By adopting and employing stable, pre-emptive strategies for avoiding and
site intrusions and the resulting disruptions, executives and
practitioners can bolster their company’s defences against attacks like
those recently highlighted in the media. These incidents, as unfortunate
as they may be, emphasize what will soon become a common refrain: Security
on the Web requires teamwork and attentiveness by all members of the
Denial-of-Service (DoS) attacks are a phenomenon that has recently plagued
a number of well-known online companies. This paper will explore DoS
attack methods; best practices for implementing sound strategies for risk
management; and how best to equip systems and people to recognize and
respond to attacks should they occur.
Placing risk in the proper context
methods and remedies
Defending against Distributed
Understanding basic Denial-of-Service response methods
Looking to the future: The likelihood of more sophisticated attacks
Placing risk in the proper context
There is no longer any question that the Internet is revolutionizing the
communicate and conduct business. Its remarkable growth is already
translating into significant business rewards—financial and
otherwise—especially for those who are first to implement. At the same
time, with every opportunity comes a measure of risk.
By nature, the Web is public, distributed, connected and highly
to phenomenal growth in terms of infrastructure, the number of people
online—as well as the sheer volume and types of applications running
across and beyond today’s complex corporate environments. Security threats
and attacks can often be traced to hackers, who enjoy the thrill of
pushing security boundaries, pointing out companies’ security weaknesses
and winning the respect of their peers. These traits are fostering a new
generation of skilled hackers armed with sophisticated tools designed to
attack the weakest link in a network. DoS attacks point out the heavy
price that companies can pay when security is lacking, and underscore the
vulnerabilities of the weakest link in a given entity.
Network environments are complicated. Security solutions are most
they can be customized to a specific installation. Unfortunately, a high
individuals involved in building and maintaining Web sites and
infrastructures for these
environments have little knowledge of security protocols. As a result,
many of today’s
Web hosting systems and networks are vulnerable to break-ins and
Still, learning to build and maintain secure Web sites is only one piece
of the security
puzzle. Security gaps must be detected, new technologies implemented, and
tools and best practices developed for minimizing risk and avoiding the
of service interruptions—or worse.
That said, it is important to note that creating a secure posture for
e-business is not a single effort; it is an ongoing process. The effort
takes time, and must be continually refined to become an integral part of
standard business operations. Security approaches that take a holistic
view of hardware, software, services and networks have the best chance of
To help ensure and manage Internet security, you can begin by following
• Understand your dependencies on the Internet
• Maintain constant awareness of the status and nature of those
• Be prepared to react quickly yet thoughtfully to changes in the
Remember, successful online businesses all share a distinguishing
awareness and effective management of security risks. Although security
continue to emerge, enterprises can mitigate risk by exercising diligence
DoS attacks: What are they?
When DoS attacks occur, the hacker’s objective is to render target
inaccessible by legitimate users. During a recent spate of incidents,
flooded the companies’ Web servers and communication links—temporarily
Fortunately, this type of attack does not threaten credit card information
corporate data stored on host systems, which could otherwise be vulnerable
viewing, tampering or theft. Nevertheless, DoS occurrences can pose
for companies whose very business depends on their ability to service
customers on the Web. For these organizations, downtime constitutes a
store; customers can shift their allegiance with the click of a mouse.
The nature of DoS attacks can vary—from the more publicized incidents that
be remedied with operating system fixes, to very sophisticated violations
more difficult to detect and avoid. The following section provides a
summary of the
types and nature of DoS attacks, as well as their remedies.
DoS attack methods and remedies
Numerous DoS attack methods have been documented. Attacks that
target host systems can most often be checked with operating system
is much more difficult, however, to defend against attacks that flood
Network flooding attacks can be categorized as “Smurf,” “TCP SYN,” “UDP,”
and combinations thereof.
During a Smurf [1] attack, the hacker floods the network with Internet Control
Message Protocol (ICMP) ping response messages. Ping is the simplest kind of
you can have on the Internet, and is routinely employed by hackers to hunt
These requests are forwarded to a directed broadcast address; the source
is set to the address of the target system, which then becomes flooded
response packets from all the hosts on the selected network. The attack
can amplify its original ping request hundreds of times. The original
hidden behind the forged address. Furthermore, by bouncing the attack off
number of networks, effective Smurf attacks make it impossible for the
system to filter out the intrusive data.
Although this scenario is complex, Smurf attacks can be stopped if all
the router at the top of an IP subnet that defines the subnet—are
to forward directed broadcast packets. This is strongly recommended by
(Internet Engineering Task Force) and the Computer Emergency Response Team
(CERT). Unfortunately, many sites have not implemented this type of
Smurf attacks can also be handled with upstream rate limiting, which
ICMP traffic to approximately 2.5 percent—high enough to handle expected
traffic, but low enough to keep large attacks at bay.
An ICMP flood attack is similar to Smurf, but without the amplification
sending packets to broadcast addresses. Similar remedies apply.
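The upstream rate limit described for Smurf and ICMP floods can be modelled as a token bucket sized to a fixed share of the link. The following Python model is an added illustration, not code from the paper or from any router vendor; the link speed (10 Mbit/s), the 100 ms burst allowance, the packet sizes and both traffic traces are constructed assumptions.

```python
"""Token-bucket model of upstream ICMP rate limiting (added example, not from the paper).

Constructed assumptions: a 10 Mbit/s access link, ICMP capped at 2.5 percent of
it, 64-byte pings as normal traffic, and a burst of 1,000-byte echo replies as
the Smurf reflection. Everything runs in-process; no real interface is touched.
"""
from dataclasses import dataclass, field

LINK_BPS = 10_000_000   # access link speed in bit/s (assumption)
ICMP_SHARE = 0.025      # the paper's "approximately 2.5 percent"


@dataclass
class TokenBucket:
    rate_bps: float       # sustained rate the bucket refills at, in bit/s
    burst_bytes: int      # most tokens the bucket holds, i.e. the burst tolerance
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)

    def allow(self, t: float, size_bytes: int) -> bool:
        """Refill for the elapsed time, then admit the packet only if enough tokens remain."""
        elapsed = max(0.0, t - self.last_t)
        self.last_t = t
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bps / 8)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def icmp_limiter(link_bps: int = LINK_BPS, share: float = ICMP_SHARE) -> TokenBucket:
    """Limiter sized to the chosen share of the link, allowing a 100 ms burst."""
    rate = link_bps * share                       # 250 kbit/s for the defaults
    return TokenBucket(rate_bps=rate, burst_bytes=int(rate / 8 * 0.1))


def run_trace(packets):
    """packets: iterable of (time_s, proto, size_bytes), in time order.
    Returns (icmp_passed_bytes, icmp_dropped_bytes). Non-ICMP traffic is never limited."""
    bucket = icmp_limiter()
    passed = dropped = 0
    for t, proto, size in packets:
        if proto != "icmp":
            continue
        if bucket.allow(t, size):
            passed += size
        else:
            dropped += size
    return passed, dropped


def normal_pings(seconds: float = 1.0, interval: float = 0.05, size: int = 64):
    """Constructed: one 64-byte ping every 50 ms, far below the 2.5 percent budget."""
    return [(i * interval, "icmp", size) for i in range(int(seconds / interval))]


def smurf_burst(count: int = 2000, size: int = 1000, spread: float = 0.1):
    """Constructed: 2,000 amplified echo replies of 1,000 bytes arriving within 100 ms."""
    return [(i * spread / count, "icmp", size) for i in range(count)]


if __name__ == "__main__":
    print("normal pings (passed, dropped):", run_trace(normal_pings()))
    print("smurf burst  (passed, dropped):", run_trace(smurf_burst()))
```

Every normal ping passes untouched, while the amplified burst is cut to the few packets the bucket can hold, which is the trade-off the paper describes: the limit must sit above the site's expected ICMP volume but well below what a reflection attack delivers.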
A TCP SYN flood [2] sends erroneous Transmission Control Protocol (TCP)
to the target system, which cannot complete the connections. The hacker
or her identity by using the address of an innocent party—further
attempts to trace the hacker. Incomplete connection requests fill up the
request table, preventing it from accepting any more valid requests.
These types of attacks can be handled with a defence called “random early
which, as the name implies, randomly deletes incomplete connection
Today, “patches” are available for most operating systems. Cisco routers
implemented another defence called TCP Intercept [3], which reportedly helps
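To show why random deletion of incomplete entries keeps a listener reachable, here is an added simulation (not the paper's code and not any operating system's implementation) of a half-open connection table under a flood of forged SYNs. The table size of 128, the number of forged SYNs that arrive before each legitimate client's ACK, and the client count are constructed assumptions; the flood is modelled purely as table events.

```python
"""Half-open connection table under a SYN flood, with and without random early drop
(added example, not from the paper). Table size, flood volume and timing are
constructed assumptions; the flood is only modelled as a sequence of table events."""
import random

BACKLOG = 128   # half-open (SYN_RECEIVED) entries the listener can hold (assumption)


class HalfOpenTable:
    def __init__(self, size: int = BACKLOG, random_early_drop: bool = False, seed: int = 1):
        self.size = size
        self.random_early_drop = random_early_drop
        self.rng = random.Random(seed)
        self.entries = []            # (source, is_legitimate) pairs awaiting the client's ACK

    def on_syn(self, src: str, legitimate: bool) -> bool:
        """Return True if the SYN obtained a table slot."""
        if len(self.entries) >= self.size:
            if not self.random_early_drop:
                return False         # classic behaviour: a full table refuses every new SYN
            # Random early drop: discard one incomplete entry at random to make room.
            self.entries.pop(self.rng.randrange(len(self.entries)))
        self.entries.append((src, legitimate))
        return True

    def on_ack(self, src: str) -> bool:
        """Third handshake packet: the entry leaves the table; False if it was already evicted."""
        for i, (s, _) in enumerate(self.entries):
            if s == src:
                self.entries.pop(i)
                return True
        return False


def simulate(random_early_drop: bool, clients: int = 100,
             flood_per_client: int = 50, seed: int = 1) -> int:
    """Count how many legitimate clients complete a handshake while forged SYNs keep arriving.
    Each client's ACK lands after flood_per_client further forged SYNs (its round trip)."""
    table = HalfOpenTable(random_early_drop=random_early_drop, seed=seed)
    for i in range(table.size):                  # attacker has already filled the table
        table.on_syn(f"forged-{i}", False)
    completed = 0
    for c in range(clients):
        src = f"client-{c}"
        if not table.on_syn(src, True):
            continue                             # refused outright
        for j in range(flood_per_client):
            table.on_syn(f"forged-{c}-{j}", False)
        if table.on_ack(src):
            completed += 1
    return completed


if __name__ == "__main__":
    print("without random early drop:", simulate(False), "of 100 clients served")
    print("with random early drop:   ", simulate(True), "of 100 clients served")
```

Without random early drop, a table that the attacker has filled refuses every legitimate SYN; with it, a legitimate entry is occasionally evicted before its ACK arrives (each forged SYN evicts one of 128 entries at random), but most clients still get through. The forged entries never complete, which is why the defence targets incomplete entries specifically.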
A UDP flood sends large numbers of User Datagram Protocol (UDP) packets to
the target system, effectively tying up available network bandwidth.
contain forged source addresses to prevent simple filtering.
The best way to deflect UDP attacks is to have all peered boundary routers
Network Ingress Filtering [4], which blocks packets with clearly forged
addresses from entering the Internet in the first place. While this method
prevent UDP floods, it will indicate their source. Upstream rate limiting
of UDP traffic
is another defensive approach to UDP attacks, and can be achieved in much
same way as ICMP limiting. The problem is that different sites may have
volumes of normal UDP traffic. Limiting should thus be undertaken with
TCP floods are similar to UDP floods, except the attacker uses TCP packets
of UDP packets. TCP floods create a problem unlike the UDP case—upstream
limiting is not an option, since most valid traffic is over TCP. The only
defence for TCP
floods is to enforce Network Ingress Filtering.
• Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) [5] attacks are harder to remedy than
attacks, and therefore require a more comprehensive set of approaches. By
DoS building blocks, DDoS takes a more sophisticated approach by
the attacking host hundreds of times around the Internet.
These distributed attack agents are controlled remotely from a central
location manned by one or more “handlers.” Even if one attack system is
traced and shut down, others can continue their assault, making it
difficult to eliminate the problem. Nonetheless, defending against each
component of these well orchestrated incidents can still help. Most
network vulnerability scanners can detect common vulnerabilities, which
patched to prevent loading of the DDoS agent.
A number of DDoS programs have been developed by hackers over the past few
years. The ones that are most prevalent in widespread attacks include
Trinoo, TFN, Stacheldraht and TFN2K.
Floodnet (Netstrike) is a Java application that inundates the target
requests for non-existent pages and queries to the search engines. It uses
a form of
TCP/IP flooding that attacks inbound and outbound data. This form of
saturates not only the CPU, but also the network—filling up disk space
for logging. Floodnet is a cooperative system; the debilitating
application is downloaded
by a willing perpetrator. In 1998, Floodnet was used for an online sit-in
political protest called NetStrike. The protests were directed at the Web
sites of the
Department of Defence, the president of Mexico and the Frankfurt Stock
Floodnet agents can be identified by an intrusion detection system, then
based upon the packet content.
Trinoo [6] is the first and simplest of the DDoS systems. In this case, the
date of the attack is controlled by the master, and contains only the UDP
package. Its agents are detected with remote scanning.
Tribal Flood Network (TFN) [7] comprises multiple DoS attacks: Smurf, TCP SYN
UDP flood, and ICMP flood. Its agents can be detected with remote
Stacheldraht [8] (German for “barbed wire”) is based on TFN, and
multiple DoS attacks: Smurf, TCP SYN flood, UDP flood and ICMP flood. Its
can be detected with remote scanning.
TFN2K [9]: Although similar to TFN, TFN2K attacks are much harder to detect.
Communications are encrypted, and there is no default key. Agents can be
with a remote scanner if a key is known, or with a host-based tool like
Infrastructure Protection Centre's (NIPC) find_ddos.
DDoS Defence Planning
This section details additional measures that can be employed to help
against DoS attacks. It begins by describing general security practices
every organization should have in place, then focuses on intrusion
a key factor in defending against DoS attacks. Finally, it provides a
description of steps that can help prevent DoS attacks, followed by a
of incident management.
e-business security checklist
_ Have you implemented a thorough and aggressive security policy that is
reflected throughout the business—including firewall configurations,
controls and employee communications?
_ Have you received endorsement by all levels of management and the
Board of Directors to implement effective security measures?
_ Have you fully integrated established security processes and procedures
with your organization’s systems management software?
_ Do you have operating systems that are configured to the most secure
settings? Are vendor-supplied password default settings replaced with your
own secure passwords?
_ Have you installed firewalls on outside borders, as well as internal
Have the default settings on the firewall application been changed?
_ Have you adopted intrusion detection software? Similar to installing
alarms and motion detectors, intrusion detection is equally critical for
and external networks. Complementary policy-based roles and
should be assigned and used at the application layer to prevent Trojan
_ Have you distributed antivirus software? The best antivirus systems will
easy, effective update mechanisms for thorough, up-to-date implementation.
_ Can you regularly validate installed software inventories? Software
be obtained from sources that are consistent with corporate security
_ Are clients equipped with enhanced security capabilities for network
It is important to establish access rights via hardware-based security
such as embedded security subsystem, smart-cards and secure access
tokens. Usage privileges and access control should be authenticated via
Public Key Infrastructure-based credentials.
_ Have you implemented a user administration system? Enterprise solutions
should be established to enable centralized support staff to easily
modify and delete user accounts that are consistent with the corporation’s
_ Have you established rules for password selection? Determine very clear
guidelines for passwords, e.g., six characters with at least one numeral,
develop an easy way to verify. Passwords should be changed periodically.
Users should not store their passwords in their applications, or on or
_ Have you conducted a security awareness campaign to regularly remind
employees of their security responsibilities (Web-based certification or
_ Do you perform security audits on a regular basis? These should be
and random—some electronic, some physical, some concealed
and others overt. The purpose of these audits is to test whether policies
being implemented and whether practices are effective. The goal of some
audits, for example, may be to attempt to break into a target system,
valuable data if possible, and determine if the intrusion was noticed by
charged with monitoring the systems.
_ Have you designated someone as the main network security contact and
determined clear procedures for reporting and responding to security
_ Do your employees clearly understand that they should report all
that seem to breach the security policy? Do they know whom to contact?
_ Can you ensure that system administrators stay abreast of security
and make security-related changes in a timely manner? These people are
your first, best defence; they need to take a proactive role and be ready
react quickly to security issues.
_ Do you have a clear policy for action when an employee leaves the
regardless of the reason? Measures should be taken to quickly disable
an ex-employee’s building and computer access, delete or redistribute
computer accounts, and change all passwords and access codes known
by the employee.
Companies should deploy a risk-management solution to help centrally
attacks, threats and exposures by correlating security information from
intrusion detectors, vulnerability scanning tools and other security
helps administrators eliminate “clutter” such as false-positives, and
adaptive security measures.
Integrated security management also makes it easier for system
who are not necessarily security experts—to monitor and assess security
real-time and with a high degree of integrity and confidence across an
multiple security checkpoints. Automated countermeasures help ensure
access to business partners, customers, suppliers, internal employees and
• Intrusion detection
In matters of network security, corrective actions to intrusions should be
soon as possible. Intrusion Detection Systems (IDS) support network
in two ways: They alert them promptly so that planned responses can be
and help them determine whether an unusual traffic pattern is an attack or
random event caused by non-malicious actions. IDS can detect when
users are employing your site to launch attacks against another site.
systems can be designed for network-based and host-based systems.
Network-based IDS are attached to the network; they detect attacks by
the content of network packets sent over the wire. An unusually high
of TCP, UDP, or ICMP packets sent to a single destination can easily be
IDS are configured to determine if these packets should be considered
normal traffic. Tivoli SecureWay Risk Manager [11] is a good example of a
solution capable of recognizing basic attacks (Smurf, TCP SYN flood, UDP
TCP flood) and preventing DDoS incidents.
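The per-destination packet counting a network-based IDS performs can be shown on a small capture. The following Python detector is an added example, not code from the paper and not Tivoli's product: the one-line-per-packet summary format, the per-protocol thresholds, the one-second window and the capture itself are all constructed, and the thresholds are only starting points that a site would tune to its own normal traffic.

```python
"""Per-destination packet-rate check of the kind a network-based IDS performs
(added example, not the paper's or Tivoli's code). Log format, thresholds and
the capture below are constructed."""
import re
from collections import Counter, defaultdict

# One line per packet, as a sniffer summary might print it (constructed format).
LINE_RE = re.compile(r"t=(?P<t>[\d.]+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")

# Packets per one-second window toward a single destination that trigger an alert.
# Starting points only; the paper's point is that they must be tuned to what is normal.
THRESHOLDS = {"ICMP": 100, "UDP": 500, "TCP": 2000}


def parse(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["t"] = float(rec["t"])
    return rec


def detect_floods(lines, window: float = 1.0):
    """Return alerts as (window_start, proto, dst, packets, distinct_sources).
    Many distinct sources behind one spike is the Smurf/reflection signature;
    few sources suggests a direct flood."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (int(rec["t"] // window) * window, rec["proto"].upper(), rec["dst"])
        counts[key] += 1
        sources[key].add(rec["src"])
    alerts = []
    for key, n in sorted(counts.items()):
        win, proto, dst = key
        if n > THRESHOLDS.get(proto, 1000):
            alerts.append((win, proto, dst, n, len(sources[key])))
    return alerts


def constructed_capture():
    """Background pings and web traffic, then a burst of amplified echo replies."""
    lines = []
    for i in range(20):
        lines.append(f"t={i * 0.05:.3f} proto=ICMP src=198.51.100.{i % 5 + 1} dst=192.0.2.10 len=64")
    for i in range(300):
        lines.append(f"t={i * 0.003:.3f} proto=TCP src=198.51.100.{i % 50 + 1} dst=192.0.2.10 len=512")
    for i in range(600):   # 600 replies from 200 different hosts inside 0.3 s
        lines.append(f"t={1.0 + i * 0.0005:.4f} proto=ICMP src=203.0.113.{i % 200 + 1} dst=192.0.2.10 len=1000")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_capture()):
        print("ALERT window=%ss proto=%s dst=%s packets=%d sources=%d" % alert)
```

The first second of background traffic stays below every threshold; the second window raises one ICMP alert for the web server, and the high number of distinct sources in that alert is what distinguishes a reflected Smurf burst from a single misbehaving host.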
Host-based IDS are software components that attempt to detect attacks
the computers on which the IDS is installed. Host-based IDS can analyze
network packets received on the network interface, as well as the log
by the operating system or by applications running on the computer.
host-based IDS can detect DoS attacks against Web servers by analyzing its
Sites should install both network and host-based detection systems. Rapid
of network analyzers must be assured to help determine the nature of an
and to help formulate possible filtering/rate limiting responses in the
event of an actual
DoS or DDoS attack.
Additional DDoS defence planning
The previous sections have outlined sound security and intrusion detection
that all organizations should implement. Sites more vulnerable to DDoS
require additional measures, which can help organizations respond in a
Be prepared: Establish a response plan before an attack occurs:
• Develop a documented incident management plan (see p. 11)
• Create a list of the names and numbers of your security team and
who can begin analysis of attacks
• Maintain a list of available emergency response services
• Know the name and number of your Internet Service Provider (ISP)
can provide additional filtering/limiting
• Know the name and number of your law enforcement contact
• Work with your ISP to establish proactive rate limiting of ICMP [12] and
for implementing new filters or rate limits
• Install intrusion detection systems that are capable of recognizing
(Smurf, TCP SYN flood, UDP flood, ICMP flood)
• Ensure rapid availability of network analyzers to determine the nature
of an attack
and formulate possible filtering/rate limiting responses should an actual
Understand basic DoS response methods
It is important to know how to address each type of DoS attack.
Be a good neighbour
Defending against DDoS attacks is especially challenging; traditional
strategies are simply not sufficient. Defence management requires the
of multiple organizations in the Internet community; organizations
an attack can do little to stop or track these incidents without the help
A victimized system is highly dependent upon its ISP and its upstream
well as administrators at remote sites—to help limit and stop such
Attacks are better controlled if all organizations practice basic “good
policies that limit the use of their sites as “agents” or “soldiers” in
attacks. These measures require that the company:
• Implement Network Ingress Filtering [16] on all boundary routers. This
type of filtering
blocks all packets with forged source addresses from moving from the site
the Internet. This filtering stops Smurf attacks, while simplifying attack
and tracking. It is important to note that the Internet Engineering Task
advanced the network ingress filtering Request for Comment (RFC) to a
of Best Current Practices (BCP).
• Disable directed broadcast messages at leaf routers [17]. The routers closest
systems know the broadcast addresses for their subnets. Therefore, they
be configured not to forward packets directed to broadcast addresses.
directed broadcast packets stops the amplification used in Smurf attacks,
not halt legitimate broadcasts. It prevents only those broadcasts that are
leaf nodes upwards. In addition, if a broadcast is trying to move up from
a leaf and it
couldn’t possibly have originated on the sub-network that the leaf is on,
origin address was probably forged and should be considered suspect. As
ingress filtering, the IETF has just elevated the directed broadcast
filtering RFC to a
status of BCP.
• Scan external hosts for vulnerabilities to prevent installation of new
Current DDoS installation tools appear to use well-known vulnerabilities
RPC services; fixing these known weaknesses will help to shield a site’s
• Scan external hosts for the existence of known DDoS agents [19, 20].
removing existing DDoS agents will also help prevent DDoS attacks.
• Report attacks to local law enforcement and industry organizations.
A good summary of these and related countermeasures is contained in the
working draft, “Security Expectations for Internet Service Providers,” by
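The two router-side rules in the list above, Network Ingress Filtering of forged source addresses (also the remedy given earlier for UDP and TCP floods) and the leaf-router treatment of directed broadcasts, can be expressed as a small audit over a packet list. The following Python is an added example, not the paper's code and not a router configuration: the site prefixes, the leaf subnets, the packet record layout and the sample packets are constructed, and the "direction" field stands in for the interface a real router would key on.

```python
"""Boundary-router source check (Network Ingress Filtering, RFC 2267) and leaf-router
directed-broadcast rule, as an added example (not the paper's code).
Prefixes, addresses and the packet list are constructed."""
import ipaddress

# Address blocks assigned to the site (assumption): a packet leaving the site toward
# the Internet must carry a source inside one of these, or it was forged.
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]
# Subnets directly behind the leaf router being modelled (assumption).
LEAF_SUBNETS = [ipaddress.ip_network(p) for p in ("192.0.2.0/26", "192.0.2.64/26")]


def source_is_local(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in SITE_PREFIXES)


def ingress_filter(pkt: dict) -> str:
    """Boundary-router decision for one packet.
    pkt keys: src, dst, direction ('out' = leaving the site, 'in' = arriving).
    Returns 'forward' or a drop reason."""
    if pkt["direction"] != "out":
        return "forward"            # this rule only guards what the site sends out
    if not source_is_local(pkt["src"]):
        return "drop: forged source (not in site prefixes)"
    return "forward"


def directed_broadcast_check(pkt: dict) -> str:
    """Leaf-router rule: never forward to a subnet's directed broadcast address, and flag
    an upward-moving packet whose source could not have originated on a leaf subnet."""
    dst = ipaddress.ip_address(pkt["dst"])
    src = ipaddress.ip_address(pkt["src"])
    if any(dst == net.broadcast_address for net in LEAF_SUBNETS):
        return "drop: directed broadcast"
    if pkt["direction"] == "out" and not any(src in net for net in LEAF_SUBNETS):
        return "suspect: source not on leaf subnet"
    return "forward"


def audit(packets):
    """Apply the boundary check first, then the leaf check; return one verdict per packet."""
    verdicts = []
    for pkt in packets:
        verdict = ingress_filter(pkt)
        if verdict == "forward":
            verdict = directed_broadcast_check(pkt)
        verdicts.append(verdict)
    return verdicts


SAMPLE_PACKETS = [   # constructed
    {"src": "192.0.2.10",   "dst": "203.0.113.5", "direction": "out"},  # ordinary outbound
    {"src": "10.9.9.9",     "dst": "203.0.113.5", "direction": "out"},  # forged source
    {"src": "203.0.113.77", "dst": "192.0.2.63",  "direction": "in"},   # ping to a broadcast address
    {"src": "198.51.100.3", "dst": "203.0.113.5", "direction": "out"},  # site address, but not this leaf's
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} {verdict}")
```

The third packet is the Smurf building block: an echo request aimed at 192.0.2.63, the broadcast address of 192.0.2.0/26, which the leaf rule drops before any host can answer it. The fourth shows the "suspect" case the paper describes: the source belongs to the site, so the boundary filter passes it, but it could not have originated on this leaf's subnets.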
Secure Web site configurations
There are several security practices that, if implemented during a Web
configuration, can reduce the likelihood of future attacks. A sound IT
should provide guidance to Web masters and Web system administrators
system setup and subsequent deployment. This policy should entail:
• Guidance on installing and configuring peripheral packet filters and
as a first line of defence
• A list of TCP/IP services that are not required for Web site function.
should be disabled
• Installation of devices to ensure that configured controls do not change;
should include intrusion-detection “health checking” tools
• Application of timely security fixes to the operating system and Web
including replacement of vendor-supplied default settings for passwords,
• Regular scanning of the Internet/intranets to detect vulnerabilities.
Unless specific traffic is allowed to reach the Web server, no service can
provided. Therefore, you must allow certain TCP/IP traffic to reach the
Generally, this is TCP ports 80 and 443. It is very difficult to defend
against a DoS
attack on a Web server on one of these ports, since the normal primary
mechanisms, such as routers and firewalls, are configured to allow traffic
Hence, special steps are needed.
First, consider where the Web server will reside within the
the Web server is located between filtering devices, such as firewalls and
This places it in a “demilitarized” zone (DMZ), which offers some
Internet intrusions. The internal network receives protection from the Web
Outside filtering devices permit only ports 80 and 443 to reach the Web
other potentially dangerous traffic, such as ICMP, is inhibited. The
device is important, since the Web server itself should not rely on other
the secure LAN. Although you must allow potentially dangerous parties
your Web server, careful measures should be taken to prevent unwanted
are many reference books that address the different DMZ methods in more
The second step is to configure these filtering devices to comply with the
you are providing, while restricting everything else. Proper configuration
and routers can be a complex task, and is often assigned to highly skilled
consultants. Many types of undesirable attacks, such as TCP and UDP, as
the methods for blocking them, have been described in this paper. It is
to remember that in addition to blocking traffic, attacks can also be
directed at your
key consideration of comprehensive intrusion detection can help
discover when an unwanted intruder has been attempting unauthorized use.
Deny logs triggered by these filtering devices should be sent to a logging
for analysis and storage. Much like filtering-device logs, Web server logs
excellent sources for detecting intrusions. Many DoS attacks can be
the signature they leave in the Web server log files. More sophisticated
include intrusion detection boxes, which perform network “sniffing” as
out suspect signatures.
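One signature the paper mentions earlier, Floodnet's stream of requests for non-existent pages, is visible in the Web server log as a client that issues many requests in a short window with almost all of them answered 404. The following detector is an added example, not the paper's code: it reads Apache-style combined log lines, and the window length, the request and 404-ratio thresholds, and the log lines themselves are constructed.

```python
"""Detect a Floodnet-style request flood from Web server logs (added example, not
from the paper). Log lines, thresholds and window size are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def suspicious_clients(lines, window_s: int = 60, min_requests: int = 50,
                       min_404_ratio: float = 0.8):
    """Flag clients with at least min_requests inside any window_s-second span where
    min_404_ratio or more of those requests hit non-existent pages."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding window over this client's requests
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= min_requests:
                n404 = sum(1 for r in recs[start:end + 1] if r["status"] == 404)
                if n404 / n >= min_404_ratio:
                    flagged[ip] = {"requests": n, "not_found": n404}
                    break
    return flagged


def constructed_log():
    """A normal visitor over five minutes, then a client hammering non-existent pages."""
    base = datetime(2000, 10, 10, 13, 55, 36, tzinfo=timezone(timedelta(hours=-7)))
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        status = 404 if i == 7 else 200          # one mistyped link is normal
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.0" {status} 2326')
    for i in range(200):
        ts = (base + timedelta(seconds=0.2 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.9 - - [{ts}] "GET /nonexistent-{i} HTTP/1.0" 404 209')
    return lines


if __name__ == "__main__":
    for ip, info in suspicious_clients(constructed_log()).items():
        print(f"{ip}: {info['requests']} requests, {info['not_found']} not found")
```

The same sliding-window structure serves the other log-based signatures the paper alludes to; what changes is the predicate applied to the window (status code, request size, or URL pattern), and the thresholds must be set above the site's genuine traffic so that a busy but legitimate crawler is not mistaken for an attack agent.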
A simpler technique involves writing a small shell script that notices
patterns like unusual CPU utilization, or a dramatic increase in the
number of threads
currently running on the Web server. If such patterns are detected, the
can alert key personnel. Of course, this method takes some tuning to
what is truly unusual, versus what constitutes a simple increase in normal
requests. Nevertheless, this has proven to be an effective approach for
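The tuning step the paper calls out, telling a genuine anomaly from a modest rise in normal load, is the interesting part of such a monitor. The following Python version is an added example, not the paper's script (the paper suggests a shell script; Python is used here for consistency with the other examples on this page): it learns a baseline from quiet-period samples and alerts only when a reading is both several standard deviations above the mean and a multiple of it. The sample values, the 4-sigma and 2x factors, and the metric names are constructed; the /proc/loadavg reader is the one live input and simply returns None where that file does not exist.

```python
"""Baseline-driven CPU/thread anomaly check for a Web server (added example, not the
paper's script). Quiet-period samples and thresholds are constructed assumptions."""
import statistics

# Readings collected during known-quiet operation (constructed).
QUIET_CPU_PCT = [12, 15, 11, 14, 18, 13, 16, 12, 14, 15]
QUIET_THREADS = [40, 42, 38, 41, 44, 39, 43, 40, 41, 42]


def learn_baseline(samples):
    """Mean and population standard deviation of a quiet period: the tuning step."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def is_unusual(value, baseline, k: float = 4.0, min_ratio: float = 2.0) -> bool:
    """Alert only if value sits k standard deviations above the mean AND is at least
    min_ratio times the mean, so a small bump in normal load does not trigger it."""
    mean, stdev = baseline
    return value > mean + k * stdev and value >= min_ratio * mean


def check_sample(sample: dict, baselines: dict):
    """sample and baselines are keyed by metric name; returns the reasons to alert (possibly none)."""
    reasons = []
    for name, value in sample.items():
        base = baselines[name]
        if is_unusual(value, base):
            reasons.append(f"{name}={value} (baseline {base[0]:.1f} +/- {base[1]:.1f})")
    return reasons


def read_linux_sample():
    """Live values on Linux: the 1-minute load average and the total number of
    scheduling entities (threads) from /proc/loadavg. None where unavailable."""
    try:
        with open("/proc/loadavg") as f:
            fields = f.read().split()
    except OSError:
        return None
    return {"load1": float(fields[0]), "threads": int(fields[3].split("/")[1])}


if __name__ == "__main__":
    baselines = {"cpu_pct": learn_baseline(QUIET_CPU_PCT),
                 "threads": learn_baseline(QUIET_THREADS)}
    for sample in ({"cpu_pct": 20, "threads": 46},      # busier than usual, still normal
                   {"cpu_pct": 23, "threads": 41},      # 4-sigma on CPU but not a doubling
                   {"cpu_pct": 95, "threads": 400}):    # what a flood looks like
        reasons = check_sample(sample, baselines)
        print(sample, "ALERT" if reasons else "ok", *reasons)
```

In production the baseline would be relearned periodically (traffic grows, and so does normal thread count), and the alert would page the personnel named in the response plan rather than print; the two-condition test is what keeps the monitor from crying wolf on a busy afternoon.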
It is critical to develop, document and test a detailed response plan
occur. In the case of a prolonged DoS attack, an appropriate response is
to continue to keep the problem away from the Web server complex. This
involve pushing the offending traffic away from the Web server and back
supporting infrastructure network, then pushing it away from the
back into the assigned ISP, who would help in the recovery process. Other
tactics for deflecting a severe attack include:
• Adding filter rules to the Web server or operating system to block
with the attack. Not all Web servers or operating systems provide this
a deliberate check is recommended
• Adding filter rules to routers and/or firewalls to block undesirable
• Adding rules to divert unwelcome traffic to a nonexistent host IP on the
• Minimizing exposure of IP pool addresses. If there is no route, the
collapse at the nearest full routing router.
When an incident occurs, security personnel are faced with many different
difficult choices. At the same time, hasty, improper reactions can only
worse. Before any actions are taken, several key questions must be
• Has an incident actually occurred? Human error or a software failure can
mimic the actions of an intruder.
• Was any damage really done? In many incidents, the perpetrator gains
access, but doesn’t actually access privileged information or alter data.
• Is it important to collect and protect evidence that might be used in an
Is it important to get systems back into normal operation as soon as
• Is it acceptable to assume that data has been changed or deleted? How do
determine if changes have been made?
• Does it matter if people inside and outside the organization hear about
• Could this event happen again?
The answers to some of these questions may be contradictory. For example,
collecting and protecting evidence may not be possible if the primary goal
to get systems and services back into normal operation immediately.
such choices must be made quickly—when an incident is actually detected—
a well-defined process is vital to helping security personnel take
and necessary actions.
An Internet Security Event Response Process (ISERP) should be designed to
companies react in a rapid, structured, efficient and effective manner.
should be carried out by a group of people possessing a variety of
in relevant technologies, but also in non-technical areas such as public
This group is referred to as the “Response Team.” By effectively
the ISERP allows organizations to optimize the protection that
provide. This will in turn extend protection to a company’s data, systems
services, safeguarding the business’s reputation. The ISERP plan comprises
elements, which should be clearly documented:
The process description articulates what needs to be done from a
operational standpoint—but not how it should be done. The process
thus remains independent of the specific technological components and the
configuration of a company’s current environment, and can be easily
accommodate change. The process description should include—at a minimum—
contact information for your security specialists, ISPs and enterprise
• Scope and goals describes the scope, context, inputs and outputs and
connections, plus required mechanisms and measurements.
• Functionality defines diagrams and descriptions of each of the major
including Internet security event notification, categorization,
restoration, defence strengthening and documentation. Process testing,
updating are also addressed.
• Staffing and assignments provide detailed definition on process roles,
and associated responsibilities.
In the event of a DoS attack:
1. Work with your ISP and emergency response team to perform rate limiting
other steps outlined on pages 4-7. If these do not work, try steps 2 and
2. Change the IP address of the target and update the DNS to reflect the new
address. Most of these attacks, once initiated, are then left to run. They
look up the IP address at each attempt and therefore do not go to the
address. In these cases, an enterprise can block intrusions at the router
The problem with this approach is caching; in the time it takes for the
to propagate, the attack could be over—before the change is completed.
3. Investigate the actual attack by working with the ISP, who can check each
If the attack spans multiple ISPs, the providers must work together. When
attacks occur, it may be appropriate to contact federal law enforcement,
the FBI, for assistance. In order to trace one connection to the source of
the attack, the location of the master station must be known before
actions can be taken.
DDoS attacks have two distinct types of victims: end targets—the sites
attack, and soldiers or agents—companies whose systems have been
and are now controlled by the hacker. Typically, organizations become the
hacker’s soldier, rather than the end target. Hackers assign soldiers by
weaknesses and defects in networks and operating systems, which gains them
root/administrator access. Next, they install software to hide the
break-in and all
subsequent activities. The software they employ includes a process to
control the victimized system and use it for subsequent attacks on others.
DDoS attacks make detective work extremely difficult. Although the packets
the network—those with source and destination addresses—must be inspected,
this is not really helpful, since a target’s IP address is the destination
and the source
address is random. The only valid information available is the hardware
the last router the packet passed through before reaching its final
Sometimes, this provides insight into the ISP, who may be passing the
flood of packets.
The greater the complexity of a company’s LAN or WAN, the more steps it
take to access the initial outside router. A company may even have to
trace its own
internal routers first. Next, a packet from the other side of that outside
router must be obtained. Since the enterprise under attack would not own
router, cooperation is required from the network administrator, who can
hardware address of the previous router. Finally, a packet from the other
side of that
previous router must be found.
These steps must be performed over and over, from network to network,
hardware address of one soldier machine is determined. Note that the
of DDoS attacks on the scale of a gigabit of packets per second will
hundreds of soldier systems. Once one soldier is located, the next effort
is to trace
it back to the controlling system. There may be information on the soldier
that describes its origin or the original compromise that led to the setup
Another tactic is to track the controlling system when the controller next
soldier system. This type of tracking can only be done when the controller
It may involve multiple intermediate links, limiting its chance of
success. Both of
these approaches should be done in parallel with tracking down additional
systems. Shutting off soldier systems can provide immediate relief from a
The above tactic is from the point of view of the victim. The owner of the
system may have a different objective: to restore their system. Their
remove the chance of examining the compromised system for clues to the
of the attack; however, their cooperation can still allow placement of a
to deflect attempted contacts by the controlling system. In this event, a
do a bit-level copy of the system’s disk storage might be granted, opening
window of time to examine the system for additional evidence (particularly
“peeks” beneath the file system layer and examines the raw disk blocks to
intruder data file contents subsequently deleted).
Again, knowing your service providers and having the right contact
information can speed this process. If you are looking for a drive’s full
data forensics, be sure to make a bit-copy of the drive (if possible) and
conduct the exam on copies of that mirror. Using monitoring tools to
detect active soldiers is easy. An IDS should be able to pick up both
incoming and outgoing floods. If an organization’s routers are configured
outbound traffic should not appear to originate from outside the network.
new routers provide this capability, but are turned off by default. Also,
masters of these soldiers (shall we call them “generals”?) can use
protocols (udp/icmp), they can also disguise the address of the
This makes detection much more difficult, and of limited value.
Looking to the future
Over time, the variety and sophistication of network attacks are likely to
The Internet technical community has repeatedly risen to the challenge of
security exposures, and will undoubtedly do the same regarding DDoS
promising new approach to blocking and tracking DDoS attacks is the packet
tagging [22] method. Backbone routers add tagging information to packets to
trace them back to their real source. Another encouraging area involves
to share attack data while removing sensitive packets that might
disclose private or confidential information. This is referred to as
“blinding” the data
captured by intrusion detection systems so that details like “who is
Web sites” are hidden from view. If there is a subsequent investigation,
officer can unlock the relevant records.
System design techniques that appear to be effective for defending against
attacks avoid single points of failure; that is, they have built-in
example of this method is distributed replication of caching servers,
servers, maintaining similar content, are spread geographically.
Work is also underway to make operating systems more secure. The concepts
behind evaluated systems are being adapted for broader use. An area that
further research is the improvement of forensic tools to apprehend
DoS attacks should be viewed as a risk management issue—one that can be
effectively dealt with like other business issues. Having appropriate
plans in place
allows organizations to deal with attacks on their systems in a
manner, in an environment where duties and actions are clearly defined and
by all key players. Two plans are essential:
A preventive plan can help ensure that appropriate measures are taken to
business continuity. These include installing software to detect and
as well as software to identify the nature of the attack. Because
are typically not 100 percent effective, a plan must consider how to deal
security breaches when they do happen.
The incident response plan outlines the steps to take should a security
event occur, and specifies responsibilities for executing necessary tasks.
plan can prevent panic, as well as ineffective or sometimes detrimental
In many parts of the world, neighbourhood “watch” programs rely on members
the community to help keep other residents safe. The community of
no different; responsible users of the Internet should adhere to “good
principles. When a problem does arise, the community should join forces to
their collective security.
The principles of being a good neighbour on the Internet include:
• Securing one’s own systems to help prevent against them being compromised
used against others
• Conducting regular testing of those systems for vulnerabilities
• Instituting a process to proactively monitor systems activity and take
any attempt is made to illegally gain access to those systems
• Reporting factual information promptly
• Avoiding the spread of inaccurate or untrue information that could create or
Cooperation with authorities is essential. Timely responses to law
subpoenas for critical information, for example, can help locate and
and minimize further disruptions to your business or others on the
The collective strength of an informed, responsible and cooperative
community is a powerful security tool that can aid in the success of your
as well as those on whom it depends.
For more information
To learn how the professionals of Lindengrove security and privacy
services can help
you protect your IT infrastructure, contact your Lindengrove sales
representative, or contact us here:
References
[2] TCP-SYN flood information
[3] TCP Intercept
[4] Network Ingress Filtering, RFC 2267 (January 1998)
[5] CERT analysis of DDoS
[7] Tribe Flood Network (TFN)
[11] Network Ingress Filtering, RFC 2267 (January 1998)
[12] Directed broadcast filtering
[13] NSA Host Vulnerability Scanner
[14] NIPC’s find_ddos
[15] Internet Engineering Task Force working draft, “Security Expectations for Internet Service Providers”.
Updates will be posted at
[16] Packet tagging