Resource Depletion Attack

An attacker depletes a resource to the point that the target’s functionality is affected. Virtually any resource necessary for the target’s operation can be targeted in this attack. The result of a successful resource depletion attack is usually the degradation or denial of one or more services offered by the target. The resources the attacker needs will depend on the nature of the resource to be depleted, the amount of that resource the target has access to, and other mitigating circumstances such as the target’s ability to shift load, detect and mitigate resource depletion attacks, or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal.

Resource depletion can target endpoint hosts such as servers and workstations, as well as network devices, whose processing capacity and memory are needed for normal operation. Resource depletion can also target bandwidth exhaustion; in every case the end goal is a denial of service against the service offered by the target.

Mitigation

To prevent resource depletion you should monitor normal network activity and disable unnecessary services that could be abused to consume network device resources. To avoid bandwidth exhaustion you should configure QoS at the perimeter of your WAN network to prioritize important traffic. If the network is near its capacity because of bottlenecks, you should consider upgrading the weakest nodes or increasing the available bandwidth.

Threshold Notifications and Resource Reservation

Memory Threshold Notification generates a log message to indicate that free memory on a device has fallen below the configured threshold. The CPU Thresholding Notification feature lets you detect and be notified when the CPU load on a device crosses a configured threshold; when the threshold is crossed, the device generates and sends an SNMP trap message.
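The three features above as a Cisco IOS configuration fragment, added here as an illustration (not configuration taken from the original page). All watermark sizes, percentages, the collector address 192.0.2.10 and the community string are constructed example values.

```cisco
! Memory Threshold Notification: log a message when free processor or
! I/O memory falls below the watermark (values in kilobytes; 20480 and
! 10240 are constructed example thresholds, size them to the platform)
memory free low-watermark processor 20480
memory free low-watermark io 10240
!
! Resource Reservation: hold back a reserve so the device can still log,
! send notifications and accept management sessions while memory is being
! depleted (1000 KB is a constructed example value)
memory reserve critical 1000
!
! CPU Thresholding Notification: rising threshold of 80% total utilisation
! sustained over 5 seconds, falling threshold of 20% over 5 seconds
process cpu threshold type total rising 80 interval 5 falling 20 interval 5
!
! Deliver the threshold crossings as SNMP traps to the collector
! (192.0.2.10 and NMS-COMMUNITY are constructed placeholders)
snmp-server enable traps cpu threshold
snmp-server host 192.0.2.10 traps version 2c NMS-COMMUNITY cpu
!
! Verification from exec mode:
!   show memory statistics    - current free processor / I/O memory
!   show processes cpu        - 5 s, 1 min and 5 min CPU utilisation
```

The log messages and traps only help if something consumes them: forward the device syslog to a collector so a depletion event is recorded even if the device itself becomes unresponsive.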

QoS

QoS refers to the ability of a network to provide improved service to selected network traffic over various underlying technologies including Frame Relay, ATM, Ethernet and 802.1 networks, SONET, and IP-routed networks.

Certain types of network attacks degrade application performance, and ensuring application performance is the main mission of QoS. Quality of Service can therefore be used to mitigate DoS and worm attacks.

IP Options Filtering

Cisco IOS Software Release 12.3(4)T added support for the use of ACLs to filter IP packets based on the IP options that are contained in the packet. IP options present a security challenge for network devices because these options must be processed as exception packets. This requires a level of CPU effort that is not required for typical packets that traverse the network. The presence of IP options within a packet can also indicate an attempt to subvert security controls in the network or otherwise alter the transit characteristics of a packet. It is for these reasons that packets with IP options must be filtered at the edge of the network.

Disable IP Source Routing

IP source routing leverages the Loose Source Route and Record Route options in tandem or the Strict Source Route along with the Record Route option to enable the source of the IP datagram to specify the network path a packet takes. This functionality can be used in attempts to route traffic around security controls in the network.

If IP options have not been completely disabled via the IP Options Selective Drop feature, it is important that IP source routing is disabled.

Filter IP Fragments

The filtering of fragmented IP packets can pose a challenge to security devices. This is because the Layer 4 information that is used to filter TCP and UDP packets is only present in the initial fragment. Cisco IOS software uses a specific method to check non-initial fragments against configured access lists: it evaluates these non-initial fragments against the ACL and ignores any Layer 4 filtering information. This causes non-initial fragments to be evaluated solely on the Layer 3 portion of any configured ACE (access control entry).

Due to the nonintuitive nature of fragment handling, IP fragments are often inadvertently permitted by ACLs. Fragmentation is also often used in attempts to evade detection by intrusion detection systems. It is for these reasons that IP fragments are often used in attacks, and why they must be explicitly filtered at the top of any configured infrastructure ACLs (iACLs). This example ACL includes comprehensive filtering of IP fragments.
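A Cisco IOS fragment that combines the IP Options Filtering, Disable IP Source Routing and Filter IP Fragments sections into one infrastructure ACL, added here as an illustration (it is not the page's own example ACL). The ACL name, interface name and the prefixes 198.51.100.0/24 (infrastructure address space) and 203.0.113.0/24 (management network) are constructed assumptions.

```cisco
! Reject all IP source routing (Loose/Strict Source Route options) globally
no ip source-route
!
! IP Options Selective Drop: discard transit packets that carry any IP
! option in the forwarding path instead of punting them to the CPU
ip options drop
!
! Infrastructure ACL. The fragment ACEs must come first: a non-initial
! fragment has no Layer 4 header and is matched on Layer 3 only, so a
! later "permit tcp ... eq 22" would silently admit it. Protocol-specific
! ACEs are used so the hit counters in "show ip access-lists" reveal which
! protocol the fragments claimed to be.
ip access-list extended ACL-INFRASTRUCTURE-IN
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 !
 ! Also deny packets carrying any IP option, for platforms or images
 ! where "ip options drop" is unavailable
 deny ip any any option any-options
 !
 ! Infrastructure protection: permit SSH from the management network to
 ! the infrastructure space, deny everything else aimed at the
 ! infrastructure space, and let ordinary transit traffic through
 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 deny ip any 198.51.100.0 0.0.0.255
 permit ip any any
!
! Apply inbound on the interface facing untrusted networks
! (GigabitEthernet0/0 is a constructed example name)
interface GigabitEthernet0/0
 ip access-group ACL-INFRASTRUCTURE-IN in
```

After applying it, watch the per-ACE counters in "show ip access-lists ACL-INFRASTRUCTURE-IN": a steadily climbing count on the fragment or option entries is an early indicator that someone is probing the edge with exception packets.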

Enable CEF

Cisco Express Forwarding (CEF) is an advanced Layer 3 switching technology used to enhance overall network performance. CEF is mainly used to increase packet switching speed by reducing the overhead and delays introduced by other switching techniques, which also lowers the CPU cost of forwarding under high packet rates.

NetFlow Traffic Monitoring

NetFlow enables you to monitor traffic flows in the network. NetFlow can also be used in order to show flow information on a router. This capability allows you to see what traffic traverses the network in real time.

NetFlow identifies anomalous and security-related network activity by tracking network flows. NetFlow data can be viewed and analyzed via the command line interface (CLI), or the data can be exported to a commercial or freeware NetFlow collector for aggregation and analysis.
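A Cisco IOS fragment that enables CEF (the Enable CEF section) and configures NetFlow accounting, export and cache sizing as described in the two NetFlow paragraphs above, added here as an illustration (not configuration from the original page). The interface name, the collector 192.0.2.20 on UDP 2055, the cache size and the timeouts are constructed assumptions.

```cisco
! Enable CEF first; NetFlow on IOS is normally run on top of CEF switching
ip cef
!
! Account ingress flows on the interface where attack traffic arrives
! (GigabitEthernet0/0 is a constructed example name)
interface GigabitEthernet0/0
 ip flow ingress
!
! Export flow records to an external collector for aggregation and
! longer-term analysis (192.0.2.20 / UDP 2055 are constructed values)
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.20 2055
!
! Size the flow cache explicitly and age entries out quickly, so that a
! flood of short-lived flows cannot deplete the flow cache itself
ip flow-cache entries 65536
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! On-box triage from exec mode:
!   show ip cache flow           - protocol distribution, packets per flow,
!                                  and the currently active flows
!   show ip cache verbose flow   - per-flow detail including TCP flags
! Many single-packet flows to one destination, or many flows carrying
! only the SYN flag, are the typical signature of a depletion attempt.
```

When the router is the device under attack, the exported records are more reliable than the on-box display, since the collector keeps the history even if the CLI becomes sluggish.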