Corrective Actions
DoS attacks are notoriously difficult to prevent, but some tools are available that can mitigate their effects. Currently, there really are no ways of either tracking down the perpetrators or of preventing similar attacks in the near future. The best defense against attacks like these is egress and ingress traffic filtering:
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Right now, well-administered networks practice this strategy at their borders. If all networks were so well-administered, these attacks could be dealt with relatively quickly. When inbound traffic is filtered, a single attack would notify the victim of the addresses of all the conquered machines. With this information, the owners of the infected machines could be notified and filters could be put in place near the machines to block the attacks while the machines were being shut down and fixed.
Egress filtering prevents the use of spoofed addresses and other methods used by crackers to try to cover their tracks.
Neither of these types of filtering would in any way interfere with the proper and lawful use of an Internet connection.
Of course, the long-term solution is to develop techniques for rapidly tracking these attacks to their source and then notifying the people who have been infected to secure their broken servers, or notifying the ISPs to put blocks in place to shut down an attack at its many sources.
Following are some steps to consider when mitigating a DoS attack, many of which are recommended on CERT's Denial-of-Service Attacks web page and the SANS Institute web page:
Implement router filters and install patches to guard against TCP SYN flooding. This will lessen your exposure to certain DoS attacks. It will also aid in preventing users on your network from effectively launching certain DoS attacks. This will substantially reduce your exposure to these attacks but may not eliminate the risk entirely.
As CERT states, "Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system. The half-open connection's data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections. In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections. However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative."
On Cisco routers, use the ip verify unicast reverse-path and no ip directed-broadcast interface commands (or their equivalents on other routers) on the input interface at the upstream end of the connection. This prevents your network from being used as an amplifier for attacks like Smurf, PapaSmurf, and Fraggle, which are classic examples of UDP/ICMP-style DoS tools.
Filter all inbound/outbound RFC 1918 address space using access control lists on your edge routers. These address ranges are 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12.
Apply ingress and egress filtering using RFC 2267-referenced ACLs. As stated in the RFC, "It is the responsibility of all network administrators to ensure [that] they do not become the unwitting source of an attack of this nature."
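The two filtering rules above (RFC 2267 source-address checks at the edge and the RFC 1918 bogon filter) can be expressed as a small decision procedure. The following is an added illustration, not code from the original article or from any router vendor: it models an edge router's ingress and egress checks over constructed sample packets. The prefix 203.0.113.0/24 is assumed to be the network you administer; everything else is constructed test data.

```python
"""Ingress/egress filtering checks in the spirit of RFC 2267 (BCP 38) and the
RFC 1918 address filter described above. Added illustration, not code from the
article or any router vendor; prefixes and sample packets are constructed."""
import ipaddress

# The three RFC 1918 private ranges quoted in the article; they must never
# cross the edge in either direction.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (constructed) address block assigned to our own network.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def is_rfc1918(addr):
    """True if addr falls inside any RFC 1918 range."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def ingress_decision(src, dst):
    """Packet arriving from the Internet onto our edge router.
    Drop if it carries RFC 1918 space on either side, or if it claims one of
    our own addresses as source (an outsider spoofing our prefix)."""
    s = ipaddress.ip_address(src)
    if is_rfc1918(src) or is_rfc1918(dst):
        return "drop", "rfc1918 address at the edge"
    if s in OUR_PREFIX:
        return "drop", "external packet spoofing our prefix"
    return "permit", ""


def egress_decision(src, dst):
    """Packet leaving our network. Per RFC 2267 only our own prefix may appear
    as source, so a spoofed source is dropped before it reaches the upstream;
    RFC 1918 addresses must not leak out either."""
    s = ipaddress.ip_address(src)
    if is_rfc1918(src) or is_rfc1918(dst):
        return "drop", "rfc1918 address at the edge"
    if s not in OUR_PREFIX:
        return "drop", "spoofed source not in our prefix"
    return "permit", ""


def apply_filter(direction, packets):
    """Run each (src, dst) pair through the chosen filter.
    Returns a list of (src, dst, verdict, reason) tuples."""
    fn = ingress_decision if direction == "ingress" else egress_decision
    return [(s, d) + fn(s, d) for s, d in packets]


# Constructed sample traffic.
OUTBOUND = [
    ("203.0.113.25", "198.51.100.7"),  # legitimate host on our prefix
    ("192.0.2.99", "198.51.100.7"),    # spoofed source that is not ours
    ("10.4.4.4", "198.51.100.7"),      # private address leaking out
]
INBOUND = [
    ("198.51.100.7", "203.0.113.25"),  # normal reply from outside
    ("203.0.113.1", "203.0.113.25"),   # outsider claiming our own address
    ("198.51.100.7", "192.168.1.10"),  # private destination from outside
]

if __name__ == "__main__":
    for direction, pkts in (("egress", OUTBOUND), ("ingress", INBOUND)):
        for src, dst, verdict, reason in apply_filter(direction, pkts):
            print(f"{direction:7} {src:>15} -> {dst:<15} {verdict:6} {reason}")
```

The egress check is what the article's Cisco ip verify unicast reverse-path command performs in hardware: a packet whose source address would not be routed back out the interface it arrived on is discarded. The point of running it on every edge, not only your own, is the one the RFC quotation makes: the filter protects other people's networks from spoofed traffic originating in yours.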
If possible, capture packet samples for analysis. We recommend the tcpdump program. Preserve these logs as evidence for law enforcement.
Disable any unused or unneeded network services to limit what an intruder can take advantage of to execute a denial-of-service attack.
Enable quota systems (if available) on your operating system to prevent a disk space denial-of-service attack.
Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic. Unauthorized transfers usually show up as unexplained high bandwidth use during off-peak hours.
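The CERT description of half-open connections, the tcpdump captures recommended above, and the baseline advice in this step come together in the following added example. It is not code from CERT, SANS or the original article: it parses a constructed excerpt in the format of `tcpdump -n` output, tracks each client handshake to its final ACK, and compares the number of half-open connections with a constructed baseline for the server. The server address 203.0.113.10, the client addresses and the baseline value are all assumptions.

```python
"""Counting half-open TCP connections from tcpdump-style output.
Added example, not code from the original article, CERT or SANS. The
capture below is constructed to mimic `tcpdump -n` lines."""
import re
from collections import Counter

# Matches the prefix of a tcpdump line: timestamp, endpoints and TCP flags.
LINE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict of fields for a TCP tcpdump line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def handshake_states(lines):
    """Return {(client_ip, client_port, server_ip, server_port): state}.
    state is 'syn' (client SYN seen), 'synack' (server answered) or
    'established' (client's final ACK seen). Anything not 'established'
    is a half-open connection in the sense of the CERT text."""
    states = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        if "S" in flags and "." not in flags:            # [S]  client SYN
            states[(p["src"], p["sport"], p["dst"], p["dport"])] = "syn"
        elif "S" in flags and "." in flags:              # [S.] server SYN-ACK
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if states.get(key) == "syn":
                states[key] = "synack"
        elif "." in flags:                               # [.] / [P.] client ACK
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if states.get(key) == "synack":
                states[key] = "established"
    return states


def syn_flood_report(lines, baseline_half_open=2, max_ratio=0.5):
    """Summarise half-open connections against a baseline (constructed value)
    of how many this server normally carries at any moment."""
    states = handshake_states(lines)
    half_open = [k for k, st in states.items() if st != "established"]
    by_source = Counter(k[0] for k in half_open)
    total = len(states)
    ratio = len(half_open) / total if total else 0.0
    return {
        "total_syn": total,
        "half_open": len(half_open),
        "half_open_ratio": round(ratio, 2),
        "top_sources": by_source.most_common(3),
        "alert": len(half_open) > baseline_half_open and ratio > max_ratio,
    }


# Constructed capture: one legitimate client completes two handshakes, then
# several sources send SYNs that are answered but never acknowledged.
CAPTURE = """\
12:00:00.000100 IP 198.51.100.7.50001 > 203.0.113.10.80: Flags [S], seq 100, win 65535, length 0
12:00:00.000200 IP 203.0.113.10.80 > 198.51.100.7.50001: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:00.000300 IP 198.51.100.7.50001 > 203.0.113.10.80: Flags [.], ack 901, win 65535, length 0
12:00:00.000400 IP 198.51.100.7.50002 > 203.0.113.10.80: Flags [S], seq 200, win 65535, length 0
12:00:00.000500 IP 203.0.113.10.80 > 198.51.100.7.50002: Flags [S.], seq 901, ack 201, win 65535, length 0
12:00:00.000600 IP 198.51.100.7.50002 > 203.0.113.10.80: Flags [P.], seq 201:250, ack 902, win 65535, length 49
12:00:01.000000 IP 192.0.2.10.1025 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000010 IP 203.0.113.10.80 > 192.0.2.10.1025: Flags [S.], seq 2000, ack 2, win 65535, length 0
12:00:01.000020 IP 192.0.2.10.1026 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000030 IP 203.0.113.10.80 > 192.0.2.10.1026: Flags [S.], seq 2001, ack 2, win 65535, length 0
12:00:01.000040 IP 192.0.2.10.1027 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000050 IP 203.0.113.10.80 > 192.0.2.10.1027: Flags [S.], seq 2002, ack 2, win 65535, length 0
12:00:01.000060 IP 192.0.2.11.1025 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000070 IP 203.0.113.10.80 > 192.0.2.11.1025: Flags [S.], seq 2003, ack 2, win 65535, length 0
12:00:01.000080 IP 192.0.2.12.1025 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000090 IP 192.0.2.13.1025 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
"""

if __name__ == "__main__":
    print(syn_flood_report(CAPTURE.splitlines()))
```

On the constructed capture the report counts eight client SYNs, six of them still half-open, and raises the alert because both the absolute count and the half-open ratio exceed the baseline. The ratio matters as much as the count: a busy server legitimately holds many pending connections, so a baseline recorded during ordinary activity, as the step above recommends, is what turns the raw number into a signal.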
Use Tripwire or a similar tool to detect changes in configuration information or other files. Other tools at your disposal include the denial-of-service tools that you can use for testing your own machines. Use of these tools on a test network is the one way to build a stable network-enabled product that won't crash under the load of a distributed packet flood.
Invest in and maintain "hot spares": machines that can be placed into service quickly in the event that a similar machine is disabled, or added to a cluster so load can be distributed during the attack.
Invest in redundant and fault-tolerant network configurations to make it harder for an attacker to saturate your bandwidth links.
Using available tools, make sure that systems on your LAN belong there and have not been compromised by known exploits.
Finally, if you're attacked and want to seek an investigation, contact your local FBI field office for guidance and information. For contact information see the FBI web page. Non-U.S. sites should discuss the attack with their local law enforcement agency.