LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: November 21st, 2014
Linux Security Week: November 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Preventing DDoS Attacks Print E-mail
User Rating:      How can I rate this item?
Source: Blessen Cherian - Posted by Blessen Cherian   
Article Index
Preventing DDoS Attacks
Page 2
Features In this article I am trying to explain what DDOS is and how it can be prevented. DDOS happens due to lack of security awareness of the network/server owners. On a daily basis we hear that a particular machine is under DDOS attack or NOC has unplugged the machine due to DDOS attack . So DDOS has become one of the common issues in this electronics world. DDOS is like a disease which doesn't have an anti-viral developed. So we should be carefull while dealing with it . Never take it lightly. In this article i am trying to explain the steps/measures which will help us defend from DDOS attack ,up to a certain extend .

What is a DDOS attack?

Simply said, DDOS is an advanced version of DOS attack . Like DOS , DDOS also tries to deny the important services running on a server by broadcasting packets to the destination server in a way that the Destination server cannot handle it. The speciality of the DDOS is that, it relays attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which has already been compromised.

Normally, DDOS consists of 3 parts . One is the Master ,Other the slave and atlast the victim. The master is the attack launcher ie the person/machine behind all this,sound's COOL right . The slave is the network which is being compromised by the Master and Victim is the target site/server . Master informs the compromised machines, so called slaves to launch attack on the victim's site/machine. Hence its also called co-ordinated attack.

In my term, Master is said to be the Master Brain, Slave is said to be the launch pad for the attack and Victim is the target.

How do they Do it?

DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called Intrusion Phase. Its in the next phase that they install DDOS tools and starts attacking the victims machines/site. This Phase is called Distributed DoS attacks phase.

What Allowed them to do it?

The reasons are given below :-

1) Vulnerable softwares/Applications running on a machine or network.

2) Open network setup.

3) Network/ machine setup without taking security into account.

4) No monitoring or DataAnalysis are being conducted.

5) No regular Audit / Software upgrades being conducted.

What should we do if we are under attack?

First Identify if you are really under attack. If yes, follow the below steps :

Check if your machines load is high and you have large number of HTTP process running.

 

To find the load just use the command w or uptime -

---

Eg:

Blessen@work >w 12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

---

 

To find if there is large number of HTTP process running use the command " ps -aux|grep HTTP|wc -l "

Eg:

--

[root@blessen root]# ps -aux|grep HTTP|wc -l

23

--

 

In a heavy server , the number of connection will go above 100. But during DDOS attack, the number will go even higher and thats when we need to find out from which all networks are these attacks coming. In DDOS the host machine doesn't have much importance. Its the network which is of importance here because, an attacker will use any machine on the compromised network or even will use all the machines in the network. Hence network address is of importance while fighting with the attack.

If you have high load (say 5 or more ) and you have large number of HTTP process then i would request you to do the following

 

1) At command prompt execute the below command

bash#netstat -lpn|grep :80 |awk '{print $5}'|sort

2) Check each block of ips. Like let me say , that you have more than 30 connection from a single ip. Under normal cases there is no need for that many number of connection requests from a single IP. Try to identify such ips/networks from the list you get

3) If more than 5 host/ip connects from the same network then its a clear sign of DDOS .

4) Block that ips/networks using iptables /Apf

iptables -A INPUT -s <Source IP> -j DROP

If you have apf then just add the ips which you want to block in the file /etc/apf/deny_hosts.rules

5) Keep on continuing this process untill the attack on the machine gets reduced.

 

There is no complete or perfect solution to DDOS . The logic is simple, NO softwares or measures could handle attacks from multiple servers say from 50 - 100 servers all at a time .

All that can be done is to take preventive measures .

 

How can we prevent or defend ourselves from these attacks?

