|
|
|
Hardware Is Only Part of the Solution
By: Cameron Sturdevant
2002-04-08
Article Rating: / 0
There are 0 user comments on this Enterprise Networking story.
A denial-of-service attack can cripple a network, even if access isn't gained, and a single distributed-denial-of-service onslaught can disable a multitude of systems.A denial-of-service attack can cripple a network, even if access isnt gained, and a single distributed-denial-of-service onslaught can disable a multitude of systems. Products including Top Layer Networks Inc.s Attack Mitigator Version 1.0 can help a lot, as can firewalls, operating system patches, additional servers and working with ISPs to choke off DoS traffic further upstream. (Go to www.eweek.com/links for eWeek Labs March 25 Special Report on security.)
Although some DoS attacks use only small amounts of carefully crafted packets to jam servers, routers and firewalls, many—especially the DDoS variety—consume all available bandwidth between the ISP and the target site.
IT staffers from a variety of disciplines must work together to stop future DoS attacks and take the necessary steps to unclog network pipes.
IT staff should begin a conversation with their organizations ISP. Its best to do this before the heat of a DoS attack is melting the network. Make a list of the names and phone numbers of people at the ISP network operations center, and keep it on a grab sheet in your central IT area.
Its also worth taking a look at RFC 2267 "Network Ingress Filtering" by Paul Ferguson and Daniel Senie (accessible from www.eweek.com/links). This document has an excellent discussion of a Syn attack and how ingress filtering on various devices can alleviate the problem. It also describes some of the techniques used by packet-filtering products to stop attacks.
The 80s are Over
Limiting connections or even eliminating some kinds of TCP/IP traffic through filters on edge routers is another good way to minimize exposure to DoS attacks. For example, most firewalls limit ICMP (Internet Control Message Protocol) messages. In the early 1980s, ping and other ICMP messages were necessary to control transmissions because bandwidth was extremely limited, and routing devices capabilities were rudimentary.
But these days, ICMP is almost like a public back door into the network. Other than initial trouble-shooting, there is almost no reason why a ping should be allowed to cross the network border. An inbound ICMP echo reply is surely a sign that mischief is afoot.
To prevent directed broadcast attacks, network managers and system administrators should work together to apply patches to every device that can take one. For example, routers and Layer 3 switches often have some ability to determine if rudimentary broadcast-based attacks have been launched. At the very least, many of these devices and server operating systems can be configured not to respond to broadcast network messages.
Service packs are available for most versions of Windows and Unix that prevent fragmented packet attacks including teardrop, boink.c and syndrop.c.
Senior Analyst Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.
|
|
�������x}ks㶲*�Q3Co{lcؖ�'R$$1H�ɞ?_n߸�҃LIlK���BwI�9wur5�6%s��E}"Ioy�c(p,��IfA)�v�@{iFuۚ:͂A���p��T7d�>J�`OS{S-��Y) |/[s}J��FԚ�\�3�ĝb�^�Q�$Ё_M�M��J��D>�֥��D�#�շ$>qP
ߩ�U�aùO-}!*{�|HJ%h��' Qu��q�ado^x/4�;U'i�?��Sա*v�25vkn��/E�@Z��#BLȡ[Boi�=7dS7-���{"�-�Xd�UZB�bc63!1�kT%T>l[}@�ݑ�[�sI�VHx)�ɡ�æ�gI/!_CRp`eF�K
#ϟ~b[�4��:�]fu~�ƷX7npC70VXMXV'`>6�(L|H?I
CuaO'�Puh�hm�Ea�ijrT
8r~��-t�r�,TeW4F{ӯsj4.�� a|�hl-v�u]+i
u?�;yܺ} Vb+�}�"UJ@D�Z-i"
0i!5f�ttz�Hw|T3aWjBQn4E;J
KHS�=
(�� �N,4X{aG~6t/ޠKݓ^�+lM,!�V4*�V]?�;ˠzqsڹy]v7�rڿ&Iw i
��fV�y�['^=:$~4��`kh�`c��R^iHjG$:/W]2�᭫��Rdt"˝a|68'��} ,�-�)Tt�?o�fz�CU�C�Z9nVĨ9U�SA�EI7CD� r23y�B(��PȀQ��>L�y%Kus7p�@Wm}rjNڊ1Wr{gH
.Cun{!堏.A}�T�364>H�,I�!eݴ%�稫V6�1W*P\?*ËJCU~^�q�-Aqf2B��c�=&M:�vX�ӏp>
0h��v?s�ϩi-ͱ8�9y��tD�AG61^�zK
ucf���>7$ä
�wX�$}Zs�O�6�/|�Ta��֜�^5D$��i��-D�@wM0I�e+��!s@uG Lν߂2à�F{7t,�,/= 0/ Zm�������Ae^~�}�̢!1E@��X�dtǖ
&��SsaPB?yԁ!~9.b�&+A/�tGtL|JIIL"D% �
h��4�A�Zǰ�EBEN�l�bů(odw$]Vi+Raz"�ʶ�B�I�ʧJ�D�V�{T�Kh+�K@f:32YIFMf
X�*ȉ#�o"0�9X����
_-gZ
X��%ּ
f�iZZOG4MN&a��G�n]ռ�6I�`آwB?a! q WQ�eAs�{"����7,kQ���m�A
`���Eu�5>��LfB7��ƙeH|��EpL�2�j�̽Ǧ�Xguϳ-j�{�TN`cܒ~�h{Ͱ&QoTM?>{BO-\n�aDHդg:ϧ�HڶMS�JoBo+څP���_.dI�_fMb�lȜu>I!VB17OD)wf@amXd|r�e��Rj=&"�ǰH7�Z�h)^HIcНj!D�)zէl�.>�?ΖM"kͲG{_�No6�ʁy2Km�VJ�g�@�yc� l+/,;7�kc:*+�_ii��HH*E6�@\Z3-c��%>!1Ad�a:(im7B=r�=&�n�P
jrI� KJt�yT+�%٬ X;l d
�A�qF�Nݔ`�.@FVLl9TZW),֩z��}&�/{)䀥r���>�+]hp�$HP+}a�Qu5�kaA�a ��ŵAb=�?x��ҫC~{,�++iwuaؗ.\՚L|z� [Q�z{�=8`�Tf le8l0��X&Ŀuow�j�15��&�?NՊRR��iO9&"_Gƅ�Kd�^�`O`T�|̠:L'�Qڞ^-B.,g���\�npj
Z�*L�AqA04L]y�5/t�U~\�),4�ra,1 D��R5V2swl�uo{םT*[PnTSDq!
֚D��r@uߘ@g��Ӑ!a�s:�A�Db��6���$>���\R`�t>*��W$Xpn) 5tn*Fviy�m"`�+�Œ!='�uX6H �j,|t���~h3ʫ<
E
��ә^JZ�qthUUԎjVC�gG�_pG"(NxW�E�bI�xԀA�_�F�fX�#l?K(�v4<�|;K�C�'�<\Vae3F}H�dod�+0\@5@X{k�O��hR9A}�l#e{�
$$�MU��~t�V8V;�"� V@?�a#E��CV8#����L6ᦽ��
n�= �=gKj�U�ӌ��0ZL�fem�B(D8p)~)h�?MU5%}�NW�C7g%jf��#RL@
`�1
9v}W(:b(u�Í'ZAiC|ق�o!zUqʀWIe��Ǧ�24:�,[d'W'W\�JW>.7.!�pb�HNQ�͕�G9X�)Qljy�7v@Aū�!@0e+4ct���y���?O�i_2v�cȖ��BL0B�_�XH�!)W$fe�*K
/]9]�}D�
(9�o��<%E��٦�@7df&ubJL5��"Rv=O[�?quϣt1èQ�LwʩtN�e~�=m3lC%�<3OђL)gdJD���=)!�jچI4g28J542
eI?
