Network Security You Decide Activity


Category: Science and Technology

Date Submitted: 07/28/2012 08:21 PM


• Denial-of-Service (DoS) attacks can be mitigated by disabling unneeded services: many operating systems enable numerous services by default, unnecessarily exposing networks to attacks that aren’t even related to the particular service they are intended to provide. Hide the internals of your network. Filter all non-essential traffic as close to the source as possible, dropping unneeded traffic as early as possible in the network. Minimize internal servers’ dependency on external services. Use multiple operating systems to create “biodiversity.” Most worms, viruses, and DoS tools target specific operating systems, so using multiple operating systems may aid survivability in the event of an operating-system-specific attack.

• Distributed Denial-of-Service (DDoS) attacks can be mitigated by sampling router logs to determine which of your external routers is routing the most DDoS traffic and to identify which IP blocks are your biggest offenders. On those routers, adjust the routing statements to “black-hole” the IP blocks, and adjust the network masks to isolate only the offending IP addresses. Network service should be available but congested for legitimate traffic. You can remove all of your router reject statements except the ones on the border routers facing the attacking networks. If your ISP and the upstream ISP from the attacking network put up any network blocks, your inbound traffic should normalize quickly.

• Masquerading and IP spoofing can be mitigated by denying all localhost addresses, which are the 127.0.0.0/8 addresses, and by denying all reserved IP address spaces as described in RFC 1918. However, it is recommended that reserved IP addresses be blocked on interfaces connecting to the ISP's backbone. Most importantly, deny any addresses that have the same source address as the protected network. When securing routers against outbound IP spoofing, make sure you do not allow outbound IP datagrams with source addresses other than the...
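
The log-sampling step in the DDoS item above, sketched as an added example that is not part of the original essay: it totals bytes per router and per source block from constructed log lines, then narrows the offending block to the smallest prefixes that cover only the heavy senders. The log format, the thresholds and the function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in an assumed "<router> <source_ip> <bytes>" format.
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
border1 198.51.100.7 90000
border1 198.51.100.9 85000
border1 203.0.113.20 1200
border2 198.51.100.7 70000
border2 192.0.2.55 900
border1 198.51.100.8 88000
border2 203.0.113.21 1500
border1 192.0.2.10 700
this line is malformed and is skipped
"""

def parse(log):
    """Yield (router, source address, byte count) for each well-formed line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            yield fields[0], ipaddress.ip_address(fields[1]), int(fields[2])
        except ValueError:
            continue  # bad address or byte count

def top_talkers(log, block_prefix=24, share=0.25):
    """Total bytes per router, per source block and per host; return the
    blocks that carry at least `share` of all sampled bytes."""
    per_router, per_block, per_host = Counter(), Counter(), Counter()
    for router, src, nbytes in parse(log):
        block = ipaddress.ip_network(f"{src}/{block_prefix}", strict=False)
        per_router[router] += nbytes
        per_block[block] += nbytes
        per_host[src] += nbytes
    total = sum(per_block.values())
    offenders = [b for b, n in per_block.most_common()
                 if total and n / total >= share]
    return per_router, offenders, per_host

def blackhole_prefixes(block, per_host, min_bytes=10000):
    """Tighten the mask: smallest prefixes covering only the heavy hosts."""
    heavy = [ipaddress.ip_network(str(h)) for h, n in per_host.items()
             if h in block and n >= min_bytes]
    return list(ipaddress.collapse_addresses(heavy))
```

On the sample, `border1` carries the most traffic and the single offending /24 narrows to a /32 and a /31, so the rest of that block stays routable.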