December 11, 2000, 4:31 PM — The recent epidemic of denial-of-service (DoS) attacks against major e-commerce
sites has put a chill in the bones of many network administrators. The thought of a
crippling blow being struck against infrastructure that you're responsible for is
enough to give even the most hardened network manager the chilblains.
On the surface there doesn't seem to be much anyone can do to prevent these attacks.
The traffic originates from many different sources and the return IP addresses are
usually forged and lead investigators to non-existent hosts. And once the attack
begins, the barrage of bogus data is so intense that most monitoring systems are
Take heart. Despite the seemingly grim outlook, there are some steps that you can
take that will make dealing with DoS attacks easier.
Prior to launching an attack, a competent military commander will spend a
significant amount of time gathering intelligence. Network intruders are no different.
A well-planned DoS attack takes advantages of weak spots in the target network. How do
the "black hats" find the weak spots? They probe your network. Detecting these first
signs of an impending attack can make the difference between being a victim or a hero.
The most important step you can take is to install a probe, or sensor, between the
Internet wilderness and your enterprise network. Having a probe in place won't prevent
a DoS attack from being launched against you but it will allow you to get a whiff of
those first tentative knocks on your door. You might just get enough warning to be able
to secure critical systems.
While there are many commercial sensor systems on the market they tend to be
expensive, complicated to install and suffer from "black box" disease; you are
dependent on the detection modules supplied by the vendor. Building your own sensor is
relatively straightforward, very cost-effective -- you probably already own the parts --
and allows you to customize coverage for your site. We'll show you how to build one in
our next column.
Until then, check out these useful packet analysis tools. We'll be using this
software as part of our homebrew probe: