For large enterprise networks that cannot tolerate the downtime a DoS attack causes, I'd suggest researching anti-DoS products, such as those offered by Mazu Networks Inc., Prolexic Technologies Inc. and Cisco Systems Inc. Many of these products attempt to identify and exclude malicious traffic by first building a baseline of "normal" traffic, then comparing that baseline against traffic spikes that may indicate a DoS attack. They also do some interesting detection of DoS traffic by looking for patterns in Time to Live (TTL) values, hashing payload data to find packets that are all identical, and looking for other TCP/IP patterns that may indicate a DoS attack.
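To make the detection approach concrete, the following is an added example (not code from the article or from any of the vendors named above) that applies the three signals described to a constructed packet trace: a packets-per-second baseline learned from a quiet period, a spike threshold derived from that baseline, and TTL and payload-hash concentration measured over the packets inside the spike. The trace, the 60-second learning window, the 3-sigma spike threshold and the 0.9 concentration cutoff are all assumptions chosen for illustration, not settings taken from any product.

```python
import hashlib
import statistics
from collections import Counter

# Constructed sample traffic (not captured data): one tuple per packet,
# (second, src_ip, ttl, payload). Seconds 0-59 are "normal" traffic from a
# mixed host population with varied TTLs and unique payloads; seconds 60-64
# are a flood from spoofed sources with one fixed TTL and one fixed payload.
NORMAL_TTLS = [48, 55, 57, 64, 110, 118, 120, 128, 236, 250, 63, 127]


def build_sample():
    records = []
    for s in range(60):
        for i in range(8 + s % 5):                     # 8..12 packets per second
            records.append((s, f"10.0.{s % 4}.{i}", NORMAL_TTLS[i],
                            f"GET /page{s}_{i} HTTP/1.1".encode()))
    flood_payload = b"\x00" * 64                        # identical in every packet
    for s in range(60, 65):
        for i in range(200):                            # 200 packets per second
            records.append((s, f"198.51.100.{i}", 64, flood_payload))
    return records


def packets_per_second(records):
    return Counter(sec for sec, *_ in records)


def rate_baseline(records, baseline_end):
    """Mean and population stdev of packets/second over the learning window."""
    pps = packets_per_second(r for r in records if r[0] < baseline_end)
    counts = [pps.get(s, 0) for s in range(baseline_end)]
    return statistics.mean(counts), statistics.pstdev(counts)


def spike_seconds(records, baseline_end, k=3.0):
    """Seconds after the learning window whose rate exceeds mean + k*stdev."""
    mean, sd = rate_baseline(records, baseline_end)
    threshold = mean + k * sd
    pps = packets_per_second(records)
    return sorted(s for s, n in pps.items() if s >= baseline_end and n > threshold)


def ttl_concentration(records):
    """Share of packets carrying the single most common TTL value."""
    ttls = Counter(ttl for _, _, ttl, _ in records)
    return ttls.most_common(1)[0][1] / sum(ttls.values())


def payload_concentration(records):
    """Share of packets whose payload hash equals the most common hash."""
    digests = Counter(hashlib.sha256(p).digest() for *_, p in records)
    return digests.most_common(1)[0][1] / sum(digests.values())


def classify(records, baseline_end=60, k=3.0, concentration=0.9):
    """Return (suspect_seconds, ttl_share, payload_share, is_flood).

    A spike alone is only a volume anomaly; it is reported as a flood when the
    packets inside it also share one TTL or one payload (assumed 0.9 cutoff).
    """
    suspect = spike_seconds(records, baseline_end, k)
    suspect_set = set(suspect)
    in_spike = [r for r in records if r[0] in suspect_set]
    if not in_spike:
        return [], 0.0, 0.0, False
    ttl_share = ttl_concentration(in_spike)
    payload_share = payload_concentration(in_spike)
    is_flood = ttl_share >= concentration or payload_share >= concentration
    return suspect, ttl_share, payload_share, is_flood


if __name__ == "__main__":
    trace = build_sample()
    print("baseline mean/stdev:", rate_baseline(trace, 60))
    print("classification:", classify(trace))
```

In this trace the baseline averages 10 packets per second, the flood seconds 60-64 are flagged as a spike, and every packet in the spike shares one TTL and one payload hash, so the flood is reported. The concentration check matters because a volume spike on its own is also what a legitimate flash crowd looks like; conversely, TTL concentration alone will fire on traffic that genuinely comes from one network (a large NAT or a CDN), which is why such products combine several of these signals rather than acting on any one of them.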
Unfortunately, no matter how effective these products are, an attacker may still be able to overwhelm an organization's incoming network bandwidth, and no device sitting behind that saturated link can help. This is why I strongly recommend becoming familiar with the security point of contact at your ISP before you need them. Having a good relationship with that contact can mean the difference between getting help in the event of an incident and being forwarded to sales to purchase additional bandwidth.
This was first published in July 2008