Sniffing out the Black Hats: Preventive medicine for DoS attacks

The recent epidemic of denial-of-service (DoS) attacks against major e-commerce sites has put a chill in the bones of many network administrators. The thought of a crippling blow being struck against infrastructure that you're responsible for is enough to give even the most hardened network manager the chilblains.

On the surface there doesn't seem to be much anyone can do to prevent these attacks. The traffic originates from many different sources, and the source IP addresses are usually spoofed, leading investigators to non-existent hosts. And once the attack begins, the barrage of bogus traffic is so intense that most monitoring systems are overwhelmed.

Take heart. Despite the seemingly grim outlook, there are some steps that you can take that will make dealing with DoS attacks easier.

Prior to launching an attack, a competent military commander will spend a significant amount of time gathering intelligence. Network intruders are no different. A well-planned DoS attack takes advantage of weak spots in the target network. How do the "black hats" find the weak spots? They probe your network: port scans, host sweeps and connection attempts against services they hope to find exposed. Detecting these first signs of an impending attack can make the difference between being a victim or a hero.

The most important step you can take is to install a probe, or sensor, between the Internet wilderness and your enterprise network. Having a probe in place won't prevent a DoS attack from being launched against you but it will allow you to get a whiff of those first tentative knocks on your door. You might just get enough warning to be able to secure critical systems.

While there are many commercial sensor systems on the market they tend to be expensive, complicated to install and suffer from "black box" disease; you are dependent on the detection modules supplied by the vendor. Building your own sensor is relatively straightforward, very cost-effective -- you probably already own the parts -- and allows you to customize coverage for your site. We'll show you how to build one in our next column.

Until then, check out these useful packet analysis tools. We'll be using this software as part of our homebrew probe:

  • Snort, a packet sniffer/logger that can be used as a lightweight network intrusion detection system
  • Tcpdump, a packet capture and protocol dump program, and
  • Iptraf, a network monitoring utility for IP networks.
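To give a concrete picture of the "first tentative knocks" a sensor should notice, here is a small detector, added as an illustration and not part of this column or of the Snort, tcpdump or Iptraf projects. It reads one-line `tcpdump -n` style TCP summaries and flags any source that sends bare SYNs to many ports on one host (a port scan) or to one port on many hosts (a host sweep). The sample log lines are constructed for the example using documentation address ranges, and the thresholds of five ports and five hosts are assumptions a site would tune to its own traffic.

```python
import re
from collections import defaultdict

# Matches the one-line TCP summary that "tcpdump -n" prints, e.g.
#   12:00:01.000001 IP 203.0.113.5.40001 > 198.51.100.10.22: Flags [S], seq 1, win 1024, length 0
TCPDUMP_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)


def parse_line(line):
    """Parse one tcpdump TCP summary line; return None for lines in another format."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        'ts': m.group('ts'),
        'src': m.group('src'),
        'dst': m.group('dst'),
        'dport': int(m.group('dport')),
        'flags': m.group('flags'),
    }


def find_probes(lines, port_threshold=5, host_threshold=5):
    """Return {src: {'vertical': [(dst, n_ports)], 'horizontal': [(dport, n_hosts)]}}
    for every source whose bare SYNs touched at least port_threshold ports on one
    host (vertical scan) or host_threshold hosts on one port (horizontal sweep)."""
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dport}
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    for line in lines:
        pkt = parse_line(line)
        # Only a bare SYN ("S") opens a connection attempt; "S." is the SYN/ACK reply
        # and "." is a plain ACK, neither of which says anything about probing.
        if pkt is None or pkt['flags'] != 'S':
            continue
        ports_per_host[pkt['src']][pkt['dst']].add(pkt['dport'])
        hosts_per_port[pkt['src']][pkt['dport']].add(pkt['dst'])

    alerts = {}
    for src in sorted(ports_per_host):
        vertical = [(dst, len(ports)) for dst, ports in sorted(ports_per_host[src].items())
                    if len(ports) >= port_threshold]
        horizontal = [(port, len(hosts)) for port, hosts in sorted(hosts_per_port[src].items())
                      if len(hosts) >= host_threshold]
        if vertical or horizontal:
            alerts[src] = {'vertical': vertical, 'horizontal': horizontal}
    return alerts


def _pkt(ts, src, sport, dst, dport, flags='S'):
    """Build a constructed tcpdump-style line for the sample log below."""
    return f'{ts} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], seq 1, win 1024, length 0'


# Constructed sample capture (TEST-NET addresses), not real traffic:
#  - 203.0.113.5 walks seven ports on a single server (vertical scan)
#  - 203.0.113.77 hits port 80 on six different hosts (horizontal sweep)
#  - 192.0.2.9 makes one ordinary web connection, answered by the server
SAMPLE_LOG = (
    [_pkt(f'12:00:0{i}.000001', '203.0.113.5', 40000 + i, '198.51.100.10', p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143])]
    + [_pkt(f'12:00:1{i}.000001', '203.0.113.77', 50000 + i, f'198.51.100.{i + 1}', 80)
       for i in range(6)]
    + [_pkt('12:00:20.000001', '192.0.2.9', 33000, '198.51.100.10', 80),
       _pkt('12:00:20.000200', '198.51.100.10', 80, '192.0.2.9', 33000, flags='S.'),
       _pkt('12:00:20.000400', '192.0.2.9', 33000, '198.51.100.10', 80, flags='.')]
)

if __name__ == '__main__':
    for src, hit in find_probes(SAMPLE_LOG).items():
        print(src, hit)
```

Fed the sample log, the detector reports 203.0.113.5 as scanning seven ports on 198.51.100.10 and 203.0.113.77 as sweeping port 80 across six hosts, while the legitimate client 192.0.2.9 and the server's SYN/ACK reply produce no alert. A production sensor would add a time window so that a busy but legitimate client does not trip the count over a whole day, and would also watch UDP and ICMP probes, which this TCP-only example ignores.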