TOPIC: Denial of Service Attacks & DSLAMS

Denial of Service Attacks & DSLAMS 12 years 2 weeks ago #14988

  • Ranger24
  • Topic Author
Hi Guys,

This one is aimed at you security experts - Sahir come out of hiding!

The question is: How could an IP DSLAM protect its end customers from DoS attacks?

I know the kit I work on doesn't have any DoS prevention measures as it has been developed (as it should be) as a transport device. Now that DSLAMs are moving from ATM to IP and including basic routing functions and/or switching functions, more operators are asking security related questions. DoS looks set to be the next small challenge.

Background:

DSLAMs connect multiple xDSL customers to a single Gigabit Ethernet uplink into a switched metro Ethernet. The connection across the DSLAM can be:
- Bridged 1-2-1
- Bridged Group (many - 2 - 1)
- Routed - using a simple routing table.

DSLAM supports ICMP, IGMP & DHCP relay.

I suppose there are 2 parts to this. Firstly, CAN a DSLAM prevent DoS attacks, as these will typically be targeted at the end customers of the DSLAM and not the DSLAM itself? And secondly, if it can prevent DoS, what measures would have to be implemented at the DSLAM?

Thanks for your comments,

R



Patience - the last reserve of the any engineer

Re: Denial of Service Attacks & DSLAMS 12 years 2 weeks ago #14993

Don't know if DSLAMs provide support for QoS as Cisco MQC does.

In the third generation of QoS you can stop DoS attacks by marking them as scavenger traffic for entirely dropping in the network as a whole, or by PHB (Per Hop Behavior). So you can immediately identify, classify, and police, by marking down by CoS or DSCP or by dropping itself, the suspicious flows or packets considered "out of profile" from the normal network behavior defined in the baseline.

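The mark-down-then-drop behaviour described in the reply above, as an added example that is not part of the original thread: a per-subscriber token-bucket policer re-marks out-of-profile packets to the scavenger code point, and a congested uplink serves scavenger traffic last. The class and function names, the rate and burst values, and the traffic sample are assumptions made for illustration; the uplink is a simplified strict-priority model, not any vendor's scheduler.

```python
from collections import defaultdict

DSCP_SCAVENGER = 8   # CS1, the code point conventionally used for scavenger traffic

class Policer:
    """Single-rate token bucket for one subscriber port (hypothetical model)."""
    def __init__(self, cir_bytes_per_s, burst_bytes):
        self.cir, self.burst = cir_bytes_per_s, burst_bytes
        self.tokens, self.last_ms = burst_bytes, 0

    def mark(self, now_ms, size, dscp):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.cir / 1000)
        self.last_ms = now_ms
        if size <= self.tokens:          # in profile: forward unchanged
            self.tokens -= size
            return dscp
        return DSCP_SCAVENGER            # out of profile: mark down, do not drop yet

def police(packets, cir=1000, burst=3000):
    """packets: (time_ms, port, size, dscp) sorted by time -> (port, size, dscp) after marking."""
    policers = defaultdict(lambda: Policer(cir, burst))
    return [(port, size, policers[port].mark(t, size, dscp)) for t, port, size, dscp in packets]

def uplink(marked, capacity_bytes):
    """Congested uplink: scavenger packets only get what in-profile traffic leaves over."""
    sent, dropped = defaultdict(int), defaultdict(int)
    # Stable sort puts every non-scavenger packet ahead of the scavenger ones.
    for port, size, dscp in sorted(marked, key=lambda p: p[2] == DSCP_SCAVENGER):
        if size <= capacity_bytes:
            capacity_bytes -= size
            sent[port] += 1
        else:
            dropped[port] += 1
    return dict(sent), dict(dropped)

# Constructed sample: port "dsl1" floods 1000-byte packets every 100 ms,
# port "dsl2" sends two 500-byte packets in the same second.
SAMPLE = sorted([(t, "dsl1", 1000, 0) for t in range(0, 1000, 100)] +
                [(0, "dsl2", 500, 0), (500, "dsl2", 500, 0)])

if __name__ == "__main__":
    print(uplink(police(SAMPLE), capacity_bytes=5000))
```

Only the flooding port loses packets; the in-profile subscriber's traffic keeps its original marking and is forwarded in full.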

Re: Denial of Service Attacks & DSLAMS 12 years 2 weeks ago #14996

  • Ranger24
  • Topic Author
Sounds like a nice idea... however DSLAM QoS is really limited compared to routers.

Examination of QoS, remarking and limited queue / bandwidth management is possible. But there is no scope for managing traffic in terms of analysing behaviour etc.

In the DSLAM access network this tends to be the responsibility of the BRAS (Broadband Remote Access Server = which is a really clever edge router).

R


Re: Denial of Service Attacks & DSLAMS 12 years 2 weeks ago #15010

That's what I was thinking, but as you mention, try to set up QoS or DoS mitigation policies in the edge customer routers, only letting the DSLAM for forwarding duties.
