Anti-DoS procedures

Posted on 2003-03-21
Last Modified: 2008-01-09
My comrades run a web-hosting service, seen here: http://www.l33t.ca
Anyway, they have been having quite a bit of difficulty from an individual, or possibly a group (I'm unsure; I have yet to examine the logs), with DoS. I know how to deal with SYN / SYN-ACK based attacks, and other than that DDoS is simple enough to deal with, but supposing they're using the least likely (ICMP IP rebroadcast DoS), I was wondering how to deal with an attack like that.
I plan to set a strict set of rules at the router, and I may only allow ICMP from trusted networks... only if it comes to that.

Thanks for your help.
~sarevok9~
Question by:sarevok9
8 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 8183410
What kind of router do you have?
LVL 24

Accepted Solution

by:
SunBow earned 336 total points
ID: 8184093
I'm sure you know (?) that when it comes to individuals, IP blocking is definitely in order.
IMO, for a valid 'attack', IPs of zombies should be blocked as well. Even if it is a surrogate or DHCP-shared address, either their ISP should head them off at the pass, or the ISP itself is contributing to the problem and demonstrates no need to permit their addresses access to the public. Many ISPs do disconnect their abusers if they fail to behave, knowledgeable or not.

For ICMP, I see no need to permit the traffic from untrusted networks, so that's a good beginning for you.

Author Comment

by:sarevok9
ID: 8184966
Well, we use the Razor team's DDoS tracker to stop the mass DDoS movement. As for blocking the ISP: that's entirely out of the question. If you viewed the site itself you would have noted it's a web host, and banning the entirety of an ISP would not only make us lose customers, it would limit current customers' potential growth... hence why I am in a bit of a bind. Unless I block individual IPs (which are nearly limitless), I'm out of options, am I not?
LVL 8

Assisted Solution

by:ViRoy
ViRoy earned 332 total points
ID: 8184971

www.l33t.ca, huh?
As in 31337 h4x0r, I'm betting.
Makes a great target for blackhats, especially since the domain name implies being hackers.

My best recommendation would be to prepare big time; most likely that webserver will be attacked repeatedly.
I would definitely start off with stopping ALL ICMP traffic. This will help prevent DDoS attacks; however, it's possible that someone can spoof your trusted domains and get away with a wide variety of DoS attacks, whether they be distributed or not. And in some cases a trusted domain can lead to a privilege escalation attack, which I assure you is much worse than a DoS attack ;)

I would recommend using an IDS (Intrusion Detection System) in combination with a Padded Cell System.
First off, the IDS sits outside the router and does nothing more than watch for known attack patterns. When it recognizes suspicious activity, it can actively inject reset packets and effectively terminate a remote connection. You can also set rules such as banning IPs that attack the servers.

If you want to be even more sly, an IDS can be used in conjunction with what's called a "padded cell system".
What happens here is, when the IDS discovers attack patterns, it will trigger the padded cell system to hijack the connection from whatever server is being attacked to the padded cell system.
The padded cell system is nothing more than a fake server with all kinds of good-looking fake info that a hacker would view as a successful attack. The attacker then does whatever they do and leaves. You can then use the padded cell system to not only tell exactly what the attacker did and how to prevent it in the future, but it can also be used as evidence in case any legal action needs to be taken.

This is a common practice in larger corporations and high-stakes servers.
I would recommend starting with www.snort.org - Snort is free and open source, which means you're more likely to secure yourself from newly discovered attacks rather than waiting for a software corp to update their IDS software.
Quite easy to set up and understand as well.

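To make the "watch for known attack patterns, then ban the IPs" step concrete, here is an added example that is not code from the thread above and not Snort's code. It is a small sliding-window detector that flags the two patterns the thread keeps returning to: a SYN flood (many half-open connections to one host in a short window) and the Smurf-style ICMP echo-reply flood the question calls "ICMP IP rebroadcast DoS" (unsolicited echo replies converging on one victim). The packet record layout, the thresholds, the window size and the sample traffic are all assumptions constructed for the example.

```python
"""Sliding-window flood detector over constructed packet records.

Added example; not code from the original thread or from Snort. The record
layout, thresholds and sample traffic below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since capture start
    src: str
    dst: str
    proto: str         # "tcp" or "icmp"
    flags: str = ""    # tcp: "S", "SA", "A"; icmp: "echo-request" / "echo-reply"


class FloodDetector:
    def __init__(self, window=1.0, syn_threshold=50, reply_threshold=50):
        self.window = window
        self.syn_threshold = syn_threshold
        self.reply_threshold = reply_threshold
        self.half_open = defaultdict(dict)   # dst -> {src: ts of its SYN}
        self.replies = defaultdict(dict)     # dst -> {src: ts of its echo-reply}
        self.outstanding = set()             # (our host, peer) pings we sent ourselves
        self.alerts = []                     # (kind, victim, frozenset of sources)

    def _recent(self, table, now):
        """Drop entries older than the window; return the surviving sources."""
        stale = [s for s, t in table.items() if now - t > self.window]
        for s in stale:
            del table[s]
        return frozenset(table)

    def feed(self, pkt):
        if pkt.proto == "tcp":
            if pkt.flags == "S":
                self.half_open[pkt.dst][pkt.src] = pkt.ts
                srcs = self._recent(self.half_open[pkt.dst], pkt.ts)
                if len(srcs) >= self.syn_threshold:
                    self.alerts.append(("syn-flood", pkt.dst, srcs))
                    self.half_open[pkt.dst].clear()
            elif pkt.flags == "A":
                # Third step of the handshake: this source is real, not spoofed.
                self.half_open[pkt.dst].pop(pkt.src, None)
        elif pkt.proto == "icmp":
            if pkt.flags == "echo-request":
                self.outstanding.add((pkt.src, pkt.dst))
            elif pkt.flags == "echo-reply":
                if (pkt.dst, pkt.src) in self.outstanding:
                    self.outstanding.discard((pkt.dst, pkt.src))
                    return                   # answer to a ping we sent: legitimate
                self.replies[pkt.dst][pkt.src] = pkt.ts
                srcs = self._recent(self.replies[pkt.dst], pkt.ts)
                if len(srcs) >= self.reply_threshold:
                    self.alerts.append(("icmp-reply-flood", pkt.dst, srcs))
                    self.replies[pkt.dst].clear()

    def block_list(self):
        """Every source that took part in an alert: candidates for a router ban."""
        ips = set()
        for _, _, srcs in self.alerts:
            ips |= srcs
        return ips


def sample_traffic():
    """Constructed packets: five normal connections, a spoofed SYN flood,
    one legitimate ping exchange, then a Smurf-style reply flood."""
    victim = "10.0.0.5"                      # assumed web server address
    pkts = []
    for i in range(1, 6):                    # normal clients complete the handshake
        c = f"198.51.100.{i}"
        pkts.append(Packet(0.1 * i, c, victim, "tcp", "S"))
        pkts.append(Packet(0.1 * i + 0.02, victim, c, "tcp", "SA"))
        pkts.append(Packet(0.1 * i + 0.04, c, victim, "tcp", "A"))
    for i in range(1, 61):                   # 60 spoofed SYNs, never completed
        pkts.append(Packet(2.0 + 0.005 * i, f"203.0.113.{i}", victim, "tcp", "S"))
    pkts.append(Packet(4.0, victim, "198.51.100.9", "icmp", "echo-request"))
    pkts.append(Packet(4.01, "198.51.100.9", victim, "icmp", "echo-reply"))
    for i in range(1, 61):                   # 60 unsolicited replies from one /24
        pkts.append(Packet(5.0 + 0.005 * i, f"192.0.2.{i}", victim, "icmp", "echo-reply"))
    return pkts


def run(packets, **kw):
    """Feed packets in time order; returns the detector with its alerts."""
    det = FloodDetector(**kw)
    for p in sorted(packets, key=lambda p: p.ts):
        det.feed(p)
    return det


if __name__ == "__main__":
    d = run(sample_traffic())
    for kind, victim, srcs in d.alerts:
        print(f"{kind}: {len(srcs)} sources -> {victim}")
    print("block candidates:", len(d.block_list()))
```

Two design points worth noting. The detector counts distinct sources per victim, so it catches the spoofed, many-source floods the thread describes; a single non-spoofed host hammering one port is better handled by per-source rate limiting. And the echo-reply check only works if the sensor also sees the outbound echo-requests, which is why it has to sit where both directions of traffic pass.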
LVL 3

Assisted Solution

by:cduke250
cduke250 earned 332 total points
ID: 8187198
Make sure you do not allow directed broadcast messages from the Internet.

There are two types of defense against DDoS attacks: defending against a flood and keeping zombies off your system. Make sure your system is up-to-date with all your hardware and software. You also must employ egress anti-spoof filters on your external router or firewall. Since DoS attacks almost always involve some spoofed packets, egress anti-spoof filters help a lot.

The best defense I know of against an attack is fast detection and the ability to get the incident response forces moving at your ISP. You need to employ IDS tools that can quickly alert you when a DDoS attack starts. When you are alerted, you should immediately call a member of the incident response team of your ISP. They will be able to block the flood traffic at the points where it enters their network.

SYN flooding defense can be helped by having larger connection queues and SYN cookies. SYN cookies can be activated on a Linux machine by adding  echo 1 > /proc/sys/net/ipv4/tcp_syncookies  to your boot sequence. Also, a Linux machine can be configured as a proxy firewall that will add SYN cookie protection to an entire network. To do this, visit www.bronzesoft.org/projects/scfw/doc.html#dl . However, if a flood attack does occur, you will need to quickly redirect critical traffic through another path, so redundant communication links are required. Another good idea would be to have 2 or more different ISPs for particularly sensitive systems.
A list of different vendor approaches and patches to this can be found at www.nation-wide.net/~aleph1 .

It would also be a good idea to create static ARP tables on your most sensitive networks to make sure no one can alter IP-to-MAC address mappings on your LANs. Although this will make managing the network more difficult, it is a good idea.


If you suspect one of your systems has been compromised and is running a zombie, check out the free tool called "Find DDOS" distributed by the National Infrastructure Protection Center. This will scan your Linux and Solaris systems. www.nipc.gov/warnings/advisories/2000/00-44.htm
Also, if you find a zombie you can put them to sleep with Zombie Zapper at razor.bindview.com/tools/ZombieZapper_form.shtml

I would also disallow ICMP Echo Replies. It is usually allowed so that inside users can ping outside of the network and receive a response. This MUST be checked.

You can test your network to see if it can be / is being used as a Smurf amplifier by visiting www.powertech.no/smurf/ and using their online form to test your system.
If your network is vulnerable, you must stop directed broadcast packets at your border router or firewall.


Some good reading for your pleasure...

Craig A. Huegen's paper on Smurf defenses, located at www.pentics.net/denial-of-service/white-papers/smurf.cgi

Mixter's paper titled "TFN3K", located at packetstorm.securify.com/distributed/tfn3k.txt
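The router rules cduke250 lists (drop directed broadcasts, egress anti-spoof filtering, and ICMP only from trusted networks as the question proposes) are easy to get subtly wrong, so here is an added example that is not code from the thread and does not drive a real router. It evaluates one packet at a time the way a border ACL would, so the policy can be checked against sample traffic before it is written as vendor ACL or iptables rules. The site prefixes, the trusted ICMP network and the sample packets are assumptions made for the example.

```python
"""Border-filter decision logic for the rules recommended in the thread.

Added example; not code from the original thread. LOCAL_NETS,
TRUSTED_ICMP_NETS and SAMPLE_PACKETS are assumed values for illustration.
"""
import ipaddress

# Assumed site addressing: the hosting network's own prefixes and the one
# outside network whose ICMP is still accepted (a monitoring host, say).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24"),
              ipaddress.ip_network("10.0.1.0/24")]
TRUSTED_ICMP_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Every address a "directed broadcast" could target on the local LANs.
BROADCAST_ADDRS = {n.broadcast_address for n in LOCAL_NETS} | {
    ipaddress.ip_address("255.255.255.255")}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst, proto, icmp_type=None):
    """Evaluate one packet at the border; returns (action, reason).

    direction: "in" = arriving from the Internet, "out" = leaving the site.
    proto: "tcp", "udp" or "icmp"; icmp_type is e.g. "echo-request".
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(src, LOCAL_NETS):
            return "drop", "ingress anti-spoof: outside packet claims an inside source"
        if dst in BROADCAST_ADDRS:
            return "drop", "directed broadcast: would make this LAN a Smurf amplifier"
        if proto == "icmp" and not _in_any(src, TRUSTED_ICMP_NETS):
            if icmp_type == "echo-reply":
                return "drop", "unsolicited echo-reply: Smurf reflection traffic"
            return "drop", "ICMP only accepted from trusted networks"
        return "permit", "ok"
    if direction == "out":
        if not _in_any(src, LOCAL_NETS):
            return "drop", "egress anti-spoof: a local host is sending with a forged source"
        return "permit", "ok"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample traffic: (direction, src, dst, proto, icmp_type)
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "10.0.0.5", "tcp", None),                # normal web client
    ("in", "10.0.0.9", "10.0.0.5", "tcp", None),                   # spoofed inside source
    ("in", "203.0.113.7", "10.0.0.255", "icmp", "echo-request"),   # Smurf amplifier probe
    ("in", "192.0.2.3", "10.0.0.5", "icmp", "echo-reply"),         # reflection flood
    ("in", "198.51.100.2", "10.0.0.5", "icmp", "echo-request"),    # trusted monitor
    ("in", "203.0.113.8", "10.0.0.5", "icmp", "echo-request"),     # untrusted ping
    ("out", "10.0.0.5", "203.0.113.7", "tcp", None),               # server's reply
    ("out", "172.16.0.1", "203.0.113.7", "udp", None),             # zombie, forged source
]


def audit(packets=SAMPLE_PACKETS):
    """Run every packet through the policy; returns the list of actions."""
    return [filter_packet(*p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, reason = filter_packet(*pkt)
        print(f"{action:6} {pkt[0]:3} {pkt[1]:>14} -> {pkt[2]:<15} {pkt[3]:4} {reason}")
```

The order of the checks matters: the anti-spoof and directed-broadcast tests run before any protocol-specific rule, so a Smurf probe aimed at 10.0.0.255 is dropped even if it came from a trusted ICMP source. The egress rule is the one that protects everyone else: a compromised customer box that joins a DDoS with forged sources gets its packets dropped at your own border, which is the point cduke250 makes about keeping zombies from being useful.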