10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks
-----------------------------------------------

To say the least, coping with all the causes and security vulnerabilities that can be exploited for compromising hosts and launching Denial Of Service attacks from them is very complex. In the long term, there is no simple, single method for protecting against such attacks; instead, extensive security and protection measures will have to be applied. For everyone whose systems are currently at risk, or who is generally worried, I am compiling a small list of easy and fast to implement methods to protect against those attacks.

- Mixter

Important things to do as a current or potential victim of packet flooding Denial Of Service:

1) Avoid FUD

FUD stands for fear, uncertainty, and doubt. The recent attacks have obviously been launched with provoking hysteria and overreactions in mind, judging by the victims that have been targeted. It is very important to realize that only a small number of companies and hosts have to fear becoming a victim of Denial Of Service. Those include top-profile sites like search engines, the most popular e-commerce and stock companies, IRC chat servers, as well as news magazines (for obvious purposes). If you are not amongst them, there is little reason for you to worry about becoming a direct target of DoS attacks.

2) Arrange with your Internet uplink provider(s)

It is very important that you have the assistance and cooperation of your direct backbone and uplink network providers. The bandwidth used in DDoS attacks is so large that your own network probably cannot handle it, regardless of what you try. Talk to your uplinks, and make sure that they agree to help you with implementing routing access control that limits the amount of bandwidth and the number of different source addresses that are let through to your network at once.
Ideally, your uplink should be willing to monitor, or let you access, their routers in the case of an actual attack.

3) Optimize your routing and network structure

If you don't have only a single host but a bigger network, tune your routers to minimize the impact of DoS attacks. To prevent SYN flooding attacks, set up the TCP intercept feature. Details about this can be found at http://www.cisco.com or from your router manufacturer's hotline. Block the kinds of UDP and ICMP messages that your network doesn't require to operate. In particular, permitting outgoing ICMP unreachable messages could multiply the impact of a packet flooding attack.

4) Optimize your most important publicly accessible hosts

Do the same on the hosts that can be potential targets. Deny all traffic that isn't explicitly needed for the servers you run. Additionally, multi-homing (assigning many different IPs to the same hostname) will make it a lot harder for the attacker. I suggest that you multi-home your web site across many physically different machines, while the HTML index page on those machines may contain only a forwarding entry to the pages on your actual, original web server.

5) During ongoing attacks: start countermeasures as soon as possible

It is important that you start backtracking the packets as soon as possible, and contact any further uplink providers when traces indicate that the packet storm came over their networks. Don't rely on the source addresses, as they can practically be chosen arbitrarily in DoS attacks. The overall effort of determining the origins of spoofed DoS attacks depends on your quick action, as the router entries that allow traffic backtracking will expire a short time after the flood is halted.

Important things to do as a current or potential victim of security compromise, break-in, and flood agent installation:
6) Avoid FUD

As a potential victim of a compromise, you should likewise try not to overreact; instead, take rational and effective actions fast. Note that the current Denial Of Service servers have only been proven to be written for and installed on Linux and Solaris systems. They are probably portable to *BSD systems, but since those are usually more secure, it should not be a big problem.

7) Ensure that your hosts are secure and not compromised

There are many recent vulnerability exploits, and a lot more older exploits, out there. Check exploit databases, for example at securityfocus.com or packetstorm.securify.com, to make sure that the versions of your server software are not proven to be vulnerable. Remember, intruders HAVE TO use existing vulnerabilities to be able to get into your systems and install their programs. You should be reviewing your server configuration, looking for security glitches, running recently updated software versions, and, most importantly, running the minimum of services that you really need. If you follow all of these guidelines, you can consider yourself secure and protected from compromises to a reasonable extent.

8) Audit your systems regularly

Realize that you are responsible for your own systems, and for what is happening with them. Learn enough about how your system and your server software operate, and frequently review your configuration and the security measures that you apply. Check full disclosure security sites for new vulnerabilities and weaknesses that might be discovered in the future in your operating system and server software.

9) Use cryptographic checking

On a system that you have verified has not already been broken into or compromised, you are urged to set up a system that generates cryptographic signatures of all your binary and other trusted system files, and periodically checks those files for changes against the stored signatures.
Additionally, using a system where you store the actual checksums on a different machine or removable media, to which a remote attacker cannot have access, is strongly recommended. Tools that do this, e.g. tripwire, can be found on security sites like packetstorm.securify.com and most public open source ftp archives. Commercial packages are also available, if you prefer them.

10) During ongoing attacks: shut down your systems immediately and investigate

If you detect an attack emerging from your networks or hosts, or if you are contacted because of this, you must immediately shut down your systems, or at least disconnect the affected systems from any network. If such attacks are being run from your hosts, it means that the attacker has almost full control of the machines. They should be analyzed, and then reinstalled. You are also encouraged to contact security organisations or emergency response teams. CERT (www.cert.org) or SANS (www.sans.org) are places where you can always request assistance after a compromise. Also keep in mind that providing these organisations with the data left by the attacker on your compromised machine(s) is important, because it will help them track down the origin of the attacks.
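As an added illustration of the cryptographic checking recommended in item 9 (this is not part of Mixter's text and is not tripwire itself): a small POSIX shell script that records SHA-256 hashes of a tree of trusted files into a manifest and later reports modified, missing and newly added files. It assumes GNU coreutils (sha256sum, find, sort, cut, mktemp) and that the manifest is copied to another machine or read-only media after it is built, as item 9 advises.

```shell
#!/bin/sh
# Added illustration for item 9 (not from the original text, and not tripwire):
# record SHA-256 hashes of trusted files, later report what changed.
# Assumes GNU coreutils (sha256sum, find, sort, cut, mktemp).
# Keep the manifest on another machine or read-only media: an intruder who
# replaces binaries on this host must not be able to rewrite the stored hashes.

# build_manifest DIR MANIFEST: one "hash  path" line per regular file in DIR.
build_manifest() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# verify_manifest DIR MANIFEST: compare the live tree with the stored manifest.
# Prints MODIFIED / MISSING / ADDED lines and returns 1 if anything changed.
verify_manifest() {
    dir=$1; manifest=$2; status=0
    now=$(mktemp)
    build_manifest "$dir" "$now"
    # Every recorded file must still exist with exactly the recorded hash.
    while IFS= read -r line; do
        hash=${line%%  *}; path=${line#*  }
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif ! grep -qxF -- "$hash  $path" "$now"; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    # Any file present now but absent from the manifest (e.g. a dropped agent).
    # cut -c67-: the path starts after 64 hex digits and two spaces.
    while IFS= read -r line; do
        path=${line#*  }
        if ! cut -c67- "$manifest" | grep -qxF -- "$path"; then
            echo "ADDED    $path"; status=1
        fi
    done < "$now"
    rm -f "$now"
    return $status
}

# Usage: integrity.sh build DIR MANIFEST   or   integrity.sh verify DIR MANIFEST
case $1 in
    build)  build_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Run the verify step from a clean boot medium when possible, since a compromised kernel or a replaced sha256sum binary can lie about what it hashes.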