Category: Security

Unidirectional communication filter between two VLANs

How do you block traffic between two VLANs in only one direction?

VLANs and VLAN configurations are useful in many different ways. Sooner or later every network administrator will need the configuration described here.

UPDATE on 01 Sep 2017:
This article is about reflexive access-lists, which provide a limited form of statefulness for TCP traffic passing through your router. After some feedback from my readers, I wrote another, somewhat better article about reflexive access-list configuration, so I suggest reading that one as well.

Meeting this tricky communication security requirement was a real challenge. The problem does not look like a big deal, but once you try to make it work you see that it is.


The goal was to build a unidirectional communication filter between two VLANs. The request was to allow VLAN 10 to access VLAN 20, but not the opposite. Computers in VLAN 10 needed to reach resources in VLAN 20 normally, while computers in VLAN 20 had to be prevented from accessing VLAN 10.

How to prevent or stop DoS attacks?

The response and prevention

Defending against denial-of-service attacks typically combines attack detection, traffic classification and response tools. The aim is to identify traffic as illegitimate and block it, while permitting only traffic that has been identified as legitimate. Below is a list of response and prevention tools:

Firewalls

Firewall rules are quite simple: permit or deny ports, protocols, or IP addresses. Some DoS attacks are too complex for many firewalls. For example, if an attack arrives on port 80 (web service), a packet-filtering firewall cannot easily tell the bad traffic of the DoS attack from the good traffic, so it cannot prevent the attack. In addition, firewalls may sit too deep in the network: the routers in front of them may be affected before the traffic even reaches the firewall. However, firewalls can be effective in preventing users on machines behind the firewall from launching even simple flooding attacks.

DoS Methods – PDoS, Permanent DoS attacks

A PDoS, or permanent denial-of-service, also referred to as phlashing, is a severe attack that damages a system so completely that its hardware must be reinstalled or replaced. A PDoS attack exploits security flaws that permit remote administration through the management interfaces of the victim's hardware, such as printers, routers, or other networking equipment.

DoS Methods – ICMP and SYN flood, Teardrop and Low-rate DoS attacks

ICMP flood

The smurf attack is one specific form of flooding DoS attack that occurs on the public Internet. It relies entirely on misconfigured network equipment that permits packets sent to the network's broadcast address to be delivered to all hosts on that network, rather than to a single machine. The network then works as a smurf amplifier. In such an attack, the perpetrators send a huge number of IP packets with a forged source address that appears to be the victim's address.

DDoS – Distributed Denial of Service attack

A distributed denial-of-service (DDoS) attack takes place when a number of systems, i.e. one or more web servers, flood the bandwidth and resources of a targeted system. Attackers use different methods to compromise those systems.

Malware can carry the DDoS attack mechanism itself; the best-known example was MyDoom. Its DoS mechanism was triggered on a specific date and time. In a DDoS of this kind, the target IP address is hardcoded before the malware is released, so no further communication is needed to launch the attack.

It can also happen that a system is compromised with a trojan that lets the attacker download a zombie agent (sometimes the trojan already contains one). Attackers can also compromise systems with automated tools that exploit flaws in programs which listen for connections from remote hosts. The primary concern in this scenario is that the compromised systems begin serving as web servers.

A classic example of a DDoS tool is Stacheldraht. It uses a layered structure: the attacker uses a client program to connect to the handlers, which are compromised systems that send commands to the zombie agents, and the agents carry out the DDoS attack. The handlers can take control of agents using automated routines that exploit vulnerabilities in programs accepting remote connections on the targeted hosts. Each handler can control up to 1000 agents.

These collections of compromised systems are referred to as botnets. DoS tools like Stacheldraht still use the classic DoS methods centered on IP spoofing and amplification, such as fraggle attacks and smurf attacks (also referred to as bandwidth consumption attacks). Sometimes SYN floods or resource starvation attacks are used as well. Modern tools can also utilize DNS servers for DoS purposes.