Flood Guards – CompTIA Security+ SY0-401: 1.2

A relatively easy way to overwhelm network devices is to attack them with a flood of network packets. In this video, you’ll learn about some of the more popular methods of flooding a network and how to help prevent these denial of service attacks.


One very common network administration function for security professionals is looking for and trying to stop floods on the network. You often see these identified on intrusion prevention or intrusion detection systems, and that’s because those devices are always on the network. So they’re able to keep track of just how much traffic is coming into the network, and just how much there is of what type.

You’re really interested in floods because of something called DoS or DDoS, and that stands for Denial of Service and Distributed Denial of Service. That’s exactly what you want to avoid. You don’t want the services that you’re providing on your website, or the applications you’re providing to third parties, to be denied to them.

And unfortunately floods that are coming through the network from many different locations can very quickly overwhelm the technologies that we might have for a web server or a firewall or our routers, and because of that we have to keep track of this.

And if we happen to see a large number of Denial of Service or Distributed Denial of Service attacks coming from many different places, then we’ll need to do something about it: block those floods and make sure that the services we’re providing continue to be available to everyone.

One very common type of flood is a SYN flood. If you recall from your Network+ studies, a SYN is the first packet sent to a server. There’s that three-way handshake that occurs for TCP. There’s a SYN that is sent, you get a SYN-ACK back, and then you would send an acknowledgement, which is the third packet.

Well, if a system is simply sending SYNs and never completing the handshake, it could overwhelm the sessions that are available on a server. A web server, a file server, any type of server, really.

So keeping track of just how many SYNs are coming in can give you an idea of whether somebody is really trying to attack you or not. If the number of SYNs suddenly spikes and starts using up more resources than you would like inside of your servers, your firewall, or your router, you now have something you can act on to prevent some of that from happening.

So you need to look at the opportunities people might have to flood your network with SYNs, and keep track of that as one more thing to monitor. Normally your firewalls are going to block that right at the perimeter, so hopefully your services will not be affected.

Another common type of flood that you would see on the network is a ping flood, or a ping scan. Somebody outside of your network may just be trying to find out whether there are devices turned on in your network, because as soon as I find a device, I’m going to try to find an exploit that will get me into that device.

So a common first step is for someone to send pings around to try to find those devices. If they really want to be malicious, they might turn up the volume of those pings, if you will, where they start flooding your network with pings and requiring that your devices now send back responses to those. And of course, that just creates more and more traffic on your network and quickly overwhelms those devices.

So if you start to see ping floods on your network, again identified by your IPS or your IDS, that’s another thing to look for. Maybe somebody’s doing reconnaissance, or if there are a lot of them, maybe somebody is trying to bring down a part of your network.
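The counting the video describes for both SYN floods and ping floods, written out as an added example (this is not code from the video): it tracks half-open TCP sessions per server and echo requests per source inside a time window, and raises an alert when either crosses a threshold. The log format, the thresholds and the sample records are all assumptions constructed for the demonstration.

```python
# Added example (not from the video): threshold counting of half-open TCP
# sessions and ICMP echo requests, the kind of tracking an IDS/IPS does.
# Log format is assumed: "<secs> <proto> <src> <dst> <flag>" (flag SYN,
# SYN-ACK or ACK for TCP; ECHO for an ICMP echo request).
from collections import Counter, defaultdict, deque

WINDOW = 10.0        # seconds of history to keep (assumed value)
SYN_THRESHOLD = 3    # half-open sessions on one server = flood (assumed, low for demo)
PING_THRESHOLD = 3   # echo requests from one source in the window (assumed)

def detect_floods(lines, window=WINDOW, syn_threshold=SYN_THRESHOLD,
                  ping_threshold=PING_THRESHOLD):
    half_open = {}              # (client, server) -> time the client's SYN arrived
    pings = defaultdict(deque)  # source -> arrival times of recent echo requests
    alerts = set()
    for line in lines:
        t, proto, src, dst, flag = line.split()
        t = float(t)
        if proto == "TCP" and flag == "SYN":
            half_open[(src, dst)] = t          # handshake started, not finished
        elif proto == "TCP" and flag == "ACK":
            half_open.pop((src, dst), None)    # third packet: session completed
        elif proto == "ICMP" and flag == "ECHO":
            q = pings[src]
            q.append(t)
            while t - q[0] > window:           # forget requests outside the window
                q.popleft()
            if len(q) >= ping_threshold:
                alerts.add(("ping_flood", src))
        # expire stale half-open sessions, then count what each server still holds
        for key in [k for k, ts in half_open.items() if t - ts > window]:
            del half_open[key]
        for server, n in Counter(s for _, s in half_open).items():
            if n >= syn_threshold:
                alerts.add(("syn_flood", server))
    return sorted(alerts)

# Constructed sample: one complete handshake (benign), then SYNs that never
# get their ACK, and a burst of echo requests from a single source.
SAMPLE_LOG = [
    "0.0 TCP 10.0.0.5 192.0.2.10 SYN",
    "0.1 TCP 192.0.2.10 10.0.0.5 SYN-ACK",
    "0.2 TCP 10.0.0.5 192.0.2.10 ACK",
    "5.0 TCP 198.51.100.1 192.0.2.10 SYN",
    "5.1 TCP 198.51.100.2 192.0.2.10 SYN",
    "5.2 TCP 198.51.100.3 192.0.2.10 SYN",
    "6.0 ICMP 203.0.113.9 192.0.2.20 ECHO",
    "6.1 ICMP 203.0.113.9 192.0.2.21 ECHO",
    "6.2 ICMP 203.0.113.9 192.0.2.22 ECHO",
]
```

Running `detect_floods(SAMPLE_LOG)` flags the server collecting half-open sessions and the source sending the echo burst, while the completed handshake at the top produces nothing.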

Another type of flood that you’ll see is a port flood or a port scan. Once somebody identifies a machine, they might want to know what services are running inside of that machine. Is it a web server, is it an email server, is it a time server? What is it?

I want to know more about it, because if I can figure out what service is running on that server, I can then cross reference the versions of what might be running there to find out if there’s any known exploits.

If it’s an email server, I can send some carefully crafted email messages to attempt to bring it down.

So there are things happening at every step along the way. The SYN floods, the ping floods, the port floods: each one either gives somebody information about what’s on the network or gives them a way to stop, or deny, the services running on those particular devices.

In any case, you want to be able to identify them as quickly as possible, and then find ways to mitigate them, whether that’s at a firewall or on the server itself, and shut down some of those floods that are hitting your network.