Denial of Service Attacks & DSLAMS

18 years 5 months ago #14988 by Ranger24
Hi Guys,

This one is aimed at you security experts - Sahir come out of hiding!

The question is: How could an IP DSLAM protect its end customers from DoS attacks?

I know the kit I work on doesn't have any DoS prevention measures as it has been developed (as it should be) as a transport device. Now that DSLAMs are moving from ATM to IP and including basic routing functions and/or switching functions, more operators are asking security-related questions. DoS looks set to be the next small challenge.

Background:

DSLAMs connect multiple xDSL customers to a single Gigabit Ethernet uplink into a switched metro Ethernet. The connection across the DSLAM can be:
- Bridged 1-2-1
- Bridged Group (many - 2 - 1)
- Routed - using a simple routing table.

DSLAM supports ICMP, IGMP & DHCP relay.

I suppose there are 2 parts to this. Firstly, CAN a DSLAM prevent DoS attacks, as these will typically be targeted at the end customers of the DSLAM and not the DSLAM itself? And secondly, if it can prevent DoS, what measures would have to be implemented at the DSLAM?

Thanks for your comments,

R


Patience - the last reserve of the any engineer
18 years 5 months ago #14993 by havohej
Don't know if DSLAMs provide support for QoS as Cisco MQC does.

In the third generation of QoS you can stop DoS attacks by marking them as scavenger traffic for entirely dropping the network as a whole, or by PHB (Per Hop Behavior). So you can immediately identify, classify, and police by marking down, by CoS or DSCP, or dropping itself, for the suspicious flows, or packets considered "out of profile" from the normal network behavior defined in the baseline.
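
The mark-down-or-drop policing described in the post above, as an added example that is not part of the thread: a colour-blind single-rate three-colour policer (RFC 2697) kept per source address, which forwards in-profile packets unchanged, remarks excess packets to DSCP CS1 (scavenger) and drops the rest. The rate, burst sizes, per-source keying and packet list are constructed assumptions, not values from any DSLAM or router.

```python
from collections import Counter
from dataclasses import dataclass

DSCP_CS1 = 8  # class selector 1, commonly used for scavenger traffic

@dataclass
class SrTcmPolicer:
    cir: float   # committed information rate, bytes per second (assumed value)
    cbs: float   # committed burst size, bytes (assumed value)
    ebs: float   # excess burst size, bytes (assumed value)
    last: float = 0.0

    def __post_init__(self):
        self.tc, self.te = self.cbs, self.ebs  # both buckets start full

    def police(self, now, size, dscp):
        """Return the DSCP to forward with, or None to drop the packet."""
        tokens = (now - self.last) * self.cir
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)            # fill committed bucket first
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)  # overflow goes to excess bucket
        if self.tc >= size:        # in profile: forward unchanged
            self.tc -= size
            return dscp
        if self.te >= size:        # out of profile: mark down to scavenger
            self.te -= size
            return DSCP_CS1
        return None                # far out of profile: drop

def classify(packets, cir=20_000, cbs=3_000, ebs=3_000):
    """Police (time, src, size, dscp) tuples per source; return verdict counts."""
    policers, counts = {}, {}
    for now, src, size, dscp in sorted(packets):
        pol = policers.setdefault(src, SrTcmPolicer(cir, cbs, ebs))
        out = pol.police(now, size, dscp)
        verdict = "drop" if out is None else "scavenger" if out != dscp else "conform"
        counts.setdefault(src, Counter())[verdict] += 1
    return counts

# Constructed sample: one subscriber-rate sender and one flood, 1000-byte packets.
SAMPLE = [(i * 0.1, "198.51.100.7", 1000, 0) for i in range(5)]
SAMPLE += [(i * 0.001, "203.0.113.9", 1000, 0) for i in range(10)]

if __name__ == "__main__":
    for src, c in classify(SAMPLE).items():
        print(src, dict(c))
```
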
18 years 5 months ago #14996 by Ranger24
Sounds like a nice idea... however DSLAM QoS is really limited compared to routers.

Examination of QoS, remarking and limited queue / bandwidth management is possible. But there is no scope for managing traffic in terms of analysing behaviour etc.

In the DSLAM access network this tends to be the responsibility of the BRAS (Broadband Remote Access Server = which is really a clever edge router).

R


Patience - the last reserve of the any engineer
18 years 5 months ago #15010 by havohej
That's what I was thinking, but as you mention, try to set up QoS or DoS mitigation policies in the edge customer routers, only letting the DSLAM for forwarding duties.