Help Defeat Distributed Denial of Service Attacks: Step-by-Step

---

Organizations that operate networks connected to the Internet may be serving as unwitting participants in Denial of Service (DoS) Attacks like those that hit many organizations in early February, 2000.

You can act now to reduce the chances that your network could be used to damage other networks if you implement the following two steps:

• Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network
• Stop Your Network from Being Used as a Broadcast Amplification Site

Step1: Egress Filtering to Stop Spoofed IP Packets from Leaving Your Network

Step 1.1: Deny Invalid Source IP Addresses

All organizations connected to the Internet should only allow packets to leave their network with valid Source IP Addresses that belong to their network. This will minimize the chance that your network will be the source of a Spoofed DoS Attack. This will not prevent Distributed DoS attacks coming from your network with valid source addresses.

In order to implement this you will need to know the IP network blocks that are in use at your site. If you do not know this information at this time, then please skip to Step 1.2, and come back to this step once you have that information.

Preventing Spoofed Source IP Address traffic can be accomplished with filtering on routers, firewalls, and hosts. Here is a generic example of what the filter needs to look like.

Permit Your Sites Valid Source Addresses to the Internet. Deny All Other Source Addresses.

On the router(s) connected to your ISP(s), if the interface IP address on the link connecting to the ISP is not out of one of your site's IP blocks, you should also permit packets with the interface IP address.

For detailed instructions on implementing this filtering please select the platform that you are using from the list in the "Step One: Detailed Directions" section below.

Step 1.2: Deny Private & Reserved Source IP Addresses

This step is not necessary if you were able to fully complete Step 1.1.

If you are unsure what address space is in use at your site, then you should at least deny Private () and Reserved Source IP Addresses.

If you are using Network Address Translation (NAT), you need to make sure that you perform this filtering between your NAT device and your ISP, and you should also verify that your NAT device configuration only translates address used and authorized for your internal address space.

Denying Private and Reserved Source IP Addresses can be accomplished with filtering on routers, firewalls, and hosts. Please select the platform that you are using from the list in the "Step One: Detailed Directions" section below.

Step 1: Detailed Directions for Egress Filtering

Step2: Stop Your Network from Being Used as a Broadcast Amplification Site

Step 2.1: Disable IP Directed Broadcast on all Systems

Detailed directions for doing this are available for the following systems.

The following systems have Directed Broadcast disabled by default. However, these systems may have a way to turn this behavior back on. Please select the link for your platform for information on making sure that the system is in the default state, and does not allow directed broadcasts.

• FreeBSD

Step 2.2: Test your network to determine if it is an amplification site.

To test your network to see if it is acting as an amplification site you can use the "ping" command to send an ICMP Echo Request packet to the Network Base IP Address of your network(s) and the Broadcast IP Address of your network(s).

You will need to know your Network Base IP Address and your Broadcast IP Address. You may find the helpful in determining these addresses for your network.

From a machine on the Internet side of your router (i.e. off your site) ping both the Network Base Address (x.x.x.0 for a /24 aka Class C) and the Broadcast Address (x.x.x.255 for a /24 aka Class C) of an internal subnet with a number of machines on it.

Please select from the following list of operating systems for detailed instructions on using the ping command and analyzing the output to determine if your network is a Broadcast Amplification site.

Please be aware that these sites are operated by independent third parties, and that you should use them at your own risk. If your site is in really poor shape it may get added to a "blacklist" that can then be used by attackers to identify your site as a good broadcast amplification site. Because of this you are strongly encouraged to self test with the ping commands listed above first.

Step 2.3: Require that Vendors Disable IP Directed Broadcast by Default

When you purchase new systems, require that the vendor disable receipt and forwarding of directed broadcast packets as specified in .

From RFC 2644:

A router MAY have a configuration option to allow it to receive directed broadcast packets, however this option MUST be disabled by default, and thus the router MUST NOT receive Network Directed Broadcast packets unless specifically configured by the end user.

A router MAY have an option to enable receiving network-prefix- directed broadcasts on an interface and MAY have an option to enable forwarding network-prefix-directed broadcasts. These options MUST default to blocking receipt and blocking forwarding of network-prefix-directed broadcasts.

Based on this you should be asking your vendors to ship systems with Directed Broadcast disabled by default. At the very least the vendor should provide a mechanism to disable Directed Broadcasts.

Some vendors already disable IP directed broadcast by default in the latest versions of their software, but many do not. Please help educate these other vendors by pointing them to .

Credits: