#1 Guest
In the connected world of the Internet, a few malicious users can give administrators quite a headache when it comes to protecting systems on publicly accessible networks. The recent "Denial of Service" attacks on the web's most famous sites have made this even more apparent. Most of these attacks generate large volumes of TCP/IP traffic. While the web server cannot respond to outside visitors because of the heavy load on the network, from the inside it may go unnoticed that the web servers are affected by this attack.
The "Microsoft TCP/IP stack", which is part of the Windows family of operating systems, has been tested and proven to withstand many attacks, and in its default state it is strong enough to resist many common attacks. In addition to these features, there are some general steps that can be taken to reduce the risk of a web site being harmed by these attacks and others:

a) Monitor the perimeter of the network so that attacks can be noticed. Many companies offer programs that detect these attack types. (The most widely used "Intrusion Detection" program (RealSecure) can be obtained from [link hidden by the forum].)
b) Make sure routers do not convert layer 3 broadcasts into layer 2 broadcasts. On Cisco, you can use the command no ip directed-broadcast to disable this. This is already the default setting on routers running IOS 12.0.
c) Restrict routers so that only the ports required for the site to operate are used.
d) Turn off unnecessary or optional services (for example, Client for Microsoft Networks on an IIS server).
e) Enable "TCP/IP filtering" and allow only the ports required for the server to operate. (See Q150543 in the Microsoft Knowledge Base for a list of the ports used by Windows services.)
f) Unbind "NetBIOS over TCP/IP" where it is not required.
g) Use static IP addresses and parameters for externally facing network cards.
h) Configure the registry settings for maximum protection.
i) Configure Windows NT and IIS as described in the "IIS security checklist".
j) Check the Microsoft security web site regularly for security announcements.

Registry settings for maximum protection against network attacks:

The following registry settings will help increase the resistance of the Windows NT and 2000 "network stack" to DoS attacks.
SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1, 2
0 (no synattack protection)
1 (reduced retransmission retries and delayed RCE (route cache entry) creation if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied.)
2 (in addition to 1 a delayed indication to Winsock is made.)
Note: When the system finds itself under attack the following options on any socket can no longer be enabled: Scalable windows (RFC 1323) and per adapter configured TCP parameters (Initial RTT, window size). This is because when protection is functioning the route cache entry is not queried before the SYN-ACK is sent and the Winsock options are not available at this stage of the connection.
Default: 0 (False)
Recommendation: 2
Description: Synattack protection involves reducing the amount of retransmissions for the SYN-ACKS, which will reduce the time for which resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If synattackprotect = 2, then the connection indication to AFD is delayed until the three-way handshake is completed. Also note that the actions taken by the protection mechanism only occur if TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded.

TcpMaxHalfOpen
Key: Tcpip\Parameters
Value Type: REG_DWORD-Number
Valid Range: 100-0xFFFF
Default: 100 (Professional, Server), 500 (Advanced Server)
Recommendation: default
Description: This parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port you want to protect (see Backlog Parameters for more information). See the SynAttackProtect parameter for more details.

TcpMaxHalfOpenRetried
Key: Tcpip\Parameters
Value Type: REG_DWORD-Number
Valid Range: 80-0xFFFF
Default: 80 (Professional, Server), 400 (Advanced Server)
Recommendation: default
Description: This parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate. See the SynAttackProtect parameter for more details.

EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD-Boolean
Valid Range: 0, 1 (False, True)
Default: 1 (True)
Recommendation: 0
Description: When this parameter is set to 1 (True) TCP attempts to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet.

NoNameReleaseOnDemand
Key: Netbt\Parameters
Value Type: REG_DWORD-Boolean
Valid Range: 0, 1 (False, True)
Default: 0 (False)
Recommendation: 1
Description: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the machine against malicious name-release attacks.

EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD-Boolean
Valid Range: 0, 1 (False, True)
Default: 1 (True)
Recommendation: 0
Description: When this parameter is 1, TCP is allowed to perform dead-
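An added example, not part of the original post: a small auditor that reads a registry export (.reg text) and reports every value that deviates from the recommendations listed in post #1, treating an absent value as its documented default. It assumes the keys live under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services; the names POLICY, parse_reg, audit and SAMPLE are hypothetical, and the sample export is constructed.

```python
import re

# (service, value) -> (recommended or None for "default", default if absent, valid range), per the post.
POLICY = {
    ("Tcpip", "SynAttackProtect"): (2, 0, (0, 2)),
    ("Tcpip", "TcpMaxHalfOpen"): (None, None, (100, 0xFFFF)),
    ("Tcpip", "TcpMaxHalfOpenRetried"): (None, None, (80, 0xFFFF)),
    ("Tcpip", "EnablePMTUDiscovery"): (0, 1, (0, 1)),
    ("Netbt", "NoNameReleaseOnDemand"): (1, 0, (0, 1)),
    ("Tcpip", "EnableDeadGWDetect"): (0, 1, (0, 1)),
}
SECTION = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\w+)\\Parameters\]$", re.I)
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{1,8})$', re.I)

def parse_reg(text):
    """Return {(service, value_name): int} (names lower-cased) for DWORDs in a .reg export."""
    values, service = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = SECTION.match(line)
            service = m.group(1).lower() if m else None  # ignore unrelated keys
        elif service and (m := DWORD.match(line)):
            values[(service, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (service, name, effective value, finding) for each deviation from the post."""
    found, findings = parse_reg(text), []
    for (svc, name), (want, default, (lo, hi)) in POLICY.items():
        value = found.get((svc.lower(), name.lower()))
        effective = default if value is None else value
        if value is not None and not lo <= value <= hi:
            findings.append((svc, name, value, "outside valid range"))
        elif want is not None and effective != want:
            state = "absent, default in effect" if value is None else "set"
            findings.append((svc, name, effective, f"{state}; post recommends {want}"))
    return findings

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"TcpMaxHalfOpen"=dword:00000032
"EnablePMTUDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NoNameReleaseOnDemand"=dword:00000001
'''
if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Exports in the "Windows Registry Editor Version 5.00" format are written as UTF-16, so decode the file accordingly before passing its text to audit().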
#2
Thanks for sharing...
๑۩۞۩. Fëanor Fëfalas. ۩۞۩๑