oreilly.comSafari Books Online.Conferences.


Preventing Distributed Denial of Service Attacks
Pages: 1, 2, 3

4. Consider even more tightly controlled firewalls

If you have limited requirements for Internet access, you might consider an even more tightly controlled firewall. For example, you could filter ICMP to broadcast addresses, even from local hosts to help ensure that even if a local host is breached your network cannot be used as an "amplifier." You might also consider deploying firewalls on each local host rather than relying only on filtering in routers and a more network firewall configuration (such as a NAT or masquerade-style configuration, or use of a perimeter network).

5. Be vigilant and observant

You can minimize the damage associated with distributed denial of service attacks by being aware of them soon after they begin. It is important to keep an eye on what is happening on your network and using the logging facilities of the Linux firewall support can help. Use the -l argument on ipfwadm and ipchains rules, and the -j LOG target for iptables commands to cause datagrams matching the rule to be logged to the console. Beware: The host activity caused by this logging can precipitate a denial of service attack all by itself. Fortunately the iptables limit matcher (-m limit) works with logging as well.

The kernel provides a means of logging datagrams suspected to be spoofed IP addresses using:

echo "1" >/proc/sys/net/ipv4/conf/all/log_martians

Staying alert and aware also involves keeping up to date with bugs and exploits that have been discovered and reported by others. The Computer Emergency Response Team (CERT) provides a web site and mailing list designed to keep network and system administrators advised of newly reported security problems. You can find CERT at

6. Communicate with your peers and encourage them to do the same

This is the most important step. Widespread adoption of good security practices can afford reliable and effective protection against distributed denial of service attacks. Make sure you know who the network or security administrator is of your network peers and upstream providers. Talk with them, let them know what you are doing, and encourage them to do the same. When something does happen, you'll be able to quickly gain their support and assistance and work together to solve the problem.

Related Articles:

A New Worm Targets Linux -- Noel Davis shows us the Linux based Adore Worm; buffer overflows in xntpd and ntpd; and vulnerabilities in SharePlex, Ultimate Bulletin Board, Lucent/ORiNOCO Closed Network, Red Hat's OpenSSH, Cisco Content Services Switches, and IPFilter.

Securing Your Apache Server -- Excerpt from Chapter 13 of O'Reilly's book Apache: The Definitive Guide, 2nd Edition. Enable Apache to communicate securely over Secure Sockets Layer (SSL). Covers building, configuring, and securing an SSL-enabled Apache server under Unix.

Also in Linux Network Administration:

Dynamic Address Assignment

Creating Network Diagrams

Exploring the /proc/net/ Directory

Building High Performance Linux Routers

Traffic Shaping

Have a security tip or dilemma? Join the discussion in the O'Reilly Network Linux forum.

Return to the Linux DevCenter


Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: