D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 8 DoS Protection Configuration
8.2 Ingress Filtering for DoS Attack Protection
8.2.1 Overview
In recent years, the spread of DoS (Denial of Service) attack traffic across the
Internet has caused considerable trouble for Internet users. There are many kinds
of DoS attacks, but the basic form uses valid service requests to occupy excessive
service resources, so that legitimate users cannot get a service response. The
attack messages mostly carry a disguised (spoofed) source IP address to avoid
exposure.
To address this, RFC 2827 proposes setting up ingress filtering at the network
access point to prevent messages with a disguised source IP from entering the
network. This approach focuses on the early stage of an attack and on the overall
prevention of DoS attacks, and therefore works well. Such filtering also helps
ISPs and network administrators accurately locate attackers by their true and
valid source IP addresses.
DES-7200 adopts RFC 2827-based ingress filtering rules to defend against DoS
attacks. The filtering is implemented through specific ACLs that the switch
generates automatically, and it places no additional load on network forwarding.
You can also achieve the filtering effect with the address binding or Dot1x
function of DES-7200, or by setting up ACLs yourself.
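The following Python model illustrates the RFC 2827 check described above. It is an added example, not code or configuration from the DES-7200 guide. It assumes that the ACL for each layer-3 interface permits only the prefixes configured on that interface and denies every other source; the interface names, addresses and packets are constructed sample data.

```python
from ipaddress import ip_address, ip_interface

# Constructed layer-3 interface table: interface name -> configured addresses.
INTERFACES = {
    "vlan10": ["192.0.2.1/26"],
    "vlan20": ["198.51.100.1/24", "203.0.113.129/25"],  # primary + secondary
}

# Constructed packets as (ingress interface, source IP).
PACKETS = [
    ("vlan10", "192.0.2.17"),     # inside vlan10's connected prefix
    ("vlan10", "198.51.100.9"),   # valid address, but it belongs behind vlan20
    ("vlan20", "203.0.113.200"),  # inside vlan20's secondary prefix
    ("vlan20", "10.1.1.1"),       # not a connected prefix anywhere
]


def build_ingress_acl(addresses):
    """Derive an ordered ACL: permit each connected prefix, then deny any source."""
    acl = [("permit", ip_interface(a).network) for a in addresses]
    acl.append(("deny", None))  # None stands for "any source"
    return acl


def check_source(acl, src):
    """Return the action of the first ACL entry that matches the source address."""
    addr = ip_address(src)
    for action, network in acl:
        if network is None or addr in network:
            return action
    return "deny"  # unreachable with build_ingress_acl, kept as a safe default


def filter_packets(interfaces, packets):
    """Apply each interface's derived ACL to the packets arriving on it."""
    acls = {name: build_ingress_acl(addrs) for name, addrs in interfaces.items()}
    return [(ifname, src, check_source(acls[ifname], src)) for ifname, src in packets]


if __name__ == "__main__":
    for ifname, src, action in filter_packets(INTERFACES, PACKETS):
        print(f"{ifname:7} src={src:15} -> {action}")
```

The second packet shows why the check is applied per interface: an address that is valid elsewhere in the network is still rejected when it arrives on the wrong access interface. A spoofed source that falls inside the permitted prefix of the same interface passes this check, a limitation that RFC 2827 itself notes.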
8.2.2 Typical applications
A. An ISP deploys ingress filtering on the access router to prevent messages with
a disguised source IP from entering the ISP network and the Internet:
B. An enterprise network (campus network) deploys ingress filtering on a layer-3
switch to prevent messages with a disguised source IP from entering the enterprise
(campus) network: