Anti-DoS procedures.

My comrades run a web-hosting service, seen here: L33t.ca (http://www.l33t.ca)
Anyway, they have been having quite a bit of difficulty from an individual, or possibly a group (I'm unsure, I have yet to examine the logs), with DoS. I know how to deal with SYN / SYN-ACK based attacks, and other than that DDoS is simple enough to deal with, but supposing they're using the least likely (ICMP IP rebroadcast DoS), I was wondering how to deal with an attack like that.
I plan to set a strict set of rules at the router, and I may only allow ICMP from trusted networks... only if it comes to that.

Thanks for your help.
3 Solutions
What kind of router do you have?
I'm sure you know (?) that when it comes to individuals, IP blocking is definitely in order.
IMO, for a valid 'attack', IPs of zombies should be blocked as well. Even if it is a surrogate or DHCP-shared address, either their ISP should head them off at the pass, or the ISP itself is contributing to the problem and demonstrates no need to permit their addresses access to the public. Many ISPs do disconnect their abusers if they fail to behave, knowledgeable or not.

For ICMP, I see no need to permit the traffic from untrusted networks, so that's a good beginning for you.
sarevok9 (Author) commented:
Well, we use the Razor team's DDoS tracker to stop the mass DDoS movement. As for blocking the ISP: that's entirely out of the question. If you viewed the site itself you would have noted it's a web host, and banning the entirety of an ISP would not only make us lose customers, it would limit current customers' potential growth... hence why I am in a bit of a bind. Unless I block individual IPs (which are nearly limitless), I'm out of options, am I not?

www.l33t.ca, huh?
As in 31337 h4x0r, I'm betting.
Makes a great target for blackhats, especially since the domain name implies being hackers.

My best recommendation would be to prepare big time; most likely that webserver will be attacked repeatedly.
I would definitely start off with stopping ALL ICMP traffic. This will help prevent DDoS attacks; however, it's possible that someone can spoof your trusted domains and get away with a wide variety of DoS attacks, whether they be distributed or not. And in some cases a trusted domain can lead to a privilege escalation attack, which I assure you is much worse than a DoS attack ;)

I would recommend using an IDS (intrusion detection system) in combination with a padded cell system.
First off, the IDS sits outside the router and does nothing more than watch for known attack patterns. When it recognizes suspicious activity, it can actively inject reset packets and effectively terminate a remote connection. You can also set rules such as banning IPs that attack the servers.

If you want to be even more sly, an IDS can be used in conjunction with what's called a "padded cell system".
What happens here is, when the IDS discovers attack patterns, it will trigger the padded cell system to hijack the connection from whatever server is being attacked to the padded cell system.
The padded cell system is nothing more than a fake server with all kinds of good-looking fake info that a hacker would view as a successful attack. The attacker then does whatever they do and leaves. You can then use the padded cell system not only to tell exactly what the attacker did and how to prevent it in the future, but also as evidence in case any legal action needs to be taken.

This is a common practice in larger corporations and high-stakes servers.
I would recommend starting with www.snort.org - Snort is free and open source, which means you're more likely to secure yourself from newly discovered attacks rather than waiting for a software corp to update their IDS software.
Quite easy to set up and understand as well.

Make sure you do not allow directed broadcast messages from the Internet.

There are two types of defense against DDoS attacks: defending against a flood and keeping zombies off your system. Make sure your system is up-to-date with all your hardware and software. You also must employ egress anti-spoof filters on your external router or firewall. Since DoS attacks almost always involve some spoofed packets, egress anti-spoof filters help a lot.

The best defense I know of against an attack is fast detection and the ability to get the incident response forces moving at your ISP.  You need to employ IDS tools that can quickly alert you when a DDOS attack starts.  When you are alerted, you should immediately call a member of the incident response team of your ISP.  They will be able to block the flood traffic at the points where it enters their network.

SYN flooding defense can be helped by having larger connection queues and SYN cookies. SYN cookies can be activated on a Linux machine by adding  echo 1 > /proc/sys/net/ipv4/tcp_syncookies  to your boot sequence. Also, a Linux machine can be configured as a proxy firewall that will add SYN cookie protection to an entire network. To do this, visit www.bronzesoft.org/projects/scfw/doc.html#dl . However, if a flood attack does occur, you will need to quickly redirect critical traffic through another path, so redundant communication links are required. Another good idea would be to have two or more different ISPs for particularly sensitive systems.
A list of different vendor approaches and patches to this can be found at www.nation-wide.net/~aleph1 .

It would also be a good idea to create static ARP tables on your most sensitive networks to make sure no one can alter IP-to-MAC address mappings on your LANs. Although this will make managing the network more difficult, it is a good idea.

If you suspect one of your systems has been compromised and is running a zombie, check out the free tool called "Find DDOS" distributed by the National Infrastructure Protection Center. This will scan your Linux and Solaris systems. www.nipc.gov/warnings/advisories/2000/00-44.htm
Also, if you find a zombie you can put them to sleep with Zombie Zapper at razor.bindview.com/tools/ZombieZapper_form.shtml

I would also disallow ICMP Echo Replies.  It is usually allowed so that inside users can ping outside of the network and receive a response.  This MUST be checked.

You can test your network to see if it can be, or is being, used as a Smurf amplifier by visiting www.powertech.no/smurf/ and using their online form to test your system.
If your network is vulnerable, you must stop directed broadcast packets at your border router or firewall.

Some good reading for your pleasure...

Craig A. Huegen's paper on Smurf defenses located at www.pentics.net/denial-of-service/white-papers/smurf.cgi

Mixter's paper titled "TFN3K" located at packetstorm.securify.com/distributed/tfn3k.txt
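The border filtering policy described in the answers above (egress/ingress anti-spoof, no directed broadcast from the Internet, no inbound ICMP echo replies, ICMP only from trusted networks), written out as an added Python example that is not part of the original thread. The prefixes 192.0.2.0/24 (the hosted LAN) and 198.51.100.0/24 (a trusted ICMP source) are constructed placeholders, and `Packet` and `decide` are names invented here.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed placeholders: the hosting LAN and the networks trusted to send ICMP.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
TRUSTED_ICMP = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    icmp_type: int = -1      # 8 = echo request, 0 = echo reply, -1 = not ICMP
    direction: str = "in"    # "in" = from the Internet, "out" = toward it


def decide(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one packet under the border policy."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Egress anti-spoof: nothing leaves with a source address that is not ours,
    # so a compromised host here cannot contribute spoofed packets to a flood.
    if pkt.direction == "out" and src not in INTERNAL:
        return "drop:egress-spoof"
    # Ingress anti-spoof: the Internet never legitimately sends our own addresses.
    if pkt.direction == "in" and src in INTERNAL:
        return "drop:ingress-spoof"
    # A directed broadcast to our subnet is exactly what a Smurf amplifier needs.
    if pkt.direction == "in" and dst == INTERNAL.broadcast_address:
        return "drop:directed-broadcast"
    if pkt.direction == "in" and pkt.proto == "icmp":
        if pkt.icmp_type == 0:
            return "drop:icmp-echo-reply"   # inside users lose ping replies; accepted trade-off
        if not any(src in net for net in TRUSTED_ICMP):
            return "drop:icmp-untrusted"
    return "accept"


def summarize(packets: list) -> Counter:
    """Count decisions over a batch, e.g. a capture replayed from the border."""
    return Counter(decide(p) for p in packets)


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate web hit plus a few policy violations.
    sample = [
        Packet("203.0.113.5", "192.0.2.10", "tcp"),
        Packet("203.0.113.5", "192.0.2.255", "icmp", 8),
        Packet("198.51.100.4", "192.0.2.10", "icmp", 0),
        Packet("192.0.2.7", "192.0.2.10", "tcp"),
    ]
    print(summarize(sample))
```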
