Protect your net with a filter

SANS' Alan Paller says fixes need to be widespread to improve security.

Prevent attacks by denying access to your computers, SANS Institute says

By William Jackson

GCN Staff

Security experts want to stop denial-of-service attacks at their source by encouraging systems administrators to filter outgoing packets at routers and firewalls.

Doing so would not stop a system from being the target of an attack but could prevent it from being used to launch an attack.

Hackers used Trojan horse programs on compromised third-party computers to launch a series of high-profile distributed service-denial attacks in February. Some such programs reportedly have been found on government computers. The attacks are difficult to defend against, but denying hackers clandestine networks from which to flood target sites can slow or halt attacks, according to security experts.

'There is no excuse for government agencies not to protect their systems this way,' said Alan Paller, founder and research director of the SANS Institute of Bethesda, Md.

Check the site

How to avoid becoming an unwitting host

Apply egress filtering to keep spoofed IP packets from leaving your network:

  • Use your IP address blocks to define valid source addresses for packets leaving your network. Deny egress for all other IP addresses.

  • If the interface IP address on a router connected to an Internet service provider does not appear among your IP address space, be sure to allow packets with that address to leave.

  • If you do not know your IP address space, deny egress to private-network and reserved-source IP addresses. A list of such addresses is available on the SANS Institute's Web site, at www.sans.org.

  • If you use Network Address Translation, perform filtering between the NAT device and your Internet provider.

  • Check the SANS site for detailed instructions about configuring routers from Bay Networks Inc. of Santa Clara, Calif., Cabletron Systems Inc. of Rochester, N.H., and Cisco Systems Inc. of San Jose, Calif.

Stop your network from being used as a broadcast amplification site:

  • Configure routers, desktop PCs and servers so they do not receive or forward directed broadcast traffic.

  • Detailed instructions for configuring Bay and Cisco routers are available on the SANS site. Directions for other systems can be found at users.quadrunner.com/chuegen/smurf.

  • Cabletron's Smart Switch Router, FreeBSD Unix, Windows NT Workstation, and NT Server 3.5 and Server 3.5.1 all can disable directed broadcast traffic by default.

  • Service Pack 4 changed NT 4.0's default behavior for answering broadcast packets. Download the latest NT service packs from support.microsoft.com.

  • Test your network's broadcast behavior by using the ping command to send an Internet Control Message Protocol echo request packet to your network base IP address and broadcast address.
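The sidebar's rules are easier to audit once written as decision logic. The following is an added example, not code from the article, SANS or GCN: it expresses the egress rules (own address blocks, the uplink-interface exception, and the fall-back denial of private and reserved sources) and the directed-broadcast check as plain Python. The address blocks, the uplink address and the sample packets are constructed, and the reserved-range list is our own shorthand for the list SANS publishes.

```python
"""Egress-filter and directed-broadcast decision logic (added example; constructed values)."""
from ipaddress import ip_address, ip_network

# Constructed: the address blocks this organisation legitimately owns.
OWN_BLOCKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]

# Constructed: ISP-facing router interface address that lies outside OWN_BLOCKS.
# Packets sourced from it (routing updates, ICMP) must still be allowed out.
UPLINK_INTERFACE = ip_address("203.0.113.9")

# Our own list of sources that should never leave a network: RFC 1918 private
# space plus "this network", loopback, link-local, multicast and the reserved
# class E block. SANS publishes the authoritative list; this is an assumption.
RESERVED_SOURCES = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_verdict(src, own_blocks=OWN_BLOCKS, uplink=UPLINK_INTERFACE):
    """Rules 1 and 2: permit only sources inside our blocks, plus the uplink address."""
    addr = ip_address(src)
    if uplink is not None and addr == uplink:
        return "permit"
    return "permit" if any(addr in block for block in own_blocks) else "deny"


def egress_verdict_unknown_space(src, reserved=RESERVED_SOURCES):
    """Rule 3 fall-back: when the site's own space is unknown, at least deny
    private and reserved sources. Everything else has to be permitted because
    the filter cannot tell a legitimate source from a spoofed public one."""
    addr = ip_address(src)
    return "deny" if any(addr in block for block in reserved) else "permit"


def is_directed_broadcast(dst, attached_subnets=OWN_BLOCKS):
    """True when dst is the broadcast address (or the all-zeros base address,
    which older stacks also treat as broadcast) of a subnet this router serves.
    Such packets arriving from outside should be neither accepted nor forwarded."""
    addr = ip_address(dst)
    return any(addr in (net.broadcast_address, net.network_address)
               for net in attached_subnets)


# Constructed outbound (src, dst) pairs: a valid host, an RFC 1918 spoof, the
# uplink interface, and a public address just outside our /25 allocation.
SAMPLE_OUTBOUND = [
    ("192.0.2.45", "203.0.113.77"),
    ("10.1.2.3", "203.0.113.77"),
    ("203.0.113.9", "203.0.113.77"),
    ("198.51.100.200", "203.0.113.77"),
]


def filter_log(packets):
    """Run each (src, dst) pair through the egress check; returns audit rows."""
    return [(src, dst, egress_verdict(src)) for src, dst in packets]


if __name__ == "__main__":
    for src, dst, verdict in filter_log(SAMPLE_OUTBOUND):
        print(f"egress {src:>16} -> {dst:<14} {verdict}")
    for dst in ("192.0.2.255", "192.0.2.0", "192.0.2.45", "198.51.100.127"):
        print(f"inbound dst {dst:<16} directed-broadcast={is_directed_broadcast(dst)}")
```

The fourth sample packet is the instructive one: 198.51.100.200 looks like a neighbouring public address but falls outside the /25 the site actually owns, so a filter built from the real allocation denies it while the unknown-space fall-back has to let it through. On a router the same policy becomes an access list applied outbound on the ISP-facing interface, plus disabling directed broadcasts on each LAN interface, which is what the SANS instructions for Bay and Cisco routers cover.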


The institute's Web site posts instructions for configuring routers to block outgoing packets that have false, or spoofed, source IP addresses. Also at www.sans.org/dosstep/index.htm are instructions for disabling IP broadcast functions so that routers, desktop PCs and servers can't be used as broadcast amplification sites in an attack.

The fixes are relatively simple to carry out but must be widespread to be effective, Paller said. SANS expects to publish a free tool to test systems for egress filtering.

The availability of inexpensive or free tools to check the fixes will spur 'a groundswell of grassroots testing,' he said.

The first such tool, NetLitmus, was announced recently by the Alliance for Internet Security. Computer security company ICSA.net of Reston, Va., formed the alliance in the wake of February's service-denial attacks. NetLitmus, available to alliance members as a free download from www.icsa.net, tests to see if packets with improper IP addresses can pass through firewalls and routers.

Denial-of-service attacks flood a target site with large numbers of packets, eventually blocking out legitimate users.

The attacker often covers his tracks by using spoofed source IP addresses. Eliminating such attacks probably will require changes in the TCP/IP protocol, said Paul Robertson, a senior developer at ICSA.net.

'The real fix is probably several years off,' Robertson said. 'The immediate fix is to filter traffic leaving networks to make sure it comes from the legitimate IP address range.'

Egress filtering treats a symptom rather than a root cause, but it is effective if enough systems use it, he said.

Alliance members must get a license key to download NetLitmus from the ICSA site. The download creates a bootable diskette from which the program can be run five times. It will work on most 386 and faster PCs.

The user provides IP address information for the network being tested, and the program generates a series of packets with legitimate and phony source IP addresses, aimed at an ICSA collection site. The site analyzes the packets that get through and tallies a score that tells the user whether filtering is in place and how well it is working.

Systems administrators can use NetLitmus to test configurations; users who do not control the routers that feed data to their PCs can use it to find out if filtering is in place. The goal is to encourage users to pressure their network providers to implement filtering.

Like most tools, those that test for egress filtering can be used for evil as well as good. But neither Robertson nor Paller thinks hackers searching for vulnerable systems will find much value in NetLitmus or similar programs expected to be available soon.

Hackers could use tools such as NetLitmus, 'but they're already doing it with scripts that look at 500 or 600 machines at a time,' Paller said.
