[Repost] Understanding, Planning For, and Responding To Denial of Service Attacks
Source: [url]www.antpower.org[/url]
SANS 2001
Denial of Service Attacks – The Game
- Types of attacks
  - Flood-based
  - Crash-based
- Difficult problem
  - Network Engineering
  - Information Security
  - Psychology
- Vulnerability management (or lack thereof)
- Psychology aspect – what is the attacker trying to accomplish?
- Legal liability and negligence issues
- Attacker compromises multiple hosts and configures DDoS clients
- Attacker utilizes those hosts to flood the Internet pipe of your organization
- Most commonly ICMP, UDP, and TCP SYN floods
- A new paper measuring attacks shows 4000 DoS attacks per week
Overview of TheShell.com
- ISP specializing in Unix shell accounts
- Most users utilize the IRC chat network
- IRC is a magnet for attack
- At least one attack per day and 19 serious attacks in a 1 year period
Planning for the Attack – Training Camp
- Developing an incident response plan is key
- All players must be identified, brought on board, and taught their assignments
  - Network Engineering
  - Information Security
  - Internet Service Provider
- Create a form with complete contact information, network information, and responsibilities
- Ensure ISP engineering contacts are established – this is extremely important!
- Have a packet sniffer ready to go
- Ensure that a SPAN port is available on your Internet-facing switch
- Map existing traffic patterns
- Implement bandwidth limiting filters at your ISP
- Implement ISP-side filters for other traffic you don’t want/need
Playing the Game
- Identify that you are under attack
  - MRTG, syslog, flow logs, Intrusion Detection, Firewall logs, sniffers
  - Identify deviation from normal traffic
- Determine intent of attacker
  - Immediately look for ICMP pings and traceroute packets – the attacker usually will try to determine if the attack is working
- Climb the ladder
  - Port/Service
  - Host IP stack
  - Local segment (switches/routers)
  - Border router
  - ISP router
- Take system offline
- Ask ISP to null route IP or group of IPs
- Develop local filters to push the traffic up the ladder (and farther away from you)
  - Implement local filters at your border router
  - Ask your ISP to implement the same filters on their side of the link
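The "map existing traffic patterns" step from the training-camp slide and the "identify deviation from normal traffic" / "look for ICMP pings and traceroute packets" steps above can be turned into a small flow-log triage routine. The following is an added example written for this page; it is not code from the SANS talk or from TheShell.com. The flow-record format (one line per flow: source, destination, protocol, destination port or ICMP type, TCP flags, packet count), the sample records, the deviation factor and the packet thresholds are all assumptions made for illustration; the addresses are from the RFC 5737 documentation ranges.

```python
from collections import Counter, defaultdict

# Constructed flow records for two measurement intervals (not real traffic).
# Columns: src dst proto dport flags packets.  For icmp, "dport" carries the
# ICMP type (8 = echo request); flags is "S" for SYN-only TCP, "SA" otherwise.
BASELINE_LOG = """
198.51.100.5  192.0.2.10 tcp  22   SA 400
198.51.100.6  192.0.2.10 tcp  6667 SA 900
198.51.100.7  192.0.2.10 tcp  22   SA 350
203.0.113.9   192.0.2.10 icmp 8    -  10
198.51.100.8  192.0.2.10 udp  53   -  60
"""

ATTACK_LOG = """
198.51.100.5  192.0.2.10 tcp  22    SA 420
198.51.100.6  192.0.2.10 tcp  6667  SA 880
203.0.113.1   192.0.2.10 tcp  6667  S  50000
203.0.113.2   192.0.2.10 tcp  6667  S  48000
203.0.113.3   192.0.2.10 tcp  6667  S  51000
203.0.113.4   192.0.2.10 tcp  6667  S  47000
203.0.113.9   192.0.2.10 icmp 8     -  12
203.0.113.77  192.0.2.10 icmp 8     -  3
203.0.113.77  192.0.2.10 udp  33435 -  3
"""

TRACEROUTE_PORTS = range(33434, 33535)   # classic UNIX traceroute UDP range


def parse_flows(text):
    """Parse the assumed flow-record format into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, flags, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "flags": flags, "packets": int(pkts)})
    return flows


def signature(flow):
    """Group traffic by what a router filter can match on: protocol, port/type,
    and SYN-only TCP (the half-open pattern of a SYN flood) vs. established."""
    kind = "syn" if flow["proto"] == "tcp" and flow["flags"] == "S" else "-"
    return (flow["proto"], flow["dport"], kind)


def profile(flows):
    """Packets per signature and the set of sources behind each: the map of
    'normal' traffic when run on the baseline interval."""
    totals, sources = Counter(), defaultdict(set)
    for f in flows:
        sig = signature(f)
        totals[sig] += f["packets"]
        sources[sig].add(f["src"])
    return totals, sources


def find_deviations(baseline, current, factor=5, min_packets=1000):
    """Signatures whose packet count jumped well beyond the baseline interval."""
    base_totals, _ = profile(baseline)
    cur_totals, cur_sources = profile(current)
    findings = []
    for sig, pkts in cur_totals.items():
        expected = max(base_totals.get(sig, 0), 1)   # unseen before -> any volume counts
        if pkts >= min_packets and pkts / expected >= factor:
            findings.append({"sig": sig, "packets": pkts,
                             "baseline": base_totals.get(sig, 0),
                             "sources": sorted(cur_sources[sig])})
    return findings


def find_probes(baseline, current, flood_sources, max_packets=20):
    """Low-volume ICMP echo or traceroute from hosts that are neither part of
    the flood nor seen doing the same thing in the baseline: candidates for the
    attacker checking whether the target is still reachable."""
    known = {(f["src"], signature(f)) for f in baseline}   # e.g. a monitoring ping
    probes = set()
    for f in current:
        if f["src"] in flood_sources or f["packets"] > max_packets:
            continue
        if (f["src"], signature(f)) in known:
            continue
        is_echo = f["proto"] == "icmp" and f["dport"] == 8
        is_trace = f["proto"] == "udp" and f["dport"] in TRACEROUTE_PORTS
        if is_echo or is_trace:
            probes.add(f["src"])
    return sorted(probes)


def recommend(finding):
    """Pick the ladder rung and a vendor-neutral filter spec that pushes the
    traffic away from the host; many sources means a host-level block is futile."""
    proto, dport, kind = finding["sig"]
    rule = {"action": "deny", "proto": proto, "dport": dport, "match_syn_only": kind == "syn"}
    if len(finding["sources"]) >= 3:
        rung = "border router, then ask the ISP to apply the same filter on their side"
    else:
        rung = "host IP stack / local segment"
    return rung, rule


def triage(baseline_text, current_text):
    baseline, current = parse_flows(baseline_text), parse_flows(current_text)
    deviations = find_deviations(baseline, current)
    flood_sources = {s for d in deviations for s in d["sources"]}
    return {"deviations": deviations,
            "probes": find_probes(baseline, current, flood_sources),
            "actions": [recommend(d) for d in deviations]}


if __name__ == "__main__":
    for key, value in triage(BASELINE_LOG, ATTACK_LOG).items():
        print(key, value)
```

Run against the constructed interval above, the routine reports a single deviation (SYN-only TCP to port 6667, 196000 packets against a baseline of none, from four sources), names 203.0.113.77 as the only probe candidate (its echo request and traceroute-range UDP are tiny and absent from the baseline, while 203.0.113.9's ping was already present before the attack), and recommends starting at the border router with a matching deny rule, exactly the "push it up the ladder" move the slides describe.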
Sample ISP Contact Policy
TheShell.com / Qwest Communications
- NOC : 1-800-860-1020 (press 1, #, 2, 2)
- IP Team : 888-795-0420
- Tony : 408-555-6677
- Tony (cell) : 703-455-6677
- CORE : 98765432
- ACCT : 44566789
- Circuit : 1234567890
- email : [email]support@qwestip.net[/email], [email]cmc1@qwest.com[/email]
Conclusion
- Nobody wins this game
- No easy solution to the problem
- Best defense lies in organization and policy