
Understanding, Planning For, and Responding To Denial of Service Attacks



  1. Understanding, Planning For, and Responding To Denial of Service Attacks • Barrett Lyon blyon@netpr.com • Robert Brown rjb@netpr.com • SANS 2001

  2. Types of attacks • Flood-based • Crash-based • Difficult problem • Network Engineering • Information Security • Psychology

  3. Denial of Service Attacks – The Game • Vulnerability management (or lack thereof) • Psychology aspect – what is the attacker trying to accomplish? • Legal liability and negligence issues

  4. Denial of Service Attacks – The Game • Attacker compromises multiple hosts and configures DDoS clients on them • Attacker uses those hosts to flood the Internet pipe of your organization • Most commonly ICMP, UDP, and TCP SYN floods • A new paper measuring attacks (the 2001 backscatter study by Moore, Voelker and Savage) shows roughly 4,000 DoS attacks per week

  5. Overview of TheShell.com • ISP specializing in Unix shell accounts • Most users utilize the IRC chat network • IRC is a magnet for attack • At least one attack per day and 19 serious attacks in a 1 year period

  6. Planning for the Attack – Training Camp • Developing an incident response plan is key • All players must be identified, brought on board, and taught their assignments • Network Engineering • Information Security • Internet Service Provider

  7. Planning for the Attack – Training Camp • Create a form with complete contact information, network information, and responsibilities • Ensure ISP engineering contacts are established – this is extremely important!

  8. Planning for the Attack – Training Camp • Have a packet sniffer ready to go • Ensure that a SPAN port is available on your Internet-facing switch • Map existing traffic patterns, so that a deviation from normal can be recognized once an attack starts • Implement bandwidth-limiting filters at your ISP • Implement ISP-side filters for other traffic you don’t want/need

  9. Playing the Game • Identify that you are under attack • MRTG, syslog, flow logs, intrusion detection, firewall logs, sniffers • Identify deviation from normal traffic • Determine the intent of the attacker • Immediately look for ICMP echo requests (pings) and traceroute probes – the attacker usually will try to determine whether the attack is working
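Slides 8 and 9 boil down to one procedure: record what normal traffic looks like, then flag the interval in which a flood class (SYN, UDP or ICMP) leaves that baseline, and look for the attacker's own pings and traceroutes against the victim. The script below is an added example and is not code from the slides; the flow-log format, the RFC 5737 documentation addresses, the bucket size and the thresholds (three standard deviations and at least twice the mean) are assumptions made for the example.

```python
"""Baseline-and-deviation flood detection over flow records (added example,
not code from the slides; log format, RFC 5737 addresses and thresholds are
assumptions made for the example)."""
import statistics
from collections import Counter, defaultdict

INTERVAL = 60                            # seconds per bucket, one MRTG-style sample
TRACEROUTE_PORTS = range(33434, 33535)   # UDP ports probed by classic Unix traceroute
ICMP_ECHO_REQUEST = 8                    # ICMP type of a ping request
FLOOD_CLASSES = ("syn", "udp", "icmp")   # the flood types the slides name


def sample_flows():
    """Constructed log, columns: ts proto src dst dport flags pkts (for icmp the
    dport column holds the ICMP type). Five quiet minutes, then in minute six a
    SYN flood from 50 spoofed sources plus ping and traceroute probes from the
    attacker's real host 198.51.100.200."""
    quiet = """
    5    tcp   198.51.100.7   203.0.113.5  80    S   3
    5    tcp   198.51.100.7   203.0.113.5  80    SA  40
    12   udp   198.51.100.9   203.0.113.2  53    -   8
    20   icmp  198.51.100.9   203.0.113.5  8     -   2
    65   tcp   198.51.100.8   203.0.113.5  22    S   2
    75   udp   198.51.100.9   203.0.113.2  53    -   10
    80   icmp  198.51.100.7   203.0.113.5  8     -   1
    125  tcp   198.51.100.7   203.0.113.5  80    S   4
    130  udp   198.51.100.9   203.0.113.2  53    -   9
    131  icmp  198.51.100.9   203.0.113.5  8     -   2
    185  tcp   198.51.100.10  203.0.113.5  6667  S   3
    190  tcp   198.51.100.10  203.0.113.5  6667  A   80
    195  udp   198.51.100.9   203.0.113.2  53    -   11
    245  tcp   198.51.100.7   203.0.113.5  80    S   2
    250  udp   198.51.100.9   203.0.113.2  53    -   8
    255  icmp  198.51.100.7   203.0.113.5  8     -   1
    302  tcp   198.51.100.7   203.0.113.5  80    S   3
    310  udp   198.51.100.9   203.0.113.2  53    -   9
    """
    flood = [f"300 tcp 192.0.2.{i} 203.0.113.5 80 S 120" for i in range(1, 51)]
    probes = ["305 icmp 198.51.100.200 203.0.113.5 8 - 3",
              "312 udp 198.51.100.200 203.0.113.5 33434 - 3"]
    return quiet + "\n".join(flood + probes)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, proto, src, dst, dport, flags, pkts = line.split()
        flows.append({"ts": int(ts), "proto": proto, "src": src, "dst": dst,
                      "dport": int(dport), "flags": flags, "pkts": int(pkts)})
    return flows


def classify(flow):
    """SYN-only TCP is the flood class; established TCP is kept out of the count."""
    if flow["proto"] == "tcp":
        return "syn" if "S" in flow["flags"] and "A" not in flow["flags"] else "tcp-other"
    return flow["proto"]


def bucket_counts(flows):
    """Packets per interval per class: {interval: Counter}."""
    buckets = defaultdict(Counter)
    for f in flows:
        buckets[f["ts"] // INTERVAL][classify(f)] += f["pkts"]
    return buckets


def baseline(buckets, training):
    """Mean and population stdev per flood class over the known-good intervals."""
    series = {cls: [buckets.get(i, Counter()).get(cls, 0) for i in training]
              for cls in FLOOD_CLASSES}
    return {cls: (statistics.mean(v), statistics.pstdev(v)) for cls, v in series.items()}


def detect(flows, training, k=3.0, min_factor=2.0):
    """Flag later intervals whose per-class packet count exceeds the baseline by
    k standard deviations and by at least min_factor times the mean."""
    buckets = bucket_counts(flows)
    base = baseline(buckets, training)
    alerts = []
    for interval in sorted(buckets):
        if interval in training:
            continue
        for cls, (mean, sd) in base.items():
            count = buckets[interval].get(cls, 0)
            threshold = max(mean + k * sd, mean * min_factor, 1.0)
            if count > threshold:
                alerts.append(describe(flows, interval, cls, count, threshold))
    return alerts


def describe(flows, interval, cls, count, threshold):
    """Summarise the flood and pick out hosts that ping or traceroute the victim
    during it, since the attacker usually checks whether the attack is working."""
    window = [f for f in flows if f["ts"] // INTERVAL == interval]
    flood = [f for f in window if classify(f) == cls]
    victims = Counter()
    for f in flood:
        victims[f["dst"]] += f["pkts"]
    victim = victims.most_common(1)[0][0]
    flood_srcs = {f["src"] for f in flood}
    probe_kinds = {"icmp", "udp"} - {cls}   # a flood's own packets are not probes

    def is_probe(f):
        if f["dst"] != victim or f["src"] in flood_srcs or f["proto"] not in probe_kinds:
            return False
        return ((f["proto"] == "icmp" and f["dport"] == ICMP_ECHO_REQUEST)
                or (f["proto"] == "udp" and f["dport"] in TRACEROUTE_PORTS))

    return {"interval": interval, "class": cls, "pkts": count,
            "threshold": round(threshold, 1), "victim": victim,
            "distinct_sources": len(flood_srcs),
            "probing_hosts": sorted({f["src"] for f in window if is_probe(f)})}


if __name__ == "__main__":
    for alert in detect(parse_flows(sample_flows()), training=range(5)):
        print(alert)
```

On the constructed log this reports one alert: minute six, class syn, 6003 packets against a threshold of 5.6, aimed at 203.0.113.5 from 51 distinct sources, with 198.51.100.200 as the only host pinging and tracerouting the victim while the flood runs. The source count is what separates a distributed or spoofed flood from a single misbehaving client, and the probing host is the lead worth passing to the ISP; both come out of the same flow data that MRTG and the flow logs on slide 9 already collect.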

  10. Playing the Game • Climb the ladder • Port/Service • Host IP stack • Local segment (switches/routers) • Border router • ISP router

  11. Playing the Game • Take system offline • Ask ISP to null route IP or group of IPs • Develop local filters to push the traffic up the ladder (and farther away from you) • Implement local filters at your border router • Ask your ISP to implement the same filters on their side of the link
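The border-router and ISP rungs of the ladder from slides 8, 10 and 11, as a worked configuration. This is an added example and not taken from the slides: Cisco IOS classic syntax is assumed (the slides name routers but no vendor), 203.0.113.0/24 stands for the attacked network, 203.0.113.5 for the one host being flooded, 198.51.100.10 for the NOC's own monitoring host and Serial0/0 for the uplink; all addresses are RFC 5737 documentation ranges and the interface name is a placeholder.

```text
! Rung 4, your border router: drop what the flood is made of before it
! reaches the local segment, and cap the SYN rate with CAR.
ip access-list extended DOS-FILTER
 remark keep our own monitoring pings, drop everyone else's echo-requests
 permit icmp host 198.51.100.10 203.0.113.0 0.0.0.255 echo
 deny   icmp any 203.0.113.0 0.0.0.255 echo
 remark the exposed services do not need fragments
 deny   ip any 203.0.113.0 0.0.0.255 fragments
 remark only DNS and NTP replies are expected over UDP (slide 8: filter what you don't need)
 permit udp any eq 53 203.0.113.0 0.0.0.255
 permit udp any eq 123 203.0.113.0 0.0.0.255
 deny   udp any 203.0.113.0 0.0.0.255
 permit ip any any
!
! SYN packets only; used as the match for the rate limiter below
access-list 120 permit tcp any 203.0.113.0 0.0.0.255 syn
!
interface Serial0/0
 description uplink to ISP
 ip access-group DOS-FILTER in
 rate-limit input access-group 120 128000 16000 24000 conform-action transmit exceed-action drop
!
! Rung 5, the ISP router: what you ask the ISP NOC to add once the flood
! still fills the circuit. Either the same ACL on their side of the link,
! or a black-hole route for the single victim address:
ip route 203.0.113.5 255.255.255.255 Null0
```

Filters on your own border router protect the hosts and switches behind it, but they cannot unfill a link that is already saturated; once the flood exceeds the circuit, only the ISP-side copy of the filter or the null route helps, which is why the slides push the traffic up the ladder. The null route discards everything addressed to 203.0.113.5, so it concedes that one host to the attacker in order to keep the rest of the network reachable. The host rung of the ladder is OS-specific and not shown; on Linux it would be SYN cookies (`net.ipv4.tcp_syncookies=1`).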

  12. Sample ISP Contact Policy • TheShell.com • Qwest Communications • NOC : 1-800-860-1020 Press: 1,#,2,2 • IP Team : 888-795-0420 • Tony : 408-555-6677 • Tony Cell : 703-455-6677 • CORE : 98765432 • ACCT : 44566789 • Circuit : 1234567890 • email : support@qwestip.net • : cmc1@qwest.com

  13. Conclusion • Nobody wins this game • No easy solution to the problem • Best defense lies in organization and policy

  14. Contact: Robert Brown Vice President rjb@netpr.com Barrett Lyon Security Consultant blyon@netpr.com Network Presence, LLC 6033 W. Century Blvd., Ste 400 Los Angeles, CA 90045 310-412-8607
