Brumley added that many machines don't keep logs, and attacks that spoof packet addresses are difficult to trace unless data is collected during the attack. He also warned that many Internet service providers aren't willing to trace packets and get data in real time unless it is a big attack. Companies should develop contacts with law enforcement and be prepared to quantify financial losses to overburdened investigators.
All the panelists agreed that if more network managers applied the type of filtering described in RFC 2267 to their I/O interfaces, it would be more difficult to launch attacks with spoofed packet addresses. As a packet leaves the router, these filters apply a set of rules that check that the packet carries a source address belonging to the internal network before it is sent. This would prevent a compromised machine from being used by an attacker to send a flood of packets with inaccurate addresses against a target. The panelists noted that it would be especially effective for service providers to install these filters. "If everyone did this, source address spoofing would not work," said Lears.
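The source-address check the panelists describe can be sketched as follows. This is an added example, not code from the panel or from RFC 2267; the interface names, prefixes (documentation ranges) and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed sample: prefixes assigned to the network behind each internal
# interface (RFC 5737 / RFC 3849 documentation ranges, not from the article).
INTERNAL_PREFIXES = {
    "eth1": ["192.0.2.0/24"],
    "eth2": ["198.51.100.0/25", "2001:db8:10::/48"],
}
_NETS = {i: [ipaddress.ip_network(p) for p in ps]
         for i, ps in INTERNAL_PREFIXES.items()}


def permit(in_iface, src):
    """True if a packet that entered on in_iface may leave with source src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: drop
    # Unknown interfaces have no prefixes, so everything from them is dropped.
    return any(addr.version == net.version and addr in net
               for net in _NETS.get(in_iface, []))


def filter_outbound(packets):
    """Split (in_iface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets: (interface the packet arrived on, source, destination).
SAMPLE = [
    ("eth1", "192.0.2.17", "203.0.113.5"),      # legitimate host on eth1
    ("eth1", "198.51.100.9", "203.0.113.5"),    # valid on eth2, spoofed on eth1
    ("eth2", "198.51.100.9", "203.0.113.5"),    # legitimate host on eth2
    ("eth2", "198.51.100.200", "203.0.113.5"),  # outside the /25
    ("eth2", "2001:db8:10::1", "2001:db8:ffff::5"),
    ("eth1", "10.1.2.3", "203.0.113.5"),        # forged source
]

if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE)
    for p in drop:
        print("DROP", *p)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

Checking each source against the prefixes of the interface it arrived on, rather than against one site-wide list, also catches a host on one internal segment forging an address from another.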
Other tips from panelists on preventing denial-of-service attacks:
- Monitor your own network to make sure your machines aren't being compromised for use in a denial-of-service attack network.