How to prevent a DOS Attack

Hey everyone, while studying for my MCSE I ran across this question and answer and thought it may be of use...

Scenario:
You are the administrator for your company's Windows 2000 domain. On this domain, you have a Windows 2000 Server computer acting as your company's Internet interface. This morning when you came to work, you noticed that you had an unusually long wait time to access resources on your network. You run several tests but cannot seem to find any problems although the access times are incredibly long. When the users come in for work, they immediately start complaining about network performance. You then decide to start checking packets on the network. After investigating the problem, you notice that a denial of service attack has flooded your Internet server with "Destination Unreachable" packets. You want to prevent this from happening again with the least amount of administrative overhead possible. You do not want to prevent legitimate packets from being forwarded.

What should you do?


Answer:
Configure input filters on the Internet server to accept all packets except IP Address 10.0.0.0 with Subnet Mask 255.0.0.0, IP Address 172.16.0.0 with Subnet Mask 255.240.0.0, and IP Address 192.168.0.0 with Subnet Mask 255.255.0.0.

Additional Info:
The intruder floods a server with requests that consume system resources and either cause the server to stop responding or become too busy to process legitimate work. Causing the server to stop responding sometimes provides opportunities to penetrate the system.

Denying Spoofed Packets from Private IP Addresses
Another method of performing denial of service attacks is to flood servers with packets, such as TCP connection request packets, from addresses to which there can be no reply. In these cases, the malicious users spoof, or substitute, the source IP address of the packets with something other than the IP address of the interface on which the packets originated. An easy address to spoof is a private address because a response sent to a private address on the Internet results in an ICMP Destination Unreachable message.
To drop Internet traffic from spoofed private IP addresses, configure input filters on the Internet interface to accept all packets except the following:

- The Source IP Address of 10.0.0.0 with the subnet mask 255.0.0.0.
- The Source IP Address of 172.16.0.0 with the subnet mask 255.240.0.0.
- The Source IP Address of 192.168.0.0 with the subnet mask 255.255.0.0.
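To make the "accept all except" input filter concrete, here is an added Python example (my own illustration, not code from the post or from the MCSE material) that applies the three source-address rules above to a handful of constructed packet headers. It shows the classic mask-based match (source AND mask == network AND mask) and, as a check on the masks themselves, expands each rule into the address range it actually covers, so you can see that 255.240.0.0 on 172.16.0.0 spans 172.16.0.0 through 172.31.255.255 and stops short of 172.32.0.0. The packet list and the IP addresses in it are constructed sample data.

```python
import ipaddress

# Input-filter rules exactly as given in the answer: (network, subnet mask).
# A packet whose source address falls inside any rule is dropped; everything
# else is accepted, which is what "accept all packets except ..." means.
PRIVATE_SOURCE_FILTERS = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]


def ip_to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def matches(addr: str, network: str, mask: str) -> bool:
    """Classic filter match: (addr AND mask) == (network AND mask)."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(network) & m)


def filter_action(src: str, filters=PRIVATE_SOURCE_FILTERS) -> str:
    """Return 'drop' if the source address hits any rule, else 'accept'."""
    for network, mask in filters:
        if matches(src, network, mask):
            return "drop"
    return "accept"


def apply_filters(packets):
    """Evaluate a list of (src, dst) headers; return (src, dst, action) tuples."""
    return [(src, dst, filter_action(src)) for src, dst in packets]


def filter_range(network: str, mask: str):
    """Expand a (network, mask) rule into (first address, last address, prefix length)."""
    net = ipaddress.IPv4Network(f"{network}/{mask}")
    return str(net.network_address), str(net.broadcast_address), net.prefixlen


# Constructed sample packets arriving on the Internet interface (src, dst).
# 203.0.113.10 is a documentation address standing in for the Internet server.
SAMPLE_PACKETS = [
    ("10.1.2.3", "203.0.113.10"),          # spoofed 10/8 source: drop
    ("172.31.255.254", "203.0.113.10"),    # top of 172.16/12: drop
    ("172.32.0.1", "203.0.113.10"),        # just outside 172.16/12: accept
    ("192.168.50.7", "203.0.113.10"),      # spoofed 192.168/16 source: drop
    ("192.169.0.1", "203.0.113.10"),       # outside 192.168/16: accept
    ("198.51.100.25", "203.0.113.10"),     # ordinary public source: accept
]

if __name__ == "__main__":
    for network, mask in PRIVATE_SOURCE_FILTERS:
        first, last, prefix = filter_range(network, mask)
        print(f"drop sources {first} - {last}  ({network}/{prefix})")
    for src, dst, action in apply_filters(SAMPLE_PACKETS):
        print(f"{src:>16} -> {dst:<14} {action}")
```

Running it lists the three blocked ranges and then one accept/drop decision per sample packet. Only the source address is consulted, so legitimate packets from public addresses pass untouched, which is the "do not prevent legitimate packets from being forwarded" requirement in the scenario.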
