How to stop a DoS attack against a key server
I run a certain key server, and a former user in our organization is now conducting a denial-of-service against this particular asset. I managed to find out the source IP address. How can I effectively mitigate the denial-of-service( DoS) attack? Can I also report the incident to law enforcement?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

In this particular case, since it is a limited denial-of-service (DoS) attack (i.e., single source), the quickest way to mitigation would be to enforce a shun or a drop on your edge appliance. This could take the form of an access control list (ACL) on your edge router or firewall, which is a relatively simple configuration change.

If you see persistent DoS attacks from multiple IP addresses, a more systemic solution might be required. A number of ISPs provide distributed denial-of-service (DDoS) mitigation in the cloud (Cisco Systems Inc. Guards or Arbor Networks TMS) as a service to their customers. These services can filter DDoS traffic quite a few hops beyond the enterprise network's border router, thereby protecting the network. Another option for how to stop a DoS attack might be to purchase a traffic anomaly detection appliance and deploy it in front of your border routers. In this case, mitigation will still work, but, as the appliance is much closer to the network, it could potentially be less effective. The reason for this is that bandwidth saturation, due to the DDoS attack, has propagated to the last hop where available bandwidth is limited. Addressing this at the ISP's cleaning centers avoids this limitation.

As to contacting law enforcement, organizations in the U.S. interested in an investigation of a DoS attack can contact their local FBI field office for guidance and information.

This was first published in July 2010

Back to top