Strategies for Defeating Distributed Attacks

Black Hat via YouTube

Overview

This course aims to teach strategies for defeating distributed attacks. The learning outcomes include understanding IP addressing, basic system administration, attack recognition problems, changing attack patterns, defensive techniques like stateful inspection firewalls and modified kernels, DMZ server recommendations, firewall rules, intrusion detection systems, and spoofed packet defenses. The course employs a lecture-based teaching method. It is intended for individuals interested in cybersecurity, network security, and defending against cyber threats.

Syllabus

Intro
Assume basics • Understand IP addressing • Understand basic system administration
Attack Recognition Problems • Blended "pattern" and "effect" attacks • Sniffing attacks • Decoys and false identification of attack source
Changing Attack Patterns • More large-scale attacks • Better enumeration and assessment of the target by the attacker
Two Basic Distributed Attack Models • Attacks that do not require direct observation of the results • Attacks that require the attacker to directly observe the results
Defensive Techniques Cont. • Minimal ports open • Stateful inspection firewalls • Modified kernels/IDS to look for fingerprint packets
Defensive Techniques Cont. • Limit ICMP inbound to host/destination unreachable • Limit outbound ICMP
DMZ Server Recommendations • Split services between servers • Current patches • Use trusted paths, anti-buffer overflow settings and kernel patches • Use any built-in firewalling software • Make use of built-in state tables
Firewall Rules • Limit inbound to only necessary services • Limit outbound via proxies to help control access • Block all outbound to only necessary traffic
Intrusion Detection Systems • Use only IDSs that can be customized • IDS should be capable of handling fragmented packet reassembly • IDS should handle high speeds
Spoofed Packet Defenses • Get TTL of suspected spoofed packet • Probe the source address in the packet • Compare the probe reply's TTL to the suspected spoofed packet
Late Breaking News • HackerShield RapidFire Update 208

Taught by

Black Hat
