Ten security policies to prevent DDoS attacks

This article is provided by the famous German hacker Mixter (only 20 years old) who compiled Distributed Denial-of-Service attack tools TFN and TFN2K (these tools were used to attack large websites such as Yahoo.

To put it simply, it is very complicated to master all the causes and security vulnerabilities that may cause intrusion and be used to launch DoS attacks. In detail, there is no simple or dedicated way to protect against these attacks, but you can only apply various security and protection policies as much as possible. For every system facing security threats, some simple and fast security policies are listed here to protect against these attacks.

Important measures should be taken for targets or potential targets facing DoS Attacks:

1. Eliminate FUD mentality

FUD means Fear, Uncerntainty, and Doubt ). Recent attacks may cause some people to be worried all day for fear of becoming an attack target. In fact, we must realize that there are only a few companies or hosts that may become targets of DoS attacks, and most of them are famous websites, such as search engines, portals, large e-commerce and securities companies, IRC servers, and news and magazines. If the website does not belong to this type of website, you do not have to worry too much about becoming a direct target for DoS attacks.

2. Ask for assistance and cooperation with ISP

It is important to obtain assistance and cooperation from your major Internet Service Provider (ISP. Distributed Denial-of-Service (DDoS) attacks consume bandwidth, and you cannot cope with these attacks by managing the network on your own. Negotiate with your ISP to make sure they agree to help you implement the correct routing access control policy to protect the bandwidth and internal network. Ideally, your ISP is willing to monitor or allow you to access their routers when an attack occurs.

3. Optimize the routing and Network Structure

If you manage more than a host but a network, you need to adjust the route table to minimize the impact of DoS attacks. TCP listening should be set to prevent SYN flood attacks. For more information, see vro technical documents. In addition, do not allow unnecessary UDP and ICMP packets to pass through the network. In particular, do not allow Outbound ICMP "inaccessibility" messages.

4. Optimize hosts with open access

Optimize all hosts that may become targets. Disable all unnecessary services. In addition, multiple IP hosts also increase the difficulty of attackers. We recommend that you use the multi-IP address technology among multiple hosts, and the homepage of these hosts will only automatically switch to the real web server.

5. When you are under attack, you must apply the corresponding policy immediately.

It is important to block attack packets as quickly as possible, and contact them as soon as possible if they are found to come from certain ISPs. Do not rely on the source address in the data packet, because they are often randomly selected in DoS attacks. Determining the source of forgery quickly and accurately depends on whether your response is fast, because records in the vro may be cleared shortly after the attack is aborted.

Important measures should be taken for hosts that have been or may be intruded into and installed with DDoS proxy programs:

6. Eliminate FUN mentality

As an object that may be infiltrated, there is no need to be too nervous. You only need to take reasonable and effective measures as soon as possible. Currently, all Denial of Service (DoS) attack servers are only installed in Linux and Solaris systems. Although it may be transplanted to * BSD * or other systems, as long as these systems are secure enough, the possibility of system intrusion is unlikely.

7. Ensure that the host is not intruded and secure

There are many old and new vulnerability attack programs on the Internet. To ensure that your server version is not affected by these vulnerabilities. Remember, intruders always use existing vulnerabilities to access the system and install the attack program. System Administrators should always check server configurations and security issues to run the latest software version. The most important thing is to run only necessary services. If the system is fully compliant with the above ideas, it can be considered safe enough and will not be under intrusion control.

8. Periodic Review System

You must be aware that you are responsible for the system you manage. We should fully understand how the system and server software work and regularly check system configurations and security policies. In addition, you should always pay attention to the latest security vulnerabilities and problems posted by the Security site related to the self-managed operating systems and software.

9. Check file integrity

When it is determined that the system has not been intruded, all binary programs and other important system files should generate file signatures as soon as possible, and periodically compare with these files to ensure that they are not modified illegally. In addition, it is strongly recommended to test and save files to another host or removable media. Free tools such as tripwire for file/directory integrity check can be downloaded from many FTP sites. Of course, you can also choose to purchase commercial software packages.

10. immediately shut down the system and investigate the attack.

If an attack is detected (or notified) on the network or host, immediately shut down the system, or at least cut off the connection to the network. Because these attacks also mean that intruders have almost full control over the host, research and analysis should be conducted and the system should be reinstalled. We recommend that you contact the security organization .. It must be noted that it is very important to provide all the programs and data left by attackers in the intrusion into the host to security organizations or experts, because it can help track the source of attacks.