The issue of DOS and DDOS (Denial of service, Distributed Denial of service) is a massive problem in the wilds of today's internet. There is currently no defence against these evil attacks that can cause all your servers memory/Processor to be eaten away or worse all of your bandwidth!
Basically anyone can launch a DOS attack against a web-server WE HAVE NO DEFENCE! It's not so bad if your say Micro$oft that have sooo much bandwidth because to DDOS something like that you would need to have equal if not more bandwidth and very few networks actually have that much. But for smaller say DSL customer that run a web server a ADSL person can easily take out the server.
Though this is not often the case it is true that a hacker could hijack the ADSL user and turn their machine into a zombie.
-Zombie is a machine that a hacker has planted a server or Proxy server on so they can launch a DOS attack and it will not be traced back to the hacker but to the person who is the zombie
[ 01 February 2003: Message edited by: Manip ]
Re: DOS & DDOS problem.....
15 years 2 weeks ago #802
I beg to differ, while a DDOS attack will always be a major hassle even if you're gaurding against it, it is not difficult at all to protect against it.. you can even purchase router/firewalls with DDOS protection built in. There are many ways to mitigate (to use a microsoft word) a DDOS attack for example.
In fact Captus Networks and Mazu make entire product lines geared to DDOS prevention. On your own you can always
introduce rate limiting at your ISP edge. By limiting the
amount of certain types of traffic, you can allow for legitimate traffic to pass. For example if you have a 2 meg pipe, you can limit the amount of UDP to half a meg, tcp on port 80 and 443 to 1 meg and half a meg for other traffic. If the traffic exceeds these values, you can force the traffic to be dropped.
If you are explicit with the traffic you are allowing, you can further limit the effects of a DDOS attack. For example you can deny all fragmented traffic and ICMP. You can specify the hosts and ports that need connectivity with a high degree of granularity and drop all other traffic.
Furthermore if you implement RFC2827 filtering you can limit the chances of being used as a DDOS engine yourself.
In most cases a well thought out DMZ and ISP edge can reduce the chances of a success, however as pointed out, you will not get total protection. You will however be able to keep critical services operational at the time of a DDOS attack.
The thing about the net is that its responsive, for every attack, there is always a solution.. do you really think that after mega corporations like yahoo! and microsoft got DDOS'd, they would really not find a way to prevent it from happening again ?
Theres currently a very high awareness about these attacks, any network admin worth his salt will notice that his network is spewing traffic, and will shut the offending host down.. Thus blocking at the source is something that needs to be done.
Most IDS systems will instantly pick up standard DDOS style attacks such as a smurf attack..
Yeah DDOS is bad, but its no worse than all the unpatched webservers that are running around behind 'firewalls' with explicit allow rules. Its just this media feeding frenzy spreading fear, uncertainty and doubt that causes the problem.. they love the idea of millions of small 'zombies' pulling down huge corporations.
DDOS has been around for years, its nothing new.. Trinoo and suchlike programs have been analysed to death on security mailing lists.
This is not to say it can't be effective if you aren't protecting against it.. look at how SCO got kept off the net for days.. but then again they deserved it.
Ps. A further flaw in your arguement is where you state
Zombie is a machine that a hacker has planted a server or Proxy server on so they can launch a DOS attack and it will not be traced back to the hacker but to the person who is the zombie
First off it has nothing to do with proxy servers as this would imply that the traffic comes from the attacker himself, which is not the case, the traffic is generated by the 'zombie'. Secondly, no zombies run as servers, they run as clients which connect to a server that the attacker controls.. if they were all servers, then the attacker would need to maintain a list of hundreds of IPs and connect to each and issue the kill command.
A lot of the clients connect to IRC channels and wait for an order to be issued there.