How to prevent becoming a victim of a DoS attack?

We had an issue on our network recently that was described as a DoS attack, because someone was playing with a program and didn't realize what they were doing. My question is just how does a DoS attack work, and how can you prevent it from taking down your network?
DoS stands for Denial of Service, and it can be hard to protect against because it makes use of the fact that your computers are offering a service, or at least running one. It basically works by a person rendering a system unusable, or slowing it to a crawl, by overloading its resources so that no one else can access them. It can happen because someone wants it to, or, as in your case, by accident. Just about every piece of equipment, PCs, routers and anything else that has to process packets at some level, is vulnerable to DoS attacks. It's hard to protect against them; however, restricting access to critical accounts, resources and files and protecting them from unauthorized users can help hinder many DoS attacks. If you are connected to the Internet there is always a chance that an attacker may send you more data than you are able to process.

Remember a little while back when Amazon, eBay and a bunch of other big sites claimed they were being attacked and you couldn't get to them for a while? This is what was happening to them, although that is more properly classified as a DDoS (distributed denial of service) because the attack was coming from more than just one machine.

In its simplest form a DoS can result from a barrage of ICMP echo replies, which is what caused the problem mentioned above. Someone had compromised many machines within a university's network. These machines were going out on that network and pinging all of the other machines continuously, but making it look as if those pings were coming from Yahoo. So when those machines were replying, "yeah, I'm here", they were doing so back to Yahoo. Now we're talking about hundreds of machines here, all continuously telling Yahoo that they were alive at the same time. Well, Yahoo couldn't process all of those packets quickly enough, so it was overflowing its receive buffer. It appeared that Yahoo was offline, but it was just too busy to answer your request for its web page because it was processing all of those packets. Sometimes this can cause a machine to crash; sometimes it can just tie it up.

We used to have fun back in the NT4 days with similar programs, and pinging the NetBIOS ports would cause a machine to blue screen. This was before they fixed the problem with a service pack. I also used to have tons of fun on AOL back when it was version 3 using similar tools, lol.
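The reflection flood this answer describes (a victim receiving echo replies it never asked for), as an added example that is not part of the original thread. The log format, hosts, addresses, and the 20-replies-per-second threshold are all constructed for the example; the detection idea is simply that an echo reply with no recent matching request from that destination is unsolicited, and a burst of those aimed at one host is the signature.

```python
"""Spot an ICMP echo-reply (reflection) flood in a simplified flow log.

Added example, not code from the original thread. Log format is constructed:
one packet per line, "timestamp src dst icmp_type" (type 8 = echo request,
type 0 = echo reply). A reply with no recent matching request from the
destination is treated as unsolicited; a burst of those aimed at one host is
the pattern the post describes.
"""
from collections import defaultdict, deque

ECHO_REQUEST = 8
ECHO_REPLY = 0


def build_sample_log(reflectors=50):
    """Constructed sample as seen from the victim's side of the network."""
    lines = [
        "1.00 10.1.1.5 10.1.1.9 8",   # a normal ping...
        "1.01 10.1.1.9 10.1.1.5 0",   # ...and its reply
        "5.00 192.0.2.7 10.1.1.5 0",  # one stray reply: unsolicited, but not a flood
    ]
    for i in range(reflectors):
        # Each reflector answers a request it believes came from 203.0.113.10;
        # that host never sent one, so every reply is unsolicited.
        lines.append(f"2.{i:02d} 172.16.0.{i + 1} 203.0.113.10 0")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into (time, src, dst, icmp_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, itype = line.split()
        events.append((float(ts), src, dst, int(itype)))
    return events


def find_reflection_victims(events, window=1.0, threshold=20):
    """Return {victim: (peak_unsolicited_replies_in_window, distinct_sources)}.

    `window` is how long a reply may trail its request and still count as
    answered, and is also the sliding window used for the burst count.
    `threshold` is the burst size we call a flood (assumed value).
    """
    outstanding = defaultdict(deque)   # (requester, target) -> request times
    unsolicited = defaultdict(list)    # dst -> [(time, src)] replies with no request
    for ts, src, dst, itype in sorted(events):
        if itype == ECHO_REQUEST:
            outstanding[(src, dst)].append(ts)
        elif itype == ECHO_REPLY:
            pending = outstanding[(dst, src)]
            while pending and ts - pending[0] > window:
                pending.popleft()      # request too old to be answered by this reply
            if pending:
                pending.popleft()      # reply matches a real request
            else:
                unsolicited[dst].append((ts, src))

    victims = {}
    for dst, replies in unsolicited.items():
        times = [t for t, _ in replies]   # already in time order
        peak = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            victims[dst] = (peak, len({s for _, s in replies}))
    return victims


if __name__ == "__main__":
    found = find_reflection_victims(parse_log(build_sample_log()))
    for victim, (peak, sources) in found.items():
        print(f"{victim}: {peak} unsolicited echo replies within 1s from {sources} hosts")
```

The stray single reply to 10.1.1.5 is counted as unsolicited but never reaches the threshold, which is the point of rate-basing the alert: one odd packet is noise, fifty in under a second from fifty different hosts is a reflection flood.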

As you've experienced, a DoS attack doesn't have to be malicious, come from the Internet, or take advantage of a vulnerability.

There are two aspects to guarding the network: proactive and reactive.
The proactive aspects involve keeping things patched, having policies and educating users, setting up firewalls, and setting appropriate packet filters.
The reactive approach is network monitoring, usually done with SNMP and an IDS. You need both intrusion detection and SNMP monitoring and alerting to be truly safe (but remember you're always one step behind the script kiddies). The first monitors for known worms and other vulnerability probes; the second keeps an eye on network traffic rates, failed equipment and connections, and would have picked up a bad NIC, some goofball who set his laptop address to the broadcast address, rogue servers and wireless connections, misbehaving applications (and users), etc.
One way to stop an attack would be to identify the IP addresses, subnets or ports and use an IPsec policy to block the activity.
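The reactive half of this answer (watch per-host traffic rates, then block the offending addresses or subnets), as an added example that is not part of the original thread. The collector summary, the addresses, and the two thresholds are constructed and assumed; the block rules are rendered as iptables lines only because that syntax is unambiguous, where this answer would use an IPsec policy on Windows.

```python
"""Rate-watch per-source traffic and turn outliers into block rules.

Added example, not code from the original thread. Input is a constructed
collector summary: (second, source_ip, packets_in_that_second), the kind of
per-host rate an SNMP or flow monitor would report. Thresholds are assumed.
"""
import ipaddress
from collections import defaultdict

PPS_THRESHOLD = 100     # packets/second from one host that we call abusive (assumed)
SUBNET_MIN_HOSTS = 3    # flagged hosts in one /24 before blocking the whole /24 (assumed)


def build_sample_rates():
    """Constructed sample: two normal users, one runaway host, one infected /24."""
    rows = []
    for sec in range(10):
        rows.append((sec, "10.0.5.20", 12))
        rows.append((sec, "10.0.5.21", 8))
    for sec in range(4, 10):                  # a runaway tool on one box
        rows.append((sec, "10.0.7.77", 2500))
    for sec in range(10):                     # several compromised hosts in one subnet
        for host in (3, 4, 5, 9):
            rows.append((sec, f"192.168.40.{host}", 400))
    return rows


def flag_sources(rows, pps_threshold=PPS_THRESHOLD):
    """Sources whose peak one-second packet count exceeded the threshold."""
    peak = defaultdict(int)
    for _sec, src, pkts in rows:
        peak[src] = max(peak[src], pkts)
    return sorted(src for src, p in peak.items() if p > pps_threshold)


def aggregate_blocks(flagged, min_hosts=SUBNET_MIN_HOSTS):
    """Collapse flagged hosts into a /24 where enough of them share a subnet,
    otherwise block the single host. Returns IPv4Network objects."""
    by_net = defaultdict(list)
    for src in flagged:
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        by_net[net].append(ipaddress.ip_network(f"{src}/32"))
    blocks = []
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts:
            blocks.append(net)          # whole subnet is misbehaving
        else:
            blocks.extend(hosts)        # only the individual host(s)
    return sorted(blocks, key=lambda n: (int(n.network_address), n.prefixlen))


def render_rules(blocks):
    """One possible sink: iptables DROP rules. The rule syntax is whatever your
    filter understands (the answer above uses an IPsec policy on Windows)."""
    return [f"iptables -A INPUT -s {b.with_prefixlen} -j DROP" for b in blocks]


if __name__ == "__main__":
    for rule in render_rules(aggregate_blocks(flag_sources(build_sample_rates()))):
        print(rule)
```

Two things to keep in mind when wiring this into a real monitor: the thresholds have to be tuned per network segment (a backup server legitimately pushes far more than 100 packets a second), and blocks produced this way should expire after a while, otherwise the accidental DoS the question describes turns into a self-inflicted one that persists long after the offending program is closed.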
Were none of my links useful at all?

Well, if it's any consolation, I found your links to be informative, Sunray. How do you do one of those assists where you can split the points? Or I could just post some too, couldn't I?

EmO, did you not look at the web pages that were posted by sunray?
Thanks, Toolkoolkris. My idea is that if links can give information, what is the big deal, if it is going to be useful?

I think you should know this. You can post a link saying "points for sunray", I can comment in that, and you can accept my answer.