Mt$0㓄PVl
pɂ�ڗ#�5=ݻ<�^]һxs��y�~ςRpl:2��ðw>� e!>R倏w�qFh��鳁VˮM^cQ0><�''x!� r�({*F&mܱ
O�H1ԝL(6{��WQ杊�vI�ar�J dނ�>3�ᛷG
6n�2'|2KO$h﬩�~Q��'o/�VSY�f=fo?c_;Ǎ>--8t�Ycz�TiJɘΧB�ARTUkln,�j�Y9sJ@V
{_+N`E�Q�d1�0dƛ'q=+�N�}#uooo=ȥ�֛q=*A�CG���w5~@z@pw.{g�QJ=�qm@jjejR?�-35!i� �@.umvg)輳��2���
a[cVo
lϸp@
s�cx�2FN&[euw+[c�³��D`HI@R�ui�g�A� j(l9��itpm�U0p178\}5�ߊ:"YcCƓdǟ۲c|��s2i��TWeT�/�_B�!MsѴg=.0(AQ�/�4�ƾK[�⹏^}:lOo
%~!�й*Ͷ9-C;tڀ�yZX06\R 4}t�((|GKלX'�쁰�q�3
`D�WJ�l~*`EwO��&IIY.:lJC!9:�58,<�
�'3U]3ޙ,3$�\v@�'pu�� [/�Ec�dGOCKQ$&Wix܍C
zQ��ttnMTQZU͡�X�;$�F�0<ތ�
|ID���*?JRY饨L�\��|n��zHO�2�Ys4EUZVr�}`A�\pVT�H�99!}R�IЅ�L&�aIqT_p|K�T̗�P7Ce.����EOJSz� V%kkb'�1��D�j�!�`�Iȡ���~DP!��ewGHPz>�Vh�&�e< ��I:m�i:Ҁ-�gRVyԅ���?�@���!�$a �*{IDX��_yCec.(nϥ+%]�&cr0%��hKj� ��0xr,�0�h/h[M$�Uµ3^eQQ�]��j\-?߹1G^FcZʝ��VqWgf���|�;L]�O(8)^|pHx�|��[ Q�\EE-AfoY�`^�g1^�M%%oc^��K�`gKi�S㝗Ts�,ܴj_xD|kr.�$��& O8|�OR7�ԜD�^�i��%^aI�r[�̬I�te�B�X/�H��I-jul������g؏�,/\b���F^l�[�yc+^x%YƓ.u@�K�60��Jh�[�u��Ef���$�̃$n��}e_|ID-IƧ$�N1"dF�
tS)t�m#�ǀJmd�F}KLL{8$ LI�B�!(3qz[RW$v[n`�(ibֵ0�
+c�������1X�����+K�-I�.er0;�cr �\2ntۖ��LԶ@9�6f��Jī�_%j3�MȰc/6#mmSk��G=u�u�u�u�s���^7O���tm8�Q;IǾk&:'?0�9nj�ؠ0A!a�#�O�rD@$�$�I�q
"VSQa?�%}k?'�X@/ct�F;0b#�WI/ 2Wk�L*[�;�{tG|n;w2�:S��(�RM! 5
tȜi ���%`��Y��"�4.?Or�#g0�b�9@0R0Hak�Y �)� ��B�J� v00�_u8�\R�'W�5`i���x/n��Lh�b' +u u�*6
�ꐤ`�:��%N�,�F'WO;㣵;Ow�cE��)�c�
���iF��aо�[䥑�)>ǣ4m�꺢�0/M v3O}Yi}v,_'�I:^L6w��S��ط�tk�Qz(�B^"0tAm�Nn֪a7��pNQ]T*�N��t,R�ş-o{�-ʸ9#S.�/B!@fM�oi�J,e0t^x �w�mvYoĐTek3I"�A��[�o�&|6௶eula}*6^�k&/�*淵qdE;m^)jhk;5CQc�L�zlïA�B�Y�f#e։
9V(���5N1�5�kx*$(Y(3P7z� r�%|p0Kפ�Kt:k�;2(Pq�d/X_"Ҷ���:oI{{�W��mɀ{9;0�8?A1E+l��o@.h2E}b�H#[s]72�cl` tq&�o��}/7��ʁV?P�,
x߸֊�OZZYΞCag/� �X�xmD�ncn$Ɩ�ҘZ?^#X/#qCBs�?q�T��ݥ�e
}.
�ͦ.��0i�6�#�:6MSz@��FTǷ{mI;k~;ѷ{}J٧Tc:A&o��Û��'@M!wwl�~&x�%t�$7+ē{Ϯ@vOĥ�FU1�ʑmOex}WMOV=C�cK[,pť+p����Aa�D0ޤ�G">G=0k�v/Ѝo#j\Dհ;�js�0dj*b�df�iAh!Fv?۷{�Kb+.L6Q{F$IxNkjj5z5��V^�
[1akzzF��-?��x�ǍE�/]Q|�2~4�.2dRCx��n��/˛i~pp�^�z4jsy̙Tl�/ZNt]D�cΩeZMi9��Śd;$VG K]ɖ1xy��[/Ϭz'5!Lv;VE(�*Io�$zTGл:J$�RM�`��o2Ÿ�6
