Computer science

Computer science

Question

Runa Singh is the network administrator in charge of network security for a medium-sized company. The firm already has a firewall; its network is divided into multiple segments separated by routers, and it has updated virus scanners on all machines. Runa wants to take extra precautions to prevent DoS attacks. She takes the following actions:

1. She adjusts her firewall so that no incoming ICMP packets are allowed.

2. She changes the web server so that it uses SYN cookies.

Now consider the following questions:

1. Are there problems with any of her precautions? If so, what are the problems?

2. What additional steps would you recommend to Runa?

• To defend against the DoS attacks, the first thing to consider is how the attacks penetrate. This is performed by utilizing ICMP packets, which are utilized to transmit error messages on the Internet or are transmitted via traceroute and ping utilities. If the user comprises a firewall, then it must be configured to reject the ICMP packets from outside the user’s network that will be a major step to secure the network from the DoS attacks. As the DoS attacks can be implemented through a wide variety of protocols, the user can also configure the firewall to refuse any incoming traffic at all irrespective of what port or protocol it executes on.  
• The SYN cookie is referred to as a technique utilized to resist specific kinds of DoS attacks and SYN flood attacks. It is a specific option of primary Transmission Control Protocol series numbers by TCP servers. In this technique, the computer system doesn’t instantly develop a buffer space in memory for a handshake process. Instead, it first transmits an SYN+ACK that comprise a carefully produced cookie that is generated as the hash containing the Internet Protocol address, port number, and other data from the client machine requesting the link. When the client replies with the normal ACK, the data from that cookie will be included that the server then verifies. Hence, the system doesn’t fully assign any memory until the 3^rd stage of the handshake process. This helps the system to continue to operate normally. Whereas, the cryptographic hashing utilized in SYN cookies is fairly resourced intensive.

Computer science

Solution & Explanation

• No, there is no problem with any of her precautions because:

1. To defend against the DoS attacks, the first thing to consider is how the attacks penetrate. This is performed by utilizing ICMP packets, which are utilized to transmit error messages on the Internet or are transmitted via traceroute and ping utilities. If the user comprises a firewall, then it must be configured to reject the ICMP packets from outside the user’s network that will be a major step to secure the network from the DoS attacks. As the DoS attacks can be implemented through a wide variety of protocols, the user can also configure the firewall to refuse any incoming traffic at all irrespective of what port or protocol it executes on.  
2. The SYN cookie is referred to as a technique utilized to resist specific kinds of DoS attacks and SYN flood attacks. It is a specific option of primary Transmission Control Protocol series numbers by TCP servers. In this technique, the computer system doesn’t instantly develop a buffer space in memory for a handshake process. Instead, it first transmits an SYN+ACK that comprise a carefully produced cookie that is generated as the hash containing the Internet Protocol address, port number, and other data from the client machine requesting the link. When the client replies with the normal ACK, the data from that cookie will be included that the server then verifies. Hence, the system doesn’t fully assign any memory until the 3^rd stage of the handshake process. This helps the system to continue to operate normally. Whereas, the cryptographic hashing utilized in SYN cookies is fairly resourced intensive.  

• Additional steps to defend against the DoS attacks are:

1. Utilize virus-scanning software and it must be updated.
2. Keep the operating system and software patches up-to-date.
3. Develop a company policy that states that employees cannot download anything onto the system unless the download has been permitted by the IT staff.
4. Utilize the Blackholing method where if the traffic seems to be DoS attack, then the traffic is transmitted to the black hole, which is often performed by Internet service providers.
5. Sinkholes are referred to as the IP addresses that are utilized to analyze the traffic and deny bad packets. The incoming traffic is transmitted to the sinkhole so that it can perform analysis. 

Computer science

Explanation

The simplest and most common kind of attack on the system is the Denial of Service attack. This attack simply tends to prevent legitimate users/clients from accessing the system. It is based on the fact that every device comprises operational limits. Any computer system, network or web server can only manage a finite load. The workload for the computer may be described by the number of clients, speed of the data/information transmission, size of the file or the amount of the information stored. Here, the system is simply overloaded with requests and is made no longer available for the legitimate users attempting to access the system or network.

Reference

Computer Security Fundamentals, By Chuck Easttom, Chapter – 4.