Chapter 1 Denial of Service

respond to intrusion attempts and block them transforms this system into one known as an intrusion prevention system (IPS).

Another strategy for detecting intrusion attempts is to create a honeypot. A honeypot is a carefully monitored machine or address that is used only to detect attacks. Normal, legitimate traffic is never directed to the honeypot machine, so any traffic that is detected at the honeypot is likely malicious. Thus, by monitoring the honeypot, an IDS can detect when a network intrusion is being attempted. A simple example of a honeypot is an e-mail address created for the sole purpose of collecting spam. Since the e-mail address does not belong to any legitimate recipient, any e-mail that arrives at the address is spam and should be filtered from the rest of the e-mail. Project Honey Pot uses exactly this technique to monitor spammers.[1]

Reacting to DDoS Attacks

Once a DDoS attack is underway, you have several options. You can attempt to block the hosts generating the traffic. Because of spoofing and the large number of hosts used in a DDoS attack, this may be difficult. To block hosts, you must first identify them. If you are running an IDS, you will already have a list of addresses provided by the tool. Otherwise, you have to capture network traffic and analyze it.

To capture network traffic, you can use tcpdump.[2] This is a packet sniffer that can observe and record network traffic on an interface. In the following example, we capture 1,000 packets on interface eth0 and write them to the file record.tcp:

$ tcpdump -c 1000 -w record.tcp -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
1000 packets captured
1000 packets received by filter
0 packets dropped by kernel

An easier way to analyze network traffic is to use a dedicated network traffic analyzer such as Wireshark.[3] Wireshark is available for most platforms and is relatively easy to use. Figure 1.5 shows packets captured using Wireshark.
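Identifying the hosts behind the traffic means counting packets per source in the capture file. As an added example that is not from the book, the following Python parses a libpcap file of the kind tcpdump -w produces, counts packets by IPv4 source address and flags the sources above a threshold; the pcap it reads is a constructed in-memory sample standing in for record.tcp, and the addresses are documentation ranges.

```python
import struct
from collections import Counter

PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order of the file

def ipv4_frame(src, dst):
    """Constructed Ethernet/IPv4/ICMP echo-request frame (for the sample only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # Ethernet header, ethertype IPv4
    sa = bytes(int(o) for o in src.split("."))
    da = bytes(int(o) for o in dst.split("."))
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto (1=ICMP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, sa, da)
    return eth + ip + b"\x08\x00" + b"\x00" * 6            # ICMP type 8 (echo request) stub

def build_pcap(frames):
    """Constructed libpcap file: 24-byte global header, then 16-byte record header + frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)  # snaplen 96, linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

def iter_ipv4_sources(pcap):
    """Yield the IPv4 source address of every Ethernet/IPv4 record in a pcap file."""
    order = PCAP_MAGIC.get(pcap[:4])
    if order is None:
        raise ValueError("not a libpcap file")
    off = 24                                               # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet type 0x0800 and IP version 4; the source address is at IPv4 header offset 12
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
            yield ".".join(str(b) for b in frame[26:30])

def noisy_sources(pcap, threshold):
    """Count packets per source; return the counter and the sources sending more than threshold."""
    counts = Counter(iter_ipv4_sources(pcap))
    return counts, sorted(s for s, n in counts.items() if n > threshold)

# Constructed sample standing in for record.tcp: one host sends 8 echo requests,
# three others send one each (all addresses are documentation ranges).
SAMPLE = build_pcap(
    [ipv4_frame("203.0.113.7", "192.0.2.10")] * 8
    + [ipv4_frame("198.51.100.%d" % i, "192.0.2.10") for i in (1, 2, 3)]
)
```

Running noisy_sources(open("record.tcp", "rb").read(), threshold) on a real capture gives the same per-source counts; the threshold is a local judgement, since a legitimate busy client and a spoofed flood can look alike in a short capture.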
It is also possible to configure some routers to provide this information. Cisco routers, for instance, keep a count of the number of times each rule is matched. In the following, we create one rule to match echo and one to match echo reply (pings):

access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply

Including log-input at the end of a rule will also create a log of matching network traffic; use show log to see it. The show access-list command then displays the number of times each rule has been matched by network traffic.

[1] http://projecthoneypot.org/
[2] While tcpdump is common on UNIX and Linux machines, on Windows you can use WinDump, an open-source clone of tcpdump.
[3] www.wireshark.org/