Preventing Denial of Service (DOS) Attacks
December 2001
One of the most prevalent attacks on computer
systems that we know of today is a denial of service (DOS) attack. While common
and potentially devastating, these attacks can be avoided, as explained by Chris
Cowger in this article.
by Chris Cowger
Total Risk Management
Imagine for a moment everything on your networks running smoothly. Your servers
are readily available, and everybody on your private network is happy. A few
minutes later you get a phone call. Someone in the human resources department
can't access their files on the server. Then another phone call: the sales department
can't get to their files either. Then ANOTHER phone call, the marketing department
can't get to the web sites they check. Then yet another phone call (the worst
one possible), the vice president can't get his e-mail, or check his stock web
sites.
What was turning out to be a good day was just shot down by one of the most
prevalent attacks we know of today, a denial of service (DOS) attack. Attacks
like these are preventable. In this article, I hope to give you a little insight
into their nature and provide suggestions for avoiding them.
The Purpose of a DOS Attack
DOS attacks happen more often than you would think. Many go unreported because
companies don't publicly reveal such information. Also, a lot of times they
go unnoticed by system administrators or the problems caused are attributed
to some other problem they're having at the time.
Beware, though, a DOS attack is usually one of the first a hacker will try
on their way into your network. A DOS attack can serve a few purposes for a
hacker.
- If the hacker wants to masquerade as a server or workstation, he needs
a way to remove that machine from the network so he can take its place.
- The attacker may just want to shut you down from the Internet completely
in an act of "hacktivism."
- A DOS attack can be used to lead you off the trail of a different attack
that is being launched at the same time.
For each of the above scenarios, a different style of DOS attack exists,
depending on the needs of the attacker.
Service Attack
The first style is an attack on a service. Hackers can attack a service running
on a machine (Web, SMTP, FTP, etc.) just as easily as attacking the machine
itself. Unlike a buffer overflow exploit, which hands control over to the attacker,
the result here is simply that the service stops.
These attacks are software-vendor specific and sometimes can be pretty tough
to pull off. Attacks of this nature rely on exploits in the service. Therefore,
the best way to prevent such an attack from being successful is staying up to
date on your service packs and patches. These are available from your software
vendors.
These types of attacks don't happen all that often in the DOS arena. Usually
this style of attack is used in hacktivism attacks. Hackers will often take down
a site that disagrees with their views or beliefs. These attacks can also be
used to throw you off the trail of another attack that is going on. Without
really good logs, you may never know about the real attack.
Distributed Denial of Service Attack
The second style is known as a DDOS attack (short for Distributed Denial
of Service). This type of attack is very different from the first one. The goal
of this type of attack is to completely lock down your gateway or server. These
attacks require more than one machine for the attacker to be successful. The
attacker gathers up as many machines and hacker buddies as possible, then sends
as much traffic into your network as possible.
The main goal of these styles of attacks is to effectively overload your
gateway and/or server with traffic. This was the style of attack used on Yahoo®
a few years ago. These attacks can be difficult to avoid because of the nature
of the attack. With so many people coming at you at once with what looks like
harmless traffic, it's difficult to ascertain that a flood of requests is about
to jolt your network.
When a DDOS attack occurs, it is tough to mount a resistance right away.
So many people from so many different subnets will be coming at you. Plus, at
the same time, there will be others who are validly trying to access your servers
or use your gateway. Distinguishing which traffic is valid and which is not
can be a daunting task.
When approaching a router or server that's under heavy DDOS fire, make sure
you do some form of packet logging. This can prove beneficial later on down
the road if you wish to involve the authorities in pressing charges against
the attackers.
Second, watch the traffic for patterns. This will help you distinguish attacker
from customer or employee. Look for certain Internet Protocol (IP) addresses
that continually attempt to access the same resource over and over and over
again in a very short amount of time. These are the attackers, and you can block
them at your firewall or router when you learn what IPs are in use.
Third, when a DOS/DDOS attack is occurring, watch the rest of your network
even more closely than before. Turn the logging on your servers up, and try
to capture traffic from every segment on your network. Remember that many times,
a DOS attack is merely a cover up for an attack of a different nature and purpose.
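The packet-logging and pattern-watching steps above can be put into a small script. The following is an added example written for this article, not code from the author; the log format (one line per request: epoch seconds, source IP, resource), the sample lines, and the five-requests-in-five-seconds threshold are constructed assumptions, and the block rules it prints use a generic, hypothetical syntax rather than any particular firewall vendor's.

```python
"""Flag source addresses that hit the same resource repeatedly within a short window.

Added example (not from the original article). The log format, the thresholds and
the sample lines below are constructed assumptions: each line is
'<epoch seconds> <source ip> <resource>', and lines are assumed to be in time order.
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.7 hammers /login six times in about three seconds,
# while 192.168.1.20 and 198.51.100.9 behave like ordinary users.
SAMPLE_LOG = """\
1000 192.168.1.20 /index.html
1000 10.0.0.7 /login
1000 10.0.0.7 /login
1001 198.51.100.9 /index.html
1001 10.0.0.7 /login
1002 10.0.0.7 /login
1002 10.0.0.7 /login
1003 10.0.0.7 /login
1030 192.168.1.20 /login
1060 192.168.1.20 /login
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, source_ip, resource)."""
    ts, ip, resource = line.split()
    return int(ts), ip, resource


def find_flooders(log_text, window_seconds=5, threshold=5):
    """Return {source_ip: resource} for every source that requested the same
    resource at least `threshold` times within any `window_seconds` span.

    One deque per (ip, resource) pair holds the timestamps still inside the
    sliding window; this is the same idea a rate-limiting firewall rule applies.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, resource = parse_line(line)
        q = windows[(ip, resource)]
        q.append(ts)
        # Discard timestamps that have aged out of the window.
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = resource
    return flagged


def block_rules(flagged):
    """Render one block rule per flagged source in a generic, hypothetical syntax."""
    return [f"deny ip from {ip} to any" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_flooders(SAMPLE_LOG)
    for ip, resource in hits.items():
        print(f"{ip} flooding {resource}")
    for rule in block_rules(hits):
        print(rule)
```

Run against a real capture you would feed it the packet log you kept during the attack, tune the window and threshold to your own traffic levels, and review the flagged list before blocking anything, since a busy proxy or NAT gateway can legitimately produce many requests from one address.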
The Importance of Firewalls and Corporate Security Policy
One thing I cannot stress enough is the need for a firewall and a corporate
security policy that's followed to the letter. The benefits of a firewall greatly
outweigh the cost. A good firewall will identify and stop most attacks of this
nature. Also, consider implementing an Intrusion Detection System (IDS). A solution
such as this will greatly increase your chances of detecting and stopping what
could become a very disastrous occurrence. Not only do these solutions increase
the security of the perimeter of your network, they give you greater control
of the traffic and its source and destination to and from your network.
Secure your routers as well. Make sure you only allow traffic from your network
to be forwarded down the line. There are certain kinds of DOS attacks that play
on this vulnerability to mask their identity. Also, if you have a machine exposed
to the Internet (such as a web server), only allow the absolute necessary protocols
from the machine to go outside onto the Internet.
Another form of DOS attack, known as a "smurf" attack, can also be used against you. A "smurf"
attack is one where an attacker uses your server to bounce traffic toward the intended
target. This makes it look like the attack is coming from you, not the actual
attacker, effectively masking his identity. These attacks are easily avoidable
by having a firewall in place and following the best practices laid down by
the vendors from whom you purchased your security equipment.
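The router rules recommended in the two sections above (forward only traffic whose source really belongs to your network, let an exposed server send out only the protocols it needs, and refuse to act as a bounce point) can be expressed as a simple decision function. The following is an added example written for this article, not the author's code or any router vendor's configuration; the address block 203.0.113.0/24, the exposed server 203.0.113.10, and the list of protocols that server may send out are constructed assumptions. It models the two directions separately and, as the standard mitigation for the "smurf" bounce, also drops packets addressed to the network's broadcast address.

```python
"""Simulate edge-router filtering: anti-spoofing in both directions, a protocol
allow-list for an exposed server, and no relaying to the broadcast address.

Added example (not from the original article or any vendor). The prefix, the
exposed-server address and the allowed protocols are constructed assumptions.
`proto` is 'tcp/<port>', 'udp/<port>' or 'icmp', naming the service a packet
is for; replies to connections a stateful firewall already tracks are outside
this simplified model.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")     # constructed: your address block
EXPOSED_SERVER = ipaddress.ip_address("203.0.113.10")      # constructed: public web server
SERVER_OUTBOUND_ALLOWED = {"udp/53", "tcp/25"}             # constructed: DNS lookups, outgoing mail


def inbound_decision(src, dst, proto):
    """Decide what to do with a packet arriving from the Internet.

    Returns (action, reason).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # A packet on the outside interface that claims an inside source is forged.
    if src_ip in INTERNAL_NET:
        return "drop", "internal source on external interface (spoofed)"
    # Refuse directed broadcasts: a packet aimed at the whole network makes every
    # host answer, which is the amplification a 'smurf' bounce relies on.
    if dst_ip == INTERNAL_NET.broadcast_address:
        return "drop", "directed broadcast"
    if dst_ip not in INTERNAL_NET:
        return "drop", "not destined for our network"
    return "forward", "ok"


def outbound_decision(src, dst, proto):
    """Decide what to do with a packet leaving your network toward the Internet.

    Returns (action, reason).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Egress anti-spoofing: only forward traffic that really comes from your block,
    # so nobody can use your link to send traffic that claims to be someone else.
    if src_ip not in INTERNAL_NET:
        return "drop", "source not in our network (spoofed)"
    # The exposed server may only originate the few protocols it needs.
    if src_ip == EXPOSED_SERVER and proto not in SERVER_OUTBOUND_ALLOWED:
        return "drop", "protocol not permitted from exposed server"
    return "forward", "ok"


if __name__ == "__main__":
    # Constructed sample packets: (direction, src, dst, proto)
    samples = [
        ("in", "198.51.100.5", "203.0.113.255", "icmp"),   # smurf-style bounce attempt
        ("in", "203.0.113.77", "203.0.113.10", "tcp/80"),  # forged internal source
        ("in", "198.51.100.5", "203.0.113.10", "tcp/80"),  # ordinary web request
        ("out", "192.0.2.44", "198.51.100.5", "icmp"),     # spoofed source leaving
        ("out", "203.0.113.10", "198.51.100.5", "tcp/6667"),  # server talking IRC
        ("out", "203.0.113.10", "198.51.100.53", "udp/53"),   # server DNS lookup
    ]
    for direction, src, dst, proto in samples:
        fn = inbound_decision if direction == "in" else outbound_decision
        print(direction, src, "->", dst, proto, fn(src, dst, proto))
```

The order of the checks matters: the spoofed-source test runs before the broadcast test so that a forged packet is reported as forged rather than merely as a broadcast, and an exposed server is judged by the protocol it originates, not by where it sends it.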
Conclusion
DOS/DDOS attacks will become more and more commonplace over the next few
years, and the burden to halt them falls on everyone. Many of the techniques
used by these attackers to mask their identity and propagate such attacks are
easily stopped through a few configuration changes to your routers and servers.
Stay as up to date on software patches as possible, and follow up with your
router vendors for firmware patches too. Staying on top of these will reduce
your risk of DOS/DDOS and other attacks as well. And reducing risk is what we're
all about.
The number one way to prevent many of these types of attacks is to not put
your networks online. Unfortunately, this is not a viable option. So, in view
of what you know now, audit your network. See if there are any vulnerabilities
or choke points on your network. There will be at least a few, I guarantee it.
No online system is hack proof. The only thing that's hack proof is a machine
that's disconnected and powered off. Fear not, though, for if you stay current
on your patches, practice good security protocols, and continually audit your
system, you'll go a long way toward being able to stop hackers in their tracks.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.