Tweet
Defending against DoS attacks is not an easy task but some strategies exists to lower the risk of a successful attack.
Denial-of-service attacks involves the removal of availability of a resource. The is the A in the CIA triad. That resource can be anything from a web service to a connection to the local network. DoS attacks can focus on flooding the network with bogus traffic, or they can disable a resource without affecting other network members. The attack could be done against dedicated authentication services such as Active Directory or Cisco Secure ACS. Another possibility may be attacking the service itself with just one or a few well crafted packets that will crash the service entirely.
Disabling Unnecessary Services
You can help protect against DoS and DDoS attacks by hardening individual systems and by implementing network measures that protect against such attacks. The less services running the less the attack surface.
Using Anti-Malware
Real-time virus protection can help prevent bot installations by reducing infections from Trojans carrying bots as payload. This will not stop a DoS attack but slow down the creation of a botnet having a proactive effect.
Enabling Router Throttling
Some types of DoS attacks rely on traffic saturation of the network and can be mitigated or at least slowed down by enabling bandwidth throttling on the gateway. This can help establish an automated control on the impact an attack can inflict. This will also give network administrators a windows to respond appropriately.
Use a Reverse Proxy
A reverse proxy is the opposite of a forward proxy. When a request is made to a web server, the requesting traffic is redirected to the reverser proxy before it is forwarded to the actual server. This gives the benefit that the reverse proxy acts as a middleman and can take protective actions when an attack occurs.
Enabling Ingress and Egress Filtering
Ingress filtering prevents some kinds of attacks by blocking traffic with spoofed IP addresses coming in from an outside source. This could be traffic with a rfc1918 source addresses as such an IP address should not come from the Internet. One exception could be tunneled traffic from a VPN peer.
Egress filtering can block outbound traffic that was intended for the attacking party or malicious traffic participating in a DDoS attack on a third party victim.
Degrading Services
In this approach, services may be throttled down or shut down in the event of an attack. This could be manually or an automated process and has the purpose of making the target service less attractive. It may also help keep the target system stable and prevent it from crashing from lack of resources. The services can then be returned to the previous state when the attack is over.
Absorbing the Attack
It might be possible to absorb the attack by adding enough extra resources and bandwidth if the available resources surpassed the resources available to the attacker. This type of defense does require a lot of extra planning, resources, and of course money. This approach may include the use of a load balancer or similar technology.
Some defense strategies a more botnet-specific and include the following...
RFC 3704 Filtering
This defense strategy is designed to block or stop packets from IP addresses that are unused or reserved in any given range. Ideally this filtering is done at the ISP level prior to reaching the target network.
Black Hole Filtering
This strategy is in essence a black hole or area in the target network where offending traffic can be forwarded to and then dropped.
Source IP Reputation Filtering
Some IPS vendors offer features to filter or firewall traffic based on reputation. Reputation is determined by past history of attacks by reported IP addresses or ranges and other factors.
One thing to keep in mind when penetration testing is the damage that can be done when stress testing or simulating a DDoS attack or an ordinary DoS attack. A major concern is taking down integral resources during the testing phase. The ripple effect of taking down a critical component of a larger infrastructure can be far reaching. Some times bringing the service or system back online after a successful stress test can prove challenging. An agreement between the pentester and the client should explicitly define what will be done and the client's time frame for when the testing may be done. And always document every single step in every part of the pentesting process.
Denial-of-service attacks involves the removal of availability of a resource. The is the A in the CIA triad. That resource can be anything from a web service to a connection to the local network. DoS attacks can focus on flooding the network with bogus traffic, or they can disable a resource without affecting other network members. The attack could be done against dedicated authentication services such as Active Directory or Cisco Secure ACS. Another possibility may be attacking the service itself with just one or a few well crafted packets that will crash the service entirely.
Disabling Unnecessary Services
You can help protect against DoS and DDoS attacks by hardening individual systems and by implementing network measures that protect against such attacks. The less services running the less the attack surface.
Using Anti-Malware
Real-time virus protection can help prevent bot installations by reducing infections from Trojans carrying bots as payload. This will not stop a DoS attack but slow down the creation of a botnet having a proactive effect.
Enabling Router Throttling
Some types of DoS attacks rely on traffic saturation of the network and can be mitigated or at least slowed down by enabling bandwidth throttling on the gateway. This can help establish an automated control on the impact an attack can inflict. This will also give network administrators a windows to respond appropriately.
Use a Reverse Proxy
A reverse proxy is the opposite of a forward proxy. When a request is made to a web server, the requesting traffic is redirected to the reverser proxy before it is forwarded to the actual server. This gives the benefit that the reverse proxy acts as a middleman and can take protective actions when an attack occurs.
Enabling Ingress and Egress Filtering
Ingress filtering prevents some kinds of attacks by blocking traffic with spoofed IP addresses coming in from an outside source. This could be traffic with a rfc1918 source addresses as such an IP address should not come from the Internet. One exception could be tunneled traffic from a VPN peer.
Egress filtering can block outbound traffic that was intended for the attacking party or malicious traffic participating in a DDoS attack on a third party victim.
Degrading Services
In this approach, services may be throttled down or shut down in the event of an attack. This could be manually or an automated process and has the purpose of making the target service less attractive. It may also help keep the target system stable and prevent it from crashing from lack of resources. The services can then be returned to the previous state when the attack is over.
Absorbing the Attack
It might be possible to absorb the attack by adding enough extra resources and bandwidth if the available resources surpassed the resources available to the attacker. This type of defense does require a lot of extra planning, resources, and of course money. This approach may include the use of a load balancer or similar technology.
Some defense strategies a more botnet-specific and include the following...
RFC 3704 Filtering
This defense strategy is designed to block or stop packets from IP addresses that are unused or reserved in any given range. Ideally this filtering is done at the ISP level prior to reaching the target network.
Black Hole Filtering
This strategy is in essence a black hole or area in the target network where offending traffic can be forwarded to and then dropped.
Source IP Reputation Filtering
Some IPS vendors offer features to filter or firewall traffic based on reputation. Reputation is determined by past history of attacks by reported IP addresses or ranges and other factors.
One thing to keep in mind when penetration testing is the damage that can be done when stress testing or simulating a DDoS attack or an ordinary DoS attack. A major concern is taking down integral resources during the testing phase. The ripple effect of taking down a critical component of a larger infrastructure can be far reaching. Some times bringing the service or system back online after a successful stress test can prove challenging. An agreement between the pentester and the client should explicitly define what will be done and the client's time frame for when the testing may be done. And always document every single step in every part of the pentesting process.