Bulletproof web design - 197
Chapter 6 Securing Linux

You can allow specific hosts or domains to relay mail through your system by adding those senders to your /etc/mail/access file with keyword RELAY. By default, relaying is allowed only from the local host. Refer to the sendmail documentation for more information.

One package you might consider using to filter out spam on your mail server is spamassassin, which examines the text of incoming mail messages and attempts to filter out messages that it determines to be spam. Spamassassin is described in Chapter 24.

Smurf Amplification Attack

Smurfing refers to a particular type of Denial of Service attack aimed at flooding your Internet connection. It can be a difficult attack to defend against because it isn't easy to trace it back to the attacker.

The attack makes use of the ICMP protocol, a service intended for checking the speed and availability of network connections. Using the ping command, you can send a network packet from your computer to another computer on the Internet. The remote computer recognizes the packet as an ICMP request and echoes a reply packet to your computer, which can then print a message revealing that the remote system is up and telling you how long it took to reply to the ping.

A smurfing attack uses a malformed ICMP request to bury your computer in network traffic. The attacker bounces a ping request off an unwitting third party in such a way that the reply is duplicated dozens or even hundreds of times. An organization with a fast Internet connection and a large number of computers is used as the relay. The destination address of the ping is set to an entire subnet instead of a single host. The return address is forged to be your machine's address instead of the actual sender's. When the ICMP packet arrives at the unwitting relay's network, every host on that subnet replies to the ping! Furthermore, they reply to your computer instead of to the actual sender. If the relay's network has hundreds of computers, your Internet connection can be quickly flooded.

The best fix is to contact the organization being used as a relay, informing it of the abuse. That organization usually need only reconfigure its Internet router to stop any future attacks. If the organization is uncooperative, you can minimize the effect of the attack by blocking the ICMP protocol on your router, which at least keeps the traffic off your internal network. It helps even more if you can persuade your ISP to block ICMP packets aimed at your network.

Protecting Against Distributed DoS Attacks

A DDoS attack is much harder to initiate and nearly impossible to stop. It begins with the penetration of hundreds or even thousands of weakly secured machines. These machines are then directed to attack a single host based on the desire of the attacker.
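The RELAY keyword in /etc/mail/access, mentioned at the top of this page, applies not just to the exact host you list but to everything beneath it: sendmail looks up the connecting client's full address first and then progressively shorter IPv4 prefixes (or parent domains), so an entry of `192.168.212` opens relaying for the whole 192.168.212.0/24. The following is an added example written for this page, not sendmail's own code: it models that lookup order over a constructed sample access file so you can see which clients an entry actually admits, and includes an audit check for over-broad RELAY prefixes. Only IPv4 and host/domain keys are modelled (an assumption; the real map also accepts IPv6: and user@ keys), and the `makemap` command in the comment is the standard way to compile the live file.

```python
"""Model of how sendmail consults /etc/mail/access for RELAY decisions.

Added example, not sendmail's own code. It reproduces the documented lookup
order (exact key first, then progressively shorter IPv4 prefixes or parent
domains) so an administrator can see exactly which clients an entry opens
relaying for. Only IPv4 and host/domain keys are modelled (an assumption;
the real map also takes IPv6:... and user@ keys).
"""
import ipaddress

# Constructed sample in /etc/mail/access format. The live file is compiled
# into the hash map sendmail reads with:
#     makemap hash /etc/mail/access < /etc/mail/access
SAMPLE_ACCESS = """\
# key                    value
localhost.localdomain    RELAY
localhost                RELAY
127.0.0.1                RELAY
# every host in 192.168.212.0/24 may relay
192.168.212              RELAY
# every host under partner.example.org may relay
partner.example.org      RELAY
spam.example.net         REJECT
# Connect: tag restricts the entry to the connecting-host check
Connect:203.0.113.9      REJECT
"""


def parse_access(text):
    """Parse key/value lines; later duplicates win, as in makemap's output."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        if key.startswith("Connect:"):      # the connecting-host check is
            key = key[len("Connect:"):]     # exactly what is modelled here
        table[key.lower()] = value.split()[0].upper()
    return table


def lookup_keys(client):
    """Keys sendmail tries for a client, most specific first."""
    try:
        ipaddress.IPv4Address(client)
    except ValueError:                      # not an IPv4 literal: a hostname
        labels = client.lower().split(".")
        return [".".join(labels[i:]) for i in range(len(labels))]
    octets = client.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def relay_decision(table, client):
    """(value, matched_key) of the first matching entry, or (None, None)."""
    for key in lookup_keys(client):
        if key in table:
            return table[key], key
    return None, None


def relay_allowed(table, client):
    """Only an explicit RELAY opens relaying; no match means local-only."""
    return relay_decision(table, client)[0] == "RELAY"


def broad_relay_entries(table, min_octets=3):
    """Audit check: RELAY keys that are IPv4 prefixes shorter than three octets."""
    broad = []
    for key, value in table.items():
        parts = key.split(".")
        if (value == "RELAY" and all(p.isdigit() for p in parts)
                and len(parts) < min_octets):
            broad.append(key)
    return broad


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for client in ("192.168.212.44", "192.168.213.44",
                   "mail.partner.example.org", "mx.spam.example.net"):
        print(client, relay_decision(table, client), relay_allowed(table, client))
    print("over-broad RELAY entries:", broad_relay_entries(table))
```

Run it after editing the sample table to mirror your own access file; `broad_relay_entries` flags a one- or two-octet RELAY key such as `10`, which would turn the whole 10.0.0.0/8 into an open relay.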
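The smurf description above gives a usable detection signature for the victim side: within a few seconds, many distinct hosts on one subnet all send ICMP echo replies to your address, even though nothing on your side sent an echo request to that network. The following is an added example written for this page, not the book's code, that looks for exactly that pattern in netfilter LOG output. It assumes the gateway logs ICMP in both directions with rules like `iptables -A INPUT -p icmp -j LOG --log-prefix "ICMP "` and the same on OUTPUT (those rules and the sample lines are constructed for the example; the IN=/OUT=/SRC=/DST=/PROTO=/TYPE= fields are netfilter's real LOG format). The window and host-count thresholds are assumptions to tune per site.

```python
"""Spot a smurf-style ICMP reflection flood in netfilter LOG lines.

Added example, not the book's code. Assumes ICMP is logged in both
directions (e.g. iptables ... -p icmp -j LOG --log-prefix "ICMP " on INPUT
and OUTPUT); the sample lines below are constructed, the field names are
netfilter's. Signature: within window_s seconds, at least min_hosts distinct
hosts from one /24 send echo replies (TYPE=0) to one local address, while no
echo request (TYPE=8) went from here to that network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"\b(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d)")


def log_line(ts, direction, src, dst, icmp_type):
    """Build one constructed syslog line in netfilter LOG format."""
    iface = "IN=eth0 OUT=" if direction == "in" else "IN= OUT=eth0"
    return (f"{ts} gw kernel: [100.0] ICMP {iface} SRC={src} DST={dst} "
            f"LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=ICMP "
            f"TYPE={icmp_type} CODE=0 ID=7 SEQ=1")


VICTIM = "203.0.113.5"   # our own address, the one the attacker forges
SAMPLE_LOG = (
    # Legitimate: we ping 192.0.2.1 and receive its single reply.
    [log_line("Mar 13 10:15:00", "out", VICTIM, "192.0.2.1", 8),
     log_line("Mar 13 10:15:00", "in", "192.0.2.1", VICTIM, 0)]
    # Flood: twelve hosts on 198.51.100.0/24 answer a ping we never sent.
    + [log_line(f"Mar 13 10:15:0{i % 3 + 1}", "in", f"198.51.100.{10 + i}",
                VICTIM, 0) for i in range(12)]
    # Noise: one stray unsolicited reply from elsewhere is not a flood.
    + [log_line("Mar 13 10:15:30", "in", "198.18.0.9", VICTIM, 0)]
)


def parse_line(line):
    """Return the ICMP fields of one LOG line, or None if it is not ICMP."""
    m = TS_RE.match(line)
    f = dict(FIELD_RE.findall(line))
    if not m or f.get("PROTO") != "ICMP":
        return None
    return {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            "in": f.get("IN", ""), "out": f.get("OUT", ""),
            "src": f["SRC"], "dst": f["DST"], "type": int(f["TYPE"])}


def net24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_smurf(lines, window_s=5, min_hosts=10):
    """One alert per (victim, reflector /24) that crosses the threshold."""
    events = [e for e in map(parse_line, lines) if e]
    # Networks this host actually pinged: replies from them are solicited.
    pinged = {(e["src"], net24(e["dst"])) for e in events
              if e["type"] == 8 and e["out"]}
    recent = defaultdict(list)   # (victim, /24) -> [(ts, src)] inside window
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != 0 or not e["in"]:
            continue                      # only inbound echo replies matter
        key = (e["dst"], net24(e["src"]))
        if key in pinged:
            continue                      # we asked for this reply
        cutoff = e["ts"] - timedelta(seconds=window_s)
        bucket = [(t, s) for t, s in recent[key] if t >= cutoff]
        bucket.append((e["ts"], e["src"]))
        recent[key] = bucket
        hosts = {s for _, s in bucket}
        if len(hosts) >= min_hosts:       # keep updating the count as it grows
            alerts[key] = {"victim": key[0], "reflector_net": key[1],
                           "hosts": len(hosts), "last_seen": e["ts"]}
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_smurf(SAMPLE_LOG):
        print(f"smurf reflection: {a['hosts']} hosts on {a['reflector_net']} "
              f"replying to {a['victim']} (last seen {a['last_seen']:%H:%M:%S})")
```

The alert names the reflector network, which is the organization the text says to contact; the distinct-host count is what distinguishes an amplified reflection from an ordinary ping sweep or a single misdirected reply.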