Thursday, March 25, 2010

Preventing the DDoS

  • Keep the network secure
  • Install an IDS (Intrusion Detection System)
    IDS pattern-matching technologies have a database of signatures. When the IDS finds packets that match a given pattern, it raises an alarm.
  • Use scanning tools
  • Run zombie tools






  • Important things to do as a current or potential victim of packet-flooding denial of service are given below:
    The bandwidth consumed in DDoS attacks matters, so there should be proper coordination with the ISP, and between the ISP and its upstream providers. To prevent SYN flooding attacks, set up the TCP intercept feature; details can be found at http://www.cisco.com. Block the UDP and ICMP messages that the network does not require. In particular, permitting outgoing ICMP unreachable messages can multiply the impact of a packet-flooding attack. Deny all traffic that is not explicitly needed by the servers you run. Adopt multi-homing as a best practice.
    If attacked, start countermeasures as soon as possible. The response should include determining the origins of spoofed DoS traffic; do this quickly, because the router entries that allow the traffic to be traced back expire a short time after the flood stops. Stay up to date: check exploit databases, for example at securityfocus.com or packetstorm.com, to make sure that the versions of server software in use are not known to be vulnerable. Learn enough about how the system and server software operate, and frequently review the configuration and the security measures that are applied. Set up a system that generates cryptographic signatures of all binary and other trusted system files, and periodically compare the files against them to detect changes. Additionally, storing the reference checksums on a different machine or on removable media that a remote attacker cannot reach is strongly recommended. If you detect an attack emerging from your networks or hosts, or if you are contacted about one, immediately shut down the affected systems, or at least disconnect them from any network. If such attacks are being run from your hosts, the attacker has almost full control of those machines; they should be analyzed and then reinstalled.
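The file-integrity check described above (hash every trusted file, keep the reference hashes on media the host cannot alter, compare periodically) as an added example that is not part of the original post. The directory tree and file names in demo() are constructed for illustration; on a real host you would point build_baseline() at directories such as the system binary paths and keep the JSON baseline offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def save_baseline(baseline, dest):
    # dest should be on removable or read-only media the host cannot alter later
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))
def load_baseline(src):
    return json.loads(Path(src).read_text())

def verify(root, baseline):
    """Compare the live tree against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "removed": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }

def demo():
    """Constructed sample tree; hypothetical file names stand in for system binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        for name in ("sshd", "login", "ls"):
            (root / name).write_bytes(b"genuine " + name.encode())
        store = Path(tmp) / "offline_media.json"  # stands in for removable media
        save_baseline(build_baseline(root), store)
        # Changes a later check should flag: altered binary, new file, deleted file
        (root / "sshd").write_bytes(b"altered sshd")
        (root / "backdoor").write_bytes(b"unexpected file")
        (root / "login").unlink()
        return verify(root, load_baseline(store))

if __name__ == "__main__":
    print(demo())
```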
