DoS Defensive Strategies

Let’s look at some DoS defensive strategies:

Disabling Unnecessary Services You can help protect against DoS and DDoS attacks by hardening individual systems and by implementing network measures that protect against such attacks.

Using Anti-Malware Real-time virus protection can help prevent bot installations by reducing Trojan infections with bot payloads. This has the effect of stopping the creation of bots for use in a botnet. Though not a defense against an actual attack, it can be a proactive measure.

Enabling Router Throttling DoS attacks that rely on traffic saturation of the network can be thwarted, or at least slowed down, by enabling router throttling on your gateway router. This establishes an automatic control on the impact that a potential DoS attack can inflict, and it provides a time buffer for network administrators to respond appropriately.

Using a Reverse Proxy A reverse proxy is the opposite of a forward or standard proxy. The destination resource rather than the requestor enacts traffic redirection. For example, when a request is made to a web server, the requesting traffic is redirected to the reverse proxy before it is forwarded to the actual server. The benefit of sending all traffic to a middleman is that the middleman can take protective action if an attack occurs.

Enabling Ingress and Egress Filtering Ingress filtering prevents DoS and DDoS attacks by filtering for items such as spoofed IP addresses coming in from an outside source. In other words, if traffic coming in from the public side of your connection has a source address matching your internal IP scheme, then you know it’s a spoofed address. Egress filtering helps prevent DDoS attacks by filtering outbound traffic that may prevent malicious traffic from getting back to the attacking party.

Degrading Services In this approach, services may be throttled down or shut down in the event of an attack automatically in response to an attack. The idea is that degraded services make an attack tougher and make the target less attractive.

Absorbing the Attack Another possible solution is to add enough extra services and power in the form of bandwidth and another means to have more power than the attacker can consume. This type of defense does require a lot of extra planning, resources, and of course money. This approach may include the use of load balancing technologies or similar strategies.

Botnet-specific Defenses

The following are botnet-specific defensive strategies:

RFC 3704 Filtering This defense is designed to block or stop packets from addresses that are unused or reserved in any given IP range. Ideally this filtering is done at the ISP level prior to reaching the main network.

Black Hole Filtering This technique in essence creates a black hole or area on the network where offending traffic is forwarded and dropped.

Source IP Reputation Filtering Cisco offers a feature in their products, specifically their IPS technologies, that filters traffic based on reputation. Reputation is determined by past history of attacks and other factors.