FRAMINGHAM (03/06/2000) - There is no defense against a denial-of-service attack. Just ask your security staff. They'll hem and haw and mention some products you can buy. But then you'll start hearing terms right out of the Vietnam War: "mitigate losses" and "acceptable casualty rate." If you're connected to a public network like the Internet, some bad guy will be able to devise a way to deny you service. Distributed denial-of-service attacks, in which hackers use hundreds or thousands of unwitting third-party systems to do their dirty work, are just a further iteration in the battles.
There are, however, ways of reducing your chances of becoming either an attack victim or an unwitting dupe used to attack someone else. I'm assuming you already have a firewall and security policy of some sort and regularly scan your systems for known vulnerabilities. In addition, here are four steps you can take to help make the Internet a safer place:
Get your ISP to help. ISPs have a huge amount of power to cut down these attacks, but most are too lazy or ignorant to do anything. Put pressure on your ISP to add filters or access lists that restrict packet source addresses to all customer interfaces. In addition, your ISP may have suggestions for configuring your on-site router to practice safer networking - restricting you from acting as a packet amplifier, for example. If your ISP gives you a blank stare, change ISPs. The stupid ones don't deserve to survive.
Keep your test systems off-net. You undoubtedly have some boxes that are in test mode and haven't had their security configuration fully locked down. These are the systems most likely to be compromised because no one is paying attention to them. Put these boxes behind some sort of very simple firewall, access list, filter or network address translation box. You don't need total protection; you simply want to block incoming connections to them. If they can't be hit, they can't be compromised.
Don't deceive yourself about your inconspicuous nature. Script Kiddies look for systems by the thousands to compromise using random IP addresses. Just because you're small and obscure doesn't make you any less a target. At Opus One, we see port scanners come through daily, looking at addresses that have no Domain Name System entries and haven't been used for years. If they can find those addresses, they can find yours. This means you must pay attention to all parts of your network - not just the obvious servers, but anything which can be seen from the Internet.
Talk to your telecommuters. Joe DSL and Jane Cablemodem are now the No. 1 candidates for a break-in - they're always on, have high-speed lines and probably don't pay much attention to security configuration at home. They are an accident waiting to happen. Invest in inexpensive small office/home office firewalls from vendors such as Netscreen and Sonicwall. Break-ins to home systems can spread throughout the corporate network like wildfire, and a little prevention here can save you major headaches later.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.