Sometimes attackers try to undermine network security by denying legitimate users access to the network. Learn about two techniques that you can implement to defend your network against these denial of service attacks: flood guard and loop prevention.
- [Teacher] Sometimes, attackers try to undermine network security by denying legitimate users access to the network. Let's take a look at two techniques you can implement to defend your network against availability-based attacks. Many denial of service attacks rely upon flooding devices with traffic until they are overwhelmed. One example of this type of attack is the SYN flood. You may recall that in a SYN flood attack, the attacker creates thousands of partially open TCP connections to a device by sending SYN packets, but never answering the SYN-ACK packet to complete the three-way handshake.
This is one example of flooding, and there are many similar attacks in the attacker's toolkit. Another example, MAC flooding, occurs when attackers send large numbers of different MAC addresses to a switch, hoping to overflow the switch's MAC address table, and cause it to forget where devices are, and then flood traffic out to every switch port, allowing the attacker to eavesdrop on sensitive communications. Network devices often offer flood guard protection designed to watch for these attacks in progress, and limit their effectiveness.
Flood guard works by controlling the number of open connections that each source system may have. Standard security controls also protect against these attacks. For example, enabling port security protects switches against MAC flooding attacks. Now, let's turn our attention to a second network availability issue, routing loops. Routing loops occur when there are multiple physical paths between two network devices, and the devices mistakenly begin routing broadcast traffic in a redundant fashion.
If this happens, the network quickly fills up with these broadcast messages, and no capacity is left for legitimate use. This condition is known as a broadcast storm. The solution to routing loops is to use routing protocols that include loop protection, such as the Spanning Tree Protocol. These protocols allow multiple physical connections between devices, but restrict logical connections to remove the final links that would allow a loop. Broadcast storms can't occur in this case, but the network still benefits from the redundant links because, if an outage occurs, the routing protocol can recompute network paths to cut out the dead device and make use of redundant links.
Using flood guards and loop prevention helps administrators maintain secure, highly available networks.
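The flood guard behavior the transcript describes (limiting the number of half-open connections each source may hold) as an added, simplified model; this is example code, not code from the course or from any vendor's flood guard feature. The packet tuple layout, the per-source limit of 3 and the sample traffic are all assumptions constructed for the demonstration.

```python
from collections import defaultdict

# Hypothetical per-source limit on half-open (embryonic) TCP connections.
HALF_OPEN_LIMIT = 3


class FloodGuard:
    """Tracks half-open TCP connections per source address and refuses new
    SYNs from a source once it holds `limit` unanswered handshakes."""

    def __init__(self, limit=HALF_OPEN_LIMIT):
        self.limit = limit
        # src -> set of (sport, dst, dport) connections still in handshake
        self.half_open = defaultdict(set)

    def handle(self, pkt):
        """Return 'ALLOW' or 'DROP' for one client-side packet
        (src, sport, dst, dport, flags). Only the client's SYN and its
        final ACK are tracked; the server's SYN-ACK is not modelled."""
        src, sport, dst, dport, flags = pkt
        key = (sport, dst, dport)
        if flags == "SYN":
            if key not in self.half_open[src] and \
                    len(self.half_open[src]) >= self.limit:
                return "DROP"          # source already at its half-open quota
            self.half_open[src].add(key)   # retransmitted SYN is not re-counted
            return "ALLOW"
        if flags == "ACK":
            self.half_open[src].discard(key)   # handshake completed
        return "ALLOW"


def simulate(packets, limit=HALF_OPEN_LIMIT):
    """Run packets through a fresh guard; return per-source verdict counts."""
    guard = FloodGuard(limit)
    verdicts = defaultdict(lambda: {"ALLOW": 0, "DROP": 0})
    for pkt in packets:
        verdicts[pkt[0]][guard.handle(pkt)] += 1
    return {src: dict(v) for src, v in verdicts.items()}


# Constructed sample traffic: 10.0.0.5 completes every handshake, while
# 10.0.0.9 keeps opening connections and never sends the final ACK.
SAMPLE = [
    ("10.0.0.5", 40001, "10.0.0.80", 443, "SYN"),
    ("10.0.0.5", 40001, "10.0.0.80", 443, "ACK"),
    ("10.0.0.9", 50001, "10.0.0.80", 443, "SYN"),
    ("10.0.0.9", 50002, "10.0.0.80", 443, "SYN"),
    ("10.0.0.9", 50003, "10.0.0.80", 443, "SYN"),
    ("10.0.0.9", 50004, "10.0.0.80", 443, "SYN"),
    ("10.0.0.9", 50005, "10.0.0.80", 443, "SYN"),
    ("10.0.0.5", 40002, "10.0.0.80", 443, "SYN"),
    ("10.0.0.5", 40002, "10.0.0.80", 443, "ACK"),
]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

The flooding host is cut off at its third unanswered SYN while the well-behaved client, whose handshakes complete and free its quota, is never affected.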
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security