Poorly configured firewalls make distributed denial-of-service attacks too easy for hackers

Companies should check their firewall configurations to ensure they do not fall victim to distributed denial of service (DDoS) attacks, or unwittingly participate in them, according to David Morgan of Internet security firm ISS.

Morgan said a fifth of systems audited by ISS have misconfigured firewalls that put their owners at risk. The news follows a recent DDoS attack against 13 of the Internet's root name servers. Properly configured firewalls would have prevented the attack.

Organisations should set up firewalls to prevent all ping packets from entering their networks, Morgan advised. Ping packets request status information about remote computers.

"Firms should not allow ping packets through their firewalls unless they have a specific need to do so," Morgan said. He added that public-facing systems such as DNS or Web servers should not be exposed to ping packets.

In addition, firewalls should be configured to drop packets that contain obviously bogus source or destination addresses. "This protects other Net users from spoofed attacks originating from your own network. But it does not stop hackers forging your IP address and using it in an attack that does not pass through your network," said Morgan. "This is why firewall rules must be implemented everywhere, especially at ISPs."
Source: www.vnunet.com/