
How to stop a service denial attack before it stops you

Under the gun: Here’s what to do

If you suspect a distributed denial-of-service attack is under way, reconfigure your network for real-time capture of packet traffic, then log the traffic. An intrusion detection system can do this.

Even in a limited data sample, you will likely see either large fragments of improperly formed packets aimed at any server port or large User Datagram Protocol (UDP) packets aimed at a port where no service is listening. You also might see Internet Control Message Protocol (ICMP) debris from large-packet ping commands.

Your local router and firewall can probably discard this garbage and keep it off your main Web servers. But the flood will still crowd out legitimate traffic by using up bandwidth: packets dropped at your router have already crossed your link, and your usable bandwidth is limited by what your routers can handle.

The best place to filter out bad packets is upstream, at your Internet service provider's router, before they cross your main Internet connection. You should have a 24-hour engineering contact at the provider, and keep the phone numbers handy.

Apply filters

A secondary and quicker solution is a traffic-limiting intrusion detection system, but it must be installed before an attack begins; there is no time to deploy one once the flood is under way.

Show the provider your analysis of the attack pattern, then ask for filters on the specific UDP and ICMP traffic your analysis identified.

This should reopen your connection while you work with the provider to try to trace the bad traffic further upstream.
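The analysis step described above, turned into a worked example that is not part of the original article: it reads a short packet-capture sample (constructed records in a simple comma-separated format, as an IDS might export them; the format, the listening-port set, the size limit and the thresholds are all assumptions), classifies each packet into the three categories the article names (fragments, UDP to closed ports, oversized ICMP echo), tallies bytes and sources, and produces the list of specific UDP and ICMP filters to hand to the provider.

```python
"""Summarize a packet-capture sample into a DDoS attack-pattern report.

Hypothetical example (not the article's code): classify captured packets into the
categories the article describes and derive the upstream filters to request.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed: UDP services the server actually listens on (DNS, NTP).
LISTENING_UDP_PORTS = {53, 123}
ICMP_SIZE_LIMIT = 1500   # bytes; echo requests larger than a typical MTU are suspect
FILTER_THRESHOLD = 3     # packets per category/port before a filter is proposed

# Constructed sample records, not real traffic. Columns:
# src,dst,proto,dport,length,frag_offset,mf  (length = size reported by the IDS)
SAMPLE = """\
203.0.113.5,192.0.2.10,udp,31337,1400,0,0
203.0.113.5,192.0.2.10,udp,31337,1400,0,0
203.0.113.6,192.0.2.10,udp,31337,1400,0,0
203.0.113.6,192.0.2.10,udp,31337,1400,0,0
198.51.100.9,192.0.2.10,icmp,0,65000,0,0
198.51.100.9,192.0.2.10,icmp,0,65000,0,0
198.51.100.9,192.0.2.10,icmp,0,65000,0,0
203.0.113.7,192.0.2.10,udp,0,1480,0,1
203.0.113.7,192.0.2.10,udp,0,1480,185,1
203.0.113.7,192.0.2.10,udp,0,1480,370,0
198.51.100.20,192.0.2.10,tcp,443,60,0,0
198.51.100.21,192.0.2.10,udp,53,80,0,0
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "icmp"
    dport: int        # 0 when not applicable (fragments, ICMP)
    length: int       # bytes
    frag_offset: int  # nonzero => non-first IP fragment
    more_frags: bool  # MF flag set => more fragments follow


def parse_record(line: str) -> Packet:
    """Parse one 'src,dst,proto,dport,length,frag_offset,mf' record (assumed format)."""
    src, dst, proto, dport, length, off, mf = [f.strip() for f in line.split(",")]
    return Packet(src, dst, proto.lower(), int(dport), int(length), int(off), mf == "1")


def classify(pkt: Packet) -> Optional[str]:
    """Return the attack category for a packet, or None if it looks legitimate."""
    if pkt.frag_offset > 0 or pkt.more_frags:
        return "fragment"          # fragments: the firewall cannot see ports in them
    if pkt.proto == "udp" and pkt.dport not in LISTENING_UDP_PORTS:
        return "udp-closed-port"   # UDP aimed at a port nothing listens on
    if pkt.proto == "icmp" and pkt.length > ICMP_SIZE_LIMIT:
        return "large-icmp"        # debris from large-packet ping commands
    return None


def analyze(lines):
    """Build the report: counts per category, top sources, bytes, proposed filters."""
    categories, sources, udp_ports = Counter(), Counter(), Counter()
    attack_bytes = 0
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkt = parse_record(line)
        cat = classify(pkt)
        if cat is None:
            continue                       # legitimate traffic is not counted
        categories[cat] += 1
        sources[pkt.src] += 1
        attack_bytes += pkt.length
        if cat == "udp-closed-port":
            udp_ports[pkt.dport] += 1
    # Filters are specific, as the article advises: only ports/types seen repeatedly.
    filters = [f"udp dst port {p}" for p, n in sorted(udp_ports.items()) if n >= FILTER_THRESHOLD]
    if categories["large-icmp"] >= FILTER_THRESHOLD:
        filters.append(f"icmp echo-request length > {ICMP_SIZE_LIMIT}")
    if categories["fragment"] >= FILTER_THRESHOLD:
        filters.append("ip fragments to web servers")
    return {
        "categories": dict(categories),
        "top_sources": sources.most_common(3),
        "attack_bytes": attack_bytes,
        "filters": filters,
    }


def sample_report():
    """Run the analysis over the constructed sample."""
    return analyze(SAMPLE.splitlines())


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The byte total is the figure to compare against your link capacity when deciding how urgently the provider must act; the filter list is what you read to the 24-hour engineering contact. Real captures come from the IDS or tcpdump rather than this constructed format, but the classification rules carry over unchanged.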

The only real way to trace spoofed traffic upstream is to hop from router to router, involving the administrators of each network along the way. This is a lengthy effort.

Generally speaking, distributed denial-of-service attacks die out over time as other sites shut down their compromised servers. The flow gets shut off before the traffic can be traced all the way back to its source.

—Shawn P. McCarthy
