1. Industry best practices to protect the network against DDoS attacks
Public University
By Marcelo Silva
2. INTRODUCTION
The public university has faced a DDoS attack on its web-based registration system. The network was compromised after password sniffers were deployed; one of them captured an administrator password, and bots were then installed on internal hosts located in the university's computer labs, from which the attacks originated.
Thus, the internal network has proven to be vulnerable, while the university's perimeter network is well protected behind technologies such as a firewall, NIDS and ACLs.
3. How could industry best practices protect the university's network?
1. Implementing a patch management system
2. Deploying internal firewalls and IDS, and creating a DMZ
3. Installing an antivirus solution on all workstations
4. Improving security policies
5. Investing in a security awareness program
A best practice is a method or technique that has consistently shown results superior to those achieved with other means. (Wikipedia, 2013)
4. Implementing a Patch Management System
- Control and fix operating system and application vulnerabilities:
  - Buffer overflow
  - Remote code execution
  - Elevation of privilege
- Automate patch deployment
- Avoid exposing the administrator's password during patch deployment
5. Deploying Internal firewalls and IDS
- Create network segmentation
- Create a demilitarized zone (DMZ) for the web servers
- Filter internal traffic
- Deploy IDS sensors into the internal networks
- Deploy host-based IDS
Many organizations continue to attribute a significant percentage of their corporate "cyber losses" to inside attacks, indicating the need for more robust firewall filtering throughout the enterprise network segments. (Cisco, 2006)
6. Install an Antivirus solution on all workstations
- Deploy antivirus software on all computers
- Protect file systems, Internet browsing and messaging activities (viruses, worms, backdoors, rootkits, trojans)
- Deploy a centralized management system for the antivirus
7. Improving Security Policies
- Limit incoming connections
- Use encryption for network communication
- Minimize remote access (strong authentication, peer-to-peer VPNs)
- Use secure protocols
- Educate users (information security awareness program)
8. References
EC-Council (2010). Ethical Hacking and Countermeasures: Threats and Defense Mechanisms. Clifton Park, NY: EC-Council Press.
Cisco Systems (2006). Deploying Firewalls Throughout Your Organization. Retrieved January 10, 2013, from http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8057f042.pdf
Wikipedia (2013). Best Practice. Retrieved February 8, 2013, from http://en.wikipedia.org/wiki/Best_practice
Speaker notes

Analysis

By using some specific industry best practices we will be able to protect the university network against DDoS attacks, providing:
- Protection for web servers
- An automated system to manage patches
- Protection against password sniffers and keystroke capture
- Protection against social engineering
- IDS and firewalls between internal networks
- Host-based IDS on all workstations
- Antivirus software installed, and kept updated, on all workstations
- Improved security policies that separate regular accounts from administrative accounts

"A best practice is a method or technique that has consistently shown results superior to those achieved with other means." (Wikipedia, 2013) Here we will present some industry best practices to protect the university's network against DoS and DDoS attacks: a system to manage patches and security hotfixes, firewalls between internal networks, and an antivirus solution. The university also has to improve its information security policies and implement a security awareness program to educate both employees and students.

A denial-of-service (DoS) attack is designed to consume resources in order to make services unavailable, either by bringing them down or at least by significantly slowing performance. A distributed denial-of-service (DDoS) attack has the same goal, but the attack originates from multiple sources (hosts/networks) simultaneously. (EC-Council, 2010)
Patch Management System

Control and fix operating system and application vulnerabilities. Some vulnerabilities, such as an elevation of privilege on a SQL Server, could allow an attacker to inject a script into the user's web browser and take action on behalf of a real user. Thus, a patch management system can help an administrator to:
- monitor computers that are running without the authorized and published vendor patches and service packs;
- deploy missing patches on the systems according to their priority level (Critical, Major, Important).

Automate patch deployment. Create automatic tasks that run on a daily basis against the systems and schedule the patch deployment according to the maintenance windows, so that all servers, workstations and network devices such as firewalls, routers and switches are kept updated and fully patched.

Avoid administrators using administrator passwords to deploy patches remotely on the network. Use systems management software such as Microsoft SCCM, LANDesk and VMware Update Manager to deploy patches remotely. This way you avoid unnecessarily exposing the admin password, and you do not have to log in to local servers and workstations. Create the deployment tasks to be run by service accounts instead of administrator accounts; this way the admin password will be less exposed.
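The two administrator tasks named above for slide 4 (find hosts running without the authorized patches, then queue the missing ones by priority level) are shown below as a small compliance report. This is an added example, not code from the original deck or from any of the products it mentions; the host names, patch identifiers (placeholders, not real KB numbers) and the "installed" inventories are constructed sample data.

```python
"""Patch-compliance report: which hosts are missing which authorized patches,
ordered by the priority levels the deck uses (Critical, Major, Important).
Added example; hosts, patch IDs and inventories are constructed sample data."""
from dataclasses import dataclass

# Deployment order: Critical first, then Major, then Important.
PRIORITY_ORDER = {"Critical": 0, "Major": 1, "Important": 2}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    priority: str
    description: str


# Constructed sample: the vendor's authorized and published patch list.
# The IDs are placeholders, not real vendor bulletin numbers.
AUTHORIZED_PATCHES = [
    Patch("KB-PLACEHOLDER-001", "Critical", "Remote code execution in web server"),
    Patch("KB-PLACEHOLDER-002", "Major", "Buffer overflow in image library"),
    Patch("KB-PLACEHOLDER-003", "Important", "Elevation of privilege in print service"),
]

# Constructed sample inventory: the patch IDs each host reports as installed.
INVENTORY = {
    "lab-pc-01": {"KB-PLACEHOLDER-001", "KB-PLACEHOLDER-002", "KB-PLACEHOLDER-003"},
    "lab-pc-02": {"KB-PLACEHOLDER-002"},
    "reg-web-01": set(),
}


def missing_patches(inventory, authorized):
    """Return {host: [Patch, ...]} for every host missing at least one authorized
    patch; each host's list is sorted Critical -> Major -> Important."""
    report = {}
    for host, installed in inventory.items():
        gaps = [p for p in authorized if p.patch_id not in installed]
        if gaps:
            gaps.sort(key=lambda p: (PRIORITY_ORDER[p.priority], p.patch_id))
            report[host] = gaps
    return report


def deployment_queue(report):
    """Flatten the report into (priority, host, patch_id) tuples, highest priority
    first, so a scheduled deployment task works through Critical patches on all
    hosts before touching Major or Important ones."""
    queue = [(p.priority, host, p.patch_id)
             for host, gaps in report.items() for p in gaps]
    queue.sort(key=lambda t: (PRIORITY_ORDER[t[0]], t[1], t[2]))
    return queue


if __name__ == "__main__":
    rep = missing_patches(INVENTORY, AUTHORIZED_PATCHES)
    for host, gaps in rep.items():
        print(host)
        for p in gaps:
            print(f"  {p.priority:<9} {p.patch_id}  {p.description}")
    for item in deployment_queue(rep):
        print(item)
```

A fully patched host (lab-pc-01) never appears in the report, and the queue puts the Critical gap on the registration web server and the lab PC ahead of everything else, which is the ordering the deck asks for.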
"Many organizations continue to attribute a significant percentage of their corporate 'cyber losses' to inside attacks, indicating the need for more robust firewall filtering throughout the enterprise network segments." (Cisco, 2006)

Deploying internal firewalls and intrusion detection systems (IDS):
- Create a demilitarized zone (DMZ) for the university web servers.
- Filter internal traffic: packets from all internal networks, including the computer lab networks, should pass through the firewalls in order to reach the web servers. Implement network ingress filtering to try to prevent traffic with spoofed source addresses. Define rate limiting of network traffic for some protocols, such as ICMP.
- Deploy IDS sensors into the internal networks.
- Deploy host-based IDS: detect suspicious local activity, control binary execution and file changes, and monitor the local systems against the known signatures on the intrusion detection system.
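The two filtering controls just described for the internal firewall between the computer labs and the web-server DMZ (slide 5 and these notes), ingress filtering against spoofed sources and rate limiting of ICMP, are simulated below over a short packet trace. This is an added example, not code from the original deck or from any firewall product; the interface name, the lab prefix, the DMZ address (from the documentation range) and the packet trace are constructed sample data, and the token-bucket parameters are illustrative.

```python
"""Simulate two controls on the lab-to-DMZ firewall:
  1. network ingress filtering (BCP 38 style): a packet arriving on the lab
     interface must carry a source address from the lab prefix, otherwise it is
     treated as spoofed and dropped;
  2. ICMP rate limiting with a token bucket, so an echo-request flood from a bot
     is throttled while an occasional normal ping still passes.
Added example; topology, addresses and the trace are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed topology: the computer-lab subnet sits behind interface "lab0".
INTERFACE_PREFIXES = {
    "lab0": ipaddress.ip_network("10.20.0.0/16"),
}
DMZ_WEB = "203.0.113.10"  # constructed DMZ web-server address


@dataclass
class Packet:
    ingress_if: str
    src: str
    dst: str
    proto: str   # "icmp", "tcp", ...
    t: float     # arrival time in seconds


class TokenBucket:
    """Allow on average `rate` packets per second with bursts of up to `burst`."""
    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def ingress_ok(pkt):
    """Ingress filter: the source must belong to the prefix expected on that interface."""
    prefix = INTERFACE_PREFIXES.get(pkt.ingress_if)
    return prefix is not None and ipaddress.ip_address(pkt.src) in prefix


def filter_trace(packets, icmp_rate=2.0, icmp_burst=3):
    """Return [(packet, verdict)] in time order; verdict is 'pass',
    'drop-spoof' (failed ingress filter) or 'drop-rate' (ICMP over the limit)."""
    bucket = TokenBucket(icmp_rate, icmp_burst)
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.t):
        if not ingress_ok(pkt):
            verdicts.append((pkt, "drop-spoof"))
        elif pkt.proto == "icmp" and not bucket.allow(pkt.t):
            verdicts.append((pkt, "drop-rate"))
        else:
            verdicts.append((pkt, "pass"))
    return verdicts


def count_verdicts(verdicts):
    counts = {"pass": 0, "drop-spoof": 0, "drop-rate": 0}
    for _, v in verdicts:
        counts[v] += 1
    return counts


# Constructed trace: one legitimate web request, one packet with a source
# outside the lab prefix, a 10-packet ICMP burst from a lab host, and a
# normal ping five seconds later.
TRACE = [
    Packet("lab0", "10.20.5.7", DMZ_WEB, "tcp", 0.00),
    Packet("lab0", "198.51.100.9", DMZ_WEB, "tcp", 0.01),
    *[Packet("lab0", "10.20.5.8", DMZ_WEB, "icmp", 0.02 + i * 0.01) for i in range(10)],
    Packet("lab0", "10.20.5.7", DMZ_WEB, "icmp", 5.0),
]

if __name__ == "__main__":
    results = filter_trace(TRACE)
    for pkt, verdict in results:
        print(f"t={pkt.t:5.2f} {pkt.proto:4} {pkt.src:>14} -> {pkt.dst}  {verdict}")
    print(count_verdicts(results))
```

With a bucket of 3 tokens refilled at 2 per second, the first three packets of the burst pass and the remaining seven are dropped, while the ping at t=5.0 finds a refilled bucket and passes; the packet with the off-prefix source is dropped before any rate limiting is considered.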
Antivirus software is a security tool against viruses, worms, malware, backdoors, rootkits and trojans. By installing antivirus software on all university computers, the local computers will be protected from suspicious or unauthorized software running, thus bringing more security to user activities such as Internet browsing and sending/receiving email. Also, in order to monitor and perform engine upgrades and virus signature updates, we will deploy a centralized management system for the antivirus. Therefore the updates will not be left to the user's responsibility.

The public university should enhance its information security policies, establishing procedures such as:
- Use of encryption for network traffic (IPsec/HTTPS/FTPS)
- Encryption and digital signatures for internal email
- Limit the number of incoming connections for specific systems
- Minimize remote access and enforce strong authentication (smartcard / RSA token + Active Directory account)
- Implement peer-to-peer VPNs for administrators
- Educate users by implementing an information security awareness program