Denying DDoS on Web Servers! How?


PakiBlue
May 3rd, 2003, 05:02 PM
Salaams all of you guys out there...
The concern today is, many Pakistani official web sites were hacked down using a variant of 'Yaha' on 29 April. It was a DDoS attack.
Now the point is, how should one guard his web servers against such DDoS attacks? I am not some official, but my network's security is my concern.
I ask for the complete working methodology of such attacks and counter measures. Does IP spoofing play a part? I don't think so. Do firewalls protect? To some extent, I should admit!
What's the real solution?
Strike back guys...

wassup
May 3rd, 2003, 05:52 PM
Well, the best protection is good firewalling. iptables on a Linux box would be ideal. Limit ICMP packets, block portscans. Another big thing would be to not give out lots of important information. For example:
Server: Apache/1.3.26 (Unix) (Technologue/Linux) mod_ssl/2.8.9 OpenSSL/0.9.6 mod_layout/3.2
That is way too much information. A better solution would be to make the server just give out:
Server: Apache
This is simple to do and only requires a small look into the Apache configuration file. But why do this? Simple... some DoS attacks are due to buffer overflows in the programs that cause them to crash. Giving out less information will stop attackers from gathering the required information to carry out this type of DoS attack.
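As an added example (not code from the thread), the check a practitioner would run on the advice above: parse the Server header quoted in the post, predict what Apache would send for each ServerTokens level, and audit a constructed httpd.conf for ServerTokens/ServerSignature. The full header and the sample config are constructed; the Prod/Min/OS/Full levels are documented Apache 1.3 behaviour, while the Major/Minor levels are included on the assumption that this Apache build supports them.

```python
import re

# Constructed sample: the header quoted in the post above, and a minimal httpd.conf.
FULL_HEADER = "Apache/1.3.26 (Unix) (Technologue/Linux) mod_ssl/2.8.9 OpenSSL/0.9.6 mod_layout/3.2"
SAMPLE_CONF = """\
# httpd.conf (constructed sample, not a real configuration)
ServerName www.example.org
ServerTokens Full
ServerSignature On
"""


def parse_server_header(header):
    """Split a Server header into (product, version, parenthesised comments, extra tokens)."""
    tokens = re.findall(r"\([^)]*\)|\S+", header)
    product, _, version = tokens[0].partition("/")
    comments = [t for t in tokens[1:] if t.startswith("(")]
    extra = [t for t in tokens[1:] if not t.startswith("(")]
    return product, version, comments, extra


def header_for_level(level, full=FULL_HEADER):
    """Server header Apache sends for a given ServerTokens level.

    Prod/Min/OS/Full follow the Apache 1.3 documentation; Major/Minor are
    assumed here (they narrow the version string to one or two components).
    """
    product, version, comments, _extra = parse_server_header(full)
    level = level.lower()
    if level in ("prod", "productonly"):
        return product
    if level == "major":
        return f"{product}/{version.split('.')[0]}"
    if level == "minor":
        return f"{product}/{'.'.join(version.split('.')[:2])}"
    if level in ("min", "minimal"):
        return f"{product}/{version}"
    if level == "os":
        return f"{product}/{version} {comments[0]}" if comments else f"{product}/{version}"
    if level == "full":
        return full
    raise ValueError(f"unknown ServerTokens level: {level}")


def directives(conf_text):
    """Last-wins map of directive name -> value, comments stripped (global scope only)."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        found[name.lower()] = value.strip()
    return found


def audit(conf_text, full=FULL_HEADER):
    """Findings for a config that still leaks version details."""
    d = directives(conf_text)
    tokens = d.get("servertokens", "Full")        # Apache default is Full
    signature = d.get("serversignature", "Off")   # Apache default is Off
    findings = []
    if tokens.lower() not in ("prod", "productonly"):
        findings.append(
            f"ServerTokens {tokens}: Server header will be "
            f"'{header_for_level(tokens, full)}'; set ServerTokens Prod"
        )
    if signature.lower() != "off":
        findings.append("ServerSignature On: error pages repeat the version line; set ServerSignature Off")
    return findings


if __name__ == "__main__":
    for level in ("Full", "OS", "Min", "Minor", "Major", "Prod"):
        print(f"ServerTokens {level:<6} -> Server: {header_for_level(level)}")
    for finding in audit(SAMPLE_CONF):
        print("finding:", finding)
```

Hiding the header does not remove a vulnerable mod_ssl or OpenSSL; it only costs the attacker the free fingerprint, so the audit is a complement to patching, not a substitute.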

journy101
May 4th, 2003, 12:52 AM
I can't comment much on this topic, but I would like to mention that the web server software I use, KeyFocus Web Server (www.keyfocus.net), has a new feature called "sin bin": if a client makes malicious-type requests to the server and reaches a threshold limit, they will be entered into a sin bin where they will no longer be able to visit my site.

Additionally it has a built-in feature that will detect brute-force attacks on passwords: if the user fails to enter the password 5 times, they will be locked out for 1 hour. As well, it limits the number of simultaneous connections a visitor may make at a time, and the number of special characters that can be entered in a GET request.

So though this does not really answer your question of how to protect against DDoS attacks, your server software may have built-in features. You may want to check it out.

PakiBlue
May 4th, 2003, 01:24 PM
The point of concern is, I am talking about zombies, not buffer overflows in programs. I'll definitely check out KeyFocus web server - thanks for that.

The attack on the Pakistani servers was launched from zombies. It was spread by mail, capable of mailing itself by picking the contacts from the address book and messenger lists of the infected system. When executed it launched the attack on predefined Pakistani web sites. This is the second time in a row it has been launched.

You get the idea? How would you distinguish a legitimate user from a fake one? Configuring firewalls on an ISP's setup can be quite cumbersome, taking their services into account...

How can one detect such attacks and counter them?
thanks

sweet_angel
May 4th, 2003, 02:10 PM
Hi,
What OS do you have?
FreeBSD/*nix have anti-DDoS utilities you can install to avoid DDoS attacks, like tripwire, aide or yafic.
To detect and scan for DDoS, FreeBSD has tools called dds, find_ddos and Zombiezapper (to clean it).

But well..that's all I know at the moment :)

Cheerss

PakiBlue
May 4th, 2003, 05:45 PM
What I've learnt from your replies (thanks, they helped!) leaves certain questions in my mind...

1. Can't IDS (intrusion detection systems) be used to stop DDoS?
2. Do sniffers help in any way?
3. Solutions for OSes other than FreeBSD, including Windows 2000?
4. Not just detecting them, how to guard against them?
5. Firewalls? Which ones? Any Kerberos?

I think guarding a system asks for 24-hour dedication from your side. Doesn't it?

KissCool
May 4th, 2003, 08:37 PM
Well, in order to prevent the most common DDoS attack (SYN flood), I see some ways. Here are some of them:

* If you are under Windows 2000, you can enable/create a registry key related to this problem in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
If you give the value "0" to the key: it will be disabled.
"1": basic protection is enabled: the timing of SYN/ACK replies will be quicker than by default, and an entry in the route cache will be created only after the three-way handshake has been fully completed.
"2": basic protection is enabled, and moreover information about the connections will be sent to the WinSock drivers only after the three-way handshake has been fully completed.

This key is disabled or even doesn't exist by default.

* If you are under Linux, you can enable SYN cookies by recompiling your kernel.

* Some firewalls (AppSafe, NetScreen...) can act like proxies during the beginning of the connection in order to reduce problems linked to DDoS attacks. But it can only help to solve the problem, and it makes connections longer.

* Some IDS can detect flooding and send RST to the target in order to limit the number of half-open connections which are generally what make the servers slow down during such an attack.

I hope it will help you.

KC
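The SYN-cookie defence mentioned above, as an added example that is not part of the original posts: a toy listener that either keeps a bounded half-open table (the default behaviour that a SYN flood exhausts) or encodes the connection state into the initial sequence number in the Linux-style layout (5-bit minute counter, 3-bit MSS index, 24-bit keyed hash) so that nothing is stored until the third packet of the handshake arrives. The server address, the MSS table, the backlog size and the flood are all constructed; the HMAC secret stands in for the kernel's per-boot random key.

```python
import hashlib
import hmac
import os

# Constructed scenario: the web server we defend and the MSS values a cookie can encode.
SERVER_ADDR, SERVER_PORT = "192.0.2.80", 80
MSS_TABLE = [536, 1300, 1440, 1460]      # index must fit in 3 bits


def _cookie_hash(secret, saddr, sport, minute):
    """24-bit keyed hash over the 4-tuple and the minute counter (HMAC stands in for the kernel's hash)."""
    msg = f"{saddr}:{sport}>{SERVER_ADDR}:{SERVER_PORT}@{minute}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, sport, mss, minute):
    """ISN = [t: 5 bits][mss index: 3 bits][hash: 24 bits]; the peer echoes it back as ack-1."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return ((minute & 0x1F) << 27) | (idx << 24) | _cookie_hash(secret, saddr, sport, minute)


def check_cookie(secret, saddr, sport, ack, now_minute, max_age=4):
    """Return the negotiated MSS if ack-1 is a cookie we issued within max_age minutes, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, idx, h = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):           # the 5-bit counter wraps, so only recent minutes are tried
        minute = now_minute - age
        if minute >= 0 and (minute & 0x1F) == t and _cookie_hash(secret, saddr, sport, minute) == h:
            return MSS_TABLE[idx]
    return None


class Listener:
    """Half-open table with a fixed backlog, or stateless SYN cookies."""

    def __init__(self, backlog=128, syncookies=False, secret=None):
        self.backlog, self.syncookies = backlog, syncookies
        self.secret = secret or os.urandom(16)
        self.half_open = {}                  # (saddr, sport) -> (isn, mss)
        self.established = set()
        self.dropped = 0                     # SYNs refused because the backlog was full

    def on_syn(self, saddr, sport, mss, minute):
        if self.syncookies:
            return make_cookie(self.secret, saddr, sport, mss, minute)   # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(saddr, sport)] = (isn, mss)
        return isn

    def on_ack(self, saddr, sport, ack, minute):
        if self.syncookies:
            if check_cookie(self.secret, saddr, sport, ack, minute) is None:
                return False
        else:
            state = self.half_open.pop((saddr, sport), None)
            if state is None or (state[0] + 1) & 0xFFFFFFFF != ack:
                return False
        self.established.add((saddr, sport))
        return True


def flood_then_connect(syncookies, flood=1000, backlog=128):
    """Spoofed SYNs that are never ACKed, then one real client. Returns (SYNs dropped, client connected)."""
    lst = Listener(backlog=backlog, syncookies=syncookies)
    minute = 1000
    for i in range(flood):
        lst.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, 1460, minute)
    dropped = lst.dropped
    isn = lst.on_syn("203.0.113.7", 51515, 1460, minute)
    ok = isn is not None and lst.on_ack("203.0.113.7", 51515, (isn + 1) & 0xFFFFFFFF, minute)
    return dropped, ok


if __name__ == "__main__":
    print("backlog only :", flood_then_connect(False))   # legitimate client is refused
    print("syn cookies  :", flood_then_connect(True))    # legitimate client connects
```

The cost of cookies is visible in the layout: only eight MSS values fit, the cookie is only valid for a few minutes, and TCP options from the SYN are lost, which is why real kernels enable them only once the backlog overflows.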

wassup
May 5th, 2003, 09:06 PM
And if he wanted to even survive a DDoS he wouldn't be using Windows in the first place... Windows is more prone to DoS attacks than other OSes.

catch
May 10th, 2003, 06:32 AM
An abstract on DDoS survival for web servers that I think you might find helpful. :)

PakiBlue
May 10th, 2003, 06:53 PM
Okay, got the point on SYN flooding...
what are the measures for other attacks? like ICMP floods/IGMP floods etc...
- Leaving a platform is not a solution. How can one be a geek without learning one of the most widely used servers around? What would you do if you had to work with Win2k?

also check out this...
http://pakiblues.proboards9.com/index.cgi?board=HackingB&action=display&num=1052066001

catch
May 10th, 2003, 08:11 PM
I wouldn't suggest leaving your platform, I know the article I posted discusses Linux, many of the themes are still applicable.

There are two main types of DDoS attacks:

1. Those that just plain consume all of your bandwidth.
2. Those that exploit a developed latency.

#1 cannot be defended against at your end, so there is no point in worrying about it; that is your ISP's job. #2 is dealt with by patching against known exploits like SYN flooding, which has already been covered; load balancing if possible, to keep a single system from being overwhelmed with CPU/memory intensive processes; disabling all unused protocols (under advanced TCP/IP settings > options > TCP/IP filtering); and lastly a NIDS/firewall that learns, so that when it sees what looks like an attack from a system, that system's future requests are ignored for X time. There are many ways to do this depending on your budget and particular needs.

One more thing, as an NT web server admin, I think you might find this software handy:
https://www.argus-systems.com/catalogue/protector/

Argus is the same company that makes Pittbull/LX, which is a wonderful trusted operating system that uses DBAC to manage its labeled security. This DBAC technology has now been slightly extended to NT. You can completely compromise the admin or system account or whatever, but if you know anything about labeled security you will know that you cannot escape your label, so no permissions are gained even with a system shell. :)
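The threshold lockout that both journy101's "sin bin" and the "ignored for X time" firewall above describe, as an added example that belongs to neither poster: a small sliding-window counter run over constructed Apache-style access log lines. Two behaviours from the thread are modelled, five failed logins (401) leading to a one-hour lockout and a burst of malicious request lines (path traversal or too many special characters) leading to the same; the thresholds, windows, IP addresses and log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SPECIAL = re.compile(r"[^A-Za-z0-9 /._?=&%:-]")     # characters that are unusual in a request line

LIMITS = {                                           # assumed: (hits, counting window, lockout)
    "auth-failure":      (5, timedelta(minutes=10), timedelta(hours=1)),
    "malicious-request": (10, timedelta(seconds=60), timedelta(hours=1)),
}


def parse_line(line):
    """Common log format -> (ip, timestamp, request line, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["req"], int(m["status"])


def classify(req, status):
    """Which sin-bin counter (if any) a request feeds."""
    if status == 401:
        return "auth-failure"
    if "../" in req or len(SPECIAL.findall(req)) > 8:
        return "malicious-request"
    return None


class SinBin:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.hits = defaultdict(deque)               # (ip, kind) -> timestamps inside the window
        self.banned_until = {}

    def is_banned(self, ip, now):
        return ip in self.banned_until and now < self.banned_until[ip]

    def observe(self, ip, now, kind):
        """Record one hit; return the kind if this hit crossed the threshold and banned the client."""
        limit, window, lockout = self.limits[kind]
        q = self.hits[(ip, kind)]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            self.banned_until[ip] = now + lockout
            q.clear()
            return kind
        return None


def run(lines, sinbin=None):
    """Replay log lines in time order; count requests dropped while their client was banned."""
    sinbin = sinbin or SinBin()
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    dropped, reasons = 0, {}
    for ip, ts, req, status in entries:
        if sinbin.is_banned(ip, ts):
            dropped += 1
            continue
        kind = classify(req, status)
        if kind:
            reason = sinbin.observe(ip, ts, kind)
            if reason:
                reasons[ip] = reason
    return {"banned": reasons, "dropped": dropped}


def sample_log():
    """Constructed log lines: a normal visitor, a password guesser and a traversal scanner."""
    lines = [
        '203.0.113.5 - - [29/Apr/2003:10:00:10 +0000] "GET / HTTP/1.0" 200 1234',
        '203.0.113.5 - - [29/Apr/2003:10:00:11 +0000] "GET /images/logo.gif HTTP/1.0" 200 456',
    ]
    # five 401s in five seconds, one more while locked out, one after the hour is up
    lines += [f'198.51.100.23 - - [29/Apr/2003:10:00:{s:02d} +0000] "GET /admin/ HTTP/1.0" 401 -'
              for s in range(1, 6)]
    lines.append('198.51.100.23 - - [29/Apr/2003:10:10:00 +0000] "GET /admin/ HTTP/1.0" 401 -')
    lines.append('198.51.100.23 - - [29/Apr/2003:11:05:00 +0000] "GET / HTTP/1.0" 200 1234')
    # twelve traversal attempts in twelve seconds; the tenth trips the ban, two more are dropped
    lines += [f'192.0.2.77 - - [29/Apr/2003:10:01:{s:02d} +0000] '
              '"GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 -' for s in range(12)]
    return lines


if __name__ == "__main__":
    print(run(sample_log()))
```

A per-address counter like this only helps against the zombies that repeat themselves; the thread's point stands that a flood spread thinly across thousands of source addresses, each sending one request, never trips a threshold and has to be absorbed upstream.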

KissCool
May 10th, 2003, 09:00 PM
A DoS attack can virtually be done over every way of communication. But the TCP flood is generally the most efficient if your systems are well patched and configured.
For UDP and ICMP floods, the most common attacks are probably Smurf and Fraggle attacks.
The principle of the Smurf attack is to send an ICMP echo (i.e. a ping) to the broadcast address of a network with the source address of the target. The replies from all the other computers will flood the targeted computer. Fraggle is nearly the same thing with UDP and a port like echo.

I know that Windows 2k and FreeBSD are configured by default in order to avoid Smurf attacks, but I'm not sure about Fraggle.

Anyway, if the attacker can deploy more bandwidth than you, he can consume all your bandwidth. And you will never be able to avoid this risk.

KC
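Detection logic for the Smurf and Fraggle attacks described above, as an added example that is not from the thread: it runs over a constructed packet list (what a sniffer or border router flow export would show) and reports both ways your network can be involved, as the amplifier (echo requests, or UDP to the echo/chargen ports, aimed at your directed-broadcast address with a forged source) and as the victim (a host receiving echo replies it never asked for). The defended prefix, thresholds and all packets are assumptions made for the example.

```python
import ipaddress
from collections import Counter

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: the network we defend


def is_directed_broadcast(dst, nets=LOCAL_NETS):
    """True when dst is the broadcast address of one of our prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr == n.broadcast_address for n in nets)


def smurf_fraggle_findings(packets, nets=LOCAL_NETS, reply_threshold=50):
    """Return (kind, address, count) tuples: 'smurf'/'fraggle' name the spoofed victim we are
    being used against, 'reply-flood' names a local host that is itself being smurfed."""
    reflector_hits = Counter()     # (kind, forged source) -> probes aimed at our broadcast address
    unsolicited = Counter()        # local host -> echo replies it never requested
    asked = set()                  # (requester, target) pairs seen as outgoing echo requests
    for p in packets:
        proto, src, dst = p["proto"], p["src"], p["dst"]
        if proto == "icmp" and p["type"] == "echo-request":
            asked.add((src, dst))
            if is_directed_broadcast(dst, nets):
                reflector_hits[("smurf", src)] += 1
        elif proto == "udp" and p.get("dport") in (7, 19) and is_directed_broadcast(dst, nets):
            reflector_hits[("fraggle", src)] += 1
        elif proto == "icmp" and p["type"] == "echo-reply" and (dst, src) not in asked:
            unsolicited[dst] += 1
    findings = [(kind, victim, n) for (kind, victim), n in reflector_hits.items()]
    findings += [("reply-flood", host, n) for host, n in unsolicited.items() if n >= reply_threshold]
    return findings


def sample_capture():
    """Constructed packets: one legitimate ping, a Smurf and a Fraggle probe set, and a reply flood."""
    pkts = [
        {"proto": "icmp", "type": "echo-request", "src": "192.0.2.10", "dst": "198.51.100.1"},
        {"proto": "icmp", "type": "echo-reply", "src": "198.51.100.1", "dst": "192.0.2.10"},
    ]
    # Smurf: 20 echo requests to our broadcast address, source forged to the victim
    pkts += [{"proto": "icmp", "type": "echo-request", "src": "198.51.100.9", "dst": "192.0.2.255"}] * 20
    # Fraggle: 5 UDP datagrams to the echo port on our broadcast address, same forged source
    pkts += [{"proto": "udp", "dport": 7, "src": "198.51.100.9", "dst": "192.0.2.255"}] * 5
    # one of our hosts being smurfed from elsewhere: 60 replies it never requested
    pkts += [{"proto": "icmp", "type": "echo-reply", "src": f"203.0.113.{i % 250 + 1}", "dst": "192.0.2.10"}
             for i in range(60)]
    return pkts


if __name__ == "__main__":
    for kind, addr, n in smurf_fraggle_findings(sample_capture()):
        print(f"{kind:<11} {addr:<15} {n:>4} packets")
```

Seeing the "smurf" or "fraggle" finding means your routers still forward directed broadcasts; the fix is on the router (on Cisco IOS, `no ip directed-broadcast` per interface) and on the hosts (on Linux, `net.ipv4.icmp_echo_ignore_broadcasts=1`), which is what the default configurations mentioned above amount to. The "reply-flood" finding is the case the post says you cannot fix locally: the packets have already crossed your link.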

sectac
May 26th, 2003, 04:14 AM
There is no perfect way to stop a strong DDoS attack, plain and simple.

Networker
May 26th, 2003, 10:07 AM
PakiBlue;
In the known world there is no solution to prevent DDoS, and especially DrDoS, for people or corporations.
As far as I know, the only way to solve the problem is a global agreement between all the world's ISPs; let's say that's almost a utopia.
A few weeks ago I posted a referenced news item about Pakistani ISPs wanting to tackle the threat, but to have it be efficient, cooperation with all the other ISPs is required. Maybe Pakistan will be the start of the internet ISP revolution... who knows!

http://www.antionline.com/showthread.php?s=&threadid=242960&highlight=DOS

At this point the only thing you can do is advise corporations of simple rules like antivirus updates, anti-spoofing ACLs, IDS and firewalls (to fight zombies), in order to stop their hosts from participating in a DDoS attack, but not to protect themselves.
For the precise DDoS problem, I don't think any finance department will agree to pay for measures that prevent its company from attacking a remote victim without getting the assurance of being protected itself....

It seems that we'll have to live with DDoS for a long time still.