LAN layer
At the LAN layer, network administrators can take many precautions. For example, although it is almost impossible to eliminate IP packet spoofing completely, administrators can build filters that effectively reduce spoofed-IP attacks originating inside the network by restricting inbound traffic. The same filter can also restrict outbound IP packets, preventing the network from being used as an intermediate system in DoS attacks that rely on spoofed IP addresses.
Other methods include closing or restricting specific services, for example allowing UDP services only within the intranet, for network diagnostic purposes.
Unfortunately, these restrictions may have negative effects on legitimate applications such as RealAudio, which uses UDP as its transport mechanism. If an attacker can force the victim to give up IP services or other legitimate applications, the attacker has already achieved the goal of a DoS attack.
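The inbound and outbound anti-spoofing filter described above, as an added example that is not part of the original article: the internal prefixes, interface names and sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the address space assigned to the protected LAN.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str   # "inside" = LAN-facing port, "outside" = uplink to the rest of the network


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet):
    """Return (verdict, reason) for one packet.

    Inbound rule: a packet arriving on the uplink must not claim an internal source,
    which blocks spoofed 'internal' traffic coming from outside.
    Outbound rule: a packet leaving the LAN must carry an internal source, so the LAN
    cannot be used as an intermediate system for spoofed-source attack traffic.
    """
    try:
        src_internal = is_internal(pkt.src)
    except ValueError:
        return "drop", "malformed source address"
    if pkt.iface == "outside" and src_internal:
        return "drop", "external packet spoofing an internal source address"
    if pkt.iface == "inside" and not src_internal:
        return "drop", "internal host sending with a non-internal source address"
    return "pass", "ok"


def filter_all(packets):
    """Apply the filter to a batch and return the list of verdicts."""
    return [filter_packet(p)[0] for p in packets]
```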
Network Transport Layer
The following controls at the network transport layer can compensate for the shortcomings above.
1. Layer-independent line-speed quality of service (QoS) and access control
The emergence of line-speed multilayer switches with configurable intelligent software and layer-independent QoS and access control functions has improved the ability of network transport devices to protect the integrity of data flows.
In traditional routers, authentication mechanisms (such as filtering out spoofed packets that carry internal addresses) require traffic to reach the router edge and be matched against the criteria in a specific access control list. However, maintaining access control lists is not only time-consuming but also greatly increases router overhead.
In contrast, line-speed multilayer switches can flexibly implement various policy-based access controls.
This layer-independent access control capability completely separates security decisions from network structure decisions, allowing network administrators to deploy DoS prevention measures effectively without having to adopt a suboptimal routing or switching topology. As a result, network administrators and service providers can seamlessly integrate policy-based control criteria across the entire metropolitan area network, data center or enterprise network environment, regardless of whether they use complex router-based core services or relatively simple Layer 2 switching. In addition, line-speed data authentication can be performed in the background with essentially no performance penalty.
2. Customizable filtering and the "trusted neighbor" mechanism
Another advantage of intelligent multilayer access control is that it can easily implement customized filtering operations, such as tailoring the granularity of the system's response to specific criteria. Instead of making a simple "pass" or "drop" decision for packets that may be part of a DoS attack, multilayer switching can push such packets into a specific QoS profile with a defined maximum bandwidth limit. This approach not only contains DoS attacks but also reduces the risk of discarding legitimate packets.
Another advantage is that routing access policies can be customized to support "trusted neighbor" relationships between specific systems, preventing unauthorized use of internal routing.
Take Extreme Networks' ExtremeWare suite software as an example: it maps and overwrites IEEE 802.1p and DiffServ markings, allowing every switch to ignore, observe or process any DiffServ markings sent from "untrusted neighbors". These mechanisms allow system administrators to adjust internal routing policies based on the traffic from specific neighbors.
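The two ideas above, a capped QoS profile instead of a pass/drop decision and ignoring DiffServ markings from untrusted neighbors, combined in one added example that is not ExtremeWare code or part of the original article. The neighbor names, bandwidth figures and the sample burst are constructed assumptions.

```python
class TokenBucket:
    """Bandwidth cap for one QoS profile: `rate` bytes/s with a `capacity`-byte burst."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def allow(self, size, now):
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False   # over the cap: this packet is dropped, the flow as a whole is not

# Constructed policy: neighbors whose DSCP markings the switch observes, and the
# bandwidth each profile may use (illustrative numbers, not vendor defaults).
TRUSTED_NEIGHBORS = {"core-rtr-1"}
DSCP_EF = 46   # Expedited Forwarding, honored only when it comes from a trusted neighbor

def make_profiles():
    return {"priority": TokenBucket(rate=1_000_000, capacity=100_000),
            "default":  TokenBucket(rate=100_000,   capacity=10_000),
            "suspect":  TokenBucket(rate=10_000,    capacity=2_000)}

def classify(neighbor, dscp):
    """Return (profile, dscp_to_forward). Marks from untrusted neighbors are ignored:
    the DSCP is rewritten to 0 and the traffic goes into the capped 'suspect' profile."""
    if neighbor in TRUSTED_NEIGHBORS:
        return ("priority" if dscp == DSCP_EF else "default"), dscp
    return "suspect", 0

def forward(packets, profiles):
    """packets: iterable of (neighbor, dscp, size_bytes, time_s). Returns per-profile counts."""
    stats = {name: {"pass": 0, "drop": 0} for name in profiles}
    for neighbor, dscp, size, now in packets:
        profile, _ = classify(neighbor, dscp)
        verdict = "pass" if profiles[profile].allow(size, now) else "drop"
        stats[profile][verdict] += 1
    return stats

def sample_burst():
    """Constructed burst: an unknown edge device and the core router each send ten
    500-byte packets marked EF at the same instant."""
    return ([("unknown-edge", DSCP_EF, 500, 0.0)] * 10
            + [("core-rtr-1", DSCP_EF, 500, 0.0)] * 10)
```

With the constructed burst, the untrusted device's EF marking is ignored and only the first 2 000 bytes of its burst pass, while the trusted router's traffic is forwarded untouched.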
3. Customizable network login configuration
Network login authenticates a user with a unique username and password before the user is allowed onto the network. The login is submitted from the user's browser to the switch; the switch captures the user's identity, sends a request to the RADIUS server, and the authentication is performed there. Only after successful authentication does the switch allow the user's packet traffic to flow through the network.
The draft IEEE 802.1 standard stipulates that the network login mechanism can control user access to the switch, minimizing the risk of direct DoS attacks. At the same time, network login provides a robust mechanism for managing and tracking internal users.
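The port-gating behaviour described above, modelled as an added example that is not ExtremeWare code or part of the original article. The RADIUS exchange is replaced by a constructed in-memory authenticator, and the portal address, port names, MAC addresses and credentials are all assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the RADIUS server's credential store (hash of the password).
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def radius_authenticate(username: str, password: str) -> bool:
    """Simplified stand-in for the Access-Request / Access-Accept exchange."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


class NetworkLoginSwitch:
    """Per-port gate: until a user authenticates, only traffic to the login portal passes."""

    def __init__(self, login_portal: str, radius=radius_authenticate):
        self.login_portal = login_portal
        self.radius = radius
        self.authorized = {}   # (port, mac) -> username once authenticated
        self.audit = []        # tracking record: who logged in, where, and the outcome

    def forward(self, port: str, mac: str, dst: str) -> bool:
        """Decide whether a frame from (port, mac) addressed to dst may enter the network."""
        if (port, mac) in self.authorized:
            return True
        return dst == self.login_portal   # unauthenticated: login traffic only

    def login(self, port: str, mac: str, username: str, password: str) -> bool:
        """The switch relays the browser-submitted credentials to RADIUS and opens the port on accept."""
        ok = self.radius(username, password)
        self.audit.append((port, mac, username, "accept" if ok else "reject"))
        if ok:
            self.authorized[(port, mac)] = username
        return ok

    def logout(self, port: str, mac: str) -> None:
        """Close the gate again, e.g. on link-down or explicit logout."""
        self.authorized.pop((port, mac), None)
```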