and including basic routing functions and/or switching functions more operators are asking security related questions. DoS look set to be the next small challenge.

Background:

DSLAM connect multiple xDSL customers to a single Gigabit Ethernet uplink in to a switched metro ethernet. The connection accross the DSLAM can be:
- Bridged 1-2-1
- Bridged Group (many - 2 - 1)
- Routed - using a simple routing table.

DSLAM supports ICMP, IGMP & DHCP relay.

I suppose there are 2 parts to this. Firstly CAN a DSLAM prevent DoS attacks as these will typically be targetted at the end customers of the DSLAM and not the dslam its self. And secondly if it can prevent DoS what measures would have to be implemented at the DSLAM?

Thanks for you comments,

R

Patience - the last reserve of the any engineer
The administrator has disabled public write access.

Re: Denial of Service Attacks & DSLAMS 10 years 6 months ago #14993

  • havohej
  • havohej's Avatar
  • Offline
  • Distinguished Member
  • Posts: 152
  • Karma: 0
Dont know if dslams provide support for QoS as Cisco MQC does.

In the third generation of QoS you can stop DoS attacks marking them as scavenger traffic for entirely dropping the network as a whole, or by PHB Per Hop Behavior. so you can inmediately identify, classify, and police as marking down, by Cos or DSCP or dropping itself for the suspicious flows, or packets considered "out of profile" from the normal network behavior defined int the baseline.
The administrator has disabled public write access.

Re: Denial of Service Attacks & DSLAMS 10 years 6 months ago #14996

  • Ranger24
  • Ranger24's Avatar
  • Offline
  • Distinguished Member
  • Posts: 145
  • Karma: 0
Sounds like a nice idea... however DSLAM QoS is really limited compared to routers.

Examination of QoS, remarking and limited queue / bandwidth management is possible. But there is no scope for managing traffic in terms of analysing behaviour etc.

In the DSLAM access network this tends to be the responsibility of the BRAS (Broadband Remote Access Server = which is really clever edge router).

R

Patience - the last reserve of the any engineer
The administrator has disabled public write access.

Re: Denial of Service Attacks & DSLAMS 10 years 6 months ago #15010

  • havohej
  • havohej's Avatar
  • Offline
  • Distinguished Member
  • Posts: 152
  • Karma: 0
Thats what I was thinking, but as you mention, try to set up QoS or DoS mitigation policies in the edge customer routers, only letting the dslam for forwarding duties.
The administrator has disabled public write access.
Time to create page: 0.076 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup