Sources: (Carnegie Mellon Software Engineering Institute Article, Computerworld Article, EarthWeb Article, Secure Dynamic White Paper, The Encyclopedia of Computer Security Article)
Coping with a distributed denial-of-service (DDoS) attack, like the one the MyDoom worm launched against The SCO Group Inc.'s Web site, remains a major challenge for companies. If an attack is large enough, there is no silver-bullet tactic that will protect your systems. Familiarize yourself with the precautions that blunt smaller attacks, and know which resources can help you cope with larger ones.
Types of DDoS Attacks
In a distributed denial-of-service attack, many systems that an attacker has already compromised are directed at a single target. The aim is to exhaust the target's resources (bandwidth, connection state, CPU) so that it can no longer perform its normal service. Several different methods are used to conduct a DDoS attack. Here are the main ones:
| Type of Attack | What Happens | Suggested Fix |
| --- | --- | --- |
| Ping of Death | Formerly a long-standing problem with UNIX systems. The attacker sends IP fragments that, once reassembled, exceed the maximum IP datagram size of 65,535 bytes (a "fat packet"). When the last fragment arrives, a vulnerable TCP/IP stack overruns its reassembly buffer and the system crashes. | No modern operating system should have this problem: current stacks discard fragments that would reassemble past the 65,535-byte limit. Verify that your firewall also drops them. |
| Teardrop Attack | An old attack still seen today. It sends IP fragments whose byte ranges overlap, which confused the way early stacks reassembled fragments. This attack relies on a poor TCP/IP implementation. | Today most systems handle Teardrop correctly, and firewalls can block overlapping fragments. |
| SYN Flood | When two Internet-aware applications start a session, a TCP three-way handshake has to take place. The attacker sends a flood of SYN packets, usually with spoofed source addresses, and never completes the handshakes, so the target's table of half-open connections fills up. | You can set your firewall to drop incoming packets from known-bad external IP addresses, but because the sources are usually spoofed this helps only so much. Enabling SYN cookies on the server and shortening the half-open connection timeout do more. |
| Smurf Attack | The attacker sends Internet Control Message Protocol (ICMP) echo requests (pings) to a network's broadcast address with the source address spoofed to be the victim. Every host on that network replies to the victim, which is overwhelmed by the amplified flood of echo replies. | Set your firewall to rate-limit or ignore ICMP echo traffic, and configure your router not to forward directed-broadcast traffic so your network cannot be used as an amplifier. |
| UDP (User Datagram Protocol) Flood | When the victim receives a UDP packet from an attacker, it looks for an application listening on the destination port. Finding none, it generates an ICMP "destination unreachable" packet to the forged source address. If enough UDP packets are delivered, the system spends all its time generating these replies and goes down. | Block UDP to every port on your network that does not host a service, and rate-limit the ICMP unreachable messages your hosts generate. |

Source: EarthWeb
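The first two rows of the table are not floods at all but malformed fragment sets, so the fix lives in the receiving stack. The following is an added example (not code from the original article or from EarthWeb) of the two reassembly checks a stack must make: that the fragments do not add up to more than one IP datagram can hold (Ping of Death) and that no fragment's byte range overlaps another's (Teardrop). The fragment sets at the bottom are constructed for the example, and a 20-byte IP header without options is assumed.

```python
# Added example (not from the original article): the two sanity checks a
# TCP/IP stack's fragment reassembly must make to be immune to the first two
# attacks in the table.  "Ping of Death" fragments add up to more than an IP
# datagram can hold; "Teardrop" fragments overlap each other.  All fragment
# sets below are constructed, not captured packets.

IP_HEADER_LEN = 20                    # minimal IPv4 header, no options (assumption)
MAX_PAYLOAD = 65535 - IP_HEADER_LEN   # 16-bit total-length field minus the header


def fragment_ranges(fragments):
    """Map (offset_in_8_byte_units, payload_len) pairs to byte ranges
    [start, end), exactly as the receiver places them in its reassembly
    buffer.  The IP fragment-offset field counts 8-byte units."""
    return [(off * 8, off * 8 + length) for off, length in fragments]


def check_fragments(fragments):
    """Return the problems found in one fragment set; an empty list means
    the set can be reassembled safely (gaps are not an error here, the
    datagram is simply still incomplete)."""
    if not fragments:
        return []
    ranges = sorted(fragment_ranges(fragments))
    problems = []
    # Ping of Death: the reassembled datagram would not fit the total-length
    # field, which is what overran the fixed-size buffers in old stacks.
    end = max(e for _, e in ranges)
    if end > MAX_PAYLOAD:
        problems.append(
            f"ping-of-death: reassembled payload is {end} bytes, limit {MAX_PAYLOAD}")
    # Teardrop: a fragment's byte range overlaps the one before it, which made
    # old stacks compute a negative length when trimming the overlap.
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            problems.append(f"teardrop: fragment [{s2}, {e2}) overlaps [{s1}, {e1})")
    return problems


# Constructed fragment sets: (fragment-offset field value, payload bytes).
CLEAN = [(0, 1480), (185, 1480), (370, 1480)]  # three back-to-back 1480-byte fragments
PING_OF_DEATH = [(0, 1480), (8190, 100)]       # last fragment ends at byte 65620
TEARDROP = [(0, 36), (3, 4)]                   # second fragment sits inside the first

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("ping-of-death", PING_OF_DEATH),
                        ("teardrop", TEARDROP)):
        print(name, "->", check_fragments(frags) or "ok")
```

Both checks are cheap, which is why every modern stack performs them; the remaining rows of the table are volumetric and cannot be solved by a per-packet check on the victim alone.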
Action Plan
Listed below are some options and resources that will help you deal with DDoS attacks.
1. Take proactive steps. Do what you can to prepare your systems for smaller, more common types of attacks. Here are some measures that you can take:
* Revisit security basics. Make sure your firewall aggressively keeps everything out except legitimate traffic. Keep your anti-virus software and security patches up to date, so that your own hosts are not recruited as attack agents against someone else.
* Set aside extra server processing capacity and network bandwidth. Headroom makes your systems better able to absorb sudden surges in Internet traffic. Keep in mind that provisioning spare capacity purely to ride out an attack can be quite costly and may make sense only for larger companies.
* Purchase a back-up domain name. Buy it before an attack, so that you can swiftly retreat and park your Web site at the back-up address while the attack plays out. Post a notice on your site informing users of the temporary move. This only helps if the back-up name resolves to servers and links the attack is not already saturating.
* Distribute Web servers geographically. Normal traffic can then be redirected to the other servers even if one network segment is taken down by an attack.
* Negotiate with your ISP. Ask your Internet service provider (ISP) for some form of guarantee against DDoS attacks: it sits upstream of your link and is in a far better position than you are to detect and choke off traffic directed at a specific IP address before that traffic fills your pipe. Write DDoS protection language into your service-level agreements with data center hosting companies and ISPs.
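When you do call the ISP, the useful thing to hand over is a precise description of what to filter: target address and port, protocol, and how widely the sources are spread. The following is an added example (not code from the original article or any of its sources) of a first-pass triage script that runs the flood heuristics implied by the attack table over per-packet summary records. The record format, the addresses (taken from the RFC 5737 documentation ranges) and the thresholds are all constructed for the example; real thresholds must be tuned to your own baseline traffic.

```python
# Added example (not from the original article): first-pass triage that runs
# the flood heuristics implied by the attack table over per-packet summary
# records, so you can tell your ISP *what* to choke off (target, port,
# protocol, source spread).  Record format, addresses (RFC 5737 documentation
# ranges) and thresholds are all constructed for this example.
from collections import Counter, defaultdict

VICTIM = "198.51.100.10"       # constructed: the server under attack
BROADCAST = "198.51.100.255"   # constructed: our local broadcast address


def classify_floods(records, min_packets=50, min_sources=20, min_ports=50):
    """records: (proto, src, dst, dport, info) tuples, where info is the TCP
    flag string ("S", "SA", "A"), the ICMP message name, or "" for UDP.
    Returns a sorted list of (finding, target) tuples."""
    syn_count, syn_src = Counter(), defaultdict(set)   # bare SYNs per (dst, port)
    ack_count = Counter()                               # handshake-completing ACKs
    echo_reply_src = defaultdict(set)                   # dst -> sources of echo replies
    bcast_echo = Counter()                              # src -> echo requests to broadcast
    udp_count, udp_ports = Counter(), defaultdict(set)  # per-dst UDP volume / port spread

    for proto, src, dst, dport, info in records:
        if proto == "tcp":
            if info == "S":
                syn_count[(dst, dport)] += 1
                syn_src[(dst, dport)].add(src)
            elif "A" in info:
                ack_count[(dst, dport)] += 1
        elif proto == "icmp":
            if info == "echo-reply":
                echo_reply_src[dst].add(src)
            elif info == "echo-request" and dst == BROADCAST:
                bcast_echo[src] += 1
        elif proto == "udp":
            udp_count[dst] += 1
            udp_ports[dst].add(dport)

    findings = []
    # SYN flood: many bare SYNs from many (usually spoofed) sources, fewer than
    # half of which are ever followed by an ACK that completes the handshake.
    for key, n in syn_count.items():
        if n >= min_packets and ack_count[key] * 2 < n and len(syn_src[key]) >= min_sources:
            findings.append(("syn-flood", f"{key[0]}:{key[1]}"))
    # Smurf: one host drowning in echo replies it never asked for, sent by many
    # hosts that answered a broadcast ping carrying the victim's spoofed address.
    for dst, sources in echo_reply_src.items():
        if len(sources) >= min_sources:
            findings.append(("smurf", dst))
    # The mirror image: someone is using *our* broadcast address as the amplifier.
    for src, n in bcast_echo.items():
        if n >= min_packets:
            findings.append(("smurf-amplifier", src))
    # UDP flood: high UDP volume sprayed across many ports, most of them closed,
    # so the victim burns cycles generating ICMP port-unreachable replies.
    for dst, n in udp_count.items():
        if n >= min_packets and len(udp_ports[dst]) >= min_ports:
            findings.append(("udp-flood", dst))
    return sorted(findings)


# --- constructed traffic samples ------------------------------------------
def normal_traffic():
    """60 clients completing TCP handshakes on :80 and querying DNS on :53."""
    recs = []
    for i in range(60):
        client = f"192.0.2.{i + 1}"
        recs += [("tcp", client, VICTIM, 80, "S"), ("tcp", client, VICTIM, 80, "A"),
                 ("udp", client, VICTIM, 53, "")]
    return recs


def syn_flood(n=200):
    """n bare SYNs to :80 from spoofed sources; the handshakes never complete."""
    return [("tcp", f"203.0.113.{i % 250 + 1}", VICTIM, 80, "S") for i in range(n)]


def smurf(n=100):
    """Echo replies from n reflector hosts, all aimed at the victim."""
    return [("icmp", f"203.0.113.{i + 1}", VICTIM, 0, "echo-reply") for i in range(n)]


def udp_flood(n=300):
    """UDP datagrams sprayed over n different high ports on the victim."""
    return [("udp", f"203.0.113.{i % 250 + 1}", VICTIM, 1024 + i, "") for i in range(n)]


if __name__ == "__main__":
    mixed = normal_traffic() + syn_flood() + smurf() + udp_flood()
    for kind, target in classify_floods(mixed):
        print(f"{kind:16} -> {target}")
```

Note what the normal-traffic sample demonstrates: 60 SYNs and 60 DNS queries both clear the packet threshold, yet neither is flagged, because every SYN is followed by an ACK and all the UDP goes to a single served port. Volume alone is not the signal; the missing handshakes and the port spread are, and those are the facts your ISP needs in order to filter without also dropping your legitimate users.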
2. Investigate service providers. The following companies offer solutions that help protect your systems from DDoS attacks.
* Network-level defenses that detect and stop floods:
* Riverhead.
* Arbor Networks.
* Mazu Networks.
* Captus Networks.
* Host-level defenses that detect and stop handler/agent installation:
* Tripwire.
* McAfee Entercept.
3. Keep yourself current on DDoS developments. Keep the following resources at hand to help you fight the war against DDoS attacks.
* This resource from the University of Washington provides links to analyses and discussions on attack tools, defense tools, advisories, mitigation, plus much more.
* By signing up with DDoS World, you will receive incident alerts, article announcements, searched archived results, and be able to view past survey results.
* Contact security organizations, or emergency response teams at the CERT Coordination Center or SANS Institute, to report and request assistance after a system compromise.
* This list of other CERT resources will also be useful:
* "Trends in Denial of Service Attack Technology."
* "Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues."
* Papers on the topic of survivability: best practices for making computers and networks more resilient in the face of an attack.
Bottom Line
Stay on top of the latest news and developments to minimize your exposure to DDoS attacks. Although little can save you from a very large DDoS attack, there is plenty of information available to help you protect your organization from smaller ones.
Want to Know More?
* "MyDoom Lesson: Take Proactive Steps to Prevent DDoS Attacks," Computerworld.
* "What is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?" Carnegie Mellon Software Engineering Institute.
* "Understanding and Preventing DDoS Attacks," EarthWeb.
* "10 Proposed 'first-aid' security measures against Distributed Denial of Service Attacks," Secure Dynamic Whitepaper.
* "Distributed Denial Of Service: Protecting Critical Systems," The Encyclopedia of Computer Security.