work and IT @ 13 Mar 2008 03:40 pm by ayoi
Today is the final day of my Introduction to ICT Security class (finally, after 16 tiring days). While explaining the proper detection processes, I was asked one question.
“How can we prevent a Distributed Denial of Service attack?”
As an example, let's look at one simple scenario. You've been attacked by a SYN flood where the attacker is using random hosts or spoofed source IPs. What is, or what are, your countermeasures?
Can anyone give their opinion/views/suggestions?
Looking forward to that.
AFAIK..
1. The OS has to improve the TCP/IP stack.
2. You mention spoofing because DoS is only interested in sending, not receiving.. so it's on the other side: the attacker must come from one network and he is spoofing the IP.. so the administrator has to use egress filtering, so that no unallowed IP comes out of that network..
I don’t think end users, say those who colocate a box at a datacentre, could prevent a DDoS attack without help from the ISP to mitigate the attack, as some DDoS attacks are capable of bringing down BGP routers. Question: how can you prevent this if your ISP uplink is dead?
However, for a simple SYN flood attack, I feel that the OpenBSD PF TCP flags trick really helps. For instance:
pass in on dc0 proto tcp from any to any port http flags S/SA
The rule above allows traffic with the SYN flag set while only looking at the SYN and ACK flags. A packet with a proper handshake will be allowed, while a packet with SYN and ACK, or just ACK, would not.
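As an added example (not code from the original post or from any of the commenters), the following Python evaluator implements PF's "flags check/mask" semantics and runs the S/SA rule over a few constructed packets, so you can see exactly which flag combinations the rule passes and which it drops. The packet addresses and the Packet class are constructed for the demonstration and are not part of the original post.

```python
# Added example (not from the original post or its comments): evaluates PF-style
# "flags check/mask" specifications against TCP flag bytes, to show what the rule
# "pass in ... flags S/SA" actually accepts and rejects.
from dataclasses import dataclass

# TCP header flag bits (RFC 793 plus ECE/CWR from RFC 3168), using PF's letter names.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_from_names(names: str) -> int:
    """Build a TCP flags byte from PF letter names, e.g. 'SA' -> SYN|ACK."""
    return sum(TCP_FLAGS[c] for c in names)


def names_of(flags: int) -> str:
    """Render a flags byte back into PF letter names (for readable output)."""
    return "".join(name for name, bit in TCP_FLAGS.items() if flags & bit) or "-"


def parse_pf_flags(spec: str) -> tuple[int, int]:
    """Parse a PF 'flags' argument into (check, mask) bitmasks.

    PF semantics for 'a/b': of the flags listed in b (the mask), exactly those
    listed in a (the check set) must be set; flags outside the mask are ignored.
    'any' matches every packet regardless of flags.
    """
    if spec == "any":
        return 0, 0
    check_names, mask_names = spec.split("/")
    check = flags_from_names(check_names)
    mask = flags_from_names(mask_names)
    if check & ~mask:
        raise ValueError(f"check flags {check_names!r} must be a subset of mask {mask_names!r}")
    return check, mask


def pf_flags_match(spec: str, packet_flags: int) -> bool:
    """True if a packet with this flags byte matches the PF 'flags' specification."""
    check, mask = parse_pf_flags(spec)
    return (packet_flags & mask) == check


@dataclass(frozen=True)
class Packet:
    """Minimal constructed TCP packet: only what a flags rule looks at."""
    src: str
    flags: int


def classify(spec: str, packets: list[Packet]) -> dict[str, list[str]]:
    """Split packets into those the rule would pass (and create state for) and those it drops."""
    result: dict[str, list[str]] = {"pass": [], "drop": []}
    for p in packets:
        verdict = "pass" if pf_flags_match(spec, p.flags) else "drop"
        result[verdict].append(f"{p.src} flags={names_of(p.flags)}")
    return result


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLE = [
    Packet("203.0.113.10", flags_from_names("S")),    # genuine connection attempt
    Packet("203.0.113.10", flags_from_names("SP")),   # SYN with PSH: PSH is outside the mask, still passes
    Packet("198.51.100.7", flags_from_names("SA")),   # SYN/ACK with no matching SYN (reflected or bogus)
    Packet("198.51.100.8", flags_from_names("A")),    # stray ACK with no state
    Packet("198.51.100.9", flags_from_names("FA")),   # FIN/ACK without a handshake
]

if __name__ == "__main__":
    for verdict, lines in classify("S/SA", SAMPLE).items():
        for line in lines:
            print(f"{verdict:4} {line}")
```

Only the two SYN-only packets pass (the PSH bit is ignored because it is outside the SA mask), and the SYN/ACK, ACK-only and FIN/ACK packets are dropped before any state is created, which is what keeps stray or reflected segments from consuming state-table entries. Note that a bare spoofed SYN still matches S/SA, since that is exactly the packet the rule is meant to admit; for a flood of those, PF's "synproxy state" option, which completes the handshake on the firewall before passing the connection to the server, is the mechanism aimed at that case.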