CEH

(Jeff_L) #1



Degrading Services In this approach, services may be throttled down or shut down
automatically in response to an attack. The idea is that degraded services make an attack
tougher and make the target less attractive.


Absorbing the Attack Another possible solution is to add enough extra services and
capacity, in the form of bandwidth and other means, to have more power than the attacker
can consume. This type of defense does require a lot of extra planning, resources, and of
course money. This approach may include the use of load balancing technologies or similar
strategies.


Botnet-Specific Defenses


The following are botnet-specific defensive strategies:


RFC 3704 Filtering This defense is designed to block or stop packets from addresses that
are unused or reserved in any given IP range. Ideally this filtering is done at the ISP level
prior to reaching the main network.


Black Hole Filtering This technique in essence creates a black hole or area on the network
where offending traffic is forwarded and dropped.


Source IP Reputation Filtering Cisco offers a feature in their products, specifically their
IPS technologies, that filters traffic based on reputation. Reputation is determined by past
history of attacks and other factors.
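The RFC 3704 filtering described above, as an added example that is not code from the book or the post: a small ingress filter that drops packets whose source address sits in reserved or unallocated ("bogon") space, and, in strict mode at a customer-facing edge, also drops sources outside the prefixes assigned to that customer. The prefix list and the packet sample are constructed for illustration; a real operator's bogon list is an operational choice.

```python
import ipaddress

# Constructed, illustrative list of blocks that should never be a source
# address on traffic arriving from the Internet (loopback, RFC 1918 private
# space, link-local, documentation/benchmark ranges, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon(src_ip: str) -> bool:
    """True if the source address falls inside a reserved/unallocated block."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in BOGON_PREFIXES)

def filter_packets(packets, customer_prefixes=()):
    """Apply RFC 3704-style ingress filtering to (src_ip, dst_ip) tuples.

    Bogon sources are always dropped. If customer_prefixes is given (strict
    mode at a customer edge), sources outside those prefixes are dropped too.
    Returns (accepted, dropped); each dropped entry carries the reason."""
    allowed = [ipaddress.ip_network(p) for p in customer_prefixes]
    accepted, dropped = [], []
    for src, dst in packets:
        addr = ipaddress.ip_address(src)
        if is_bogon(src):
            dropped.append((src, dst, "bogon source"))
        elif allowed and not any(addr in net for net in allowed):
            dropped.append((src, dst, "source outside customer prefix"))
        else:
            accepted.append((src, dst))
    return accepted, dropped

# Constructed sample of packet headers as an edge router might see them.
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.10"),  # documentation range used as spoofed source
    ("10.0.0.5", "198.51.100.10"),     # private space arriving from the Internet
    ("8.8.8.8", "198.51.100.10"),      # ordinary public source
    ("100.64.1.1", "198.51.100.10"),   # shared address space, not in the bogon list
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    for entry in bad:
        print("DROP", entry)
    print("accepted:", ok)
```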


DoS Pen Testing Considerations


When you’re pen testing for DoS vulnerabilities, a major area of concern is taking down
integral resources during the testing phase. The ripple effect of taking out a file server
or web resource can be pretty far reaching, especially if bringing the system back online
proves challenging after a successful DoS test attack. As with all pen testing activities, an
agreement between the tester and the client should explicitly define what will be done and
the client’s timeframe for when the testing will occur. Also, as always, documenting every
step is crucial in every part of the process.


Summary


In this chapter you learned that a denial-of-service attack involves the removal of availability
of a resource. That resource can be anything from a web server to a connection to the
LAN. DoS attacks can focus on flooding the network with bogus traffic, or they can
disable a resource without affecting other network members. We also discussed buffer
overflow, which pushes data beyond the normal memory limit, thereby creating a DoS
