unSpawn
08-25-2009 07:37 PM
As you maybe know, DoS stands for "Denial of Service": using up a machine's resources in a way that it can no longer fulfill its purpose. Depending on how a machine is DoSsed you have a range of direct and indirect measures to try to cope with increased or malicious traffic, ranging from the SYN cookies sysctl (make the kernel deal with SYN flooding differently), rate limiting, tar-pitting and other packet filtering (let the firewall function as a revolving door of sorts), application level firewall (let mod_security determine if a request is valid), IDS (let an intrusion detection system like Snort or Prelude determine if traffic has a malicious payload) and (reverse) proxying (buffer traffic to filter and lighten load) to load balancing and multi-colocation (depending on the size of one's wallet). If none of the methods deployed can filter or slow down traffic in a way that the machine can deal with it, then you can only route traffic away and sit it out. For a SOHO server that would mean firewalling it or shutting it down; in other situations it might require the ISP to temporarily route traffic to the bit bucket.
In DDoS the first D stands for "distributed", meaning the adversary has access to a structure, a "network inside a network" comprising thousands to tens of thousands of machines (zombies), to perform the actual attack. In such situations the pressure will be on the ISP to work with routing peers to temporarily route traffic to the bit bucket, because at that volume the traffic threatens their infrastructure.
As such DDoS attacks can't really be "prevented"; it comes down more to a form of "trying to cope with". What is often forgotten to mention is that prevention may well start by not publishing content that works like a red rag to a bull for certain groups (I'm thinking certain pr0n, 88, belief-related content or revisionism, not the average petty "I hate you" site), and by not bragging about or deliberately taunting people...
For more information about DoS and DDoS search LQ, the LQ Security References part about DoS and DDoS ( http://www.linuxquestions.org/questi...579#post222579 ) and the SANS Reading Room ( http://www.sans.org/reading_room/ ); they have gathered much material about different topics over the past years, like http://www.sans.org/reading_room/whi...&cat=intrusion
HTH
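As an added illustration, not part of unSpawn's post: the SYN cookies sysctl mentioned above works by having the kernel answer every SYN with a SYN-ACK whose initial sequence number is a keyed hash of the connection tuple plus a coarse timestamp, and by allocating nothing for the half-open connection until the final ACK echoes a valid, recent cookie. The Python below simulates that exchange with constructed segment objects (no sockets, no real packets); the 8-bit slot tag, 24-bit HMAC-SHA256 truncation, 64-second slot and the `Segment` type are this example's own simplifications, not the Linux implementation, which also has to squeeze MSS and other TCP options into the cookie or recover them from the timestamp option.

```python
"""Simulated SYN cookies: answer each SYN statelessly, allocate a connection only
when the final ACK proves the client holds a cookie we issued in the last two slots."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

SLOT_SECONDS = 64   # a cookie is accepted during its own slot and the following one
MAC_BYTES = 3       # 24-bit MAC; the top 8 bits of the 32-bit ISN carry the slot tag


@dataclass(frozen=True)
class Segment:
    """Constructed stand-in for the TCP header fields we need; not a real packet."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int = 0
    syn: bool = False
    ack_flag: bool = False


class SynCookieServer:
    def __init__(self, secret=None, clock=time.time):
        self.secret = secret or os.urandom(32)   # a real kernel rotates this; fixed here
        self.clock = clock                       # injectable so expiry can be tested
        self.established = set()                 # only completed handshakes land here

    def _slot(self):
        return int(self.clock() // SLOT_SECONDS)

    def _mac(self, seg, slot, client_isn):
        # Bind the cookie to the 4-tuple, the client's ISN and the time slot.
        msg = f"{seg.src_ip}|{seg.dst_ip}|{seg.src_port}|{seg.dst_port}|{client_isn}|{slot}"
        return hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()[:MAC_BYTES]

    def on_syn(self, seg):
        """Return our SYN-ACK ISN. Nothing is stored for the half-open connection."""
        slot = self._slot()
        mac = int.from_bytes(self._mac(seg, slot, seg.seq), "big")
        return ((slot & 0xFF) << 24) | mac       # 8-bit slot tag + 24-bit MAC

    def on_ack(self, seg):
        """Final handshake ACK: accept only if the echoed ISN is a fresh, valid cookie."""
        if seg.syn or not seg.ack_flag:
            return False
        our_isn = (seg.ack - 1) & 0xFFFFFFFF      # the client acknowledges our ISN + 1
        client_isn = (seg.seq - 1) & 0xFFFFFFFF   # the client's seq is its own ISN + 1
        echoed_mac = (our_isn & 0xFFFFFF).to_bytes(MAC_BYTES, "big")
        now = self._slot()
        for slot in (now, now - 1):               # tolerate one slot boundary crossing
            if (slot & 0xFF) != our_isn >> 24:
                continue
            if hmac.compare_digest(self._mac(seg, slot, client_isn), echoed_mac):
                self.established.add((seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port))
                return True
        return False


def legitimate_handshake(server, src="198.51.100.7", sport=40000, client_isn=12345):
    """A real client echoes the SYN-ACK ISN + 1 and gets a connection."""
    syn = Segment(src, "192.0.2.1", sport, 80, seq=client_isn, syn=True)
    server_isn = server.on_syn(syn)
    ack = Segment(src, "192.0.2.1", sport, 80, seq=client_isn + 1,
                  ack=server_isn + 1, ack_flag=True)
    return server.on_ack(ack)


def spoofed_flood(server, count=10000):
    """Spoofed sources never see the SYN-ACK; return how many connections they cost us."""
    for i in range(count):
        syn = Segment(f"203.0.113.{i % 256}", "192.0.2.1", 1024 + i, 80, seq=i, syn=True)
        server.on_syn(syn)                       # reply computed, nothing remembered
    return len(server.established)


def forged_ack(server):
    """Skipping the SYN and guessing the cookie means hitting 24 MAC bits plus the slot tag."""
    ack = Segment("203.0.113.9", "192.0.2.1", 5555, 80, seq=1, ack=0xDEADBEEF, ack_flag=True)
    return server.on_ack(ack)


def stale_cookie():
    """A cookie replayed two slots later is rejected even though it was genuine."""
    now = [1_000_000.0]
    server = SynCookieServer(secret=b"k" * 32, clock=lambda: now[0])
    syn = Segment("198.51.100.8", "192.0.2.1", 41000, 80, seq=777, syn=True)
    isn = server.on_syn(syn)
    now[0] += 2 * SLOT_SECONDS
    ack = Segment("198.51.100.8", "192.0.2.1", 41000, 80, seq=778, ack=isn + 1, ack_flag=True)
    return server.on_ack(ack)


if __name__ == "__main__":
    srv = SynCookieServer()
    print("connections allocated by 10000 spoofed SYNs:", spoofed_flood(srv))
    print("legitimate client completes handshake:", legitimate_handshake(srv))
    print("forged ACK accepted:", forged_ack(srv))
    print("stale cookie accepted:", stale_cookie())
```

The point to take from the simulation is where the resource goes: with a conventional backlog every spoofed SYN pins memory until a timer fires, so the flood wins by volume; with cookies the cost per SYN is one HMAC and one outbound packet, and only clients that actually receive the SYN-ACK can ever occupy a slot in `established`. The trade-off, and the reason Linux only switches to cookies once the backlog overflows, is that a stateless SYN-ACK cannot remember negotiated options unless they are packed into the cookie.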