linux, säkerhet

4788281 2000-02-12  00:34  /84 rader/ Postmaster
Mottagare: Bugtraq (import) <9747>
Ärende: Re: DDOS Attack Mitigation
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000211152800.U12832@securityfocus.com>
Date:         Fri, 11 Feb 2000 15:28:00 -0800
Reply-To: Elias Levy <aleph1@SECURITYFOCUS.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Some updates and suggestions made by others to my earlier comments.

Egress Filtering
----------------

Chris Brenton <cbrenton@sover.net> reminded us of the flip coin of
ingress filtering, egress filtering. It can be used by networks
connecting to the Internet to make sure they are not a source of
spoofed packets.

You can find information about it at:
http://www.sans.org/y2k/egress.htm


Spoofed Packet Tracing
----------------------

Chris also pointed out a presentation by Robert Stone from UUNET given
at NANOG on CenterTrack. CenterTrack is an overlay network that allows
you easily determine the ingress network edge router of packets.
This makes it easy to track down the source of spoofed packets.
You can find the presentation slides at:
http://www.nanog.org/mtg-9910/robert.html

Network Auditing Tools
----------------------

David Brumley <dbrumley@rtfm.stanford.edu> pointed out the is at
least one other free scanning tool called RID that will detect the
presence of Trinoo, TFN, or Stacheldraht clients. You can find this
tool at: http://theorygroup.com/Software/RID/

Axent has released an updated test for NetRecon to find hosts with
DDOS agents.
http://www2.axent.com/swat/News/nr30su1.htm

ISS's Internet Scanner 6.01 will find hosts with DDOS agents.


Intrusion Detection
-------------------

Axent has released an updated signature for NetProwler to detect
DDOS attacks and communication with the DDOS agents.
http://www2.axent.com/swat/3download_np.htm

ISS's RealSecure 3.2.1 will detect DDOS attacks and communication to
with the DDOS agents.


The Obvious
-----------

Secure your machines. It won't stop you from being a victim of a DDOS
attack but it will stop someone using you as a launching point for
the attacks. You may be found liable if someone uses your network and
hosts to attack someone else.


Snake Oil
---------

You should also be aware the are a number of companies out there
that claim to have solutions to DDOS attacks that they will happily
sell you. You should be skeptical of anyone peddling a "silver bullet"
solution. Caveat emptor.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
(4788281) ------------------------------------------(Ombruten)