A filter at the firewall will help shield agency nets from attack

By William Jackson

GCN Staff

Security experts want to stop denial-of-service attacks at their source by encouraging systems administrators to filter outgoing packets at routers and firewalls.

Doing so would not stop a system from being the target of an attack but could prevent it from being used to launch an attack.

Hackers used Trojan horse programs on compromised third-party computers to launch a series of high-profile distributed service-denial attacks in February. Some such programs reportedly have been found on government computers. The attacks are difficult to defend against, but denying hackers clandestine networks from which to flood target sites can slow or halt attacks, according to security experts.

'There is no excuse for government agencies not to protect their systems this way,' said Alan Paller, founder and research director of the SANS Institute of Bethesda, Md.

Check the site

The institute's Web site posts instructions for configuring routers to block outgoing packets that have false, or spoofed, source IP addresses. Also at www.sans.org/dosstep/index.htm are instructions for disabling IP broadcast functions so that routers, desktop PCs and servers can't be used as broadcast amplification sites in an attack.

The fixes are relatively simple to carry out but must be widespread to be effective, Paller said. SANS expects to publish a free tool to test systems for egress filtering.

The availability of inexpensive or free tools to check the fixes will spur 'a groundswell of grassroots testing,' he said.

The first such tool, NetLitmus, was announced recently by the Alliance for Internet Security. Computer security company ICSA.net of Reston, Va., formed the alliance in the wake of February's service-denial attacks.

NetLitmus, available to alliance members as a free download from www.icsa.net, tests to see if packets with improper IP addresses can pass through firewalls and routers.

Denial-of-service attacks flood a target site with large numbers of packets, eventually blocking out legitimate users.

Fake address

The attacker often covers his tracks by using spoofed source IP addresses. Eliminating such attacks probably will require changes in the TCP/IP protocol, said Paul Robertson, a senior developer at ICSA.net.

'The real fix is probably several years off,' Robertson said. 'The immediate fix is to filter traffic leaving networks to make sure it comes from the legitimate IP address range.'

Egress filtering treats a symptom rather than a root cause, but it is effective if enough systems use it, he said.

Alliance members must get a license key to download NetLitmus from the ICSA site. The download creates a bootable diskette from which the program can be run five times. It will work on most 386 and faster PCs.

The user provides IP address information for the network being tested, and the program generates a series of packets with legitimate and phony source IP addresses, aimed at an ICSA collection site.

The site analyzes the packets that get through and tallies a score that tells the user whether filtering is in place and how well it is working.

Systems administrators can use NetLitmus to test configurations; users who do not control the routers that feed data to their PCs can use it to find out if filtering is in place. The goal is to encourage users to pressure their network providers to implement filtering.
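The two checks the article describes, an egress rule that passes outbound packets only when their source address lies in the network's assigned block, and a rule that refuses directed broadcasts so hosts cannot serve as amplifiers, plus a NetLitmus-style tally of how many spoofed probes a filter lets through, as an added simulation in Python. This is not code from SANS, ICSA.net or the NetLitmus tool; the prefixes, the `Packet` records and the scoring fields are constructed assumptions, and the "collection site" is modelled as a list of the packets that survived the filter.

```python
"""Simulated border filter (egress anti-spoofing + directed-broadcast drop)
and a NetLitmus-style score of how well the egress filter is working.

Constructed example, not code from SANS, ICSA.net or NetLitmus.  Packets
are hand-built records, not live traffic; 192.0.2.0/24 (a documentation
range) stands in for an agency's assigned address block.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: this is the block legitimately assigned to the agency.  Any
# other source address on an *outbound* packet is spoofed and is dropped.
LEGIT_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumption: internal subnets behind the border router.  An inbound packet
# addressed to one of their broadcast addresses is a directed broadcast,
# the amplification vector the article says should be disabled.
INTERNAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/26"),
                    ipaddress.ip_network("192.0.2.64/26")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving the agency net, "in" = entering it


def egress_allowed(pkt: Packet) -> bool:
    """Egress rule: an outbound packet passes only if its source address
    is inside the range legitimately assigned to this network."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in LEGIT_PREFIXES)


def directed_broadcast_allowed(pkt: Packet) -> bool:
    """Inbound rule: drop anything addressed to an internal subnet's
    broadcast address so local hosts cannot be used as amplifiers."""
    dst = ipaddress.ip_address(pkt.dst)
    return not any(dst == net.broadcast_address for net in INTERNAL_SUBNETS)


def border_filter(pkt: Packet) -> bool:
    """Combined decision for one packet at the border router."""
    if pkt.direction == "out":
        return egress_allowed(pkt)
    if pkt.direction == "in":
        return directed_broadcast_allowed(pkt)
    raise ValueError(f"unknown direction {pkt.direction!r}")


def egress_score(probes, received):
    """Approximation of the tally the article attributes to the ICSA
    collection site: given the probes sent and those that arrived, report
    whether spoofed probes leaked and what share of them were blocked."""
    spoofed = [p for p in probes if not egress_allowed(p)]
    leaked = [p for p in spoofed if p in received]
    legit_delivered = sum(1 for p in probes if egress_allowed(p) and p in received)
    pct_blocked = 100.0 if not spoofed else 100.0 * (1 - len(leaked) / len(spoofed))
    return {
        "filtering_in_place": not leaked,
        "spoofed_sent": len(spoofed),
        "spoofed_leaked": len(leaked),
        "legit_delivered": legit_delivered,
        "percent_blocked": pct_blocked,
    }


# Constructed probe set: two legitimate sources and three phony ones, all
# aimed at a (fictitious) collection address 203.0.113.5.
PROBES = [
    Packet("192.0.2.10", "203.0.113.5", "out"),    # legitimate source
    Packet("192.0.2.77", "203.0.113.5", "out"),    # legitimate source
    Packet("10.9.8.7", "203.0.113.5", "out"),      # spoofed: RFC 1918 space
    Packet("198.51.100.4", "203.0.113.5", "out"),  # spoofed: another network
    Packet("0.0.0.0", "203.0.113.5", "out"),       # spoofed: invalid source
]


def run_simulation(probes=PROBES):
    """Run the probes through the border filter and score what the
    collection site would see."""
    received = [p for p in probes if border_filter(p)]
    return egress_score(probes, received)


if __name__ == "__main__":
    print("with egress filter:   ", run_simulation())
    print("without egress filter:", egress_score(PROBES, list(PROBES)))
    for dst in ("192.0.2.63", "192.0.2.127", "192.0.2.10"):
        pkt = Packet("203.0.113.9", dst, "in")
        print(f"inbound to {dst}: {'pass' if border_filter(pkt) else 'drop'}")
```

With the filter in place every spoofed probe is dropped and the score reports 100 percent blocked; passing the probe list straight through (the unfiltered case) reports three leaked probes and zero percent blocked, which is the "filtering not in place" verdict a user would take to a network provider. The inbound check drops packets to 192.0.2.63 and 192.0.2.127 (the two subnets' broadcast addresses) while passing ordinary unicast traffic.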
