Some excellent posts in this thread, did some digging to come up with some starting points, so it's presented rather sparse as not to cramp your Google searching stylee :-]
= Type of DoS attacks:
- TCP floods (SYN, ACK, RST) *Google ?q="3-way handshake SYN flood"
- ICMP echo request (Smurf, Fraggle)
- UDP floods (chargen)
- DDoS attacks are "distributed" DoS attacks, launched from compromised hosts.
= DoS defense:
- ISP filtering
- Host filtering (Netfilter)
Filtering means you/ISP should check that IP source addresses do not contain reserved or broadcast addresses, on inbound (ingress) that the source address shouldn't be the same as the destination address and reverse on outbound (egress) routes.
- Rate limiting
- Kernel SYN cookies
- TCP Wrappers
- Tweak network serving application/master (xinetd) parameters, like for instance Xinetd using "sensors" and explicitly denying in Apache's conf: allow,deny. Maybe also check out max children etc.
- Test your setup!
= Handle DoS attacks:
- Start tcpdump capture if possible: save evidence of attack.
Pro: evidence available, con: none
- Rate-limit sources: try and curb traffic.
Pro: may alleviate load, con: may slow response for legitimate traffic if applied w/o scrutiny
- Track down offending source addresses.
Pro: aid in contacting remote ISPs, con: may be impossible due to spoofed source addresses
- Aggressively filter sources: drastic way to try and curb excess traffic.
Pro: may alleviate load, con: may also cut out legitimate traffic
- Close down networking daemons: no-way-out effort.
Pro: reduces load, con: obviously doesn't serve availability
- Notify remote ISP to apply egress filtering.
Pro: may alleviate load, con: depends on ISP service-mindedness so YMMV.
- Notify ISP to apply ingress filtering.
Pro: alleviates load, con: depends on ISP service-mindedness so YMMV.
The ISP may also decide in their wisdom to just kill the pipe for just now.
SANS - Help Defeat Denial of Service Attacks: Step-by-Step: http://www.sans.org/dosstep/index.htm
CERT - Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
NWC - Fireproofing Against DoS Attacks (forms of): http://www.nwc.com/1225/1225f38.html
SANS - ICMP Attacks Illustrated: http://rr.sans.org/threats/ICMP_attacks.php
Xinetd Sensors: http://www.gate.net/~ddata/xinetd-sensors.html
Xinetd FAQ: http://synack.net/xinetd/faq.html
SANS - Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/ddos_roadmap.htm
SANS - Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://rr.sans.org/threats/spoofed.php
SANS - Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation: http://rr.sans.org/threats/understan...nding_ddos.php
Juniper.net - Minimizing the Effects of DoS Attacks: http://arachne3.juniper.net/techcent...te/350001.html
CISCO - Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks: http://www.cisco.com/warp/public/707/newsflash.html
*If any docs don't come through due to registration, bad internet weather, no blood sacrifices having been made to SCSI chains etc etc, just prefix with "http://18.104.22.168/search?q=cache:" to get 'em from the Google cache :-]
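An added example, not from the post above or any of the linked docs: it applies the ingress/egress source-address checks described under "DoS defense" (reserved/broadcast sources, source equal to destination, outside packets claiming an inside source) and then counts bare SYNs per source from tcpdump-style lines, which is what you'd do with the capture saved under "Handle DoS attacks" to track down offending sources. The sample lines, the served network 198.51.100.0/24, the bogon list and the SYN threshold are all constructed assumptions.

```python
"""Added example: ingress-filter checks plus per-source SYN counting over
tcpdump-style lines. Sample data, network and thresholds are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed lines in the shape of "tcpdump -n" output; not a real capture.
SAMPLE_LINES = [
    # a normal handshake from one client (SYN, then the final ACK)
    "12:00:00.000100 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [S], seq 100, win 65535, length 0",
    "12:00:00.000300 IP 203.0.113.7.40001 > 198.51.100.10.80: Flags [.], ack 1, win 65535, length 0",
    # one source sending bare SYNs from changing ports and never completing
    "12:00:00.001000 IP 203.0.113.200.5001 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
    "12:00:00.001010 IP 203.0.113.200.5002 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
    "12:00:00.001020 IP 203.0.113.200.5003 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
    "12:00:00.001030 IP 203.0.113.200.5004 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
    # packets a border ingress filter should never have let in
    "12:00:00.002000 IP 10.0.0.5.6000 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
    "12:00:00.002100 IP 198.51.100.10.80 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
    "12:00:00.002200 IP 198.51.100.77.7000 > 198.51.100.10.80: Flags [S], seq 1, win 1024, length 0",
]

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Assumed: the network we serve; inbound packets must not claim a source in it.
OUR_NET = ipaddress.ip_network("198.51.100.0/24")

# Explicit list of reserved/special ranges (RFC 1918, loopback, link-local,
# multicast, 240/4 which includes the limited broadcast 255.255.255.255).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def filter_reason(src, dst, inbound=True):
    """Return why an ingress (inbound=True) or egress filter would drop the
    packet, or None if the source address is acceptable."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s == d:
        return "source equals destination"
    if any(s in net for net in BOGON_NETS) or s == OUR_NET.broadcast_address:
        return "reserved/private source"
    if inbound and s in OUR_NET:
        return "source claims to be inside our own network"
    if not inbound and s not in OUR_NET:
        return "outbound packet with a foreign source"
    return None


def syn_counts(lines):
    """Count bare SYNs (flag S without the ACK dot) per source address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and "S" in m["flags"] and "." not in m["flags"]:
            counts[m["src"]] += 1
    return counts


def analyse(lines, syn_threshold=3):
    """Return (dropped, suspects): (source, reason) pairs an ingress filter
    would have dropped, and sources sending more than syn_threshold bare
    SYNs among the packets that passed the filter."""
    dropped, kept = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        reason = filter_reason(m["src"], m["dst"])
        if reason:
            dropped.append((m["src"], reason))
        else:
            kept.append(line)
    suspects = {src: n for src, n in syn_counts(kept).items() if n > syn_threshold}
    return dropped, suspects


if __name__ == "__main__":
    dropped, suspects = analyse(SAMPLE_LINES)
    for src, reason in dropped:
        print(f"filter would drop {src}: {reason}")
    for src, n in suspects.items():
        print(f"{src}: {n} bare SYNs, candidate for rate limiting / ISP contact")
```

The threshold here is per sample, not per second; on a real capture you would bucket by the timestamp field first, and a source that exceeds the limit is a candidate for rate limiting rather than an immediate block, for the reason the post gives (legitimate traffic behind a NAT looks the same from the outside).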
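A second added example, again not from the post or its links, for the "Kernel SYN cookies" bullet: a minimal SYN-cookie scheme of the kind Linux uses, where the server encodes a coarse timestamp, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number, so that half-open connections from a flood cost it no memory and the returning ACK can be validated statelessly. The secret, the minute-granularity clock, the 4-entry MSS table and the 4-minute maximum age are assumptions made for the example.

```python
"""Added example: stateless SYN cookies, simplified. Layout of the 32-bit
cookie: 5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash.
Secret, clock granularity, MSS table and max age are assumptions."""
import hashlib
import hmac
import ipaddress
import struct

# Assumed: in a real kernel this is a random per-boot secret.
SECRET = b"constructed-secret-for-the-example"
# Assumed: the few MSS values a cookie can remember, since the real SYN options are gone.
MSS_TABLE = [536, 1300, 1440, 1460]


def _hash24(src, dst, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4s4sHHB",
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed,
                      sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, now_minutes):
    """Build the ISN to send in the SYN-ACK; nothing is stored server-side."""
    t = now_minutes & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry <= offered MSS
        if m <= mss:
            idx = i
    return (t << 27) | (idx << 24) | _hash24(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, ack, now_minutes, max_age=4):
    """Validate the ACK that completes the handshake. Returns the MSS to use
    for the connection, or None if the cookie is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF          # peer acknowledges ISN + 1
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = (now_minutes - t) & 0x1F           # 5-bit counter wraps
    if age > max_age:
        return None
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, t):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed handshake: client 203.0.113.7:40001 -> server 198.51.100.10:80
    isn = make_cookie("203.0.113.7", "198.51.100.10", 40001, 80, 1460, now_minutes=100)
    print("SYN-ACK carries ISN", hex(isn))
    print("ACK one minute later ->", check_cookie("203.0.113.7", "198.51.100.10", 40001, 80, isn + 1, 101))
    print("ACK ten minutes later ->", check_cookie("203.0.113.7", "198.51.100.10", 40001, 80, isn + 1, 110))
```

The trade-off the post's "Tweak ... parameters" bullet hints at shows up here: with only three bits for MSS and no room for window scaling or SACK, connections set up under cookies lose those options, which is why the kernel only falls back to cookies once the SYN backlog is full rather than using them all the time.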