[MUD-Dev] DDoS

Morten Andresen morten at mgon.com
Sat Apr 15 14:16:46 CEST 2000


Ola Fosheim Grøstad wrote on the 12th April 2000:
> Some IRC maintainers are talking about dropping the service because of
> denial of service attacks (DoS), the equivalent of link-spamming.  There
> is also something called a distributed DoS (DDoS), which means that the
> attack comes from more than one source, maybe thousands of sources. Thus
> blocking the attack is difficult.

> I wonder what you guys are doing to protect yourself from this.  Have
> you thought about how much damage a banned phreak could cause you? Maybe
> even put you completely out of business?

> (I have some vague ideas that may reduce the DoS problem, but none that
> are definitive...)


	I'll start out by saying that if the hacker/cracker really wants to gain
access to your machine, or bring it to a crash, then he will succeed. If
he's a mere "script kiddie" on the other hand, there are several things you
can do to prevent a great deal of damage from occurring. A lot of this
depends on the amount of access you have to the machine the MUD is running
on, as many of the smaller MUDs don't have a dedicated server, in which case
you will have to consult with the server admin. However, if you do have
complete access to the machine, the first thing I would suggest would be to
disable "ping" (ICMP packets), and depending on the sort of MUD, also "UDP".
Of course this depends on the sort of firewall you're running (I would
suggest 'ipchains' - it comes with all newer Linux distributions (from Red
Hat 6.0; I can't remember the exact version number in which the other
distributors included it)). To ignore all ICMP (ping requests etc.) you
would type:

	ipchains -I input -p icmp -j DENY -l

	The '-I input' specifies that this firewall rule applies to incoming
connection attempts (the ping request in this case), and that this rule is
among the first rules to be processed. '-p icmp' tells the firewall which
network protocol to ignore. The most normal protocols to be written in this
field are: tcp, udp, icmp, and all (applies to everything), but any of the
protocol names or numbers from /etc/protocols are also allowed. '-j DENY'
indicates what the firewall should do with this request. The three
(technically four) dispositions are: ACCEPT (ask no questions - just accept
it), DENY (don't even allow it near the machine), and REJECT (tell the other
machine you don't want it). The fourth can only be used if the '-I' flag is
set to 'forward', and masquerades the internal network (useful for making it
harder for hackers to gain information about internal machines). The flag's
name is MASQ. The last flag, '-l', indicates that any such attempts should be
written into the log /var/log/messages. This is ALWAYS a good idea. My
suggestion after this is that you write up a Perl program that every day
searches through the /var/log/messages file and then sends an e-mail to you
reporting the amount of attempts, and where they came from (to reveal possible
port scanners etc.).

Terminology behind this form of attack:
	One of the first DoS attacks that was ever used was the "Ping of Death",
in which several large ping packets were sent to the same server in rapid
succession. The idea of the "PoD" is to be on a faster machine than the one
you're pinging, thus sending ping requests quicker than the recipient can
reply. But if the ping command is disabled (or configured not to accept any
requests from non-subnet machines), as I described earlier (I did a full
stop so it doesn't reply to ICMP requests from ANYONE), then the problem
isn't as big (although there are many other ways to accomplish this). UDP
flooding works in almost the same way, and can also be disabled (by
substituting '-p icmp' with '-p udp'). The banning of UDP packets should
rely on the sort of MUD you're running. E.g. 'Diablo' by Blizzard relies
solely on UDP packets for the data transfer. The bottom line: if your
machine doesn't respond (or denies them if you're running a firewall ...


Best Wishes,
Morten Andresen
MGON International AB
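The daily log summary the post suggests, as an added example that is not part of the original message (written in Python rather than the Perl the post mentions). It assumes ipchains writes "Packet log:" lines to /var/log/messages in the format shown in the constructed sample below, counts blocked packets per source and protocol, and flags sources that probed several distinct ports.

```python
import re
from collections import Counter, defaultdict

# Matches ipchains kernel "Packet log:" messages as written to /var/log/messages
# (assumed kernel 2.2 ipchains format; real lines may differ slightly).
LOG_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: two denied pings, three UDP ports probed by another host, one unrelated line.
SAMPLE_LOG = """\
Apr 15 14:16:46 mud kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.7:8 192.168.1.2:0 L=84 S=0x00 I=1 F=0x0000 T=64 (#1)
Apr 15 14:16:47 mud kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.7:8 192.168.1.2:0 L=84 S=0x00 I=2 F=0x0000 T=64 (#1)
Apr 15 14:16:48 mud kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:1025 192.168.1.2:4000 L=60 S=0x00 I=3 F=0x0000 T=64 (#2)
Apr 15 14:16:48 mud kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:1025 192.168.1.2:4001 L=60 S=0x00 I=4 F=0x0000 T=64 (#2)
Apr 15 14:16:49 mud kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:1025 192.168.1.2:4002 L=60 S=0x00 I=5 F=0x0000 T=64 (#2)
Apr 15 14:17:01 mud sshd[123]: Accepted password for ola from 10.0.0.3
"""

def parse_packet_log(lines):
    """Yield one dict per ipchains log line; anything else in the file is skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["proto"] = PROTO_NAMES.get(int(e["proto"]), e["proto"])
            yield e

def summarize(lines, scan_threshold=3):
    """Count blocked packets per (source, protocol) and flag sources probing many ports."""
    per_src = Counter()
    ports_by_src = defaultdict(set)
    for e in parse_packet_log(lines):
        if e["target"] not in ("DENY", "REJECT"):
            continue  # only blocked traffic is interesting for the daily report
        per_src[(e["src"], e["proto"])] += 1
        if e["proto"] in ("tcp", "udp"):
            ports_by_src[e["src"]].add(e["dport"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {"total": sum(per_src.values()), "per_src": dict(per_src), "scanners": scanners}

def format_report(summary):
    """Render the summary as the body of the daily e-mail the post suggests."""
    out = [f"Blocked packets: {summary['total']}"]
    for (src, proto), n in sorted(summary["per_src"].items(), key=lambda kv: -kv[1]):
        out.append(f"  {src} {proto}: {n}")
    if summary["scanners"]:
        out.append("Possible port scanners: " + ", ".join(summary["scanners"]))
    return "\n".join(out)
```

Run it once a day from cron against the real log (replacing SAMPLE_LOG with the file's lines) and pipe the report into your mailer.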
