LinuxDevCenter.com


Preventing Distributed Denial of Service Attacks


4. Consider even more tightly controlled firewalls

If you have limited requirements for Internet access, you might consider an even more tightly controlled firewall. For example, you could filter ICMP to broadcast addresses, even from local hosts, to help ensure that even if a local host is breached, your network cannot be used as an "amplifier." You might also consider deploying firewalls on each local host rather than relying only on filtering in routers and a more network firewall configuration (such as a NAT or masquerade-style configuration, or use of a perimeter network).

5. Be vigilant and observant

You can minimize the damage associated with distributed denial of service attacks by being aware of them soon after they begin. It is important to keep an eye on what is happening on your network, and the logging facilities of the Linux firewall support can help. Use the -l argument on ipfwadm and ipchains rules, and the -j LOG target for iptables commands, to cause datagrams matching the rule to be logged to the console. Beware: the host activity caused by this logging can precipitate a denial of service attack all by itself. Fortunately, the iptables limit matcher (-m limit) works with logging as well, so you can cap the rate at which matching datagrams are logged.



The kernel also provides a means of logging datagrams suspected of carrying spoofed IP addresses:


echo "1" >/proc/sys/net/ipv4/conf/all/log_martians
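
Once firewall logging and log_martians are enabled, the resulting kernel log lines still have to be read. The following is an added example, not part of the original article, that summarizes them per source and flags ICMP echo requests aimed at a broadcast address. The "DDOS-WATCH: " log prefix, the broadcast address 192.0.2.255 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not from the article). "DDOS-WATCH: "
# is an assumed --log-prefix on a rate-limited iptables LOG rule.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: DDOS-WATCH: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.255 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:00:01 gw kernel: DDOS-WATCH: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.255 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar  3 10:00:02 gw kernel: DDOS-WATCH: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=40000 DPT=80 SYN
Mar  3 10:00:03 gw kernel: IPv4: martian source 192.0.2.10 from 127.0.0.1, on dev eth0
Mar  3 10:00:04 gw sshd[811]: Accepted publickey for admin from 192.0.2.50
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs written by the LOG target
MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def summarize(log_text, prefix="DDOS-WATCH: ", broadcasts=("192.0.2.255",)):
    """Count logged datagrams per source and flag two cases from the text:
    ICMP echo requests sent to a broadcast address, and martian sources."""
    per_source = Counter()
    amplifier_probes = Counter()
    martians = []
    for line in log_text.splitlines():
        m = MARTIAN.search(line)
        if m:
            dst, src, dev = m.groups()  # the kernel prints the destination first
            martians.append((src, dst, dev))
            continue
        if prefix not in line:
            continue  # unrelated syslog traffic
        f = dict(FIELD.findall(line.split(prefix, 1)[1]))
        per_source[f.get("SRC")] += 1
        is_echo = f.get("PROTO") == "ICMP" and f.get("TYPE") == "8"
        if is_echo and f.get("DST") in broadcasts:
            amplifier_probes[f["SRC"]] += 1
    return per_source, amplifier_probes, martians


if __name__ == "__main__":
    counts, probes, martians = summarize(SAMPLE_LOG)
    print("datagrams per source:", dict(counts))
    print("echo requests to broadcast:", dict(probes))
    print("martians (claimed src, dst, dev):", martians)
```

Because the limit matcher caps how many datagrams are logged, the per-source counts are a lower bound on the traffic actually seen, not a total.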

Staying alert and aware also involves keeping up to date with bugs and exploits that have been discovered and reported by others. The Computer Emergency Response Team (CERT) provides a web site and mailing list designed to keep network and system administrators advised of newly reported security problems. You can find CERT at http://www.cert.org/.

6. Communicate with your peers and encourage them to do the same

This is the most important step. Widespread adoption of good security practices can afford reliable and effective protection against distributed denial of service attacks. Make sure you know who the network or security administrators of your network peers and upstream providers are. Talk with them, let them know what you are doing, and encourage them to do the same. When something does happen, you'll be able to quickly gain their support and assistance and work together to solve the problem.
