What Can I Do to Prevent DDoS Attacks?
DDoS attacks are hard to prevent, and are, unfortunately, a fact of life on public networks. However, there are some simple precautions you can take.
First of all make sure you have a good relationship with your ISP and that you have an emergency contact number to reach a technical person. Time wasted calling around to find the right person to help means time wasted getting your public services back online.
Second, many operating systems & TCP/IP stack implementations provide an option to change the timeout on a TCP conversation. If you are able to reduce the amount of time before the reset of an unfinished TCP connection occurs, you will make it harder for an attacker to continually keep the servers resources occupied. Some operating systems such as Windows 2000 and routers also include specific SYN Flood attack protection options.
Third, consider whether to configure your boundary routers and firewalls to drop ICMP packets. This is both a blessing and a curse. It does reduce the effectiveness of ICMP floods by preventing any responses from inside your network (note that it cannot by definition prevent ICMP packets from actually arriving at your network boundaries), however, troubleshooting network connectivity problems becomes much more difficult without the help of the good old ping and traceroute (or tracert for Windows users) commands, which use ICMP and wont get through an ICMP block.
Finally, be a good bedizen. If client machines on your private networks have access to public systems, implement a technique known as source filtering on the firewalls and routers at the boundaries of your network. Source filtering prevents spoofed IP packets from leaving your network, as any device they pass through will check the source address against the known local network numbers. If the source IP address does not match an internal subnet, the packet is considered bogus, and discarded. Well discuss this more in section 1.4.3, on Spoofing.
66. Configure NT and Windows 2000 stack to resist network Denial of Service, http://is-it-true.org/nt/nt2000/registry/rtips3.shtml
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.