I’m using the NFP (Network Foundation Protection) concept when designing security in networks. It consists of three elements: protecting the Data plane (packet forwarding), the Control plane (routing protocols, the management layer) and the Management plane (device access, the administration layer). Below is a basic mindmap with the technologies I’m going to explain in further topics.
Network services also need to be secured as part of the security design. Best practices for securing network services are:
- Disable CDP and LLDP, especially on uplinks
- Use SSH instead of telnet
- Use HTTPS instead of plain HTTP
- Disable unused services on routers (tcp-small-servers, udp-small-servers, finger, config, etc.)
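As an added example (not the author's configuration), here are the Cisco IOS commands that implement the four practices above, with a short verification list at the end; it also switches off bootp and PAD, which the list's "etc." covers. The hostname, domain name, username and uplink interface name (GigabitEthernet0/1) are assumptions for illustration.

```cisco
! Added example, not the author's config. Hostname, domain name, username and
! the uplink interface GigabitEthernet0/1 are assumptions.
!
! --- Disable CDP and LLDP, especially on uplinks ---
! Option A: switch both off globally when no tooling depends on them.
no cdp run
no lldp run
! Option B: keep them on access ports but silence them on the uplink.
interface GigabitEthernet0/1
 description UPLINK-TO-ISP
 no cdp enable
 no lldp transmit
 no lldp receive
!
! --- Use SSH instead of telnet ---
hostname EDGE-RTR1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <STRONG-PASSWORD-PLACEHOLDER>
line vty 0 4
 login local
 transport input ssh
!
! --- Use HTTPS instead of plain HTTP ---
no ip http server
ip http secure-server
ip http authentication local
!
! --- Disable unused services ---
no service tcp-small-servers
no service udp-small-servers
no ip finger
no service config
no ip bootp server
no service pad
!
! Verification after applying the above:
!   show cdp neighbors      -> the uplink should list no neighbor
!   show lldp neighbors     -> same for LLDP
!   show ip ssh             -> reports SSH enabled, version 2.0
!   show running-config | include http|small-servers|finger|service config
```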
I will start the security topics with Data plane protection; the next topic will be about TCP Intercept, a way to prevent TCP SYN floods. But first of all I want to share one interesting table. Let’s take a look at DDoS types, because DDoS is the most popular attack on the data plane now. A nice table of DDoS attack types is below:
Name of attack | OSI level | Type of attack | Explanation of attack principle |
---|---|---|---|
ICMP Echo Request Flood | L3 | Resource | Also called Ping Flood: mass sending of packets that force a response from the victim, with the same content as the original packet. |
IP Packet Fragment Attack | L3 | Resource | Sending of IP packets that deliberately reference other packets that will never be sent, which saturates the victim's memory. |
SMURF | L3 | Bandwidth | ICMP broadcast attack spoofing the source address so that multiple responses are redirected to the victim |
IGMP Flood | L3 | Resource | Mass sending of IGMP packets (multicast management protocol) |
Ping of Death | L3 | Exploit | Sending of ICMP packets that exploit an implementation bug in certain operating systems |
TCP SYN Flood | L4 | Resource | Mass sending of TCP connection requests |
TCP Spoofed SYN Flood | L4 | Resource | Mass sending of TCP connection requests with a spoofed source address |
TCP SYN ACK Reflection Flood | L4 | Bandwidth | Mass sending of TCP connection requests to a large number of machines, spoofing the victim's source address. The victim's bandwidth is saturated by the responses to these requests. |
TCP ACK Flood | L4 | Resource | Mass sending of TCP acknowledgement (ACK) segments |
TCP Fragmented Attack | L4 | Resource | Sending of TCP segments that deliberately reference other segments that will never be sent, which saturates the victim's memory |
UDP Flood | L4 | Bandwidth | Mass sending of UDP packets (no previously established connection is required) |
UDP Fragment Flood | L4 | Resource | Sending of UDP datagrams that deliberately reference other datagrams that will never be sent, which saturates the victim's memory |
Distributed DNS Amplification Attack | L7 | Bandwidth | Mass sending of DNS requests, spoofing the victim's source address, to a large number of legitimate servers. Since the response is larger than the query, the attack is amplified |
DNS Flood | L7 | Resource | Attack on a DNS server by mass sending of requests |
HTTP(S) GET/POST Flood | L7 | Resource | Attack on a web server by mass sending of requests |
DDoS DNS | L7 | Resource | Attack on a DNS server by mass sending of requests from a large set of machines under the attacker's control |