Security
FEATURE
DDoS: Internet Weapons of Mass Destruction

  January 8, 2001
  By Brooke Paul



Countermeasures

You can implement a number of countermeasures to help mitigate the number and severity of DDoS attacks. Because of the nature of DDoS, your Internet infrastructure must be properly configured, and procedures must be in place to monitor for and respond to DDoS attacks. If you do nothing else after reading this, disable directed broadcasts and implement egress filtering on your border routers.

Network IDSes (intrusion-detection systems), such as Internet Security Systems' RealSecure, which won our Editor's Choice award in 1999, and virus-scanning software are only a start. Tools such as the remote intrusion detector (www.theorygroup.com/Software/RID/) and those provided by the National Infrastructure Protection Center (www.nipc.gov/warnings/alerts/1999/trinoo.htm) are available to detect some DDoS attack clients. Such tools can help you determine if your systems have been compromised. Most network intrusion-detection systems include signatures to detect the control communications among the handlers and agents of a DDoS constellation. In-depth knowledge of DDoS agents' network behavior is also helpful. Because DDoS tools change so quickly, however, the best methods are to update your IDS signatures regularly and to monitor and understand the normal traffic patterns coming into and going out of your networks, as well as patterns of activity on your network servers.

Prevention

You can do several things to lessen the probability and impact of a DDoS attack. Implementing best practices in the areas of network and systems administration is critical. These practices include properly configuring Internet edge routers, host-based security on Internet-accessible hosts, operational monitoring of systems and networks, and incident-response planning.

Specific DDoS prevention steps for the network include the following:

  • Disable IP directed broadcasts (RFC 2644). On Cisco Systems IOS, make sure no ip directed-broadcast is configured on each interface. For Bay Networks systems, run bcc, then config, then ip, and finally directed-bcast disabled. This prevents your network from being used as an amplifier in Smurf-style attacks.

  • Implement egress filtering. Only traffic that originates from your internal network address space should be allowed onto the Internet. Be sure that proper outbound filters are implemented at your Internet border (see www.sans.org/y2k/egress.htm and www.ciac.org/ciac/bulletins/g-48.shtml).

  • Implement ingress filtering (RFC 2267). All Internet providers should implement network ingress filtering, to stop any downstream networks from injecting packets with spoofed addresses into the Internet. This does not stop an attack from occurring, but it does make tracking down the source of the attack much easier. Cisco provides Unicast Reverse Path Forwarding (RPF), which makes sure that a router forwards only packets with source addresses consistent with its IP routing table. Ingress filtering methods will not help much for non-ISPs, since the network connections will be saturated by attacks even if the packets don't reach their intended destination.

  • Establish a good relationship with your Internet provider. Work with ISPs to establish a good business relationship. Also, make sure that SLAs (service-level agreements) identify the ISP's responsibilities in tracking and blocking traffic during DoS attacks. Make sure security requirements are part of your ISP's engineering and operations processes.

  • Monitor network traffic patterns closely. Be suspicious of changes in usage or types of traffic. Enable detection of unsolicited ICMP echo replies and unusually high traffic levels.

  • Use network intrusion detection. As with virus-scanning software, this method will probably not detect new variations of DDoS attacks immediately; however, most IDS vendors update their signatures frequently and have signatures available to detect trinoo, TFN and Stacheldraht traffic.
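Added example, not code from the article: a small Python model of the three filtering rules in the list above (egress filtering, uRPF-style anti-spoof ingress filtering and dropping directed broadcasts), applied to constructed packets. The prefixes and addresses are assumed sample values, not a real network.

```python
"""Border-router filter model: egress filtering, anti-spoof ingress filtering (what
Cisco uRPF enforces) and dropping IP directed broadcasts (RFC 2644). Added example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the address space this border router announces (an assumption).
INTERNAL_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving our network, "in" = arriving from the Internet


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_PREFIXES)


def is_directed_broadcast(addr: str) -> bool:
    # Subnet broadcast address of one of our prefixes: the Smurf amplifier target.
    return any(ip_address(addr) == net.broadcast_address for net in INTERNAL_PREFIXES)


def filter_decision(pkt: Packet) -> tuple:
    """Return (action, reason); 'drop' is what the router config should enforce."""
    if pkt.direction == "out" and not is_internal(pkt.src):
        # Egress filtering: only packets sourced from our own space may leave.
        return "drop", "egress: spoofed source"
    if pkt.direction == "in" and is_internal(pkt.src):
        # Ingress anti-spoof (uRPF-like): our addresses never arrive from outside.
        return "drop", "ingress: spoofed internal source"
    if pkt.direction == "in" and is_directed_broadcast(pkt.dst):
        # 'no ip directed-broadcast': never expand one packet into many replies.
        return "drop", "directed broadcast disabled"
    return "forward", "ok"


if __name__ == "__main__":
    sample = [  # constructed traffic, one case per rule
        Packet("192.0.2.10", "203.0.113.5", "out"),     # legitimate outbound
        Packet("203.0.113.5", "203.0.113.9", "out"),    # spoofed source from a local agent
        Packet("192.0.2.10", "192.0.2.20", "in"),       # our address arriving from outside
        Packet("203.0.113.5", "192.0.2.255", "in"),     # Smurf-style directed broadcast
        Packet("203.0.113.5", "198.51.100.127", "in"),  # broadcast address of the /25
    ]
    for pkt in sample:
        action, reason = filter_decision(pkt)
        print(f"{pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {action:7} {reason}")
```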

Systems, too, require a set of prevention procedures. Specifically:

  • Keep OS and application patches up to date. This is especially important when the patches fix known security vulnerabilities.

  • Examine system logs periodically. Look for evidence of intrusions and take action based upon your response plans.

  • Use cryptographic checksum tools. Periodically compare systems with your reference system, using binary integrity checking tools, such as Tripwire.

  • Implement a host security certification process. Run host- and network-based tools to detect system vulnerabilities and intrusions (see "Vulnerability Assessment Scanners"). Make this part of the deployment and ongoing maintenance of any systems you have exposed to the Internet.

If all else fails and your system becomes a victim or an agent, having a set response mechanism in place is critical. It won't lessen the likelihood of an attack, but it can help you minimize the damage.

First, report incidents via a predefined list of contacts. Be sure to include business management, ISPs and law enforcement in the notification/escalation process. Consider implementing an emergency response team with documented procedures to react to security breaches, such as a DDoS attack. If possible, shut down the compromised systems and leave them intact so no evidence that might be important to post-attack investigations is lost.

Second, consider DDoS to be part of your business continuity/disaster-recovery plan. Include DDoS as a potential scenario during risk-assessment exercises. A DDoS attack resembles many other disaster scenarios in that it interrupts business processes. If you have geographically dispersed data-center facilities, consider using them in the event of a DDoS incident.

Prevention of DDoS attacks is a community effort. We all need to improve our security practices and communicate well with our upstream providers to protect ourselves. Remember, the security of any network on the Internet depends upon the security of every other network. Your duty as an Internet citizen is to at least implement egress filtering and disable directed broadcasts.

Brooke Paul is an information technology and security consultant. Send your comments on this article to him at bpaul@nwc.com.
