Detecting DoS Attacks


The detection of DoS attacks is often straightforward, but at other times, these attacks are difficult to identify initially. The telltale symptoms are these:

  • High network activity

  • High CPU activity

  • No responses from computer

  • Computers crashing at random times

As you saw earlier, DoS attacks are essentially trying to tie up services in an effort to prevent legitimate user access to whatever the desired resources are. To detect these attacks, you can employ a range of devices, such as these:

  • Firewalls

  • Host-based IDS

  • Signature-based network IDS

  • Network anomaly detectors

Appliance Firewalls

Appliance firewalls are typically configured to provide basic signature IDS features that can assist in defending against simple DoS or DDoS attacks. The Cisco PIX Firewall helps to defend against TCP SYN flood attacks with a feature called Flood Defender. Flood Defender works by limiting the number of unanswered SYN (embryonic) connections to a specific server. When the limit is reached, all further connections are blindly dropped to try to protect the internal servers from a TCP SYN attack. The PIX supports this feature through an optional parameter called em_limit located within the nat and static commands. The following example displays the PIX syntax and the location of the embryonic limit:

  nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]
  static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]

Other than the em_limit parameter, the basic PIX Firewall can protect your network only from unrequested packets, although this is useful if all incoming ports are shut off.

Host-Based IDS

Host-based IDS and host-based firewalls can aid in detecting DoS attempts by monitoring and blocking unrequested packets. However, implementation of hundreds of host-based IDS devices, although desirable, can be impractical. The amount of time it takes to install, configure, and constantly monitor these devices can be beyond the capabilities of a small IT shop. At a minimum, it is recommended that any servers located within the DMZ be configured with some form of software-based firewall to assist in preventing DoS attempts or other attacks made on a server.

Signature-Based Network IDS

By using signature-based network IDS devices, traffic on the network can be analyzed and reviewed for possible DoS-type attacks. These are common tools that monitor for known DoS attacks and can be particularly effective in raising an alarm when such an attack takes place. The Cisco IDS 4200 series sensor contains several types of DoS signatures out of the box. For example, if you use the tool Hgod to send a TCP SYN attack to a host while monitoring the network with the IDS, you can see that the sensor starts to trigger alarm signature 3050. (See Figure 15-10.)

Figure 15-10. TCP SYN Attack Detected


As a further example, using a packet builder, you can send ICMP Smurf packets to a directed network broadcast destination. The IDS picks up two signatures, ICMP Flood and ICMP Smurf Attack, as shown in Figure 15-11.

Figure 15-11. ICMP Flood and Smurf Attacks


Next, you can use a packet builder to manually create a packet containing the same source and destination IP and port numbers, thus creating a LAND attack. The IDS picks up this packet right away with signature number 1102 labeled "Impossible IP Packet." In the description of the signature, it mentions that this packet is impossible to create and is known as a LAND attack. Figure 15-12 displays the IDS Event Viewer alarm triggered.

Figure 15-12. LAND Attack
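The three signature checks walked through above (a TCP SYN flood measured against an embryonic-connection limit, an ICMP Smurf echo request to a directed broadcast, and the LAND "impossible" packet) as an added Python example; this is not code from the book or from the Cisco IDS. The Pkt summary class, the sample traffic and the threshold of 100 half-open connections are constructed here for illustration, with em_limit mirroring the PIX parameter described earlier.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Pkt:                # constructed packet summary: the fields the checks inspect
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S" = SYN, "A" = ACK
    icmp_type: int = -1   # 8 = echo request

def is_land(p):
    # LAND / "Impossible IP Packet": source and destination address and port identical
    return p.proto in ("tcp", "udp") and p.src == p.dst and p.sport == p.dport

def is_smurf(p, local_nets):
    # Smurf: ICMP echo request aimed at the directed broadcast of a protected network
    if p.proto != "icmp" or p.icmp_type != 8:
        return False
    return any(IPv4Address(p.dst) == net.broadcast_address for net in local_nets)

def embryonic_alerts(pkts, em_limit):
    # PIX-style embryonic limit: a SYN the client never completes with an ACK stays half-open
    half_open = defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        conn = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            half_open[p.dst].add(conn)
        elif p.flags == "A":
            half_open[p.dst].discard(conn)
    return {srv: len(c) for srv, c in half_open.items() if len(c) > em_limit}

def signature_alerts(pkts, local_nets, em_limit=100):
    return ([("LAND", p.src) for p in pkts if is_land(p)]
            + [("SMURF", p.dst) for p in pkts if is_smurf(p, local_nets)]
            + [("SYN_FLOOD", srv) for srv in embryonic_alerts(pkts, em_limit)])

# Constructed sample (not a capture): 120 un-ACKed SYNs, one completed handshake, one LAND, one Smurf
LOCAL_NETS = [IPv4Network("192.168.1.0/24")]
SAMPLE = [Pkt("tcp", f"203.0.113.{i + 1}", "192.168.1.10", 40000 + i, 80, "S") for i in range(120)]
SAMPLE += [Pkt("tcp", "198.51.100.7", "192.168.1.10", 5555, 80, "S"),
           Pkt("tcp", "198.51.100.7", "192.168.1.10", 5555, 80, "A"),
           Pkt("tcp", "192.168.1.10", "192.168.1.10", 80, 80, "S"),
           Pkt("icmp", "198.51.100.9", "192.168.1.255", icmp_type=8)]
```

Running `signature_alerts(SAMPLE, LOCAL_NETS)` yields one LAND alarm, one SMURF alarm and one SYN_FLOOD alarm for 192.168.1.10, whose 121 half-open connections exceed the limit, while the completed handshake from 198.51.100.7 is not counted.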


The next example shows the detection of some famous DDoS tools on the network: Stacheldraht, Tribe Flood Network, and Trinoo. These DDoS tools tend to be the ones responsible for taking down several large websites. Figure 15-13 displays the IDS sensor detecting communication between a handler and a DDoS client.

Figure 15-13. DDoS Tools Detected


Using a tool called DDoSPing from Foundstone, you can scan a network for DDoS client software (zombies) listening on the common ports waiting to be instructed to attack. Figure 15-14 displays a picture of the DDoS software detection tool as it scans a network attempting to detect DDoS tools that are installed on hosts.

Figure 15-14. DDoSPing Scanning for DDoS Clients


Network Anomaly Detectors

Although signature-based network IDS systems can be used against common DoS attacks, they tend to be ineffective against new zero-day attacks. This is where network anomaly detectors come in. Network anomaly detectors are designed to watch for uncommon network traffic when compared to a baseline. If traffic is found to be out of tolerance, an alarm is raised and possible corrective action against the traffic is triggered. One such detector is the Cisco Traffic Anomaly Detector XT appliance, which is designed to monitor network traffic patterns for symptoms of DDoS attacks. For example, if a high rate of UDP requests is coming from a single host, this might trigger an alarm. Although this in itself is useful, the appliance can also be coupled with a second appliance called the Cisco Guard XT to help thwart the DDoS attack. After an attack is detected, all traffic is redirected to the Guard appliance. The Cisco Guard XT attempts to filter out all DDoS traffic while allowing standard traffic to pass to the original server requested. Network anomaly detectors are costly and complicated to install; however, without such devices, detecting unknown DDoS attacks would be considerably more difficult.
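A baseline-and-tolerance check of the kind just described, using the UDP-rate-per-host case from the text, as an added Python example; it is not code from the book or from the Cisco appliance. The flow records, the 60-second window and the "more than three standard deviations above the baseline mean" rule are this example's own assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

def per_host_rates(records, window):
    # UDP packets per second per source host over a window of `window` seconds
    counts = Counter(src for src, proto in records if proto == "udp")
    return {src: n / window for src, n in counts.items()}

def build_baseline(records, window):
    # Baseline = mean and standard deviation of per-host UDP rates during normal traffic
    rates = list(per_host_rates(records, window).values())
    return {"mean": mean(rates), "stdev": pstdev(rates)}

def anomalies(records, window, baseline, tolerance=3.0, floor=0.5):
    # Hosts whose UDP rate sits more than `tolerance` standard deviations above the
    # baseline mean; `floor` stops a nearly flat baseline from flagging tiny bursts.
    threshold = baseline["mean"] + tolerance * max(baseline["stdev"], floor)
    rates = per_host_rates(records, window)
    return sorted((src, rate) for src, rate in rates.items() if rate > threshold)

def synth(counts, proto="udp"):
    # Constructed traffic (not a capture): `counts` packets per source in one window
    return [(src, proto) for src, n in counts.items() for _ in range(n)]

WINDOW = 60  # seconds
BASELINE = synth({"10.0.0.1": 120, "10.0.0.2": 300, "10.0.0.3": 480,
                  "10.0.0.4": 300, "10.0.0.5": 300})
OBSERVED = synth({"10.0.0.1": 150, "10.0.0.2": 300, "10.0.0.3": 540, "10.0.0.4": 280,
                  "10.0.0.5": 300, "10.0.0.7": 6000}) + synth({"10.0.0.8": 9000}, "tcp")

if __name__ == "__main__":
    base = build_baseline(BASELINE, WINDOW)
    for host, rate in anomalies(OBSERVED, WINDOW, base):
        print(f"ALARM: {host} sending {rate:.0f} UDP pkt/s (baseline mean {base['mean']:.1f})")
```

With these inputs only 10.0.0.7 at 100 UDP packets per second is flagged; the busy TCP talker 10.0.0.8 is ignored because the check is scoped to UDP, and a smaller burst from 10.0.0.3 only trips the alarm if the tolerance is lowered.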



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209