User's Manual

Solaris 9 Security CX-310-301 36
Preventing DoS Attacks
Some DoS attacks can be prevented fairly easily, whilst for others there is little protection. The following
points can be used to assist with stopping some of the attacks listed in the previous section:
• TCP SYN and Ping of Death attacks use ICMP messages. If you have a firewall installed, then
restrict or disable the use of ICMP through the firewall rules. You can also run an
Intrusion Detection System, such as Courtney, to detect unusual amounts of activity.
• Smurf attacks rely on replies being sent to broadcast ICMP messages. You can either disable the
use of ICMP on your firewall, or specifically stop your system from responding to broadcast
requests. Do this by setting the following tunable parameters:
    # ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    # ndd -set /dev/ip ip_forward_directed_broadcasts 0
• Fork bombs can have their effect reduced by setting the maximum number of user processes to a
specified value. This is done by setting maxuprc to, say, 75 in /etc/system, which would not
allow a user to have more than the specified number of processes. It prevents any single user
from using up all the available processes on a system.
• You can stop a user from using up all of the disk space by installing quotas on the relevant
filesystems.
• Use of the ulimit command can stop users from hogging system resources.
• For the example of backing up to a file instead of the intended backup device, put the backup
procedure into a script to remove human error.
• Monitor disk space regularly or, better still, install a network management system such as HP
OpenView or BMC Patrol, so that you get early warning of filesystems filling up.
• For system log files, ensure that you have a regular log rotation strategy that is suitable for your
site and the amount of information being logged. From Solaris 9, the logadm utility exists for this
purpose.
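The following audit script is an added example, not part of the original study guide: it checks the two /dev/ip tunables and the maxuprc setting listed above and reports which ones still need hardening. It assumes ndd lives at /usr/sbin/ndd and that /etc/system uses the "set maxuprc = N" syntax; where ndd or /etc/system are absent (a non-Solaris host), constructed sample values stand in so the checks still run.

```shell
#!/bin/sh
# Added audit script (not from the original guide) for the DoS settings above.
# ndd is used only where it exists; otherwise constructed sample values stand in.

# Constructed sample /etc/system, assuming the "set maxuprc = N" syntax.
SAMPLE_ETC_SYSTEM='* Limit per-user processes (fork bomb mitigation)
set maxuprc = 75
set rlim_fd_max = 1024'

# Print the maxuprc value from an /etc/system text, or nothing if unset.
get_maxuprc() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*set[[:space:]]*maxuprc[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Read one /dev/ip tunable: real ndd on Solaris, else a constructed value
# (echo_broadcast left at its permissive default of 1 to show a failure).
get_ip_tunable() {
    if [ -x /usr/sbin/ndd ]; then /usr/sbin/ndd -get /dev/ip "$1"; return; fi
    case $1 in
        ip_respond_to_echo_broadcast)   echo 1 ;;
        ip_forward_directed_broadcasts) echo 0 ;;
        *)                              echo "" ;;
    esac
}

# Compare a tunable with its hardened value; print PASS/FAIL, return 0/1.
check_ip_tunable() {
    actual=$(get_ip_tunable "$1")
    if [ "$actual" = "$2" ]; then echo "PASS $1=$actual"; return 0; fi
    echo "FAIL $1=$actual (expected $2; fix: ndd -set /dev/ip $1 $2)"
    return 1
}

# Run every check in this section; exit status is the number of failures.
audit_dos_settings() {
    failures=0
    check_ip_tunable ip_respond_to_echo_broadcast 0   || failures=$((failures + 1))
    check_ip_tunable ip_forward_directed_broadcasts 0 || failures=$((failures + 1))
    if [ -r /etc/system ]; then sys=$(cat /etc/system); else sys=$SAMPLE_ETC_SYSTEM; fi
    m=$(get_maxuprc "$sys")
    if [ -n "$m" ]; then echo "PASS maxuprc=$m"
    else echo "FAIL maxuprc not set in /etc/system"; failures=$((failures + 1)); fi
    return "$failures"
}
```

Run audit_dos_settings on the Solaris host after applying the ndd settings and the /etc/system change; a non-zero exit status counts the settings still at their permissive values.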
How DoS Attacks Execute
Network DoS attacks can be executed remotely from another system or host out on the Internet. They
require only that the attacker knows the address to send the attack to, which in most cases can be found
out very easily. The attacker then modifies the packet to be sent; in the case of a smurf attack, this means
making the target system the address to reply to. For attacks like ping of death, it is the action of sending
large numbers of packets with much larger than expected amounts of data that makes the attack succeed.
Note that Solaris Sparc systems are not vulnerable to ping of death, but Solaris x86 systems are.
Most host-based DoS attacks will involve a malicious piece of code being installed on the target system,
which means that the attacker must have gained access to the system in order to install the program. Once
installed, the program can be triggered to execute either when a certain condition is encountered, or for
example, after a specified time has elapsed.