April 3rd, 2004, 07:06 PM
10 Proposed 'first-aid' security measures
against Distributed Denial Of Service attacks
To say the least, coping with all the causes and security vulnerabilities
that can be exploited for compromising hosts and launching Denial Of Service
from them is very complex. In the long term, there is no simple, single method
for protecting against such attacks; instead, extensive security and protection
measures will have to be applied. For everyone whose systems are currently at
risk, or who is generally worried, I am compiling a small list of easy and fast
to implement methods to protect against those attacks.
Important things to do as a current or potential
victim of packet flooding Denial Of Service:
1) Avoid FUD
FUD stands for fear, uncertainty, and doubt. The recent attacks have
obviously been launched with provoking hysteria and overreactions in mind,
due to the victims that have been targeted. It is very important to
realize, that only a small amount of companies and hosts do have to
fear becoming a victim of Denial Of Services. Those include top-profile
sites like search engines, the most popular e-commerce and stock companies,
IRC chat servers, as well as news magazines (for obvious purposes). If you are
not amongst them, there is little reason for you to worry about becoming a
direct target of DoS attacks.
2) Arrange with your Internet uplink provider(s)
It is very important that you have the assistance and cooperation from your
direct backbone and uplink network providers. The bandwidth used in DDoS
attacks is so major, that your own network probably cannot handle it,
regardless of what you try. Talk to your uplinks, and make sure that they
agree to help you with implementing routing access control that limits
the amount of bandwidth and different source addresses that are let through
to your network at once. Ideally, your uplink should be willing to monitor
or let you access their routers in the case of an actual attack.
3) Optimize your routing and network structure
If you don't have only a host, but a bigger network, then tune your
routers to minimize the impact of DoS attacks. To prevent SYN flooding
attacks, set up the TCP interception feature. Details about this can be
found at http://www.cisco.com or at your router manufacturer's hotline.
Block the kinds of UDP and ICMP messages that your network doesn't require
to operate. Especially permitting outgoing ICMP unreach messages could
multiply the impact of a packet flooding attack.
4) Optimize your most important publicly accessible hosts
Do the same on the hosts that can be potential targets. Deny all traffic
that isn't explicitly needed for the servers you run. Additionally,
multi-homing (assigning many different IPs to the same hostname), will
make it a lot harder for the attacker. I suggest that you multi-home your
web site to many physically different machines, while the HTML index site
on those machines may only contain a forwarding entry to the pages on
your actual, original web server.
5) During ongoing attacks: start countermeasures as soon as possible
It is important that you start the backtracking of packets as soon as
possible, and contact any further uplink providers, when traces indicate
that the packet storm came over their networks. Don't rely on the source
addresses, as they can practically be chosen arbitrarily in DoS
attacks. The overall effort of being able to determine origins of spoofed
DoS attacks depends on your quick action, as the router entries that allow
traffic backtracking will expire a short time after the flood is halted.
Important things to do as a current or potential victim
of security compromise, break-in, and flood agent installation.
6) Avoid FUD
As a potential victim of a compromise, you should as well try not to
overreact, instead take rational and effective actions fast. Note that the
current Denial Of Service Servers have only proven to be written for and
installed on Linux and Solaris systems. They are probably portable to
*BSD* systems, but since those are usually more secure, it should not be
a big problem.
7) Assure that your hosts are not compromised and secure
There are many recent vulnerability exploits, and a lot more of older
exploits out. Check exploit databases, for example at securityfocus.com,
or packetstorm.securify.com, to make sure that the versions of your server
software are not proven to be vulnerable. Remember, intruders HAVE TO use
existent vulnerabilities to be able to get into your systems and install
their programs. You should be reviewing your server configuration,
looking for security glitches, running recently updated software versions,
and, this is most important, be running the minimum of services that you
really need. If you follow all of these guidelines, you can consider yourself
to be secure and protected from compromises to a reasonable extent.
8) Audit your systems regularly
Realize that you are responsible for your own systems, and for what is
happening with them. Learn sufficiently enough about how your system and
your server software operates, and review your configuration and the security
measures that you apply frequently. Check full disclosure security sites
for new vulnerabilities and weaknesses that might be discovered in the
future in your operating system and server software.
9) Use cryptographic checking
On a system, on which you have verified that it has not already been
broken into, or compromised, you are urged to set up a system that generates
cryptographic signatures of all your binary and other trusted system files,
and compare the changes to those files periodically. Additionally, using a
system where you store the actual checksums on a different machine or
removable media, to which a remote attacker cannot have access, is
strongly recommended. Tools that do this, e.g. tripwire, can be found on
security sites, like packetstorm.securify.com, and most public open source
ftp archives. Commercial packages are also available, if you prefer them.
10) During ongoing attacks: shut down your systems immediately and investigate
If you detect an attack emerging from your networks or hosts, or if you
are being contacted because of this, you must immediately shut down your
systems, or at least disconnect any of the systems from any network. If
such attacks are being run on your hosts, it means that the attacker has
almost-full control of the machines. They should be analyzed, and then
reinstalled. You are also encouraged to contact security organisations, or
emergency response teams. CERT (www.cert.org) or SANS (www.sans.org) are some
places where you can always request assistance after a compromise. Also
keep in mind, that providing these organisations the data from your
compromised machine(s) left by the attacker is important, because it will
help them tracking down the origin of the attacks.
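Item 9 above, as an added example that is not part of the original post and not any particular tool's code: a small tripwire-style integrity checker in Python. It records SHA-256 digests, modes and sizes of the files under a directory, seals the stored baseline with an HMAC whose key is meant to live off-host alongside the baseline copy, and reports files that were added, removed or modified. The directory, file names and key used in demo() are constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):  # chunked so large binaries need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    # Digest, mode and size of every regular file under root; symlinks are skipped.
    root, entries = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "sha256": sha256_file(p), "mode": st.st_mode, "size": st.st_size}
    return entries

def seal_baseline(entries, key):
    # JSON plus an HMAC (key kept off-host) so edits to the stored baseline are detectable.
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"tag": tag, "baseline": body})

def open_baseline(blob, key):
    doc = json.loads(blob)  # refuse a baseline whose HMAC does not verify
    tag = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, doc["tag"]):
        raise ValueError("stored baseline failed integrity check")
    return json.loads(doc["baseline"])

def compare(baseline, current):
    # Files that appeared, vanished, or changed content, mode or size.
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in baseline.keys() & current.keys()
                               if baseline[k] != current[k])}

def demo():
    # Constructed scenario: baseline a toy bin dir, then swap one binary and add a file.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        for name in ("ls", "ps", "netstat"):
            Path(d, name).write_bytes(b"original " + name.encode())
        sealed = seal_baseline(build_baseline(d), key)
        Path(d, "ps").write_bytes(b"trojaned ps")
        Path(d, "ddos_agent").write_bytes(b"new file")
        return compare(open_baseline(sealed, key), build_baseline(d))
```

In practice the sealed baseline and the key are written to removable media or a separate host, and the comparison is run from cron against a fresh build_baseline() of the monitored directories.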
April 3rd, 2004, 07:46 PM
April 3rd, 2004, 08:23 PM
*tisk tisk* Always quote your sources, young man!! Kudos to MsMittens for catching it
April 3rd, 2004, 11:55 PM
Ah, thank heavens for MsMittens; without her wit we woulda never caught on that this was another "Cut n paste" job..
Kudos to you, MsMittens.
And no kudos to you, foxdie. In the future, if you find something interesting on the net, by all means share it with the community, but PLEASE always include the link to where you gathered the information from.
Just a gentle reminder for next time..