The secret to deflecting DoS attacks lies in cleverly configuring your firewalls and intrusion detection systems. But it's important to keep in mind that there are two closely related, but still very different, types of DoS attacks. Each attack requires a different approach to redirect and deflect. One is simple – it should never be said easy – and straightforward to defend against, while the other is much more complex and harder to evade.
The simple, plain vanilla DoS attack comes from a single malicious source or server. It's meant to take down a network with either an overload of ordinary traffic – spam e-mail or just bogus data, for example – or malformed TCP packets that fool routers into thinking it is legitimate traffic. This is the textbook
The classic DoS attack can be traced by firewalls, and intrusion detection and prevention systems (IDS/IPS). Monitors and logs should be set to check for unusual spikes in traffic at odd times and incomplete TCP handshakes showing up as fragments of packets. If either of these occurs, your incident response team should be alerted immediately and should check the IP address of the source of the offending traffic. IPSes should be set to divert any and all such traffic away from the network and into a separate subnet set up solely for accepting unwanted traffic. Alternatively, you can direct malicious traffic to a honeypot, but a special subnet is usually sufficient for a simple DoS attack. All traffic sent to the subnet should be completely and carefully logged for later forensics analysis and eventual tuning of routers and firewall rules to block traffic from that IP address.
Blocking DDoS attacks
Diverting traffic from a distributed denial-of-service (DDoS) attack isn't quite so simple. DDoS attacks are particularly insidious since they originate from multiple IP addresses simultaneously. The bad traffic can originate from thousands of compromised servers scattered around the Internet in a virtual army of zombies or a botnet. In this situation, blocking individual IP addresses is like trying to bat down a swarm of flies with a single flyswatter.
Unfortunately, unlike a single DoS attack, there is no single magic key to repelling these attacks. This doesn't mean you're defenseless, but you have to be more creative in your defensive strategy.
A single honeypot alone won't do the trick. What might do the trick is a defense-in-depth strategy with IPSes at different points in your network to divert suspicious DoS traffic to several honeypots. Here, again, there is no single answer or best topology. It depends on your individual network set up.
But it's vitally important to make sure your network defenders are hardened. It's tempting, since they're only meant to capture junk traffic, to be sloppy in configuring your honeypots. A sophisticated attacker can easily compromise any defensive hardware, including an IPS, and enlist it into its botnet army, turning it against your own network or into a jumping off point for an attack on somebody else's system. Egress filtering should be set up on your routers to prevent this.
Here are some of the old standbys that are still valid for blocking DoS attacks:
- Allow sufficient bandwidth to handle unexpected surges in traffic, a sign of possible malicious activity.
- Patch all servers and routers against vulnerabilities in the TCP stack and against attacks using fragmented packets.
- Set up routers and servers with the minimum amount of services required. Turn off anything unnecessary or easily exploited by a hacker. For example, turn off SMTP on Web servers not used for e-mail.
- Tune firewalls and routers to block IP addresses from malicious sources that consistently show up in logs.
- Strong perimeter security, in general, with hardened servers and aggressive firewall rules can divert many DoS attacks before they even reach the guts of your network.
About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of the recently released book The Little Black Book of Computer Security available from Amazon. SearchSecurity.com users can submit questions to Joel via our Ask the Expert feature and download a chapter from his book.
This was first published in October 2005