Firewall Wizards mailing list archives

DDOS Countermeasures RFC


From: "Karl Wolfgang" <karl_wolfgang () hotmail com>
Date: Sun, 28 Jan 2001 15:48:02 -0000

There are no solutions to defeating distributed denial of service attacks, only methods to mitigate the effects of zombies. I seek any opinions on whether our "corporate" policy is sufficient in attenuating DDOS risks or merely scratches the surface.

Our new policy seems to focus primarily on ingress filtering of broadcast packets, egress filtering of spoofed IPs, and blocking default ports that DDOS programs use. The latter seems only effective in stopping script kiddies who rely on automated attacks: second generation programs such as TFN2 or Stacheldraht allow more experienced attackers to configure ports and thus circumvent elementary port blocking. It seems that it would be possible to script a zombie or DDOS slave to choose random IPs from a compromised network in order to circumvent egress filtering; however, I have not read of any such capabilities yet.

New techniques such as packet marking or interjecting "tracer" packets into network flow are still under research. Therefore, in addition to packet filtering, a corporation could improve its capability to gather indications and warning data and limit the scope of an attack by using current network techniques such as Cisco's Committed Access Rate. Apparently, one can set routers to forward only a configured percentage of packets, by protocol. We have considered developing SNMP traps that would alert a network operation center when CPU usage of network devices exceeds a certain level.

I have seen organizations opt for perimeter defenses comprised of static filtering on routers and network layer IDS. Firewalls can cause self-inflicted denial of service attacks when one has no clue as to what protocols were running on the inside. Yet stateful firewalls that can block nmap or RAMEN-like SYN/FIN scans are critical to prevent target acquisition of vulnerable computers and subsequent installation of DDOS apps.

Blueprints for building a better mousetrap many times remain on drawing boards for lack of funding or lackluster bureaucratic dynamics. I have seen executive- or policy-level computer security personnel apparently reserve funds for their own purposes rather than push money to the operation and maintenance level.

The article at http://www.msnbc.com/news/521044.asp rhetorically asks "What good is a Band-Aid if you don't use it?" The mantra of harried sys admins continually laments lack of time for applying patches despite gurus chanting that lack of security application is the single greatest cause of root compromises (and thus laying the groundwork for DDOS app installation).

Our one or two sys admins support 100 workstations, soon to double to 200. Do other companies support like ratios for those who provide all services from security to desktop support? Upper security management levies increasing requirements for increasing workstations. However, I have not been able to get them to recognize that centralized software management products can compensate for lack of technical personnel and are legitimate information assurance expenditures.

Attenuation of the DDOS threat requires defense-in-depth, from router filtering, to stateful firewalls, to configuration of network management devices, to the enlistment of additional administrators and technically savvy and financially resourceful executives. Comments welcome.

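The two filtering rules the post describes (dropping ingress packets aimed at a directed-broadcast address, and letting egress packets out only when their source is genuinely ours) can be modelled in a few lines, which also shows the limitation the poster speculates about: a zombie that spoofs a random address from inside the compromised network passes egress filtering untouched. This is an added example, not code from the post or the list; the address ranges are constructed documentation prefixes, not any real network.

```python
import ipaddress
import random

# Constructed example address space (assumption: documentation prefixes, not a real site).
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def ingress_allowed(dst_ip: str) -> bool:
    """Ingress rule: drop packets arriving from outside that are addressed to one of
    our directed-broadcast addresses (the classic amplification vector)."""
    dst = ipaddress.ip_address(dst_ip)
    return not any(dst == net.broadcast_address for net in INTERNAL_PREFIXES)


def egress_allowed(src_ip: str) -> bool:
    """Egress rule: only forward packets whose source address belongs to us, so a
    compromised host cannot emit traffic spoofed as an arbitrary Internet address."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in INTERNAL_PREFIXES)


def random_internal_source(rng: random.Random) -> str:
    """Model the caveat raised in the post: a source address picked at random from
    inside the compromised network is indistinguishable to the egress filter."""
    net = rng.choice(INTERNAL_PREFIXES)
    host = rng.randrange(1, net.num_addresses - 1)  # skip network/broadcast addresses
    return str(net.network_address + host)


def filter_report(seed: int = 1) -> dict:
    """Evaluate the rules against constructed packets; the seed keeps it reproducible."""
    rng = random.Random(seed)
    return {
        "smurf_ingress_blocked": not ingress_allowed("192.0.2.255"),
        "normal_ingress_allowed": ingress_allowed("192.0.2.10"),
        "spoofed_external_egress_blocked": not egress_allowed("203.0.113.7"),
        "legit_egress_allowed": egress_allowed("192.0.2.10"),
        # True here means the filter did NOT stop the intra-network spoof.
        "spoofed_internal_egress_passes": egress_allowed(random_internal_source(rng)),
    }


if __name__ == "__main__":
    for rule, outcome in filter_report().items():
        print(f"{rule}: {outcome}")
```

Egress filtering therefore bounds the spoofing to the organisation's own address space, which is why the post pairs it with rate limiting and CPU-based alerting rather than treating it as complete.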


