Web Informant <#235, 30 January 2001:
Preventing Denial of Service attacks


Quote of the week: "We did not apply sufficient self-defense techniques to ... our core network infrastructure." -- Microsoft CIO Rick Devenuti.

Last week, Microsoft learned exactly how vulnerable their various web sites were to distributed denial of service (dDOS) attacks. The attacks came a day after the company's web sites were unavailable due to router configuration errors. Perhaps this is a lesson for the rest of us, that you can never take any part of your network infrastructure for granted.

The dDOS attack involves sending many requests to connect to a target server in a short period of time, so many that the server is overwhelmed by its sudden increase in popularity. These requests are generated by a wide variety of hacker programs, and can either crash a server entirely or slow it down so much to make it unusable to ordinary visitors. The reason it is called distributed is because the attack can come from many different sources concurrently, making it even harder to track down and find the culprit(s).

These attack programs are easily available around the Net, and all it takes is someone with a little time on his or her hands to set one up. So, not to be too paranoid about this, but what can you do?

The first step is to make sure your hosts are secured and any extraneous programs, along with the ability to run such programs, are prevented. You need to carefully understand the specific security configuration of your servers, and there are a number of scanners available that can review your security settings and make sure that you haven't inadvertently left a back door or two open for someone to come in unannounced. These scanners will also report on whether or not you have installed all the latest patches and fixes to your server operating systems, including the ones that have particular security implications. A good review of these tools, along with some sample reports from the various scanner tools, can be found here.

Second, you should download one of the attack programs and try it for yourself, once you have followed the remaining suggestions here to harden your servers. The best defense is to go on the offense against any possible attacks, and to really understand what is involved you should try these out, possibly during a non-critical time if you can find such a window for your site. Various dDOS attack tools can be found here.

Most of the remaining solutions are fairly technical, and involve configuration changes to your routers and firewalls. You should tighten up your firewalls to allow packets to leave your networks only if they have the proper IP addresses of your internal networks. Similarly, you should only allow incoming packets with the proper internal IP addresses as well. Typically, these are done via filters or command-line arguments. The particular commands for hardening your Cisco routers can be found here.

You also need to disallow the ability of one computer to pretend it is someone else, what is called IP spoofing, and to prevent outsiders from being able to send broadcasts of ICMP protocols into your network. Again, you need to know the precise commands for your firewalls and routers to block these kinds of situations. Some examples of how to do this can be found in Terry Dawson's excellent article on the O'Reilly Network here.

Finally, you need to spend some time communicating with your peers in other companies, and know where you can go to get the right kinds of support and knowledge. There are dozens of security web sites out there, I recommend you find one or two that can speak most appropriately to your needs and regularly review them. One that I particularly like is the Live Security service from Watchguard, which costs an additional $100 per year when ordered with one of their firewall appliances.

Microsoft learned the hard way. Hopefully, you will be better prepared.

To subscribe, send a blank email to

To be removed from this list, send a blank email to

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 2001 by David Strom, Inc.
Web Informant is ® registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.