A.25 Chapter 24: Denial of Service Attacks and Solutions

  • Ensure good physical security for computers, network cables, and connectors.

  • If user quotas are available on your system, enable them.

  • Configure appropriate process and user limits on your system.

  • Don't test new software while running as root.

  • Educate your users on polite methods of sharing system resources.

  • Run long-running tasks in the background, setting the nice to a positive value.

  • Partition disks to isolate critical partitions from those that might be filled by mail or file uploads.

  • Configure disk partitions to have sufficient inodes and storage.

  • Make sure that you have appropriate swap space configured.

  • Monitor disk usage and encourage users to archive and delete old files.

  • Consider investing in a network monitor appropriate for your network. Have a spare network connection available, in case you need it.

  • Install a firewall to prevent and react to network problems.

  • Keep an up-to-date paper list of low-level network addresses (e.g., Ethernet addresses), IP addresses, and machine names available.

  • Enable SYN cookies if your kernel supports them.

  • Use egress filters on border routers to prevent spoofed packets from being sent out from your network.

    Part VI: Appendixes