Denial of service attack
15 years 10 months ago #28615
by sose
sose
Network Engineer
analysethis.co/index.php/forum/index
Replied by sose on topic Re: Denial of service attack
Antidotes
STOPPING DOS ATTACK
What do you do if you are a victim of DoS?
The only thing you can realistically do here is block the IP addresses that are doing this. You need to be careful, however, that they are not being spoofed, as you could then cause DoS on legitimate traffic coming into your systems. You really need to try and get your ISP to assist in this, as the blocking needs to be done as far away from your link as possible. If you have a 2Mb link and you start to block the DoS traffic, it's not really going to do a great deal if you are getting 2Mb of DoS traffic, because it's still going to come over your Internet pipe to your firewalls before it's blocked; therefore the ISP needs to stop it before it saturates your own links.
There are also techniques to mitigate against these attacks, such as setting embryonic limits on the firewalls that support such a feature, or agreeing a CIR (Committed Information Rate) on your link with your ISP to try and limit ping traffic, etc. going down the link; it's like a QoS on that link. If you are using a Cisco PIX, one can specify a function called emb_lim (embryonic limit), because the attack sets the target host in an embryonic state.
emb_lim (Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections. Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This option does not apply to outside NAT. The security appliance only tracks connections from a higher security interface to a lower security interface. If you set the embryonic limit for outside NAT, the embryonic limit will be ignored.
sose
Network Engineer
analysethis.co/index.php/forum/index
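Added example, not part of sose's post and not Cisco code: a small Python model of the per-host embryonic count described above, showing when a limit like emb_lim would be crossed. The function name, event format, 30-second expiry and sample addresses are all assumptions made for illustration; it models only the counting, not how the appliance implements TCP Intercept.

```python
from collections import defaultdict

def embryonic_alerts(events, emb_lim, timeout_ms=30_000):
    """Return [(time_ms, server_ip, count)] for every SYN that pushes a
    server's embryonic (half-open) count above emb_lim.
    As in the quoted text, emb_lim == 0 means unlimited (never alerts)."""
    # server_ip -> {(client_ip, client_port): time the SYN was seen}
    half_open = defaultdict(dict)
    alerts = []
    for t, client, port, server, flag in sorted(events):
        pending = half_open[server]
        # Assumption: half-open entries age out after timeout_ms.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout_ms]:
            del pending[key]
        if flag == "SYN":
            pending[(client, port)] = t
            if emb_lim and len(pending) > emb_lim:
                alerts.append((t, server, len(pending)))
        elif flag in ("ACK", "RST"):
            # Handshake finished or was reset: no longer embryonic.
            pending.pop((client, port), None)
    return alerts

def sample_events():
    """Constructed sample data (documentation address ranges)."""
    events = []
    for i in range(3):  # clients that complete the handshake
        src = f"192.0.2.{10 + i}"
        events.append((100 * i, src, 40000 + i, "10.0.0.5", "SYN"))
        events.append((100 * i + 50, src, 40000 + i, "10.0.0.5", "ACK"))
    for i in range(8):  # SYNs whose handshake is never completed
        src = f"198.51.100.{i + 1}"
        events.append((1000 + 100 * i, src, 50000 + i, "10.0.0.5", "SYN"))
    return events

if __name__ == "__main__":
    for alert in embryonic_alerts(sample_events(), emb_lim=5):
        print(alert)
```

Completed handshakes never raise the count above one, so only the unanswered SYNs trip the limit; the source addresses of those SYNs are not used for the decision, which matters because, as the post notes, they may be spoofed.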