limes102 — 2010-08-15T17:03:28-04:00 — #1
At the company I work for, we have two ADSL lines going into a Vigor 2820. This works really well to be fair, but the company seems to be prone to DoS attacks, unfortunately.
The fact that the connection is down doesn't bother us too much, but the router actually crashes. Once the DoS attack has gone, we can still access the Internet, but some of the NAT goes a bit wrong, and the telnet and web administration doesn't work.
Can any one offer an alternative to the DrayTek? I do like it but I think we might need something a little faster
Thanks for any help you can provide
xhtmlcoder — 2010-08-17T09:21:15-04:00 — #2
Hmm, I've configured various virtualised Cisco Routers and Switches via CLI but not I've done an awful lot to do with configuring advanced IOS security commands unfortunately.
Your 'Security Audit' seems like it has quite a few serious holes, or is being weakly implemented. Also it doesn't sound like you are making full use of the router security protocols or using the 'weaker' or default router security protocols.
I assume you have tried debugging the NAT and that you are using a VLAN and have enabled port security on each individual Switch port in use and assigned the MAC addresses correctly. Obviously I suspect you'll have packet-filters in place.
anthonysterling — 2010-08-15T18:50:00-04:00 — #3
Ideally you need to be able to drop any requests from certain addresses dynamically, Building up these rules/behaviour isn't something that can be done on a whim. Most certainly not on a site providing live services.
Given your requirements, we do have a few Cisco 887Vs out in the field which could suit but you'll probably find the device you have already suits.
Dig a little deeper into the devices capabilities, focus on intrusion detection, and see if there is anything that you can configure to drop repeated requests.
I wish there was more I could help you with, but if security was easy, we'd all be safe.
limes102 — 2010-08-15T18:37:05-04:00 — #4
Well, we have about 8 routed IP addresses, and we have SMTP, HTTPS and HTTP open, and a couple of others which are fairly bespoke.
When I do a port scan, all the other ports report as closed.
You can do a lot of stuff with the router, I think DrayTek define it as a security router... The firewall seems to be pretty good, but still, these occasional DoS attacks aren't good!
I have looked at a couple of Cisco routers, but I know nothing about Cisco...
limes102 — 2010-08-15T18:19:01-04:00 — #5
The company is based in a relatively rural area, but we have several email servers, it would cost too much to have email hosting for the level of email we receive.
Although, this obviously doesn't help with the attack thing.
We do have DoS defence enable on the router, and ping disable, but it doesn't do much.
Because the router crashes, it always fails to give us a report of the DoS attack...
Is that the kind of info you wanted? I don't really know what else to give you
anthonysterling — 2010-08-15T18:14:23-04:00 — #6
Can you provide more information about the DoS attack? This probably be something you should be addressing at the network level, more information would be great to help us determine how to proceed.
anthonysterling — 2010-08-15T18:32:55-04:00 — #7
Well, if the router is crashing and therefore cannot review the logs we're in a bit of pickle.
What external ports are listening for connections without prior internal invocation? Ideally, you'd be wanting to drop all requests on any non-auth'd or already open ports, does the device allow this level of granularity?
limes102 — 2010-08-15T18:52:27-04:00 — #8
I have like every security defence checked
There are some evil people out there
Thanks for your help though!