Protecting against DoS attacks
The huge hubbub over the recent attacks on major Web sites, such as Yahoo and eBay, brings on a renewed sense of urgency about appropriate security measures in our wired world. But for all the current fuss, DoS (denial of service) attacks are certainly not a new phenomenon.
In fact, the incidents we've recently seen are but one form of a DoS attack. According to the definition provided by the Computer Emergency Response Team (CERT): "A denial of service attack is characterised by an explicit attempt by attackers to prevent legitimate users of a service from using that service."
One DoS attack mode (and the kind used in the most recent attacks) is flooding a network with bogus traffic, which prevents legitimate users from accessing the service. Other examples of DoS attacks include attempts to disrupt traffic between two specific machines, attacks that prevent a particular individual from accessing a network or a service, or activities that shut down services on a specific system.
Sound scary? You can take action to prevent DoS attacks. Consider implementing router-based filtering that prevents the 'flooding' type of attacks. This will reduce exposure while helping prevent your systems from unknowingly aiding such an attack.
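The router-based filtering the article recommends is, in practice, source-address (anti-spoofing) filtering on the site's border: inbound packets that claim one of your own addresses or an unroutable source are dropped, and outbound packets whose source is not one of your addresses are dropped so your hosts cannot be used to emit spoofed flood traffic. The following is an added illustration of those rules, not code from the article; it assumes a hypothetical internal prefix of 192.0.2.0/24 (a documentation range), and the sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Assumption for this example: the site's own address block is the
# 192.0.2.0/24 documentation range.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Source blocks that should never arrive on the Internet-facing interface
# (private, loopback, multicast and "this network" ranges).
UNROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def filter_packet(direction, src):
    """Apply the ingress/egress source-address rules to one packet.

    direction is "in" (arriving from the Internet) or "out" (leaving the
    site).  Returns (verdict, reason) where verdict is "accept" or "drop".
    """
    addr = ipaddress.ip_address(src)
    if direction == "in":
        if addr in INTERNAL_NET:
            # Nobody outside should claim one of our addresses: spoofed.
            return "drop", "inbound source claims an internal address"
        if any(addr in net for net in UNROUTABLE_NETS):
            return "drop", "inbound source is an unroutable address"
        return "accept", ""
    if direction == "out":
        if addr not in INTERNAL_NET:
            # A local host sending with a foreign source address is either
            # misconfigured or being used to generate spoofed flood traffic.
            return "drop", "outbound source is not an internal address"
        return "accept", ""
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic: (direction, source address).
SAMPLE_PACKETS = [
    ("in", "203.0.113.7"),    # ordinary Internet client
    ("in", "192.0.2.20"),     # spoofed: pretends to be one of our hosts
    ("in", "10.4.4.4"),       # private source address from the outside
    ("out", "192.0.2.10"),    # one of our servers replying normally
    ("out", "198.51.100.9"),  # internal host emitting a foreign source
]


def apply_filter(packets):
    """Run every packet through filter_packet; return the decisions and a
    Counter keyed by (direction, verdict)."""
    decisions = []
    counts = Counter()
    for direction, src in packets:
        verdict, reason = filter_packet(direction, src)
        decisions.append((direction, src, verdict, reason))
        counts[(direction, verdict)] += 1
    return decisions, counts


if __name__ == "__main__":
    for direction, src, verdict, reason in apply_filter(SAMPLE_PACKETS)[0]:
        print(f"{direction:>3} {src:<15} {verdict:<6} {reason}")
```

On a real border router these three rules become access-list entries on the inbound and outbound interfaces; the egress rule is the one that keeps your site from "unknowingly aiding" an attack, because a compromised internal host can then only send traffic that is traceable back to you.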
Moreover, check to see if any patches that prevent TCP SYN flooding are available for your systems. Inspect the network services you currently have activated and disable any services that are unused or unneeded. Attackers often use these 'backdoors' to leverage your systems as part of the execution of a DoS attack.
You might also implement quotas (such as disk quotas) for all accounts on all your systems. And you might consider partitioning systems to separate critical business functions from other services. Keep a close eye on system performance metrics and determine normal operating activity for disk, CPU, and network traffic. If possible, implement real-time monitoring to detect any deviation from your normal activity.
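"Determine normal operating activity" and "detect any deviation" translate directly into a baseline-and-threshold check: summarise each metric over a known-normal period, then flag any reading that sits several standard deviations away from that summary. The code below is an added example, not from the article; the baseline and live readings are constructed, and the three-sigma threshold is an assumed starting point that a real deployment would tune.

```python
import statistics

METRICS = ("cpu_pct", "disk_iops", "net_pps")

# Constructed samples from a period of normal operation; a real deployment
# would collect these from the hosts over days, not hard-code them.
BASELINE_SAMPLES = [
    {"cpu_pct": 22, "disk_iops": 140, "net_pps": 1800},
    {"cpu_pct": 25, "disk_iops": 150, "net_pps": 2100},
    {"cpu_pct": 19, "disk_iops": 130, "net_pps": 1700},
    {"cpu_pct": 28, "disk_iops": 160, "net_pps": 2300},
    {"cpu_pct": 24, "disk_iops": 145, "net_pps": 1950},
    {"cpu_pct": 21, "disk_iops": 135, "net_pps": 1850},
]


def build_baseline(samples):
    """Summarise 'normal' as (mean, population std dev) per metric."""
    baseline = {}
    for metric in METRICS:
        values = [s[metric] for s in samples]
        baseline[metric] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def check_sample(sample, baseline, threshold=3.0):
    """Return [(metric, value, z_score)] for every metric more than
    `threshold` standard deviations from its baseline mean."""
    alerts = []
    for metric in METRICS:
        mean, sd = baseline[metric]
        if sd == 0:
            # A perfectly flat baseline: any movement at all is a deviation.
            z = float("inf") if sample[metric] != mean else 0.0
        else:
            z = (sample[metric] - mean) / sd
        if abs(z) > threshold:
            alerts.append((metric, sample[metric], round(z, 1)))
    return alerts


def monitor(stream, baseline, threshold=3.0):
    """Evaluate a sequence of samples; return [(index, alerts)] for the
    samples that deviated from the baseline."""
    flagged = []
    for i, sample in enumerate(stream):
        alerts = check_sample(sample, baseline, threshold)
        if alerts:
            flagged.append((i, alerts))
    return flagged


# Constructed live readings: two normal intervals, then one that looks like
# a traffic flood (packet rate and CPU far above anything in the baseline).
LIVE_SAMPLES = [
    {"cpu_pct": 26, "disk_iops": 150, "net_pps": 2000},
    {"cpu_pct": 20, "disk_iops": 138, "net_pps": 1750},
    {"cpu_pct": 90, "disk_iops": 142, "net_pps": 60000},
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    for index, alerts in monitor(LIVE_SAMPLES, baseline):
        for metric, value, z in alerts:
            print(f"sample {index}: {metric}={value} is {z} sigma from normal")
```

Disk activity stays within its normal band in the flood sample while packet rate and CPU do not, which is the signature you would expect from a network flood rather than, say, a runaway batch job; keeping the metrics separate is what lets the alert say which resource is under pressure.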
Other simple steps include regular examination of physical security, such as wiring closets, and implementing tools that can detect changes to system configuration files. Be sure to have 'hot spare' systems available for critical business functions so you can swap servers in the event of an attack. Redundant network configurations should also be considered. Double-check your backup policies and make sure you're safeguarding important configuration information. Finally, be vigilant about password policies and limiting access to administrator accounts.
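Tools that "detect changes to system configuration files" work by recording a cryptographic digest of every file while the system is known to be clean and comparing a fresh snapshot against that record. The following is an added example of that idea, not code from the article or from any particular integrity-checking product; the file names and contents are constructed in a temporary directory, and `demo()` stands in for the nightly comparison job.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its
    SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_manifests(known_good, current):
    """Classify the differences between a trusted manifest and a fresh one."""
    return {
        "changed": sorted(k for k in known_good
                          if k in current and known_good[k] != current[k]),
        "added": sorted(k for k in current if k not in known_good),
        "removed": sorted(k for k in known_good if k not in current),
    }


def demo():
    """Constructed scenario: snapshot a few config files in a temporary
    directory, apply an edit, a deletion and a new file, then report what
    the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "inetd.conf").write_text("# no services enabled\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        known_good = build_manifest(tmp)   # taken while the host is clean

        # Later changes nobody authorised: an extra hosts entry, a removed
        # service configuration, and a new startup script.
        (etc / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 mirror\n")
        (etc / "inetd.conf").unlink()
        (etc / "rc.local").write_text("# constructed new file\n")
        current = build_manifest(tmp)
        return compare_manifests(known_good, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The known-good manifest is only as trustworthy as its storage: keep it off the monitored host or on read-only media, which is the same point the article makes about safeguarding configuration information in your backups.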
Here's an at-a-glance checklist of some steps that can decrease the chances of becoming a DoS victim:
* Implement router-based filtering
* Check to see if TCP SYN flooding patches are available for your system
* Consider implementing quotas and partitioning
* Monitor systems' performance
* Deploy detection software that checks for system configuration changes
* Check that your backup policy includes protection for configuration information