First, an investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, callbacks, emails, pages and faxes between the victim organization, its provider and others involved, and this can be a very time-consuming process. The easiest way to survive an attack is to have planned for it. Having a separate emergency block of IP addresses for critical servers, with a separate route, can be invaluable. Under normal circumstances the separate route can be used for load balancing or sharing, and switched to emergency mode in the event of an attack.
Firewalls have simple rules, such as allowing or denying protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls: a firewall cannot prevent such an attack because it cannot distinguish legitimate traffic from DoS attack traffic. Additionally, firewalls sit too deep in the network hierarchy; routers may be affected even before the firewall receives the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding-type attacks from machines behind the firewall.
Application front-end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. It analyzes data packets as they enter the system and then classifies them as priority, regular or dangerous.
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, an IPS that works on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS can detect and block DoS attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.
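To illustrate the distinction drawn above between content recognition and behavior-based detection, here is an added example in Python (not code from the original page): a signature matcher and a per-source rate detector are run over constructed packet records. The signature string, the IP addresses, the window and the threshold are assumptions chosen for the demonstration.

```python
# Added example (not from the original page): a content/signature matcher
# beside a simple behaviour-based (rate) detector, run over constructed
# packet records, to show why a signature-only IPS misses a plain flood.
from collections import defaultdict

# Constructed sample "packets": (timestamp_seconds, src_ip, dst_port, payload).
# One normal client, one source sending 500 identical requests in half a
# second, and one client sending a payload that matches the demo signature.
SAMPLE_PACKETS = [(0.0, "198.51.100.7", 80, "GET / HTTP/1.1")] + [
    (i * 0.001, "203.0.113.9", 80, "GET / HTTP/1.1") for i in range(500)
] + [(0.3, "198.51.100.8", 80, "GET /?q=" + "A" * 64 + " HTTP/1.1")]


def signature_hits(packets, marker="A" * 64):
    """Content-based detection: flags only packets whose payload contains
    the (assumed, demo-only) signature. The flood traffic looks like any
    ordinary request, so it is never matched."""
    return [p for p in packets if marker in p[3]]


def rate_hits(packets, window=1.0, threshold=200):
    """Behaviour-based detection: flags (src_ip, dst_port) pairs that send
    more than `threshold` packets within any sliding `window` seconds."""
    by_key = defaultdict(list)
    for ts, src, dport, _ in packets:
        by_key[(src, dport)].append(ts)
    flagged = set()
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # advance the window start until it lies within `window` of ts
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(key)
                break
    return flagged


if __name__ == "__main__":
    print("signature hits:", [p[1] for p in signature_hits(SAMPLE_PACKETS)])
    print("rate hits:", rate_hits(SAMPLE_PACKETS))
```

Running it shows the signature check flagging only the oversized query while the rate check flags only the flooding source, which is the gap the text describes.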