The USENIX Special Interest Group for Sysadmins

Defenses Against DoS Attacks


Turning Off IP Forwarding

For Solaris 2.5 and above:
Create the (empty) file /etc/notrouter

For Solaris 2.4 and earlier:
Add the following lines at the end of /etc/init.d/inetinit:
  ndd -set /dev/ip ip_forward_src_routed 0
  ndd -set /dev/ip ip_forwarding 0

Preventing incoming broadcast packets from entering your network

Add the following at the end of /etc/rc2.d/S69inet:
  ndd -set /dev/ip ip_forward_directed_broadcasts 0

Preventing the system from responding to incoming broadcast packets

Add the following command at the end of /etc/rc2.d/S69inet:
  ndd -set /dev/ip ip_respond_to_echo_broadcast 0
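As an added example, not a script from this page: a POSIX sh script that audits the four /dev/ip settings listed above with ndd -get and applies them with ndd -set, so the hardening can be checked again after a reboot or a patch. The NDD variable, the function names and the audit/apply arguments are this example's own assumptions; NDD exists only so the logic can be exercised on a non-Solaris host with a stand-in for ndd, and on Solaris it should be left unset.

```shell
#!/bin/sh
# Audit and apply the /dev/ip settings recommended above (added example, not
# the SAGE page's own script). ndd is reached through $NDD so the logic can be
# exercised on a non-Solaris host with a stand-in; on Solaris leave it unset.
NDD="${NDD:-ndd}"

# Hardened values from the page, as name=value words.
HARDENED="ip_forwarding=0 ip_forward_src_routed=0 \
ip_forward_directed_broadcasts=0 ip_respond_to_echo_broadcast=0"

# get_ip_param NAME: print the live value of NAME from /dev/ip (empty if unreadable)
get_ip_param() {
    "$NDD" -get /dev/ip "$1" 2>/dev/null
}

# check_ip_param NAME WANT: 0 if the live value equals WANT, 1 otherwise
check_ip_param() {
    have=$(get_ip_param "$1")
    if [ "$have" = "$2" ]; then
        echo "ok       $1 = $have"
        return 0
    fi
    echo "MISMATCH $1 = ${have:-<unreadable>} (want $2)"
    return 1
}

# audit_ip_params: check every HARDENED pair; exit status = number of mismatches
audit_ip_params() {
    bad=0
    for pair in $HARDENED; do
        check_ip_param "${pair%=*}" "${pair#*=}" || bad=$((bad + 1))
    done
    return $bad
}

# apply_ip_params: set every HARDENED pair (needs root on Solaris); 1 on any failure
apply_ip_params() {
    for pair in $HARDENED; do
        "$NDD" -set /dev/ip "${pair%=*}" "${pair#*=}" || return 1
    done
    return 0
}

# Usage: sh ip_harden.sh audit | apply
case ${1:-} in
    audit) audit_ip_params ;;
    apply) apply_ip_params && audit_ip_params ;;
esac
```

Because ndd settings do not survive a reboot, the apply step still has to be placed in the startup files as the page describes; the audit step is what tells you whether that placement actually took effect.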

TCP Wrappers

The source code for this freeware tool, written by Wietse Venema, is compiled to produce the tcpd binary, which can be used to wrap a number of network services (e.g., ftp, telnet, finger). The package also provides the capability to capture client host name and requested service information. When used to wrap TCP services, the package provides the following optional features:

  •   Access control to restrict the network daemons to which specified systems can connect
  •   Client user name lookups
  •   Additional protection against host ID and IP address spoofing

S/Key

S/Key is a one-time password mechanism. It provides protection against password replay attacks. With S/Key, you use information presented in the remote system's login challenge, along with a password, to compute a passphrase on your local host. If the computed passphrase is correct, you are given access to the remote host, and the remote system marks the computed passphrase so it cannot be used for future sessions.

WU-ftpd

WU-ftpd provides additional access controls and extensive logging facilities.