QDN: Urgent Request For Help In Stopping DOS Attacks

Urgent Request For Help In Stopping DOS Attacks

Mar 29, 2000 | Q

Yesterday, I received the following email from Alan Parker, of the SANS Institute. It is a plea for network admins to tighten up their routers; routers with lax security and network permissions are the prime candidates responsible for many of the denial-of-service attacks that we’ve all read about in the news lately.

If you’re a network admin, or have responsibility for even one single router (this includes cable and DSL “modems”, which are actually routers), please read this. If you don’t have the capability to configure your own cable or DSL modem, call your provider and talk to them about this.

Only by making these security precautions standard practice will we make these DOS attacks go away.

Received: from wodc7mr3.ffx.ops.us.uu.net by wodc7ps1.ffx.ops.us.uu.net with
ESMTP

(peer crosschecked as: wodc7mr3.ffx.ops.us.uu.net [192.48.96.19])

id QQiion24397

for <mail02675@vpop0-alterdial.uu.net>; Wed, 29 Mar 2000 06:25:37 GMT

Received: from server1.SANS.ORG by wodc7mr3.ffx.ops.us.uu.net with ESMTP

(peer crosschecked as: server1.sans.org [167.216.133.33])

id QQiion26517

for <jlevine@si.timeinc.com>; Wed, 29 Mar 2000 06:25:36 GMT

Received: by server1.SANS.ORG (rbkq) id QDL93241

for jlevine@si.timeinc.com; Tue, 28 Mar 2000 23:23:57 -0700 (MST)

Date: Tue, 28 Mar 2000 23:23:57 -0700 (MST)

Message-Id: <200003285226.QDL93241@server1.SANS.ORG>

From: The SANS Institute <sans@sans.org>

Subject: SANS Flash: Urgent Request For Help In Stopping DOS Attacks

Precedence: bulk

Errors-To: bounce@sans.org

To: Jason Levine (SD442238) <jlevine@si.timeinc.com>

X-UIDL: 8f015324c05b74c7454a646292daf198

Status: U

To: Jason Levine (SD442238)

From: Alan Paller, Research Director, The SANS Institute

This is an urgent request for your cooperation to slow down the wave of denial of service attacks?

As you may know, denial of service (DOS) attacks are virulent and still very dangerous. These are the attacks responsible for the many outages reported recently in the press and others that have been kept more secret. DOS attacks are a source of opportunities for extortion and a potential vehicle for nation-states or anyone else to cause outages in the computer systems used by business, government, and academia. DOS attacks, in a nutshell, comprise a world-wide scourge that has already been unleashed and continues to grow in sophistication and intensity.

One effective defense for these attacks is widely available and is neither expensive nor difficult to implement, but requires Internet-wide action; that’s why we’re writing this note to request your cooperation.

The defense involves straightforward settings on routers that stop key aspects of these attacks and, in doing that, reduce their threat substantially. These settings will not protect you from being attacked, but rather will stop any of the computers in your site from being used anonymously in attacking others. In other words, these settings help protect your systems from being unwitting assistants in DOS attacks, by eliminating the anonymity upon which such attacks rely. If everyone disables the vehicles for anonymity in these attacks, the attacks will be mitigated or may cease entirely for large parts of the net.

The simple steps can be found at the SANS website at the URL http://www.sans.org/dosstep/index.htm and will keep your site from contributing to the DOS threat. Tools will soon be publicly posted to determine which organizations have and have not protected their users and which ones have systems that still can be used as a threat to the rest of the community.

More than 100 organizations in the SANS community have tested the guidelines, which were drafted by Mark Krause of UUNET with help from security experts at most of the other major ISPs and at the MITRE organization. The testing has improved them enormously. (A huge thank-you goes to the people who did the testing.)

We hope you, too, will implement these guidelines and reduce the global threat of DOS attacks.

We also urge you to ask your business partners and universities and schools with which you work to implement these defenses. And if you use a cable modem or DSL connection, please urge your service provider to protect you as well.

As in all SANS projects, this is a community-wide initiative. If you can add to the guidelines to cover additional routers and systems, we welcome your participation.

Alan

Alan Paller

Director of Research

SANS Director of Research

sansro@sans.org

301-951-0102