Preventing DoS Attacks


Prevention really is the key to protection against DoS attacks. If you can minimize your attack surface, you significantly reduce your chance of being affected by DoS. However, you cannot prevent all attacks. All you can realistically do is harden your security and hope for the best. A basic list of tasks that network administrators should perform as a matter of course to mitigate vulnerability to attack is as follows:

  • Apply service packs and host fixes.

  • Run only necessary services.

  • Install firewalls.

  • Install IDS systems.

  • Install antivirus software.

  • Disable ICMP across routers and firewalls.

By installing service packs, you can minimize your chances of being affected by some application or protocol attack. A case in point is Microsoft, which puts out service packs and hot fixes on a continuous basis to address security "holes" in its software.

Hardening

Hardening of network devices and applications can lessen your chances of being a victim. You can break down this task into two main sections:

  • Network hardening

  • Application hardening

Network Hardening

Network devices such as firewalls can greatly assist in preventing unwanted packets from the outside world from entering your network and should, without a doubt, be installed. By default, firewalls come preconfigured with security in mind, but you can gain further protection by staying up to date with current and ever-changing hardening techniques.

Although routers typically do a fine job of passing data around your network (which, of course, is their purpose), they can unwittingly be assistants for DoS and especially DDoS-type attacks if you do not harden them properly. As a start, you should lock down your routers by applying access control lists (ACLs) to the external interface to help prevent IP spoofing. You can accomplish this using ACLs that prevent private IP addresses or loopback addresses from passing in and out of your router's interface on the Internet or ISP side. Example 15-2 demonstrates just such an access list.

Example 15-2. Preventing IP Spoofing with ACLs
  access-list 100 deny ip 0.0.0.0         0.255.255.255   any
  access-list 100 deny ip 10.0.0.0        0.255.255.255   any
  access-list 100 deny ip 127.0.0.0       0.255.255.255   any
  access-list 100 deny ip 169.254.0.0     0.0.255.255     any
  access-list 100 deny ip 172.16.0.0      0.15.255.255    any
  access-list 100 deny ip 192.0.2.0       0.0.0.255       any
  access-list 100 deny ip 192.168.0.0     0.0.255.255     any
  access-list 100 deny ip 224.0.0.0       15.255.255.255  any
  access-list 100 deny ip 240.0.0.0       7.255.255.255   any
  access-list 100 deny ip 248.0.0.0       7.255.255.255   any
  access-list 100 deny ip 255.255.255.255 0.0.0.0         any
  access-list 100 permit ip any any
  ! Apply inbound on the outside (Internet/ISP-facing) interface, so packets
  ! entering your network with private, loopback, or other bogus sources are dropped
  interface serial 0/0
   ip access-group 100 in

You should also configure your router to block LAND attacks. LAND attacks occur when a ping is sent out that has the same spoofed source and destination address. This type of attack is commonly performed against gateway devices such as routers, so take cautionary measures to ensure that your router is not susceptible to this kind of attack. If the IP address of your router's Ethernet interface is 10.0.0.1, your ACL would look like Example 15-3.

Example 15-3. Using an Access List to Block LAND Attacks
  ! Drop any inbound packet that claims the router's own address as its source
  access-list 101 deny ip host 10.0.0.1 any
  access-list 101 permit ip any any
  ! Apply on your Ethernet interface
  interface fastethernet 0/0
   ip access-group 101 in
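Examples 15-2 and 15-3 depend on two IOS rules that are easy to get wrong by hand: entries are evaluated top to bottom with the first match winning (and an implicit deny at the end), and wildcard masks are inverted relative to subnet masks (a 0 bit must match, a 1 bit is ignored). The following Python is an added example, not code from the book or from Cisco; it re-implements that matching so you can check which source addresses the ingress filter would drop before you apply it. The parser, the `evaluate` function, and the embedded copies of the two ACLs are assumptions of this example.

```python
import ipaddress

# Constructed copy of the Example 15-2 ingress ACL; interface commands
# and '!' comments would simply be ignored by the parser below.
INGRESS_ACL = """
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 7.255.255.255 any
access-list 100 deny ip 248.0.0.0 7.255.255.255 any
access-list 100 deny ip 255.255.255.255 0.0.0.0 any
access-list 100 permit ip any any
"""
# Example 15-3: refuse packets arriving with the router's own address as source.
LAND_ACL = "access-list 101 deny ip host 10.0.0.1 any\naccess-list 101 permit ip any any"

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr_spec(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at token i."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_acl(text):
    """Ordered (action, proto, src, src_wc, dst, dst_wc) entries; non-ACL lines skipped."""
    entries = []
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 6 and t[0] == "access-list":
            src, src_wc, i = _addr_spec(t, 4)
            dst, dst_wc, _ = _addr_spec(t, i)
            entries.append((t[2], t[3], src, src_wc, dst, dst_wc))
    return entries

def evaluate(entries, proto, src, dst):
    """First match wins; every IOS ACL ends with an implicit 'deny'."""
    for action, p, s, s_wc, d, d_wc in entries:
        if p in ("ip", proto) and wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"
```

Feeding the evaluator a few constructed packets shows, for instance, that 172.31.x.x is caught by the 172.16.0.0 0.15.255.255 entry while 172.32.0.1 passes, which is exactly the /12 boundary the wildcard encodes.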

Note

For more detail, see http://www.sans.org/dosstep/cisco_spoof.php and "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www.rfc-editor.org/rfc/rfc2267.txt.


Note

Cisco IOS Software Release 11.2 and later handle LAND attacks internally, so make sure you always use the latest software. See Cisco.com for more details at http://www.cisco.com/warp/public/770/land-pub.shtml.


Next, you should disable directed broadcasts from passing across your routers. This helps prevent attacks such as Smurfs and Fraggles from passing into your network. In Cisco IOS Software Release 12.0 and later, this is disabled by default; however, it is always a good idea to check your existing system. The command you use to lock down an individual interface on a Cisco router is this:

  no ip directed-broadcast

If you do require ICMP on your network but still want to prevent ICMP-based DoS attacks, you should consider shaping (rate-limiting) your ICMP traffic so that it cannot saturate your network. For example, suppose that you want to cap ICMP traffic at 128 kbps (the 128000 bps configured as the cir in the example). You can accomplish this using the Cisco modular quality of service command-line interface (MQC), as demonstrated in Example 15-4.

Example 15-4. Shaping ICMP Traffic to Prevent ICMP-Based DoS Attacks
  ! Classify all ICMP
  ip access-list extended ICMP-ACL
   permit icmp any any
  class-map match-all ICMP-CLASS
   match access-group name ICMP-ACL
  ! Police ICMP to 128 kbps with a 1000-byte committed burst; excess is dropped
  policy-map ICMP-RATE-LIMIT
   class ICMP-CLASS
    police cir 128000 bc 1000 be 1000
     conform-action transmit
     exceed-action drop
  ! Define the ACL, class map, and policy map before referencing the policy on the interface
  interface fastethernet 0/0
   service-policy input ICMP-RATE-LIMIT

For more detail, see http://www.sans.org/dosstep/cisco_bcast.php.
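To see what `police cir 128000 bc 1000` in Example 15-4 does to a ping flood as opposed to ordinary pings, here is an added Python model of the single-rate token-bucket policer; it is not code from the book or from Cisco IOS. The `Policer` class, the constructed traffic samples, and the simplification that the `be` bucket is left out (because only conform and exceed actions are configured, anything beyond `bc` is dropped either way) are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Policer:
    """Single-rate token bucket behind 'police cir <bps> bc <bytes>'. With only
    conform/exceed actions configured, anything beyond bc is dropped whether or
    not it fits in be, so the excess bucket is not modelled here."""
    cir_bps: int                    # committed information rate, bits/s
    bc_bytes: int                   # committed burst: bucket depth, bytes
    tokens: float = field(init=False)
    last_ts: float = 0.0            # time of the previous packet, seconds

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)  # the bucket starts full

    def offer(self, ts, size):
        """Return 'transmit' (conform-action) or 'drop' (exceed-action). Packets
        must be offered in non-decreasing timestamp order."""
        # refill in proportion to elapsed time, never beyond bc
        self.tokens = min(self.bc_bytes,
                          self.tokens + (ts - self.last_ts) * self.cir_bps / 8)
        self.last_ts = ts
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"

def police_icmp(packets, cir_bps=128000, bc_bytes=1000):
    """Run the Example 15-4 rates over (timestamp_s, size_bytes) ICMP packets
    and return (transmitted, dropped) counts."""
    p = Policer(cir_bps, bc_bytes)
    verdicts = [p.offer(ts, size) for ts, size in packets]
    return verdicts.count("transmit"), verdicts.count("drop")

# Constructed ping flood: 20 x 100-byte echo requests at t=0 s, repeated at t=1 s.
FLOOD = [(0.0, 100)] * 20 + [(1.0, 100)] * 20
# Constructed normal traffic: one 100-byte echo request every 10 ms (80 kbps).
STEADY = [(i / 100, 100) for i in range(100)]

if __name__ == "__main__":
    print("flood  (transmitted, dropped):", police_icmp(FLOOD))
    print("steady (transmitted, dropped):", police_icmp(STEADY))
```

With these settings each burst gets exactly bc worth of bytes (ten 100-byte pings) and the rest is dropped, while the steady 80 kbps stream never exceeds the cir and passes untouched.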

You can also choose to deny ICMP from traveling across your network. ICMP tools such as ping and traceroute are good network testing tools, but does every IP host need them? By turning off ICMP, you can prevent a lot of network scanning and even DoS-type attacks. Example 15-5 demonstrates how to prevent ICMP protocols from passing through a router.

Example 15-5. Preventing ICMP Protocols from Traversing a Router
  access-list 100 deny icmp any any
  access-list 100 permit ip any any
  ! applied on all interfaces
  interface fastethernet 0/0
   ip access-group 100 in
  interface serial 0/0
   ip access-group 100 in

Not all DoS attacks use ICMP, however. SYN attacks, for example, use TCP. The command sequence in Example 15-6 prevents TCP SYN attacks on the 10.0.0.0/8 network.

Example 15-6. Preventing TCP SYN Attacks on a Given Network
  ! Intercept mode: the router answers the client's SYN itself and opens the
  ! connection to the server only after the client completes the handshake
  ip tcp intercept mode intercept
  ! Protect only connections that match access list 100
  ip tcp intercept list 100
  access-list 100 permit ip any 10.0.0.0 0.255.255.255

Application Hardening

Application hardening covers more than just programs; it also includes operating systems. As a standard, it is recommended that you apply service packs and hot fixes to your systems. Even Cisco IOS is vulnerable to DoS attacks. Cisco, like Microsoft and others, has to continuously update its software when new exploits arise. Microsoft, Apple, and others have implemented automatic update servers and clients within their own products to automate this process to a degree. When a new patch or service pack becomes available, the client can automatically update itself. This helps vendors to secure their software even when users and customers are too busy to monitor all the update bulletins.

Other considerations to help prevent DoS are to run as few programs and applications as possible, because this narrows what can actually be attacked. Next, employ or enable a local host-based firewall on the clients wherever you can.

Note

To harden Windows manually, look at "How to Harden the TCP/IP Stack Against Denial of Service Attacks in Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315669.


Intrusion Detection Systems

As shown in the previous section, an IDS device can significantly increase the likelihood of detecting DoS and even DDoS attacks on your network and inherently help to prevent them from succeeding. As an example, if you are alerted that DoS attacks are being sent into the network across a router, your IDS did its job in detection, and it is up to you to harden the router or firewall. When an IDS is configured in an active mode, you can instruct it to help stop an attack by sending blocking or shun commands to routers or firewalls. The Cisco 4200 series sensors are fully capable of integrating with several Cisco products and accomplish this exact task, making it a great addition to your prevention plans.

Anomaly-based IDSs can actually be good prevention systems. Although they are expensive and time consuming initially, they can save you the embarrassment and potential loss of business that a DDoS attack would cause. They typically work based on the concept of a detector product paired with a guard, such as the Cisco Traffic Anomaly Detector XT appliance and the Cisco Guard XT. When an attack is detected, traffic is forwarded to the Cisco Guard XT for further inspection of the packets. If the packets are clean and are not dropped, they continue to the server. For more information, see http://www.cisco.com/en/US/products/ps5888/products_data_sheet0900aecd800fa55e.html.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005