New DOS attacks threaten wireless data networks

Forget spam, viruses, worms, malware and phishing. These threats are apparently old school when compared to a new class of denial-of-service (DOS) attacks that threaten wireless data networks.

The latest wireless network threats were outlined in a talk here Thursday by Krishan Sabnani, vice president of networking research at Bell Labs, at the Cyber Infrastructure Protection Conference at City College of New York.

Sabnani said the latest wireless data network threats are the result of inherent weaknesses in Mobile IP, a protocol that uses tunneling and triangular routing (traffic is relayed through the device's home agent) to allow mobile devices to move freely from one network to another.

“We need to especially monitor the mobile networks – with limited bandwidth and terminal battery—for DOS attacks,” Sabnani said.

Here are five wireless data network threats outlined by Sabnani:

1. Signaling DOS

2. Battery Drain

3. Peer-to-Peer Applications

4. Malfunctioning Air Card

5. Excessive Port Scanning

Read the full article on NetworkWorld.com

Cisco: DoS protection using TCP Intercept

Every now and then, every network engineer has to deal with some kind of network attack. Usually the attack does not target the network devices but the machines that provide services (web, database hosting and so on), because it is far easier to find a script on the Internet that probes port 80, which any script kiddie can use, than to corrupt BGP in order to act as a man-in-the-middle. Still, in front of the machine being attacked there is a network device, and even if that device is not the target it can be affected (for example by the traffic volume during a denial-of-service attack). So, besides protecting the network components, we have a duty (at least a moral one) to help the team managing the servers to mitigate the attack.

For those of you who are not familiar with it, I will briefly explain what a Denial-of-Service (DoS) attack is. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, web hosting providers and so on. One common method involves saturating the target machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable. This flood of requests can be generated with an ICMP flood, a peer-to-peer attack, a teardrop attack, a nuke, an application-level flood and many other (too many…) methods. The purpose is either to consume resources on the target machine so that it can no longer provide its intended service, or to obstruct the communication path between the intended users and the victim so that they can no longer communicate adequately.

One method to limit the impact of a SYN-flood DoS attack is to restrict, on the network device (the router), the number of half-open connections allowed to reach a server by using TCP Intercept. The TCP Intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP Intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software completes the handshake with the client on behalf of the destination server and, if that succeeds, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts (typically spoofed source addresses, which never answer the SYN-ACK) never reach the server. The software continues to intercept and forward packets for the duration of the connection.

The main steps to enable TCP Intercept are:

1. Define an IP extended access list
2. Enable TCP intercept
3. Fine tune the TCP intercept parameters

TCP Intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for the client's ACK. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within the watch timeout (30 seconds by default), the software sends a Reset to the server to clear up its state.

In the following topology we have the Server (10.10.10.100) and the possible Attacker (10.10.20.100). In the middle we have the router R1, which is responsible for mitigating the attack against port 80 on the Server. For this I would choose to apply the following configuration:

access-list 101 permit tcp any host 10.10.10.100 eq 80

ip tcp intercept mode intercept
ip tcp intercept list 101
ip tcp intercept max-incomplete high 150
ip tcp intercept max-incomplete low 100
ip tcp intercept drop-mode oldest

Some explanation for the lines above. We create an access list matching TCP traffic from anywhere to port 80 on the Server. We set the TCP Intercept mode to intercept (this is not actually needed, because it is the default mode; I put it here just for the sanity of the example). When the number of incomplete (half-open) connections exceeds 150 (…max-incomplete high 150) the router enters aggressive mode and, for every new connection request, drops one existing half-open connection starting with the oldest (…drop-mode oldest; this is also the default, the alternative being random). As soon as the number of incomplete connections falls below 100 (…max-incomplete low 100) the router stops dropping connections. Note that these thresholds count half-open connections, not established ones; the IOS defaults are 1100 and 900. The values here are just for this example.
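As an added example that is not part of the original post, here is the same R1/Server scenario configured in watch mode instead of intercept mode, with the per-minute rate thresholds and the timers tuned explicitly. Watch mode lets the server see the SYNs itself (so real client IP behaviour is unchanged) and only cleans up handshakes that never complete. The threshold and timer values are assumptions for illustration, not recommendations.

```cisco
! Added example (not from the original post): TCP Intercept in watch mode on R1
! Server 10.10.10.100, web service on TCP/80
!
! 1. Traffic to protect: anything from anywhere to the server's port 80
access-list 101 permit tcp any host 10.10.10.100 eq 80
!
! 2. Enable TCP Intercept against that access list
ip tcp intercept list 101
! Passive mode: SYNs pass through, the router only watches the handshake
ip tcp intercept mode watch
! Reset the server-side state if the handshake is not completed in 15 s (default 30 s)
ip tcp intercept watch-timeout 15
!
! 3. Fine tuning. Aggressive mode starts when EITHER high threshold is exceeded:
!    - more than 150 half-open connections at once, or
!    - more than 300 connection attempts in the last minute.
!    It ends when BOTH counters drop below the corresponding low value.
ip tcp intercept max-incomplete high 150
ip tcp intercept max-incomplete low 100
ip tcp intercept one-minute high 300
ip tcp intercept one-minute low 200
! In aggressive mode drop the oldest half-open connection for each new SYN
ip tcp intercept drop-mode oldest
! Age out idle established entries after 1 hour (default 24 h) to keep the table small
ip tcp intercept connection-timeout 3600
```

In aggressive mode the router also halves the initial retransmission timeout and the watch timeout, so a burst of spoofed SYNs is reset on the server side faster than under normal load. Verify with the same "show tcp intercept connections" and "show tcp intercept statistics" commands; in watch mode the connections table shows entries as "watched" rather than "intercepted".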

To check the TCP intercept you can use the following commands on the Cisco router:

show tcp intercept connections
show tcp intercept statistics

The screenshot referenced by the original post (Cisco TCP Intercept) shows what you should see from these commands when the configuration is working properly. The test was done in a Dynamips environment with two VMware machines (client and server) running Ubuntu and a Cisco 3640 series router.

Cisco: 6 best practice security tips for BGP

As we all know, in today's digital communication world there is a very good chance that your network is, or was, the target of malicious activity. BGP is one of the most targeted routing protocols when we talk about network attacks. Why? This is quite simple. BGP is your connection to the outside world (peer networks, the Internet and everything outside your LAN/MAN), so it is only natural that it is a main target. Whereas an attack on WWW, DNS or e-mail services may not have been intentional (e.g. a user got infected with some trojan/malware/botnet tool that is attacking random destinations), in the case of BGP you can be almost certain that the attack was deliberate. The main goal of a BGP attack is to flood the network with false information (e.g. bogus network prefixes), trying to redirect interesting traffic to destinations where it can be sniffed and decoded.

I will present here the 6 tips I use most often to protect BGP against malicious information. They are really easy to implement if you have a basic idea of how to configure BGP, and they can save you hours of troubleshooting and investigation.

1. Limit the maximum number of prefixes you accept from a BGP peer, to avoid overloading your router.
2. Deny updates that include a private AS number in the AS path (64512 – 65535).
3. Use ACLs on your external interface to permit inbound/outbound BGP packets only between your defined source and destination addresses.
4. Check the TTL of BGP packets so that sessions are accepted only from directly connected (next-hop) peers.
5. Use a password (TCP MD5) to authenticate peer neighbors.
6. Limit the maximum length of the AS path.

Here I would also like to mention, not necessarily as a security tip but more as a best practice, that you should enable logging whenever possible. It helps you spot strange behaviour on your machines while you are not around them.

There is no topology diagram for this tutorial, but we will assume a point-to-point serial connection between two routers, R2 (10.0.23.2) and R3 (10.0.23.3). The configuration walkthrough is presented in the image tutorial below:

BGP Security tips

If for some reason the tutorial above is not available to you, please check the accompanying text file, which presents in text form everything needed to implement the BGP security tips above.
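As an added worked example (not the original tutorial's configuration), here is the R2 side of the R2/R3 session with all six tips plus neighbor logging applied. The AS numbers (64496 for R2, 64497 for R3, both from the RFC 5398 documentation range, so they are not private ASNs and will not be caught by tip 2), the interface name Serial0/0, the prefix limit, the AS-path limit and the password are assumptions for illustration; R3's configuration is the mirror image with the addresses and AS numbers swapped.

```cisco
! Added example (not from the original post): R2 (10.0.23.2, assumed AS 64496)
! peering with R3 (10.0.23.3, assumed AS 64497) over Serial0/0
!
! Tip 2: AS-path filter. Deny any update whose path contains a private ASN.
! The regex covers 64512-64519, 64520-64599, 64600-64999 and 65000-65535.
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-9][0-9][0-9])_
ip as-path access-list 10 permit .*
!
! Tip 3: interface ACLs. BGP (TCP/179) is allowed only between the two peer
! addresses; every other BGP packet is dropped, all other traffic passes.
ip access-list extended BGP-IN
 permit tcp host 10.0.23.3 host 10.0.23.2 eq bgp
 permit tcp host 10.0.23.3 eq bgp host 10.0.23.2
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 permit ip any any
!
ip access-list extended BGP-OUT
 permit tcp host 10.0.23.2 host 10.0.23.3 eq bgp
 permit tcp host 10.0.23.2 eq bgp host 10.0.23.3
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 permit ip any any
!
interface Serial0/0
 ip address 10.0.23.2 255.255.255.0
 ip access-group BGP-IN in
 ip access-group BGP-OUT out
!
router bgp 64496
 ! Best practice: log session up/down events
 bgp log-neighbor-changes
 ! Tip 6: discard updates whose AS path is longer than 20 hops (assumed value)
 bgp maxas-limit 20
 neighbor 10.0.23.3 remote-as 64497
 ! Tip 5: TCP MD5 authentication; the same secret is configured on R3
 neighbor 10.0.23.3 password S3cretBGPkey
 ! Tip 4: GTSM. Accept only packets with TTL >= 254, i.e. from a directly
 ! connected peer; a spoofed session from further away cannot reach that TTL.
 neighbor 10.0.23.3 ttl-security hops 1
 ! Tip 1: tear down the session above 100 prefixes, warn at 80 % (assumed values)
 neighbor 10.0.23.3 maximum-prefix 100 80
 ! Tip 2 applied inbound on this neighbor
 neighbor 10.0.23.3 filter-list 10 in
```

Two caveats worth knowing before copying this: ttl-security cannot be combined with ebgp-multihop on the same neighbor (the two are contradictory by design), and the password, maximum-prefix and ttl-security settings must match on both sides or the session will not come up. Check the result with "show ip bgp neighbors 10.0.23.3" (it reports the prefix limit, TTL security and whether MD5 authentication is in use) and "show ip bgp filter-list 10" to see which received paths the private-AS filter lets through.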