Security
Denial of Service Prevention
A Denial of Service (DoS) attack is an attempt to make a device unavailable to its users.
DoS attacks saturate the device with external communication requests so that it cannot respond to
legitimate traffic. These attacks usually lead to an overload of the device CPU.
Secure Core Technology (SCT)
One method of resisting DoS attacks employed by the device is the use of SCT. SCT is enabled by default
on the device and cannot be disabled.
The Cisco device is an advanced device that handles management traffic, protocol traffic and snooping
traffic, in addition to end-user (TCP) traffic.
SCT ensures that the device receives and processes management and protocol traffic, no matter how
much total traffic is received. This is done by rate-limiting TCP traffic to the CPU.
There are no interactions with other features.
SCT can be monitored in the Denial of Service > Denial of Service Prevention > Security Suite Settings
page (Details button).
Types of DoS Attacks
A Denial of Service attack can be caused in the following ways (among others):
• TCP SYN Packets—A flood of TCP SYN packets, often with a false sender address, can signify an
attack. Each of these packets causes the device to spawn a half-open connection: the device sends back a
TCP SYN-ACK packet and waits for the ACK from the sender address that completes the handshake.
However, because the sender address is false, the response never comes. These half-open
connections saturate the number of connections the device is able to hold open, keeping it from
responding to legitimate requests. In addition, the number of packets that can be passed to the CPU is
limited, and the attack traffic might consume that allowance.
These packets can be blocked in the SYN Protection page.
• TCP SYN-FIN Packets—SYN packets are sent to create a new TCP connection. TCP FIN packets are
sent to close a connection. A packet in which both the SYN and FIN flags are set should never exist.
Therefore, these packets might signify an attack on the device and should be blocked.
A definition of what constitutes a SYN attack can be set in the SYN Protection page. When the device
identifies such an attack on an interface, it is reported in this page.
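The two conditions described above (half-open connections piling up on an interface, and packets with both SYN and FIN set) can be checked directly from the TCP header flags byte. The following is an added example, not code from the Cisco guide or the switch firmware; the interface names, the sample packets and the half-open threshold are constructed stand-ins for whatever attack definition is configured in the SYN Protection page.

```python
import struct
from collections import Counter

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10

def build_tcp_header(flags, sport=40000, dport=80):
    """Build a minimal 20-byte TCP header (constructed test input, checksum left at 0)."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)

def tcp_flags(header):
    """Return the flags byte (offset 13) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def classify(flags):
    """Label the flag combinations the guide describes."""
    if flags & TCP_SYN and flags & TCP_FIN:
        return "syn-fin"   # never valid on the wire; should be blocked
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "syn"       # opens a half-open connection on the device
    if flags & TCP_ACK:
        return "ack"       # third handshake step; closes a half-open entry
    return "other"

def analyse(packets, half_open_threshold):
    """packets: iterable of (interface, raw_tcp_header) seen inbound on the device.
    Returns (interfaces whose half-open count exceeds the threshold, SYN-FIN packet count).
    The threshold is an assumed stand-in for the SYN Protection page's attack definition."""
    half_open = Counter()
    syn_fin = 0
    for iface, hdr in packets:
        kind = classify(tcp_flags(hdr))
        if kind == "syn-fin":
            syn_fin += 1
        elif kind == "syn":
            half_open[iface] += 1
        elif kind == "ack" and half_open[iface] > 0:
            half_open[iface] -= 1
    flagged = sorted(i for i, n in half_open.items() if n > half_open_threshold)
    return flagged, syn_fin

# Constructed sample: gi1 receives SYNs that are never completed (a flood) plus one
# SYN-FIN packet; gi2 receives normal SYN/ACK handshake pairs.
SAMPLE = [("gi1", build_tcp_header(TCP_SYN)) for _ in range(6)]
SAMPLE += [("gi2", build_tcp_header(TCP_SYN)), ("gi2", build_tcp_header(TCP_ACK))] * 3
SAMPLE.append(("gi1", build_tcp_header(TCP_SYN | TCP_FIN)))

if __name__ == "__main__":
    print(analyse(SAMPLE, half_open_threshold=5))  # (['gi1'], 1)
```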
Cisco Small Business 200 Series Smart Switch Administration Guide