4.3 What about denial of service?
Denial of service is when someone decides to make your network or
firewall useless by disrupting it, crashing it, jamming it, or
flooding it. The problem with denial of service on the Internet is
that it is effectively impossible to prevent. The reason has to do with
the distributed nature of the network: every network node is connected
via other networks, which in turn connect to other networks, and so on.
A firewall administrator or ISP only has control of a few of the local
elements within reach. An attacker can always disrupt a connection
"upstream" from where the victim controls it. In other words, if
someone wanted to take a network off the air, they could do it either
by taking the network itself off the air, or by taking the networks it
connects to off the air, ad infinitum. There are many, many ways
someone can deny service, ranging from the complex to the brute-force.
If you are considering using the Internet for a service which is
absolutely time or mission critical, you should consider your
fall-back position in the event that the network is down or damaged.

One case you can fix yourself: the UDP echo service (port 7) is
trivially abused to get two servers to flood a network segment with
echo packets. A single datagram forged to look as though it came from
host A's echo port, sent to host B's echo port, is answered by B, and
that answer is in turn answered by A, so the two hosts keep bouncing
the packet between them indefinitely. The same trick works with
chargen (port 19), which answers every datagram with a burst of data.
You should consider commenting out unused entries in /etc/inetd.conf
on Unix hosts, adding "no service udp-small-servers" (and "no service
tcp-small-servers") to Cisco routers, or the equivalent for your
components. Blocking these ports inbound at the firewall, and dropping
packets that arrive from outside with a source address inside your own
network, keeps an outsider from starting the loop even if a host still
runs the service.
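The audit that the last paragraph implies, as an added example that is not part of the original FAQ text and is not Vesaria's code: it parses an inetd.conf, reports which of inetd's internal "small servers" are still live, and emits the same file with those lines commented out. The sample inetd.conf is constructed, and the set of services treated as small servers (echo, discard, chargen, daytime, time, the ones Cisco's udp-small-servers switch covers) is an assumption beyond the page, which names only echo. The udp_echo_answers() probe is for checking a real host afterwards and is not exercised by the offline demo.

```python
"""Audit and harden an inetd.conf for the small servers that can be
abused for UDP echo loops.  Added example: not from the original FAQ
text or from Vesaria; the sample inetd.conf below is constructed."""
import socket

# Internal inetd services that answer any datagram without authentication.
# echo (7/udp) is the loop classic; chargen (19/udp) amplifies it.  The
# exact set is an assumption: chargen, discard, daytime and time are not
# named on the page but are what 'no service udp-small-servers' turns off.
SMALL_SERVERS = {"echo", "discard", "chargen", "daytime", "time"}

# Constructed sample of a default /etc/inetd.conf of the period.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
discard dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
#daytime dgram  udp     wait    root    internal
time    dgram   udp     wait    root    internal
"""


def enabled_small_servers(conf_text):
    """Return [(service, proto)] for small-server lines that are live
    (not commented out) in an inetd.conf.  Field layout is the classic
    'service socktype proto wait user program args'."""
    found = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 3:
            continue
        service, proto = fields[0], fields[2]
        if service in SMALL_SERVERS:
            found.append((service, proto))
    return found


def harden_inetd_conf(conf_text):
    """Comment out every live small-server line and return the new text.
    Lines already commented, blank, or for other services are untouched,
    so running it twice gives the same result."""
    out = []
    for line in conf_text.splitlines():
        fields = line.split()
        live = fields and not line.lstrip().startswith("#")
        if live and fields[0] in SMALL_SERVERS:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


def udp_echo_answers(host, port=7, timeout=2.0):
    """Live check, not run in the offline demo: send one datagram and
    report whether the host echoes it back, i.e. still exposes echo/udp."""
    probe = b"echo-probe"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(probe, (host, port))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return False
    return data == probe


if __name__ == "__main__":
    print("live small servers:", enabled_small_servers(SAMPLE_INETD_CONF))
    hardened = harden_inetd_conf(SAMPLE_INETD_CONF)
    print(hardened)
    assert enabled_small_servers(hardened) == []
```

After writing the hardened file back, send inetd a HUP (or restart it) and confirm with the probe that echo/udp no longer answers; a host that still replies is a host someone else can use to flood your segment.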
Vesaria
3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044