|
When many people think about denial-of-service attacks (DoS), they unfortunately think of only the standard SYN flood attack. This is where an attacker transmits a large number of SYN packets with the goal of overloading the target system with half-open connections. However, many new DoS attacks actually complete their three-way handshake and make a legitimate application request, such as an HTTP GET request, making it difficult to discern between good traffic and malicious traffic.
For large enterprise networks that are unable to tolerate downtime resulting from a DoS attack, I'd suggest researching anti-DoS products, such as those offered by Mazu Networks Inc., Prolexic Technologies Inc. and Cisco Systems Inc. Many of these products attempt to identify and exclude malicious traffic by creating a baseline of "normal" traffic, then comparing normal traffic patterns with traffic spikes that may be an indication of a DoS attack. They also do some interesting detection of DoS traffic by trying to find patterns in Time To Live (TTL) values, hashing payload data, and looking for other TCP/IP patterns that may be indicative of a DoS attack.
Unfortunately, no matter how effective these products are, it may be possible for an attacker to overwhelm an organization's incoming network bandwidth. This is why I strongly recommend becoming familiar with the security point of contact with your ISP. Having a good relationship with the security contact can mean the difference between getting help in the event of an incident or being forwarded on to sales to purchase additional bandwidth.
More information:
|
