Protecting Against DoS Attacks

SAN MATEO (02/11/2000) - The huge hubbub over the recent attacks on major Web sites, such as Yahoo and eBay, brings on a renewed sense of urgency about appropriate security measures in our wired world. But for all the current fuss, DoS (denial of service) attacks are certainly not a new phenomenon.

In fact, the incidents we've recently seen are but one form of a DoS attack.

According to the definition provided by the Pittsburgh-based Computer Emergency Response Team (CERT), "A denial of service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service."

One DoS attack mode (and the kind used in the most recent attacks) is flooding a network with bogus traffic so that legitimate users cannot reach the service. The bogus traffic can be generated by one or more attackers directly, or by code planted on the servers of several unsuspecting companies.

Other examples of DoS attacks include attempts to disrupt traffic between two specific machines, attacks that prevent a particular individual from accessing a network or a service, or activities that shut down services on a specific system. DoS attacks can also be used to cover the tracks of a larger attack, which may include the illegitimate storage of software on your systems.

Sound scary? You can take action to prevent DoS attacks. For starters, consider implementing router-based filtering that prevents the "flooding" type of attacks. This will reduce your exposure while also helping prevent your systems from unknowingly aiding the launch of such an attack.

Moreover, check to see if any patches that prevent TCP SYN flooding are available for your systems. Inspect the network services you currently have activated and disable any services that are unused or unneeded. Attackers often use these "backdoors" to leverage your systems as part of the execution of a DoS attack.

You might also implement quotas (such as disk quotas) for all accounts on all your systems. And you might consider partitioning systems to separate critical business functions from other services.

Keep a close eye on system performance metrics and determine normal operating activity for disk, CPU, and network traffic. If possible, implement real-time monitoring to detect any deviation from your normal activity.

Other simple steps include regular examination of physical security, such as wiring closets, and implementing tools that can detect changes to system configuration files. Be sure to have "hot spare" systems available for critical business functions so you can swap servers in the event of an attack. Redundant network configurations should also be considered.

Double-check your backup policies and make sure you're safeguarding important configuration information. Finally, be vigilant about password policies and limiting access to administrator accounts.

Maggie Biggs is director of the InfoWorld Test Center.

DoS defenses

Below is an at-a-glance checklist of some steps that enterprises can take to decrease their chances of becoming DoS victims.

* Implement router-based filtering
* Check to see if TCP SYN flooding patches are available for your system
* Consider implementing quotas and partitioning
* Monitor systems' performance
* Deploy detection software that checks for system configuration changes
* Check that your backup policy includes protection for configuration information

Routers to Evolve

After last week's DoS (denial of service) attack on its Web site, Yahoo said it narrowed the problem to an overwhelmed router on the path to its Web site. To eliminate such security weak spots, network hardware vendors including Cisco Systems are working on improvements to their products that would guard against this in the future.

Networking hardware is the logical place to mount this defense, said Chris Klaus, founder and CTO of Internet Security Systems in Atlanta.

"The routers need to be a little smarter to combine security intelligence, what are patterns in the traffic, monitoring, and cost-balance analysis," Klaus said.

According to Roger Farnsworth, senior manager of Security Solutions at Cisco, among the technologies that the company is investigating are ways to add rate limiting for specific protocols and reverse address lookup on its router product line for service providers.
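As an added illustration (not code from the article, Cisco or ISS) of the router-based filtering recommended earlier and the per-protocol rate limiting described here, the following Python simulates a router's per-interface decision over constructed packet records: source addresses that do not belong to the interface they arrive on are dropped, and per-protocol packet counts are capped per second. The prefix, interface names, limits and packet records are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed topology (an assumption, not from the article): the enterprise owns
# 203.0.113.0/24 behind the "inside" interface; the Internet is on "outside".
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Packets allowed per protocol per one-second window: a simplified fixed-window
# stand-in for the per-protocol rate limiting the article says Cisco is investigating.
RATE_LIMITS = {"icmp": 2, "udp": 3}

def is_inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_PREFIXES)

class RouterFilter:
    def __init__(self):
        self.counts = defaultdict(int)  # (second, proto) -> packets seen so far

    def decide(self, pkt):
        """Return ('permit' | 'drop', reason) for one packet record."""
        src_inside = is_inside(pkt["src"])
        if pkt["iface"] == "inside" and not src_inside:
            # Egress anti-spoofing: a flood launched from one of our hosts
            # cannot leave with a forged source address.
            return ("drop", "forged source leaving inside")
        if pkt["iface"] == "outside" and src_inside:
            # Ingress anti-spoofing: our own addresses never arrive from the Internet.
            return ("drop", "forged inside source arriving from outside")
        limit = RATE_LIMITS.get(pkt["proto"])
        if limit is not None:
            key = (pkt["time"], pkt["proto"])
            self.counts[key] += 1
            if self.counts[key] > limit:
                return ("drop", f"{pkt['proto']} rate limit exceeded")
        return ("permit", "ok")

def run_filter(packets):
    f = RouterFilter()
    return [f.decide(p) for p in packets]

# Constructed packet records (not captured traffic): time is seconds from start.
SAMPLE = [
    {"time": 0, "iface": "inside",  "src": "203.0.113.10", "proto": "tcp"},
    {"time": 0, "iface": "inside",  "src": "192.0.2.77",   "proto": "tcp"},
    {"time": 0, "iface": "outside", "src": "203.0.113.1",  "proto": "tcp"},
    {"time": 1, "iface": "outside", "src": "192.0.2.9",    "proto": "icmp"},
    {"time": 1, "iface": "outside", "src": "192.0.2.9",    "proto": "icmp"},
    {"time": 1, "iface": "outside", "src": "192.0.2.9",    "proto": "icmp"},
]
```

Calling `run_filter(SAMPLE)` gives permit, drop, drop, permit, permit, drop: the forged source leaving the inside and the inside address arriving from outside are rejected, and the third ICMP packet in the same second exceeds the limit.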