Like said, Prevention is better than cure. Its very much true in the case of DDOS . In my Introduction, I had mentioned that DDOS happens because of vulnerable softwares/applications running on a machines in a particular network. Attackers use those security holes to compromise the servers in different network and install the DDOS tools (eg trinoo -DDOS tool )

To prevent DDOS in future, follow the below steps which has 12 major steps

Setup machine / network keeping security in mind (Implement Good Security policy)

Setup a firewall which does Ingress and Egress Filtering at Gateway

Eg: Steps to Install AFP

----

bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

bash# tar -zxf apf-current.tar.gz

bash# cd apf-<version number>

bash# ./install.sh

Notes: Go through the Document in the Apf and configure it for your needs. All configuration is set at conf.apf which is normally located at /etc/apf/conf.apf

Enable Anit-DOS mode in Apf (ie in conf.apf) . Also make sure that your root's cron has an entry like the one below

*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1

-----

Install IDS on your gateway/hosts to alert you when someone tries to sniff In.

Eg: AIDE

----------

(a) Wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz

(b) Untar it

tar -zxvf aide-0.7.tar.gz

(c) cd aide-0.7

(d) Then execute

./configure -with-gnu-regexp

(e) Final steps to install make;make install

(f) Now the main step..To configure AIDE.AIDE stores all its rule sets in the file called aide.conf. Lets populate it get more details of how to configure and all from man aide.conf

(g) Here I am taking an example .See below

 

Here is a sample short aide.conf:

Rule = p+i+u+g+n+s+md5

/etc p+i+u+g

/sbin Rule

/usr/local/apache/conf Rule

/var Rule

!/var/spool/.*

!/var/log/.*

In the above configuration listed , a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are folders where maximum updation takes place.

(h) After configuring AIDE should be initiated with all these rules.

For that execute aide -init

----------

Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications.

Use tools like RKDET(vancouver-webpages.com/rkdet),RKHUNTER(www.rootkit.nl) and CHKROOTKIT(www.chkrootkit.org) to find if any rootkit has been already installed and to locate the effected binaries in the machine, if any.

Please find a simple Audit check List below to be done on a Hosts

Eg: Audit Check List

---

A quick checklist:

* Software Vulnerabilities.

* Kernel Upgrades and vulnerabilities.

* Check for any Trojans.

* Run chkrootkit.

* Check ports.

* Check for any hidden processes.

* Use audittools to check system.

* Check logs.

* Check binaries and RPMS.

* Check for open email relays.

* Check for malicious cron entries.

* Check /dev /tmp /var directories.

* Check whether backups are maintained.

* Check for unwanted users, groups, etc. on the system.

* Check for and disable any unneeded services.

* Locate malicious scripts.

* Querylog in DNS.

* Check for the suid scripts and nouser scripts.

* Check valid scripts in /tmp.

* Use intrusion detection tools.

* Check the system performance.

* Check memory performance (run memtest).

---

 

Enforce and Implement Security Measures on all hosts in the network.

Machines new or old should only be allowed to run on your network, if your Security Admin or DSE (Dedicated Security Expert) member approves it with status ``OK-to go live'' after auditing the box. All Host in the network should be checked on a regular basis by your DSE team to make sure that all hosts are uptodate and can fight any attacks.

Audit network on a regular basis to see if your network is vulnerable to attacks

Use Open Source Tools like NESSUS(www.nessus.org) ,NMAP(www.insecure.org/nmap),SAINT( www.saintcorporation.com/products/saint_engine.html),SARA (www-arc.com/sara/sara.html)for auditing a network to find its vulnerabilities.

Create a DSE (Dedicated Security Expert ) Team for your company.

Collect your networks and hosts data . Analysis them and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you this move is worth the money you spend,for sure.

Implement Sysctl protection against DDOS

Eg:

----------

bash# vi /etc/sysctl.conf

add the below code:

# Enable IP spoofing protection, turn on Source Address Verification

net.ipv4.conf.all.rp_filter = 1

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

Add the below code in /etc/rc.local and restart network

for f in /proc/sys/net/ipv4/conf/*/rp_filter;

do echo 1 > done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

----------
 

Install Mod_dosevasive to your apache.

