Defending Against Denial of Service Attacks.

The Federal Computer Incident Response Center (FedCIRC) has released a paper addressing defensive maneuvers against Distributed Denial of Service (DDoS) attacks. The recommendations are applicable both before and during an attack, and they are effective against the four common attack tools analyzed in the paper: Trinoo, TFN, TFN2K, and stacheldraht. The paper describes five attacks that can be launched using these tools: SYN flood, UDP flood, ICMP flood, Smurf, and Fraggle attacks. It also provides recommendations for defeating these attacks.
For example, in a SYN flood attack, packets are sent to a target using spoofed (fake) IP source addresses. The target sends a packet in response; however, the spoofed source will never reply, leaving the connection half open and draining resources. Because so many of these packets are sent, legitimate users will be unable to access the site.
The paper discusses two defenses against this type of attack. The first describes a method of configuring a Cisco router to intercept these packets before they reach the client and establish a connection with the destination server. In this case, "connection attempts from unreachable hosts will never reach the server," the paper concludes, and the DDoS attack will be foiled because the router can handle more potential connections than the server can. The second defense method is similar but uses a firewall configuration to intercept packets before they reach the client.
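To make the reasoning in the two paragraphs above concrete, here is an added simulation that is not from the FedCIRC paper: a server with a fixed half-open table, and an intercepting device in front of it whose behaviour is assumed (it answers the SYN itself, keeps the half-open state in a much larger table, evicts its oldest pending entry when full, and only connects to the server once the client's ACK proves the client is reachable). The traffic (spoofed SYNs that never ACK, then legitimate full handshakes) is constructed.

```python
from collections import OrderedDict

class Server:
    """Target host: holds at most `backlog` half-open (SYN received, no ACK) connections."""
    def __init__(self, backlog):
        self.backlog, self.half_open = backlog, set()

    def syn(self, src):
        if len(self.half_open) >= self.backlog:  # table full: the new SYN is dropped
            return False
        self.half_open.add(src)
        return True

    def ack(self, src):
        if src not in self.half_open:
            return False
        self.half_open.discard(src)  # handshake complete: slot freed
        return True

class Intercept:
    """Assumed router/firewall behaviour: answer the SYN itself, hold the half-open state
    in a larger table, and open the real server connection only after the client's ACK."""
    def __init__(self, server, capacity):
        self.server, self.capacity, self.pending = server, capacity, OrderedDict()

    def syn(self, src):
        if len(self.pending) >= self.capacity:
            self.pending.popitem(last=False)  # spoofed entries never ACK, so they age out first
        self.pending[src] = True
        return True

    def ack(self, src):
        if self.pending.pop(src, None) is None:
            return False
        return self.server.syn(src) and self.server.ack(src)  # handshake on the client's behalf

def run(front, spoofed, legit):
    """Constructed traffic: `spoofed` sources SYN and never ACK, then `legit` clients handshake fully."""
    for i in range(spoofed):
        front.syn(f"spoofed-{i}")
    return sum(1 for i in range(legit)
               if front.syn(f"client-{i}") and front.ack(f"client-{i}"))

def compare(backlog=128, spoofed=5000, legit=20, capacity=100_000):
    # (legit clients connected with the server exposed, legit clients connected behind the intercept)
    return (run(Server(backlog), spoofed, legit),
            run(Intercept(Server(backlog), capacity), spoofed, legit))

if __name__ == "__main__":
    print(compare())  # (0, 20)
```

The direct case shows the backlog exhausted by half-open entries; behind the intercept every legitimate client still connects, because the server never holds state for a source that has not completed the handshake.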
While the paper is highly technical, it provides a comprehensive list of recommendations as well as an index of references that can help even nontechnical security professionals.
To read the FedCIRC paper, go to SM Online, click on "Beyond Print," and scroll down to this item in "Tech Talk."