Understanding and defending against Denial of Service attacks
by Amy Pace, Yaagneshwaran Ganesh - SolarWinds - Friday, 6 September 2013.
Tips to stay secure: First, ensure you’re running the latest release of your DNS software. You should also configure your firewall to drop packets having an internal source address on the external interface as these are in most cases “cooked-up” addresses. Another important step is to collect and analyze log files from your DNS servers to identify anomalies and suspicious patterns, such as a multiple queries from the same IP within a short amount of time.

3. ICMP/Ping flood

In this case, the attacker sends a continuous stream of ICMP echo requests to the victim as fast as possible without waiting for a reply—in other words, “floods” it with ping packets. This barrage of data packets consumes the victim’s outgoing and incoming bandwidth, preventing legitimate packets from reaching their destination.

Tips to stay secure: Filter ICMP traffic appropriately. Block inbound ICMP traffic unless you specifically need it, such as those tools used for normal administration and troubleshooting. For ICMP traffic you do allow, do so only to those specific hosts that require it. Also, configure appropriate parameters and rate limits on firewalls and routers, such as setting a threshold for the maximum allowed number of packets per second for each source IP address. Additionally, make sure you’re monitoring those device logs in real time to immediately detect patterns of high ICMP volume.

4. E-mail bombs

This type of attack involves sending huge volumes of bogus emails simultaneously, and in most cases, containing very large attachments. E-mail bombs consume large amounts of bandwidth, as well as valuable server resources and storage space. An attack of this kind can quickly bring your mail service to a crawl or crash the system altogether.

Tips to stay secure: In addition to firewalls, you can put other perimeter protection in place, such as content filtering devices. It’s also wise to limit the size of emails and attachments, as well as limiting the number of inbound connections to the mail server.

5. Application-level floods

Application denial-of-service attacks target Web servers and take advantage of software code flaws and exception handling. These types of attacks are common and difficult to defend against since most firewalls leave port 80 open and allow traffic to hit the backend Web applications.

Tips to stay secure: Make sure servers and applications stay up-to-date with security patches. Also, educate developers on the risks of sloppy code and leverage a Web Application Firewall (WAF) to protect against bad code and software vulnerabilities. In addition, you should be logging relevant data from all your business-critical applications.

Security tools to mitigate vulnerabilities

As long as there are vulnerable systems on the Web, there are going to be denial-of-service attacks. And, though some DoS attacks can be difficult to defend against, there are ways to mitigate your risks to these types of cyberattacks.

First and foremost, ensure you systems are up-to-date with the latest patches. Patch management is one of the most critical processes in vulnerability management. You need to apply the latest security patches and updates to operating systems and applications, as well as firmware updates for your network devices, including routers and firewalls.

Next, continuously monitor your systems and devices. Start by creating a baseline and then monitor how the network is behaving to identify anomalies. To do this successfully requires that you have a solution in place that is capable of monitoring and correlating log event data throughout your environment, and very importantly, reacting in real time. This is where Security Information and Event Management (SIEM) solutions come into play. Log management solutions centrally collect and correlate logs from network and security devices, application servers, databases, etc., to provide actionable intelligence and a holistic view of your IT infrastructure’s security.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th