Archive for November, 2010
As e-commerce continues to proliferate and deliver profitable results, more business is being done online. The growing adoption of online retailing, Internet banking, cloud-based data storage and other commercial services represents a natural evolution of Internet use. For online businesses, however, any downtime can dramatically impact the bottom line. As a result, the growing scale and frequency of Distributed Denial of Service (DDoS) attacks are taking a toll on these businesses. While DDoS attacks may have been driven by non-economic reasons in the past, they now have monetary drivers including extortion, competitive advantage and corporate revenge.
When it comes to DDoS protection, many enterprises and Internet data center (IDC) operators have a false sense of security. They think they have secured their key services against DDoS attacks simply by deploying intrusion prevention system (IPS) devices or firewalls in front of their servers. Unfortunately, such deployments can actually expose these organizations to service outages and irate customers. When business-critical services are not available, enterprises and IDC operators lose money and damage important customer relationships. What’s more, when services are unavailable due to external attacks, it can be sensational and unwelcome front-page news—especially when the damages could have been easily prevented.
This article examines why IPS devices and firewalls fail to stop DDoS threats. It also describes how an intelligent DDoS mitigation system (IDMS) offers an ideal solution by enabling a layered defense strategy to combat both volumetric and application-layer DDoS attacks.
Why IPS Devices and Firewalls Can’t Stop DDoS Attacks
IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products.
IPS devices, for example, block break-in attempts that lead to data theft, while a firewall acts as a policy enforcer that prevents unauthorized access to data. Such products effectively address network integrity and confidentiality, but they do not address the fundamental concern in a DDoS attack, which is network availability. What’s more, IPS devices and firewalls are stateful, inline devices: they must keep a table entry for every connection they see, so a flood of connections exhausts that table and they become targets themselves.
How to fight DDoS Attacks
The ideal solution is an Intelligent DDoS Mitigation System (IDMS) that can stop both volumetric and application-layer DDoS attacks. It must also be deployable both in the ISP network (in the cloud) and at the enterprise or data-center edge.
Key Features of an IDMS
The limitations in IPS devices and firewalls reveal the key attributes required in an IDMS solution. An IDMS must be “stateless,” in other words, it must not track state for all connections. As mentioned earlier, a stateful device is vulnerable to DDoS and will only add to the problem. The IDMS solution must also support various deployment configurations; most importantly, it must allow for out-of-band deployments when needed. This deployment flexibility can increase the scalability of the solution, which is a requirement as the size of DDoS attacks continues to increase.
To truly address “distributed” DoS attacks, an IDMS must be a fully integrated solution that supports a distributed detection method. IPS devices leveraging single segment-based detection will miss major attacks. Moreover, an IDMS solution must not depend on signatures created after the attack has been unleashed on the targets; rather, it must support multiple attack countermeasures.
Finally, the IDMS must provide comprehensive reporting and be backed by a company that is a known industry expert in Internet-based DDoS threats. The key features of IDMS are:
- Stateless
- Inline and Out-of-Band Deployment Options
- Scalable DDoS Mitigation
- Ability to Stop “Distributed” DoS Attacks
- Multiple Attack Countermeasures
- Comprehensive Reporting
- Industry Track Record and Enterprise
Summary
To summarize, the security of a network depends on different elements, each with its own purpose and scope. Network firewalls and Intrusion Prevention Systems (IPS) are the cornerstone of the security of any network. They are excellent at enforcing the security policy and mitigating threats against unauthorized access, network integrity and confidentiality. However, they cannot stop a Distributed Denial of Service attack. For this threat a more suitable defense mechanism is an Intelligent DDoS Mitigation System (IDMS), which detects distributed attacks and takes the proper action to stop them.
If you have your own Cisco switch equipment in your home lab or at work, you may have needed to completely erase the whole switch configuration, including any VLANs already configured on the switch. On a Cisco switch, erasing the startup configuration is one thing and erasing the VLANs that exist on the switch is another, because they are stored in different places.
It is a good practice to completely erase everything on a switch (both switch configuration and switch Vlans) before using the switch in another part of your network. This is important in order to avoid any network conflicts because of any old configuration settings that are already configured on the switch.
Now let us see how to delete the configuration and Vlans from a Cisco switch.
1) Deleting the switch configuration
This is the easy part. It’s the same as deleting the configuration from any other Cisco network IOS device. Basically you need to delete the “startup-configuration” and then reboot the switch.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Switch#reload
2) Deleting the switch Vlans
The strange part is that after deleting the switch configuration you will notice that the Vlans are still there.
Switch#show vlan brief
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
By executing the command “show vlan brief” you can see that there are 3 vlans configured on the switch. These vlans are stored in a file in flash memory called “vlan.dat”. You can see this file if you read what is stored in the flash:
Switch#show flash:
Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin
2 -rw- 616 <no date> vlan.dat
64016384 bytes total (59600847 bytes free)
As you can see from output above, the file “vlan.dat” is stored in flash. You have to delete this file in order to completely erase all vlans on the switch.
Switch#delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
Switch#sh flash
Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin
64016384 bytes total (59601463 bytes free)
Switch#reload
After executing the command “delete vlan.dat”, just hit Enter twice to accept the defaults and the file is gone. Then reload the switch. If the reload prompts you to save the modified configuration, answer “no”; answering “yes” writes the running configuration back into NVRAM and undoes the erase.
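The whole wipe as one session, with the checks that confirm it actually took effect. This is an added example, not part of the original post; the prompt name “Switch” and the prompts shown are what a Catalyst running a 12.2 IOS image normally prints, and the file list is the one from the output above.

```cisco
! Added example: full wipe of a Catalyst switch before it is redeployed,
! followed by verification. Hostname "Switch" is a placeholder.

! 1. Record what is there now. vlan.dat also holds the VTP settings,
!    so note the VTP mode and domain before wiping.
Switch#show vlan brief
Switch#show vtp status

! 2. Remove the startup configuration from NVRAM
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete

! 3. Remove the VLAN database from flash (full path form of the command)
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

! 4. Confirm the file is gone before rebooting
Switch#dir flash:
! expected: vlan.dat is no longer listed, only the IOS image remains

! 5. Reboot. Answer "no" to the save prompt, otherwise the running
!    configuration is written back to NVRAM and step 2 is undone.
Switch#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

! 6. After the reboot (answer "no" to the initial configuration dialog),
!    verify that both stores are empty
Switch#show startup-config
startup-config is not present
Switch#show vlan brief
! expected: only VLAN 1 and the reserved defaults 1002-1005 remain
```

One caveat worth the extra `show vtp status` in step 1: a switch that was a VTP client (or server in the same domain) will learn the old VLANs again the moment it is cabled into a domain whose server advertises a higher configuration revision. After the wipe the switch is back to VTP server mode with no domain name, so set the mode you want before connecting trunks.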
In my opinion, Cisco switches are the best on the market. Versatile, reliable, flexible and powerful, the Cisco switch product line (the 2960, 3560, 3750, 4500, 6500 etc.) offers unparalleled performance and features.
Although a Cisco switch is a much simpler network device than a router or a firewall, many people have difficulty configuring a Cisco Catalyst switch. Unlike cheaper plug-and-play switches, a Cisco switch needs some initial basic configuration in order to enable management, security and some other important features.
In this article I will describe the basic steps needed to configure a Cisco switch from scratch. I don’t like GUI or web management at all, so I will show command-line configuration, which is much more powerful and makes administrators learn what they are actually doing on the device.
STEP1: Connect to the device via console
Use terminal emulation software such as PuTTY and connect to the console port of the switch. You will get the initial command prompt “Switch>”.
Type “enable” and hit enter. You will get into privileged mode (“Switch#”)
Now, get into Global Configuration Mode:
Switch# configure terminal
Switch(config)#
STEP2: Set up a hostname for the particular switch to distinguish it in the network
Switch(config)# hostname access-switch1
access-switch1(config)#
STEP3: Configure an administration password (enable secret password)
access-switch1(config)# enable secret somestrongpass
STEP4: Configure a password for Telnet access
access-switch1(config)# line vty 0 15
access-switch1(config-line)# password strongtelnetpass
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
STEP5: Define which IP addresses are allowed to access the switch via Telnet
access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
access-switch1(config-std-nacl)# exit
!Apply the access list to Telnet VTY Lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#
STEP6: Assign IP address to the switch for management
!Management IP is assigned to Vlan 1 by default
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# exit
access-switch1(config)#
STEP7: Assign default gateway to the switch
access-switch1(config)# ip default-gateway 10.1.1.254
STEP8: Disable unneeded ports on the switch
! This step is optional but enhances security
! Assume that we have a 48-port switch and we don’t need ports 25 to 48
access-switch1(config)# interface range fastethernet 0/25 - 48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#
STEP9: Save the configuration
! Return to privileged mode first; "write memory" (or "copy running-config startup-config") saves to NVRAM
access-switch1(config)# end
access-switch1# write memory
The above are some steps that can be followed for the basic set-up of a Cisco switch. Keep in mind that Telnet carries the password from STEP4 in cleartext across the network; where the IOS image supports it, SSH should be used for remote management instead. Of course there are more things you can configure (such as SNMP servers, NTP, AAA etc.), but those depend on the requirements of each particular network.
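The nine steps consolidated into one baseline, with SSH in place of Telnet for the remote session. This is an added example and not the post’s own configuration: the hostname, addresses, domain name, account name and passwords are placeholders for illustration, and SSH requires an IOS image with crypto support (a “k9” image).

```cisco
! Added example: baseline access-switch configuration, steps 1-9 above
! plus SSH instead of Telnet. All names and addresses are placeholders.

Switch> enable
Switch# configure terminal
Switch(config)# hostname access-switch1
! A domain name is required before an RSA key can be generated
access-switch1(config)# ip domain-name lab.example.net
access-switch1(config)# enable secret somestrongpass
! Local admin account; "secret" stores a hash, "password" would store it reversibly
access-switch1(config)# username admin privilege 15 secret anotherstrongpass
! Obscure any remaining plain-text passwords in the saved config
access-switch1(config)# service password-encryption
! RSA key pair for the SSH server, generated after hostname and domain are set
access-switch1(config)# crypto key generate rsa modulus 2048
access-switch1(config)# ip ssh version 2
! Management stations allowed to open a remote session; log anything else
access-switch1(config)# ip access-list standard MGMT-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
access-switch1(config-std-nacl)# deny any log
access-switch1(config-std-nacl)# exit
! Remote lines: local accounts, SSH only, idle timeout, source filter
access-switch1(config)# line vty 0 15
access-switch1(config-line)# login local
access-switch1(config-line)# transport input ssh
access-switch1(config-line)# exec-timeout 10 0
access-switch1(config-line)# access-class MGMT-ACCESS in
access-switch1(config-line)# exit
! Console line: same account and timeout
access-switch1(config)# line console 0
access-switch1(config-line)# login local
access-switch1(config-line)# exec-timeout 10 0
access-switch1(config-line)# exit
! Management address (kept on VLAN 1 as in the post) and default gateway
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# no shutdown
access-switch1(config-if)# exit
access-switch1(config)# ip default-gateway 10.1.1.254
! Web management is not used, so turn the HTTP server off
access-switch1(config)# no ip http server
access-switch1(config)# no ip http secure-server
! Unused ports administratively down
access-switch1(config)# interface range fastethernet 0/25 - 48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)# end
! Verify SSH is enabled and the management address is up, then save
access-switch1# show ip ssh
access-switch1# show ip interface brief
access-switch1# write memory
```

Test the SSH login from one of the permitted addresses before closing the console session, and from a non-permitted address to confirm the access-class rejects it; the `deny any log` entry makes those rejected attempts visible in the log.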