How to ? :)

Hello to all !

I have 2 question's.
Do you know some method's to stop DDOS ? I mean to protect yourself in face of DDOS ?
How do you catch those user's in our network ( if you are a network admin ) , if they do Arp spoofing ?

Can anyone help me , with those ?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

blackzone

If you give an example of how you did a DDOS attack step by step, I'll try to see if I can find a solution.

For arp poisoning, you can probably use static arp entry.

Type "man arp" on linux, or "arp" under window for more detail

p.s. I dont' know anyway of spotting spoofing.

sprkymrk

!30 wrote:

Do you know some method's to stop DDOS ? I mean to protect yourself in face of DDOS ?

Usually it has to be blocked at the ISP level if it's a true DDOS. You can stop a DOS (if it is a network based DOS coming from outside your network perimeter) by making a simple ACL on the fly to drop the offending packets. It may still kill your bandwidth though, if it is already flooding a T-1 line (or T-3, or whatever), then dropping the packets at your own front door isn't going to help much. That's why it usually needs to be done at the ISP level, where the pipes ar bigger.

!30 wrote:

How do you catch those user's in our network ( if you are a network admin ) , if they do Arp spoofing ?

Static arp works well enough in a small environment with linux machines, but static arp entries (believe it or not) can be over written by flooding a Windows machine with bogus arp entries. Not sure if this got fixed in W2K3 R2.

There are no defences built into arp itself, though. Other defences would be to use IPSec to establish a security association between peers. Using static mac entries on switches can help too (sometimes called port security, or sticky ports). Arpwatch is another option, but you need to configure a port on the switch to use mirroring.

There are tools that let you scan your network for nics running in promiscous mode, which generally means they are running a sniffer, possibly after poisoning the arp on a switch to see more traffic.

You can also configure a network IDS to alert you to the possibility of arp poisoning, it watches for a lot of bogus "who has w.x.y.z, tell a.b.c.d" traffic.

!30

Could you give me an example of tool's which catch nics running in promiscous mode ? for spoofing .. you mention about them

sprkymrk

Here is one for MS networks:
http://support.microsoft.com/?kbid=892853

Danman32

You can't really stop a generic DOS/DDOS any more than you could stop someone (or group of people) from approaching your house and blocking you from coming out or from someone legit to come in by yourself.

Specific means of DOS/DDOS can be prevented from succeeding or lessen its impact by dropping the packet as soon as you can determine it is illegitimate. Even then though, if bad packets came in fast enough, they would displace the wanted packets.