Prevention DoS/DDoS Attacks

Distributed attack tools leverage bandwidth from multiple systems on diverse networks to produce potent denial-of-service attacks. To the victim, the attack appears to come from many different source addresses, whether or not the attacker employs IP source address spoofing. Responding to a distributed attack therefore requires a high degree of communication among Internet sites. Prevention is not straightforward because site security on the Internet is interdependent: the tools are typically installed on compromised systems that lie outside the administrative control of the future denial-of-service targets.


Some of the precautionary steps that can be taken to prevent DDoS attacks are the following:

  • Prevent installation of distributed attack tools on the systems.
  • Prevent origination of IP packets with spoofed source addresses.
  • Monitor the network for signatures of distributed attack tools.
  • Employ stateful inspection firewalling.

Sites using intrusion detection systems should establish signatures for what might indicate Trinoo or TFN (Tribe Flood Network) activity, based on the communications between the master and daemon portions of the tools. Trinoo is a set of computer programs that conduct a DDoS attack and is installed by using a remote buffer overflow exploit. Sites that perform proactive network scanning should include tests for installed daemons and/or masters when scanning systems on their networks.


What to Do If Involved in a Denial-of-Service Attack

Because of the potential magnitude of denial-of-service attacks generated by distributed networks of tools, the target of an attack may be unable to rely on normal Internet connectivity for communications during the attack. Security policies should therefore include emergency out-of-band communication procedures with upstream network operators or emergency response teams, for use when an attack degrades the site's connectivity.


Countermeasures for Reflected DoS

There are a number of measures a network administrator can take to mitigate reflection attacks. TCP port 179 (BGP) on routers can be blocked so that the routers cannot be used as reflectors. Routers can also be configured to filter (drop) packets destined for a particular address or group of addresses. Since reflected SYN/ACK packets must bounce off a TCP server, and almost all common service ports fall between 1 and 1023, blocking all inbound packets whose source port lies in that range would block most of the traffic innocently generated by the reflection servers. Holes in this reflection filter may have to be created to let legitimate traffic pass.

Blocking all inbound packets destined for high-numbered ephemeral ports is impractical. Legitimate clients of the protected server may be originating connections from exactly those ports, so the block would cut off their replies and stop the legitimate communication of those clients and applications.

End-user client machines cannot be protected this way, since they need to connect to remote servers all over the Internet and therefore need to receive data returning from many of the common low-numbered service ports.

Servers could be programmed to recognize a SYN source IP address that never completes its connections and shows an anomalous number of failed connections within a time period. Because that spoofed source address is the reflection target, the target can be easily determined and SYN/ACK responses to it can be temporarily turned off.
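The half-open handshake detector described above, as an added example that is not code from the original page: it keeps a sliding window of failed versus completed handshakes per source IP, flags sources that cross a failure threshold without a single completion, and withholds SYN/ACKs to them for a cooldown period. The sample events, thresholds and class names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample events (not real traffic): (time_s, source_ip, outcome)
# "failed" = SYN/ACK sent but the final ACK never arrived; "complete" = handshake finished.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "failed"), (0.4, "198.51.100.20", "complete"),
    (0.8, "203.0.113.7", "failed"), (1.2, "198.51.100.20", "failed"),
    (1.6, "203.0.113.7", "failed"), (2.0, "198.51.100.20", "failed"),
    (2.4, "203.0.113.7", "failed"), (2.8, "198.51.100.20", "complete"),
    (3.2, "203.0.113.7", "failed"),  # 5th failure, never completes: flagged here
    (3.6, "198.51.100.20", "failed"), (4.0, "198.51.100.20", "failed"),
    (4.4, "198.51.100.20", "failed"),  # 5 failures but also completions: legitimate
    (20.0, "192.0.2.9", "failed"), (35.0, "192.0.2.9", "failed"),
    (50.0, "192.0.2.9", "failed"), (65.0, "192.0.2.9", "failed"),
    (80.0, "192.0.2.9", "failed"),  # too spread out for a 10 s window: not flagged
]


class HalfOpenTracker:
    def __init__(self, window_s=10.0, threshold=5, cooldown_s=60.0):
        self.window_s, self.threshold, self.cooldown_s = window_s, threshold, cooldown_s
        self.failed = defaultdict(deque)     # src -> timestamps of failed handshakes
        self.completed = defaultdict(deque)  # src -> timestamps of completed handshakes
        self.suppressed_until = {}           # src -> time at which SYN/ACKs resume

    def _prune(self, q, now):
        while q and now - q[0] > self.window_s:
            q.popleft()

    def observe(self, now, src, outcome):
        """Record one outcome; True means SYN/ACKs to src should currently be withheld."""
        (self.completed if outcome == "complete" else self.failed)[src].append(now)
        self._prune(self.failed[src], now)
        self._prune(self.completed[src], now)
        if self.suppressed_until.get(src, -1.0) >= now:
            return True  # still inside the temporary suppression period
        # Anomaly: threshold failures and not one completed handshake inside the window.
        if len(self.failed[src]) >= self.threshold and not self.completed[src]:
            self.suppressed_until[src] = now + self.cooldown_s
            return True
        return False


def suspected_reflection_targets(events, **kwargs):
    """Return {source_ip: first_time_flagged}; the IPs are the likely reflection targets."""
    tracker = HalfOpenTracker(**kwargs)
    flagged = {}
    for ts, src, outcome in events:
        if tracker.observe(ts, src, outcome) and src not in flagged:
            flagged[src] = ts
    return flagged
```

A busy legitimate client that also completes handshakes is never flagged, and suppression lifts automatically once the cooldown expires.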

ISPs could prevent the transmission of fraudulently addressed packets (packets whose IP source address is not within the ISP's own address space) from leaving their networks. This control alone would have a major dampening effect on this type of attack.

Tools for Detecting DDoS Attacks

ipgrep

This tool searches for hosts by finding domain names that end in some arbitrary domain and/or are IP addresses that reside in arbitrary CIDR blocks. It is useful for identifying or excluding specified hosts in reports of hundreds of compromised victims.

tcpdstat

tcpdstat produces a per-protocol breakdown of traffic by bytes and packets, with average and maximum transfer rates for a given libpcap file. It is useful for obtaining a high-level view of traffic patterns.

findoffer

This produces a two-level breakdown of XDCC offer/transfer traffic and lists all files served on each host. The script was written to deal with a large series of XDCC/DDoS attacks.

Taxonomy of DDoS Countermeasures

There are many ways to mitigate the effects of DDoS attacks. Many of these solutions and ideas assist in preventing certain aspects of a DDoS attack. However, there is no one way to protect against all DDoS attacks. In addition, attackers are constantly working to circumvent common countermeasures.

DDoS countermeasures have three essential components:

  1. Preventing potential secondary victims from being victimized.
  2. Detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack.
  3. The post-attack component, which involves network forensics.
