
Preventing DOS and DDOS attacks

Relevant classes: any

A Denial of Service (DOS) attack is a saturation attack, in which a service provided by a computer is overloaded with requests from illegitimate sources, thus preventing the service from performing its intended function for legitimate users. A distributed Denial of Service attack (DDOS) is a DOS attack which is launched from a number of hosts in parallel, so that the source of the attack is bolstered both by redundancy and multiplicity.

Once a DOS attack has taken a foothold on a system, there is no universal defense against it. DOS attacks are rather like the common cold: they have never been cured because the problem mutates faster than any cure. This is a very efficient attack strategy. However, there are a number of things one can do to prevent DOS attacks from being successful, and to prevent one's own hosts from being used to attack others. The problem can be analyzed from a game-theoretical perspective. A mixture of strategies is the best approach.
Strategy: Stop packets from arriving
Contribution: Ease the load on the service by filtering packets with some kind of firewall. This assumes that one knows where the packets are coming from and can adjust the filter rules quickly enough. Some intrusion detection systems can detect DOS attacks; unfortunately, modern network and operating systems are not able to respond to such attacks automatically. Methods of computer immunology might one day be used to automate this.

Strategy: Load spreading and redundancy
Contribution: A service is hard to saturate completely if it has sufficient redundancy. Assure sufficient load balancing and redundancy. You can use a randomization strategy ("rotate shields") to present a moving target to attackers.

Strategy: Preventing complicity
Contribution: In order to participate in a DDOS attack, attackers must have access to your systems. It is up to every member of a community to obey the law, if law is to be enforced. "Rogue systems" which harbour cyber-terrorists will sustain the DDOS problem. If they are local users, you need to be on the lookout for them. You can do this by scanning for known tools. In cfengine, you can do this by looking for suspicious filenames:

   SuspiciousNames = ( .. )

or unwanted processes. Be aware that attackers usually try to hide their tracks by using unusual names for well-known programs. On the other hand, many script-kiddies simply download and run programs unaltered.

Strategy: Garbage collection
Contribution: One of the reasons why DOS attacks are successful is that almost no modern system performs resource garbage collection. DOS attacks work because they consume resources but never free them. One form of attack which has been used to crash Unix systems is a log attack. Systems which log all kinds of messages quickly fill up disk partitions with these messages. If logs are not rotated often enough, systems will crash from lack of disk space. (Note that some operating systems are programmed to do this all by themselves, without any outside help!)
In the future, one would hope to see dynamic operating systems, able to adapt to stress.
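The "preventing complicity" and "garbage collection" strategies above can be combined in a single cfengine 2 configuration. The fragment below is an added example, not taken from the cfengine documentation; the suspicious filenames, the process pattern, the log paths and the size threshold are constructed placeholders that a site would replace with the tools and logs it actually tracks.

```cfengine
control:
   # Constructed example: check files, then processes, then log housekeeping
   actionsequence = ( files processes disable )

   # Placeholder names of tools that should never appear on a healthy host;
   # any file with one of these names found during a recursive file check
   # is reported (assumed list, replace with the names you actually track)
   SuspiciousNames = ( .ddos-agent flood-client )

files:
   # Walk user home directories so the SuspiciousNames check runs on them;
   # warnall reports problems without changing anything
   /home recurse=inf action=warnall

processes:
   # Terminate any process whose command line matches a known unwanted
   # tool (assumed pattern; attackers often rename binaries, so treat a
   # match as a prompt to investigate, not as a complete defence)
   "ddos-agent|flood-client" signal=kill

disable:
   # Garbage collection for the log attack: rotate logs once they grow
   # past a threshold so they cannot fill the partition (assumed paths
   # and size; keep 4 generations)
   /var/log/messages rotate=4 size=>20mbytes
   /var/log/syslog   rotate=4 size=>20mbytes
```

Running cfengine from cron with this configuration gives a periodic, automated pass over all three concerns; the reports from the files and processes sections are what an administrator would review for signs of a host being recruited into a DDOS network.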
