10 Proposed 'first-aid' security measures
Results 1 to 4 of 4

Thread: 10 Proposed 'first-aid' security measures

  1. #1
    Banned
    Join Date
    Mar 2004
    Posts
    12

    10 Proposed 'first-aid' security measures

    10 Proposed 'first-aid' security measures
    against Distributed Denial Of Service attacks
    -----------------------------------------------

    To say the least, coping with all the causes and security vulnerabilities
    that can be exploited for compromising hosts and launching Denial Of Service
    from them is very complex. In the long term, there is no simple, single method
    for protecting against such attacks; instead, extensive security and protection
    measures will have to be applied. For everyone whose systems are currently at
    risk, or who is generally worried, I am compiling a small list of easy and fast
    to implement methods to protect against those attacks.

    - f

    Important things to do as a current or potential
    victim of packet flooding Denial Of Service:

    1) Avoid FUD
    FUD stands for fear, uncertanity, and doubt. The recent attacks have
    obviously been launched with provocating hysteria and overreactions in mind,
    due to the victims that have been targeted. It is very important to
    realize, that only a small amount of companies and hosts do have to
    fear becoming a victim of Denial Of Services. Those include top-profile
    sites like search engines, the most popular e-commerce and stock companies,
    IRC chat servers, as well as news magazines (for obvious purposes). If you are
    not amongst them, there is little reason for you to worry about becoming a
    direct target of DoS attacks.

    2) Arrange with your Internet uplink provider(s)
    It is very important that you have the assistance and cooperation from your
    direct backbone and uplink network providers. The bandwidth used in DDoS
    attacks is so major, that your own network probably cannot handle it,
    regardless of what you try. Talk to your uplinks, and make sure that they
    agree to helping you with implementing routing access control that limits
    the amount bandwidth and different source addresses that are let through
    to your network at once. Ideally, your uplink should be willing to monitor
    or let you access their routers in the case of an actual attack.

    3) Optimize your routing and network structure
    If you don't have only a host, but a bigger network, then tune your
    routers to minimize the impact of DoS attacks. To prevent SYN flooding
    attacks, set up the TCP interception feature. Details about this can be
    found at http://www.cisco.com or at your router manufacturer's hotline.
    Block the kinds of UDP and ICMP messages that your network doesn't require
    to operate. Especially permitting outgoing ICMP unreach messages could
    multiply the impact of a packet flooding attack.

    4) Optimize your most important publically accessible hosts
    Do the same on the hosts that can be potential targets. Deny all traffic
    that isn't explicitly needed for the servers you run. Additionally,
    multi-homing (assigning many different IPs to the same hostname), will
    make it a lot harder for the attacker. I suggest that you multi-home your
    web site to many physically different machines, while the HTML index site
    on those machines may only contain a forwarding entry to the pages on
    your actual, original web server.

    5) During ongoing attacks: start countermeasures as soon as possible
    It is important that you start the backtracking of packets as soon as
    possible, and contact any further uplink providers, when traces indicate
    that the packet storm came over their networks. Don't rely on the source
    addresses, as they can be practically be chosen arbitrarily in DoS
    attacks. The overall effort of being able to determine origins of spoofed
    DoS attacks depends on your quick action, as the router entries that allow
    traffic backtracking will expire a short time after the flood is halted.

    Important things to do as a current or potential victim
    of security compromise, break-in, and flood agent installation.

    6) Avoid FUD
    As a potential victim of a compromise, you should as well try not to
    overreact, instead take rational and effective actions fast. Note that the
    current Denial Of Service Servers have only proven to be written for and
    installed on Linux and Solaris systems. They are probably portable to
    *BSD* systems, but since those are usually more secure, it should not be
    a big problem.

    7) Assure that your hosts are not compromised and secure
    There are many recent vulnerability exploits, and a lot more of older
    exploits out. Check exploit databses, for example at securityfocus.com,
    or packetstorm.securify.com, to make sure that the versions of your server
    software are not proven to be vulnerable. Remember, intruders HAVE TO use
    existent vulnerabilities to be able to get into your systems and install
    their programs. You should be reviewing your server configuration,
    looking for security glitches, running recently updated software versions,
    and, this is most important, be running the minimum of services that you
    really need. If you follow all of these guidelines, you can consider yourself
    to be secure and protected from compromises to a reasonable extent.

    8) Audit your systems regularly
    Realize that you are responsible for your own systems, and for what is
    happening with them. Learn sufficiently enough about how your system and
    your server software operates, and review your configuration and the security
    measures that you apply frequently. Check full disclosure security sites
    for new vulnerabilities and weaknesses that might be discovered in the
    future in your operating system and server software.

    9) Use cryptographic checking
    On a system, on which you have verified that it has not already been
    broken into, or compromised, you are urged to set up a system that generates
    cryptographic signatures of all your binary and other trusted system files,
    and compare the changes to those files periodically. Additionally, using a
    system where you store the actual checksums on a different machine or
    removable media, to which a remote attacker cannot have access, is
    strongly recommended. Tools that do this, e.g. tripwire, can be found on
    security sites, like packetstorm.securify.com, and most public open source
    ftp archives. Commercial packages are also available, if you prefer them.

    10) During ongoing attacks: shut down your systems immediately and investigate
    If you detect an attack emerging from your networks or hosts, or if you
    are being contacted because of this, you must immediately shut down your
    systems, or at least disconnect any of the systems from any network. If
    such attacks are being run on your hosts, it means that the attacker has
    almost-full control of the machines. They should be analyzed, and then
    reinstalled. You are also encouraged to contact security organisations, or
    emergency response teams. CERT (www.cert.org) or SANS (www.sans.org) are some
    places where you can always request assistance after a compromise. Also
    keep in mind, that providing these organisations the data from your
    compromised machine(s) left by the attacker is important, because it will
    help them tracking down the origin of the attacks.


    Foxdie
    Share on Google+

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
    Share on Google+

  3. #3
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    *tisk tisk* Always quote your sources young man!! Kudo's to Ms Mitten's for catching it
    Space For Rent.. =]
    Share on Google+

  4. #4
    Ah thank heavens for MsMittens, without here wit we woulda never caught on that this was another "Cut n paste" job..
    kudos to you MsMittens.

    and no kudos to you foxdie, in the future if you find something interesting on the net, by all means share it with the community, but PLEASE always include the link to were you gathered the information from.
    Just a gentle reminder for next time..

    cheers
    .:front2back:.
    Share on Google+

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •