Ddos Prevention Best Practices
To begin with, system hardening should be implemented on all University workstations, and especially the Web servers. This means turning off any unused services, closing all ports except those that are specifically needed for the operating roles of the servers, and ensuring that an anta;plus solution Is in place and regularly updated. Additionally, a strong patch management policy and procedure should be used to keep University computing assets up to date.
This is to help prevent the exploitation of newly discovered vulnerabilities, and is part of the hardening process. All publicly available services, such as Web facing servers, DNS servers, and application servers, should be separated from private university resources. The separation should include enclosing the public servers in a DMZ. The DMZ should have firewalls in place on both sides of the network, to protect from external threats, and Internal ones. This separation also Isolates the servers from the rest of the network, in the event one of them is compromised.
Furthermore, PLANS should be implemented to break up broadcast domains, and IP subletting used to control outwork traffic, further isolating the public systems from the internal network devices. Also, A split DNS scheme that consists of an external DNS server separate from an Internal DNS server can help limit the Impact of DNS Dos style attacks. Network Address Translation (NAT) should remain in place, as it also has the effect of hiding the internal network from the Internet. Moreover, the blocking of IGMP or ping attempts should be blocked, at least externally, so that attempts to Identify systems from the Internet are reduced.
As part of capacity planning, consideration should be made to plan for excess. This should help to absorb any Dodos attacks by having plenty of resources to maintain network operations. This Includes having more than adequate switch and router bandwidth, CAP]. And frame/packet processing ablest. Additional consideration should be made to use different Internet Service Providers (ISP) for redundant connections. In the event of an attack, this has the benefit of having alternate paths to the Internet, providing redundancy and load sharing.
When upgrading or replacing network equipment, anta-DoS capable devices should be carefully evaluated and selected. Intrusion Detection/Prevention Systems (DIPS) should be deployed, with the emphasis on prevention at the network perimeter. An inline device will be more effective placed behind the external facing firewall. The firewall is configured to allow only traffic that Is desired, blocking all other traffic, while the DIPS Is designed to block specific traffic and allow the rest. An DIPS device that uses both signature- 1 OFF positives, and therefore a better chance of detecting attacks.
The DIPS device should be capable of sending alerts via email, SMS, and pager communication methods to Taft. The DIPS should also be configured to alter the firewall filtering rules on the fly, in the event an attack is occurring. A period of fine tuning is necessary to reduce false positives, and ensure information is not lost due to miscommunication. Ingress and egress filtering needs to be implemented. This involves configuring the firewalls to block unreliable IP addresses as specified in RFC 1918, using Access Control Lists (Calls).
This will help prevent IP address spoofing, and computing assets from being used to attack other organizations outside the University IP address pace. Egress filtering should only allow IP addresses to leave the University that fall within the range of allocated addresses. Log monitoring and review of all network and server devices should be performed regularly. In addition, IT staff should be alerted when suspicious activity or events are detected. For instance, repeated failed attempts to access a network device might indicate a password hacking attack. Performance baselines of essential network and server equipment needs to be documented.
This will provide a metric of network utilization under normal operating conditions. Excessive use of resources above equipment baselines might indicate a Dodos attack. Also, establishing a performance baseline will aid in capacity planning and provide data for scalability and growth planning. A honesty with relaxed security should be installed. Its purpose is to draw hackers away from actual University computing assets by providing an easier target. It needs to be completely isolated from all other critical assets. The honesty should also be monitored, as data obtained from attacks can be used to shore up the rest of the network.
An Incident Response Plan (RIP) needs to be drafted and provided to all University administrative staff. Potential items in the plan should include Points of Contacts (POCK), and handling procedures if an attack is suspected. In conjunction with the RIP, an Emergency Response Team (RET) comprised of senior network and information security personnel, as well as members of the management team, should formalized. This team will be tasked with the responsibility as first responders to an attack. The RET should also have a Plan of Action (POP) more detailed than the RIP.
Items in this Lana should include detailed network documentation, disaster recovery plans, any business continuity plans, ISP support numbers, etc. The combined effect of all of the measures previously described, will significantly lessen the impact of a Dodos attack. By no means is this document complete, and should be considered as a living document. As new threats emerge, additional or even different methods may be required to be put in place. Technology also improves over time, therefore a periodic review of the practices described should be conducted, and this document adjusted accordingly.
