UNCLASSIFIED   Testing and Security Validation   Version 1.0g   UNCLASSIFIED   201

DDoS agents.  For more information, visit:
http://www.iss.net/securing_e-business/security_products/

SAINT gathers information about remote hosts and networks by examining network services such as finger, NFS, NIS, ftp, tftp, rsh commands and other services.  The initial data collection can then be used to investigate any potential security problems.  SAINT can also be configured to examine trust and dependency relationships in the target network; this feature exposes the real security implications inherent in network trust and services.  For more information, including a FAQ, a tutorial and the latest version of SAINT, visit:
http://www.wwdsi.com/saint/index.html

SATAN was designed to help system administrators responsible for the security posture of their systems; it is a tool for investigating the vulnerabilities of remote systems.  SATAN systematically proceeds through a target network probing for common networking-related weaknesses and security problems.  The vulnerabilities discovered are then reported to the user without actually exploiting them.  For each problem found, SATAN offers a tutorial that explains the problem and the potential impact.  SATAN also provides corrective actions including configuration changes, installing vendor bugfixes, or possibly disabling services.  For more information or to download a copy of SATAN, visit the COAST file archive site:
ftp://coast.cs.purdue.edu/pub/tools/unix/satan

6.3.4.  Detecting Attacks

As mentioned in section 6.3.2 above, denial of service attacks are very common on the internet.  IOS access lists can be used to characterize the different packet types and to tentatively identify DoS attacks.
Assume the following access list is applied to interface 14.2.0.20 of router North:

    access-list 102 permit icmp any any echo log-input
    access-list 102 permit icmp any any echo-reply log-input
    access-list 102 permit tcp any any established
    access-list 102 permit tcp any any log-input
    access-list 102 permit ip any any
    interface serial 0
    ip access-group 102 in

This access list does not filter out any traffic, but it does separate the traffic by type.  An analysis of the packets arriving on the serial interface can identify the specific attack being used, a necessary first step in countering DoS attacks.  To see the number of matches for each line in the access list, use the command show access-list 102.  For more information about access lists, consult Section 4.3.

The signature of a smurf attack where router North is the ultimate target would show most of the packets as ICMP echo replies.  If the incoming traffic consists mostly of ICMP echo requests, the attack is probably a smurf attack where North is a reflector.  In a typical smurf attack, the source addresses in the echo reply packets are limited to a few networks; these are the addresses of the reflector sites.
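The analysis described above can be automated by feeding the counters from show access-list 102 and the log-input messages the list generates into a short script.  The following is an added example and is not part of the guide or of IOS; the show access-list output and the %SEC-6-IPACCESSLOGDP syslog lines it works on are constructed samples in the style of IOS output (the addresses and packet counts are invented), the 50% dominance threshold is an assumption of the example, and grouping reflector sources by /24 is this example's approximation of "a few networks".

```python
"""Characterize a suspected DoS flood on router North from IOS access-list
counters and log-input messages, following the approach of section 6.3.4.

Added example, not from the guide.  The 'show access-list 102' output and
the %SEC-6-IPACCESSLOGDP lines below are constructed samples in the style
of IOS output; addresses and packet counts are invented."""
import re
from collections import Counter

# Constructed sample of 'show access-list 102' (newer IOS prints sequence
# numbers in front of each entry; older IOS does not, and both are handled).
SHOW_ACL = """\
Extended IP access list 102
    10 permit icmp any any echo log-input (1532 matches)
    20 permit icmp any any echo-reply log-input (98234 matches)
    30 permit tcp any any established (2211 matches)
    40 permit tcp any any log-input (411 matches)
    50 permit ip any any (35 matches)
"""

# Constructed sample of log-input messages produced by list 102.
# The trailing (type/code) is ICMP type/code: (0/0) = echo reply,
# (8/0) = echo request.
SYSLOG = """\
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 192.0.2.17 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 4100 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 192.0.2.88 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 3987 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 198.51.100.3 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 4205 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 198.51.100.240 (Serial0 *HDLC*) -> 14.2.0.20 (0/0), 3902 packets
%SEC-6-IPACCESSLOGDP: list 102 permitted icmp 203.0.113.9 (Serial0 *HDLC*) -> 14.2.0.20 (8/0), 1 packet
"""

MATCHES_RE = re.compile(r"\((\d+) matches?\)\s*$")
LOG_RE = re.compile(
    r"list (\d+) permitted icmp (\d+\.\d+\.\d+\.\d+) \([^)]*\) -> "
    r"(\d+\.\d+\.\d+\.\d+) \((\d+)/(\d+)\), (\d+) packets?"
)


def parse_counters(show_output):
    """Return {normalized ACE text: match count} from 'show access-list'.

    Sequence numbers and the 'log-input' keyword are dropped so that the
    keys read like the access-list lines, e.g. 'permit icmp any any echo'."""
    counts = {}
    for line in show_output.splitlines():
        m = MATCHES_RE.search(line)
        if not m:
            continue  # list header, or an entry without a match counter
        tokens = line[: m.start()].split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        tokens = [t for t in tokens if t != "log-input"]
        counts[" ".join(tokens)] = int(m.group(1))
    return counts


def classify(counts, threshold=0.5):
    """Name the dominant packet type, using the signatures from 6.3.4.
    The threshold (fraction of all matched packets) is an assumption of
    this example, not a figure from the guide."""
    total = sum(counts.values())
    if total == 0:
        return "no traffic matched"

    def share(key):
        return counts.get(key, 0) / total

    if share("permit icmp any any echo-reply") > threshold:
        return "smurf: North is the target (ICMP echo replies dominate)"
    if share("permit icmp any any echo") > threshold:
        return "smurf: North is a reflector (ICMP echo requests dominate)"
    if share("permit tcp any any") > threshold:
        return "new TCP connections dominate; inspect the TCP log-input entries"
    return "no dominant packet type"


def reflector_networks(syslog, acl="102"):
    """Sum echo-reply packets per /24 source network from log-input messages.
    In a smurf attack these few networks are the reflector sites.  Grouping
    by /24 is this example's approximation of 'network'."""
    nets = Counter()
    for m in LOG_RE.finditer(syslog):
        if m.group(1) != acl or m.group(4) != "0":  # only ICMP type 0
            continue
        src = m.group(2)
        nets[src.rsplit(".", 1)[0] + ".0/24"] += int(m.group(6))
    return nets


if __name__ == "__main__":
    counts = parse_counters(SHOW_ACL)
    for ace, n in counts.items():
        print(f"{n:>8}  {ace}")
    print(classify(counts))
    for net, pkts in reflector_networks(SYSLOG).most_common():
        print(f"reflector network {net}: {pkts} echo replies")
```

Run against live output, paste the router's show access-list 102 text and the relevant syslog lines in place of the constructed samples; the script is read-only and never changes the access list, so it can be run repeatedly while the counters grow.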