DoS attacks hide behind legitimate commands and cannot be completely blocked.

Source: Internet
Author: User

Degree: elementary

Denial of Service (DoS) attacks use a large number of legitimate packets to paralyze enterprise network services, rendering existing anti-virus software, firewalls and even intrusion detection systems useless; network services may be interrupted for several hours or even days.

Yang Guangming, senior product and technology manager of Beidian's enterprise network department, said that traditional DoS attacks were launched from only a few computers, which sent a large number of packets, or abnormal packets, at standard services (such as TCP and FTP) within a short time, overloading the system or network and interrupting service. Today's DoS attacks, however, first use a Trojan program to implant the user's computer before the attack is launched; when the attack begins, the pre-implanted Trojan lets hundreds or even thousands of computers attack the enterprise network at the same time, the so-called Distributed Denial of Service (DDoS) attack.

The biggest difference between DoS attacks and other attacks is that, although DoS is an "attack", it carries out its attack disguised as valid packets. For example, network administrators often use the ping command, a normal network command, to test whether the network is connected correctly. But if hackers run ping against the same server from thousands of computers at the same time, the server is kept busy replying to the ping requests and cannot handle any other service, and the traffic may even cause network congestion and service interruption.

Yang Guangming said that to defend against DoS attacks, enterprises must have corresponding defense measures at every layer, from the front-end firewall through the network switches to the clients. Firewalls at the front end of an enterprise network usually integrate functions such as IDS, so that the firewall can block unknown attack behaviour without waiting for administrators to respond. Although an internal (Layer 2) network switch does not provide intelligent attack detection, it can still detect abnormal network traffic through its traffic monitoring function and immediately notify administrators for further handling, or block the traffic directly.
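The two points above, that every packet in a ping flood is individually valid and that a switch can still catch the attack by watching traffic volume, are easiest to see in code. The following is an added example, not code from the article or from any product it mentions. It builds a constructed set of per-packet records (hypothetical addresses, three administrators pinging a server, plus one distributed burst and one single-host burst) and flags any one-second window whose packet count is far above the destination's usual level, distinguishing a distributed flood from a single noisy host by the number of distinct sources. The threshold factor and the minimum source count are assumptions chosen for the sample, not figures from the article.

```python
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed sample records: (second, src_ip, dst_ip, proto).
    Seconds 0-9: three admin hosts ping 10.0.0.5 once per second (normal).
    Second 5: 400 extra hosts each send one echo request (distributed flood).
    Second 8: one admin host sends 40 extra echo requests (single-source burst).
    Every record is a well-formed ICMP echo request; only the aggregate is abnormal."""
    admins = ("10.1.0.11", "10.1.0.12", "10.1.0.13")
    flows = [(sec, admin, "10.0.0.5", "icmp-echo")
             for sec in range(10) for admin in admins]
    # 400 distinct hypothetical sources drawn from documentation ranges.
    flood_sources = [f"198.51.100.{i}" for i in range(1, 201)] + \
                    [f"203.0.113.{i}" for i in range(1, 201)]
    flows += [(5, src, "10.0.0.5", "icmp-echo") for src in flood_sources]
    flows += [(8, "10.1.0.11", "10.0.0.5", "icmp-echo") for _ in range(40)]
    return flows


def count_windows(flows, window_s=1):
    """Aggregate packets per (destination, time window): total count and distinct sources."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for sec, src, dst, _proto in flows:
        key = (dst, sec // window_s)
        counts[key] += 1
        sources[key].add(src)
    return counts, sources


def detect_floods(flows, window_s=1, factor=10, min_sources=100):
    """Flag windows whose packet count exceeds `factor` times the destination's
    median per-window count. A flagged window fed by at least `min_sources`
    distinct hosts is labelled 'distributed' (the DDoS pattern described in the
    article); otherwise 'single-source'. Returns alerts in time order."""
    counts, sources = count_windows(flows, window_s)
    per_dst = defaultdict(list)
    for (dst, _win), n in counts.items():
        per_dst[dst].append(n)
    alerts = []
    for (dst, win), n in sorted(counts.items()):
        baseline = median(per_dst[dst])  # typical load for this destination
        if n > factor * baseline:
            distinct = len(sources[(dst, win)])
            alerts.append({
                "dst": dst,
                "window": win,
                "packets": n,
                "sources": distinct,
                "kind": "distributed" if distinct >= min_sources else "single-source",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_flows()):
        print(alert)
```

Running the sample yields two alerts: window 5 (403 packets from 403 sources, distributed) and window 8 (43 packets from 3 sources, single-source), while the ordinary seconds are never flagged even though their packets are byte-for-byte identical to the flood packets. On a real switch or collector the input would be flow records rather than this constructed list, and the median baseline would be computed over a longer history than ten seconds.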

Yan Jielin, product and technical manager of Beidian's public and enterprise network department, said that, in addition to internal attacks, enterprises should pay more attention to their network architecture and to keeping computer security updates current, to prevent hackers from exploiting system vulnerabilities to implant Trojans and launch attacks directly from inside the enterprise.

Yan Jielin believes that when planning the network architecture, enterprises can divide the entire network into multiple segments and place a centrally managed intrusion detection system in each segment; when an attack or virus infection is detected in one segment, the intrusion detection systems of the other segments are notified and respond immediately, reducing the impact of the attack on the enterprise network as a whole. "With this network architecture and proactive defense plan, the enterprise network will not be completely paralyzed by a single attack event," said Yan Jielin.

Yang Guangming further said that when purchasing network equipment, enterprises must pay attention to the device's own hardware architecture and how much impact it can tolerate, rather than looking only at what protection functions the software provides. For example, although some devices offer DoS defense, they can only sustain a traffic load of MB; if an attack generates more than MB of traffic within a short period and exceeds the device's load capacity, even good protection functions cannot be used.

Since DoS attacks are carried out with valid packets, they are difficult to defend against completely. Yang Guangming believes that the most important thing is that network devices must be able to absorb sudden traffic surges and keep the network running, buying more time for network administrators. In normal times, administrators should do proper network planning and traffic monitoring so that normal network operation can be restored in the shortest possible time after an attack.
