
Defensive Technologies

Defense Against Smurf or Fraggle Attacks

If you find yourself the target of a Smurf attack, there is unfortunately not much you can do. Though it is possible to block the offending packets at your external router, the bandwidth upstream of that router will remain blocked. It takes coordination with your upstream provider to block the attacks at the source.

To prevent someone at your site from initiating a Smurf attack, configure your external router to block all outbound packets from your site whose source address does not fall within your own subnet block (egress filtering). If the spoofed packet can’t get out, it can’t do much harm.

To avoid being an intermediary, and contributing to somebody else’s Denial of Service attempt, configure your router to block all network-prefix-directed broadcast packets. That is, do not let ICMP packets addressed to your broadcast address in through your router from the outside. This allows you to retain the ability to perform a broadcast-directed ping inside your network, while eliminating an outsider’s ability to exploit this behavior.

Defense Against SYN Flood Attacks

Micro Blocks
Instead of allocating a complete connection object for every incoming SYN (which is what exhausts memory under a flood), simply allocate a micro-record. Newer implementations allocate as little as 16 bytes for the half-open SYN entry.

SYN Cookies
A newer defense against SYN floods is “SYN cookies”. In TCP, each side of a connection has its own sequence number. In response to a SYN, the attacked machine creates a special initial sequence number that is a “cookie” of the connection, then forgets everything it knows about the connection. When the next packet arrives from a legitimate client, the server can recreate the forgotten connection information from the cookie it gets back.
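As an added illustration of the scheme described above (example code, not from the article or from any operating system’s TCP stack), the following encodes a time slot, an MSS index and a keyed hash of the connection 4-tuple into the 32-bit ISN, and later recovers the MSS from the client’s ACK. The bit layout, the secret key, the MSS table and the cookie lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
from typing import Optional

# Assumed example parameters; a real stack would use a random per-boot secret.
SECRET = b"constructed-server-secret"
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the 3-bit index field
COOKIE_LIFETIME = 2                   # accept cookies from the last two time slots


def _mac(src_ip: str, dst_ip: str, src_port: int, dst_port: int, t: int) -> int:
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                client_mss: int, now_slot: int) -> int:
    """Build the ISN for the SYN/ACK: 5-bit time slot | 3-bit MSS index | 24-bit MAC.

    Nothing about the connection needs to be stored: everything the server
    later needs is either in the cookie or recomputable from the ACK packet.
    """
    t = now_slot & 0x1F
    # Largest table MSS not exceeding what the client advertised (fallback: smallest).
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    idx = fitting[-1] if fitting else 0
    return (t << 27) | (idx << 24) | _mac(src_ip, dst_ip, src_port, dst_port, t)


def check_cookie(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 ack_number: int, now_slot: int) -> Optional[int]:
    """Validate the handshake's final ACK; return the recovered MSS or None.

    None means the ACK is forged, stale, or belongs to no SYN/ACK we sent.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = (now_slot - t) & 0x1F                 # modular difference handles wrap-around
    if age > COOKIE_LIFETIME or idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac(src_ip, dst_ip, src_port, dst_port, t):
        return None
    return MSS_TABLE[idx]
```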

RST Cookies
RST cookies are an alternative to SYN cookies, but they may cause problems with Win95 machines and with machines behind firewalls. The way this works is that the server sends a deliberately incorrect SYN/ACK back to the client. A real client should then generate a RST packet telling the server that something is wrong. At this point the server knows the client is valid and will accept incoming connections from that client normally.

Stack Tweaking
TCP stacks can be tweaked in order to reduce the effect of SYN floods. The most common example is to reduce the timeout before a stack frees up the memory allocated for a connection. Another technique would be to selectively drop incoming connections.

Defense against DNS attacks

Defending the root server
The root server database is small and changes infrequently, so a resolver can download an entire copy of the root database, check for updates once a day, and stay current with occasional reloads. Deploy root servers using “anycast” addresses, which allow multiple machines in different network locations to look like a single server.

Hang Chau
Senior System/Network Administrator, Tera Technology Inc.
hcdanny@yahoo.com
(909)864-9456
28925 Clear Spring Lane, Highland, CA 92346, U.S.A.

2006 © Callaway Alliance, Inc.