In the Wake of Wikileaks: Protecting Against DoS

by Patrick Bedwell
December 17, 2010 at 10:20 am

The recent widespread DoS attacks directed at a number of sites in the wake of l’affaire Assange have prompted several of our customers to ask how Fortinet can help them reduce the effects of a DoS attack.

The news has been full of examples of how participants in the so-called “Operation Payback” were able to affect operations for some financial services companies and payment processors in the wake of the Wikileaks document drops.

Although it is difficult to prevent a widespread DoS or DDoS attack from affecting your network operations, each FortiGate platform includes the FortiGate DoS Sensor to reduce the effect of a DoS attack. The Sensor can detect 12 types of network anomalies, including syn_flood, port_scan, udp_flood and others that are common to DoS attacks. Network administrators can set thresholds to moderate spikes in traffic load caused by DoS attacks.
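As an added illustration (not Fortinet's code, and not how the DoS Sensor is implemented), here is a minimal sliding-window threshold detector for three of the anomaly types named above; the threshold values and the sample traffic are constructed for the example.

```python
from collections import defaultdict, deque

# Illustrative per-window thresholds (assumed values, not product defaults).
THRESHOLDS = {"syn_flood": 100, "udp_flood": 200, "port_scan": 20}

class DosSensor:
    """Sliding-window threshold detector for three anomaly types."""

    def __init__(self, thresholds=THRESHOLDS, window=1.0):
        self.thresholds, self.window = thresholds, window
        self.events = defaultdict(lambda: defaultdict(deque))  # anomaly -> key -> deque
        self.alerted = set()  # (anomaly, key) pairs already reported once

    def _window(self, anomaly, key, ts, value):
        q = self.events[anomaly][key]
        q.append((ts, value))
        while q[0][0] < ts - self.window:  # expire entries older than the window
            q.popleft()
        return q

    def _alert(self, anomaly, key, alerts):
        if (anomaly, key) not in self.alerted:
            self.alerted.add((anomaly, key))
            alerts.append((anomaly, key))

    def observe(self, pkt):
        """pkt: dict(ts, src, dst, proto, dport, syn). Returns newly raised alerts."""
        alerts, ts = [], pkt["ts"]
        if pkt["proto"] == "tcp" and pkt.get("syn"):
            # SYN flood: too many SYNs toward one destination host within the window
            if len(self._window("syn_flood", pkt["dst"], ts, 1)) > self.thresholds["syn_flood"]:
                self._alert("syn_flood", pkt["dst"], alerts)
        elif pkt["proto"] == "udp":
            if len(self._window("udp_flood", pkt["dst"], ts, 1)) > self.thresholds["udp_flood"]:
                self._alert("udp_flood", pkt["dst"], alerts)
        # Port scan: one source touching too many distinct destination ports
        ports = {p for _, p in self._window("port_scan", pkt["src"], ts, pkt["dport"])}
        if len(ports) > self.thresholds["port_scan"]:
            self._alert("port_scan", pkt["src"], alerts)
        return alerts

def run(packets):
    sensor = DosSensor()
    return sorted(a for pkt in packets for a in sensor.observe(pkt))

def sample_traffic():
    # Constructed traffic: a SYN flood on 10.0.0.5:80, a port sweep from 192.0.2.9,
    # and a little benign DNS traffic that must not trip any threshold.
    pk = lambda i, src, dst, proto, dport, syn: dict(ts=i * 0.001, src=src, dst=dst, proto=proto, dport=dport, syn=syn)
    flood = [pk(i, f"198.51.100.{i % 250}", "10.0.0.5", "tcp", 80, True) for i in range(150)]
    sweep = [pk(i, "192.0.2.9", "10.0.0.7", "tcp", 1 + i, True) for i in range(30)]
    dns = [pk(i, "10.0.0.20", "10.0.0.53", "udp", 53, False) for i in range(5)]
    return flood + sweep + dns

if __name__ == "__main__":
    print(run(sample_traffic()))  # [('port_scan', '192.0.2.9'), ('syn_flood', '10.0.0.5')]
```

The sweep alone stays under the SYN-flood threshold and the flood sources each touch a single port, so each anomaly fires only for the traffic that matches it.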

As they say in medicine, prevention is often the best cure. The same is true for reducing the potential damage a DoS attack can cause any targeted system or domain. FortiGate platforms also enable you to implement a range of industry best practices that improve the overall health of the communal “bath water” we all share.

Fundamental to preventing DoS attacks is policy enforcement on both your network and your clients, to prevent the distribution of a botnet within your network. Additionally, blocking the communication between the command and control (C&C) server that manages the botnet and any compromised systems within your environment will reduce the threat, as will blocking botnet-generated traffic leaving your network.

Here are some industry best practices for reducing the DoS threat:

Ingress/egress filtering on the firewall
Ingress filtering provides control over incoming traffic and protects the network from being attacked, while egress filtering helps contain botnet activity and keeps it from affecting other areas. FortiGate platforms include ingress/egress filtering.

Antispam filtering
The vast majority of bots are distributed via email, making it essential to deploy antispam technologies to block the malware from making a beachhead in your network. FortiGate platforms include antispam filtering. FortiMail provides advanced messaging security, including antispam filtering.

Enforce security measures on all hosts
Having proper host protection is one of the most effective measures against the propagation of the malicious software that turns systems into bots. Endpoint protection can prevent the installation of malicious code on systems. Network Access Control (NAC) can also enforce system hygiene requirements before allowing a system to connect to the network. Fortinet offers FortiClient endpoint protection for PCs and notebooks, and FortiGate includes key NAC functionality.

Audit Network on a regular basis
Regular network audits and vulnerability scans provide essential data regarding systems and applications that may reside on your network without your knowledge, as well as systems that need patches. These audits and scans identify potential weaknesses in your network, giving you the information you need to plug those holes before the next attack. FortiAnalyzer, FortiScan and FortiGate platforms can perform vulnerability management scanning to increase your visibility of your network status.

Install IPS on your gateway
IPS can detect anomalous traffic, enabling you to block abnormal network activity and limit the damage from the attack. Implementing IPS at the edge of the network adds an essential layer of protection to the network. An integrated IPS/Firewall gateway reduces the complexity at the edge and provides a single management interface to deploy multiple layers of protection. FortiGate platforms include IPS functionality.

Author bio: Patrick Bedwell is Fortinet's vice president of product marketing.

The Zombie Awareness Month Computer Survival Guide

by Rick Popko
May 20, 2010 at 12:18 pm

It’s a little known fact that the month of May is actually Zombie Awareness Month. While many pay homage with movie marathons and even reenacting zombie activities (well, some zombie activities) during pub crawls and horror conventions, we thought we’d give you some life-saving details on how to stop a different kind of zombie… The Zombie Computer! While an infected zombie computer won’t eat your brains for sustenance, it can still inflict a great deal of pain and misery on computer users.

A zombie computer allows an unauthorized person to gain control over another user’s computer. The infection is typically the result of a hacker, malicious Web site, email or even thumb drive. When the zombie computer is active, it can be found mindlessly roaming cyberspace, receiving commands and carrying out tasks. Commands often include downloading malicious software, spamming and launching distributed denial of service (DDoS) attacks. While older zombies were interested in fame, glory and your computer’s brains, today’s zombies are far more nefarious in that they’re now finding ways to trap your keystrokes in order to gain access into your bank accounts!

This brings us to today’s zombie computer survival guide.

The most likely way a computer becomes infected is by landing on a malicious link. To give you an example of how links can come from anywhere, take a look at the Koobface botnet that continues to infect Facebook users. That virus was spread through video links via Facebook friend messages.

While it’s not always easy to tell when you’ve become infected, sometimes you can pick up clues from other sources such as your friends. In the example of Koobface, it may have sent an infected video link to one of your friends with the caption “LOL, you have to check this video out.” Your friend who received the link may know that:

1. You don’t ever send video links to your friends

2. You never use the term LOL in your texted conversations

In either of these cases, a smart friend will ping you back and ask, “Why did you send this video to me?” If you know you didn’t send a video link to your friend, you can pretty much bet you’ve become infected or that your account has been compromised.

While you can’t kill a zombie computer by shooting it in the head, the best way to disable it and then kill it is to quarantine it (and the best way to do that is to disconnect the suspected zombie from the network). Then run a virus scan, which, if your software’s up to date, should find it and rub it out.

While real-life zombies aren’t too bright or fast on their feet, zombie computers can be quite devious. Therefore, the best line of defense is to prevent infection in the first place; an initial infection can grow worse over time and, well, you know what happens. And nobody likes a zombie.

Derek Manky contributed research to this report.

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.