Preventing Distributed Denial of Service Attacks
03/09/2000Most of the press coverage of the recent spate of distributed denial of service (DoS) attacks against well-known web sites has focused on the hunt for the perpetrators, how they should be punished, and what effect all this will have on electronic commerce. Few reports have explained how the attacks occur, and fewer still have said anything about how we might prevent them.
Let's take a Linux-focused look at denial of service attacks and what we can do as responsible Internet citizens to assist in preventing them.
A denial of service attack is any act intended to cause a service to become unavailable or unusable. In an Internet environment, a service might be an application such as a web or mail server, or a network service like routing of datagrams.
A simple form of denial of service attack involves sending a stream of connection requests to a service in the hope of exhausting the server of memory or by reaching the server connection limit, if it has one. When either of these conditions occur, the server will either refuse further connection requests or perform so poorly that the service becomes unusable to others. More sophisticated denial of service attacks might involve exploiting bugs or design problems in specific types of servers to cause the server to become extremely busy or fail completely.
A distributed denial of service attack exploits several machines to make the attack. Distributed denial of service attacks are the most effective and insidious because they can generate more traffic from more sources. This makes it much harder to identify the attack's source, and more difficult to resolve.
Sometimes the distributed denial of service attack involves cracking the security of a number of hosts and installing a program to cause denial of service a remote host. Other times the DoS attack exploits poorly configured networks and weaknesses in the IP security model.
|
6 Ways to Prevent DoS Attacks • Disallow ICMP to broadcast and multicast addresses from outside |
A good example of the latter form of attack is the "Smurf" attack which involves sending ICMP echo request datagrams (ping packets) to the broadcast address of large networks using a faked or "spoofed" IP source address of the host to be attacked. An IP host will respond to ICMP echo requests on either the nominal address or the broadcast address of any its interfaces. When you ping the broadcast address of a network, all active hosts on that network will respond so that for any one request there are many replies. It is this amplification that makes this type of denial of service attack so powerful.
Preventing this type of attack against your own hosts is difficult. If you want to prevent distributed denial of service attacks on your hosts, the best hope you have is to prevent your own hosts and networks from being used to cause denial of service attacks on others and to encourage other network and system administrators to do the same.
So let's look at ways you can configure your Linux-based router and hosts to assist in preventing distributed denial of service attacks. Imagine that we're managing a simple installation comprising one router and three network interfaces. The first is a PPP link to the Internet, and the others are Ethernet interfaces supporting an IP network each. The interface details for our example network are:
| interface | address | netmask |
|---|---|---|
| ppp0 | 139.130.10.0 | 255.255.255.0 |
| eth0 | 172.29.16.0 | 255.255.255.0 |
| eth1 | 172.29.17.0 | 255.255.255.0 |
To keep these details handy as we work through the examples in this article, you can load them into a pop-up window here.