g5̈G�g5�0}�fBGa�ZvD�f�7SYz�Z<1Xs35Ⱥ0�ۺsε�;q1�=G[TxSvX�˩\͛Rn!lg�N(��L~#;�-|) ��r�|jXozvQ�>�uȄ8��p|6
/xޝ+j߶�$lWй
H
WIkm3J%3�?3\�D䶁W'\^sjodF.F{!Ұ��dq
ͬG[QZYɎvi~X�K1q8��Lwt��cJЁH��5,���k4a\_�ȪVԞ�kC׃#zB�s%x`4t0ֿ�|ֲ͌:m���&�_cL�ge��Q�@�O@L-A�J ,�W�\c�P�|�=S7�W�p+TՕGܯh}�extJG"*�r�3,MCh%�)7}��0*
>T(wAG>p:~SR��U%=\ht����֦̋,|OKt2):�>m;e6\ix�O�M�׀�#g"TV""a=X@:>n�de�H']Y�Uc�`�xQ!�V�q�zhefp���
d
-���\,Cߑ? �@G���3�3Ż̘�I=�R�dw0wCE/cC~�1`1r*��m#k^K��ʑ,\hvo~�(
I>�ս��c�x�Tpj��H1�d5"&t�85���A_��[�@���r���!-b|�>g'H �Y+D`@q:^�(b�WE����@��_-G,(pk���TJLmn$`u�~k �v�K9
g.X`Vt�A"�\2��Ͻy?]�&�@V.pRt=��:r�tԬ)ʁ*|{�c��@u�a�S��2S¤vtB\/?>').yDci�� 8�^iN4(mL��7,��zof�̒s
�=<�RXX_1[5�=L꺂OGJ�2,�S=VJ*�6#p;#��/M%�ǃհ$
¶-j=�u�;~9]v{BA�cal\_dj(�,[,# rzپ2;eAq*'<�˥,�%�y�:w"f;ȉkHw��
�!r:vLYq�Xmn¸~�(�hO1v�ɐ/VdRRs _לk(\~�JmS>\��t9'P~�s9�?l.?�ZgNCz9CL2�OBAN/Ps��]"g~.`�9��y��9�\�3�ϋ��ȡO˜_~9gP~S�(GN�_^%e�\]_��O?GAs�U�}\W9_�\�?��?��oCß�>G(W�39rߛ�orڿ�ɡ�=��>k_T�8Rh�K
"�S^9,.Os�P#Ϫ
�[�z2*�RϜW��~�~INV&诽~'��]a芫-5ݹn�
ǤZu3.2x�K/Cymo2YN� �AQFgG6�+.ȭ-'Hl]=�g%%x�=0ߥMu{�2پWߕ\~Qne�+tq2<#s"q�DZJ5Bf�aO@Nj�0 %/ܻ�GzʉnS"��\2�A8ԺY8Na3^*�'�B8D3
�7_`��!/`x�I?y�O15EL^�xB#
{4��۽N͑a[�;$�o1eM+5VkZpwrH[�"B�S]FTMV�Yi2ZUiT5r(�2B�4|;یW�17tS+r�&=\ŠMC7ao/�a+F��öp�Z';��=2djE(}`)049+hw `��M�z��y<8�JN),#�[LP`t{�_�F.t/� \�V=�wwp*dm+�X)2�'V?,"�XC0lt��u�么
p^*� {Җ`VM��ƍqgʼnmLP_b
v"f\3f2�oħOn3 &�`T�;|5@uW�YN�C7�n΄`�ðHo=,6"4Σ/ܝ3W`�Z܉.$}=@bO�jB4s �CQ=;z|F,w��ڮF�\F�%�O^���ۍ�Wpx
um���r��b2Oty'0OqtgĈ�IL��mb�[>/�~~$[�˹7 K�v�`"s(F29G
%|�X�AW]&� A_&|NbOh�SxYugԹm�a,Nd=:v?
vD�X�z£_3f쭨F��_�UA�#!7s�>+2ppn�n]�}>gv�s��cT
==Gbб�2]SX~�A�}FV53�B㙸|z^Db�,�-ي:�;j�KaRJ��z+6*م�7�n 7fRי,���`'/]�;���g�\��zH|k,XΩD�
%��'=^Πb�_wnԷe�&PLc�cW%#rnRB��4w^|7(6؆|%OG
Ͽay�H
O)t��&Io�cQ�g 1��|�j7;�v��'c.,s0ŬBSh�<�)�O?'[nG\��<>b�i�E�P,c�<�9z�@n0$ �ަJu��AY�?_�v{[=/৲_d3c7Dj0Br!
d[Lօu&��k�/cY4~1� �<9�9�.@ꋫ$�NSP_X1X�]< :L+O���+R
?�b%P�n0弻r'^��P:m_9!#M�*`'gG�ޯݨ>!�T!6�{xnpMIc�O~zpّ6�EKB_wY��B*;�wtz�Tv r�F˳�?q7*O�Ѡ,jU
z' 4mEgl(3��W'
\/mu;Ǎo=��i)l٦dU4s�_jj�J6
}Tar�?,�qg;\d¦[HXFHk�k�j0n:,��
|
Enterprise Networking 
