Defense against Denial of Service > General Advice - Pg. 14

14 Chapter 1 Denial of Service

General Advice

Before we get into the details of defending yourself against a DDoS attack, here are a few pieces of general advice:

· If you are the victim of a DDoS attack, save your traffic logs, record everything you observe, and keep a record of everything you do. This is essential if you intend to work with law enforcement to try to track down the intruder, but it also provides a record you can use after the attack to better understand what happened and how you can better defend your network in the future.

· Keep yourself up to date on DDoS attack methods and defenses. New articles are routinely published and contain trends and other information to help you better plan and update your network defenses.

· Monitor your network for vulnerable systems. Running tools like Nessus and Nmap (see the "Recruitment" section) can help you quickly identify vulnerable systems on your network.

· Routinely scan your machines to make sure that they are not part of a botnet. It will not look good if an attack against one of your competitors is traced back to your machines.

· Enable logging and monitor log files for suspicious activity. There are tools to help you do this, called intrusion detection systems (IDS). These tools can also help you detect an attack and will be discussed in more detail in the section "IDS/IPS Systems."

· Establish a routine for updating, scanning, and monitoring so that these activities are carried out regularly. Organizations such as CERT and SANS publish guidelines on best practices. Make yourself familiar with these.

TIP
The "InfoSec" reading room on the SANS Institute site contains white papers on a variety of topics, including incident handling. See
The CERT Web site has a section for system administrators that includes vulnerability information and freely available tools, including AirCERT, which provides for automated incident reporting. See

WARNING
While it is a good idea to run a tool like Nessus on your own network, you should be careful when configuring a scan to avoid accidentally scanning outside your network. In some cases, your ISP may detect the scan and simply shut down your access. In other cases, like scanning your employer's network, you may receive an unwanted visit from the IT department. Running scanners is typically against network policy; use them on your own network only.
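The advice above to enable logging and watch log files for suspicious activity, and to preserve the traffic logs when an attack does happen, is easy to illustrate on a web server access log. The following is an added example written for this page, not code from the book: it parses Common Log Format lines, keeps a sliding window of request timestamps per source address, and reports any source whose request rate in a window reaches a threshold, then pulls that source's raw lines out unchanged so they can be kept as evidence. The log lines, addresses, the 10-second window and the threshold of 20 are all constructed for the example; a real deployment would tune them to its own baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the Common Log Format used by Apache and nginx access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample log (not from the book): a few normal requests from
    198.51.100.7 and a burst of 30 requests in one second from 203.0.113.5."""
    def line(ip, hhmmss, path="/"):
        return f'{ip} - - [10/Oct/2023:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 612'
    lines = [line("198.51.100.7", f"13:55:3{s}", "/index.html") for s in range(3)]
    lines += [line("203.0.113.5", "13:55:36") for _ in range(30)]
    lines.append(line("198.51.100.7", "13:55:40", "/about.html"))
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "request": m["req"],
        "status": int(m["status"]),
    }


def find_floods(lines, window=timedelta(seconds=10), threshold=20):
    """Sliding-window request counter per source IP.

    Lines are assumed to be in chronological order, as an access log is.
    Returns {ip: peak_requests_in_window} for every IP whose peak reached
    `threshold`, i.e. the sources that look like a flood at this threshold."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = defaultdict(int)      # ip -> highest count seen in any window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip malformed lines instead of crashing
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()           # drop timestamps older than the window
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def evidence_for(lines, ip):
    """Return the raw log lines from one source, unchanged, so they can be
    preserved as-is for post-incident review or for law enforcement."""
    return [ln for ln in lines if (rec := parse_line(ln)) and rec["ip"] == ip]


if __name__ == "__main__":
    flagged = find_floods(SAMPLE_LOG)
    for ip, peak in flagged.items():
        kept = len(evidence_for(SAMPLE_LOG, ip))
        print(f"{ip}: {peak} requests in a 10 s window; {kept} lines preserved")
```

Malformed lines are skipped rather than raising, since a monitor that dies on the first odd line is useless during an attack; the evidence lines are returned verbatim because altering or reformatting logs before handing them over weakens their value as a record.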
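The warning above is about a scan straying outside your own network. One mechanical safeguard is to check every proposed target against the address ranges you actually own before any scanner is started. The following is an added example for this page, not code from the book or from Nessus or Nmap: it uses Python's ipaddress module to accept a target only if the whole address or block lies inside an owned range, so a block that merely overlaps your allocation (and would hit someone else's addresses) is refused. The owned ranges are constructed placeholders (documentation prefixes) to be replaced with your own allocations.

```python
import ipaddress

# Constructed placeholder for the address ranges your organization actually
# owns (documentation prefixes here; substitute your own allocations).
OWNED_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def in_scope(target, owned=OWNED_RANGES):
    """True only if `target` (a single address or a CIDR block) lies entirely
    inside one of the owned ranges. A block that merely overlaps an owned
    range is out of scope, because part of it would reach someone else."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False              # unparseable input is never in scope
    return any(net.version == o.version and net.subnet_of(o) for o in owned)


def check_targets(targets, owned=OWNED_RANGES):
    """Split a proposed scan list into (allowed, rejected) before any scanner
    is invoked; the caller should refuse to run if `rejected` is non-empty."""
    allowed = [t for t in targets if in_scope(t, owned)]
    rejected = [t for t in targets if not in_scope(t, owned)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed list of proposed targets, mixing owned and foreign ranges.
    proposed = ["192.0.2.10", "192.0.2.0/25", "192.0.2.0/23",
                "203.0.113.0/24", "2001:db8:1::5", "not-an-ip"]
    ok, bad = check_targets(proposed)
    print("in scope:", ok)
    print("refused :", bad)
```

The check is deliberately all-or-nothing per target: a block such as 192.0.2.0/23 is rejected even though half of it is owned, because a scanner given that block would also sweep the neighbouring /24.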