Mod_dosevasive is module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation step of mod_dosevasive in DSO mode below

 

Eg: Install Mod_dosevasive

------

bash# wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

bash# tar -zxvf mod_evasive_1.10.1.tar.gz

bash# cd mod_evasive_1.10.1

bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c

Dont get scared by the variable ``$APACHE_ROOT'' . Its nothing, but a simple variable which stores the location of the apache installation (eg $APACHE_ROOT =/usr/local/apache)

bash# vi /usr/loca/apache/conf/httpd.conf

 

After this add the below code in httpd.conf

<IfModule mod_dosevasive.c>

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10
</IfModule>
bash# /usr/loca/apache/bin/apachectl restart

------

 

Install Mod_security .

Since DDOS normally targets http. Its always good to have a filtering system for apache . So that the request gets analyzed before web server handles it. Please find the installation step of mod_security in DSO mode below

 

Eg: Installation Steps

------

bash# http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz

bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz

bash# cd modsecurity-apache-1.9.2

bash# /usr/local/apache/bin/apxs -cia mod_security.c

Create a file named mod_security.conf under the folder /usr/local/apache/conf

bash# vi /usr/local/apache/conf/mod_security.conf

Create the rule with reference to the link http://www.modsecurity.org/documentation/quick-examples.html

and add it in the mod_security.conf file.

Add the location of mod_security.conf to httpd.conf

bash# vi /usr/local/apache/conf/httpd.conf

Add the string below Include /usr/local/apache/conf/mod_security.conf

bash# /usr/local/apache/bin/apachectl stop

bash# /usr/local/apache/bin/apachectl start

-------
 

Best solution to fight DDOS to a certain extend will be to setup load balancer for your services.

Creating awareness on Security

This is the most important part. People should be Security conscious. Then only they will understand the importance of Security measures . Server owner's and users should be made aware of the issues which can rise due to bad security measures .

Conclusion

DDOS can be prevented to a certain extend, if hosts and network are secure. So I advice each server owners and network owners to implement security measures on their network ,if they want to fight against DDOS.

About this document ...

Preventing DDOS attacks

Written By
Blessen Cherian
Sr.Executive Team Member of Bobcares.com
[ Head Of Installation,Security and Networking Department ]
Poornam Info Vision Pvt Ltd

Comments
What a load of rubbish.Written by Dom De Vitto on 2006-03-17 07:53:06
Turn on RPV and cookies, install dosevasive. 
TEST, TEST, TEST. 
 
None of the rest will help.
doesnt workWritten by root on 2006-03-19 01:31:23
i dont know why, trying multiple times, this command doesn t work  
 
[root@ns etc]# ps -aux|grep HTTP|wc -l 
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ 

[root@ns etc]# ps 
 
Sr.Executive team Member of Bobcares andWritten by Blessen Cherian on 2006-03-19 15:15:34
Use the below command 
 
ps aux|grep HTTP|wc -l  
 
 
 
Eg:  
 
---------------- 
 
[root@localhost blessen]# ps aux|grep htttp 
root 3849 0.0 0.1 3752 692 pts/3 R+ 01:44 0:00 grep htttp 
[root@localhost blessen]# ps aux|grep http 
root 3732 0.1 2.9 32572 14288 ? Ss 01:40 0:00 /usr/sbin/httpd 
apache 3734 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3735 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3736 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3737 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3738 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3739 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3740 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
apache 3741 0.0 2.9 32612 14380 ? S 01:40 0:00 /usr/sbin/httpd 
[root@localhost blessen]# ps aux|grep http|wc -l 
10 
 
-----------------
Security ConsultantWritten by John D on 2006-03-24 05:22:19
Mind blowing and technically sound Article !!!. It says it all about DDOS and the how to prevent it. I have read this guys other Article named "Are your Servers Secure" and that too was a great article. Both Article had great technical contents and are well said . 
 
Lets hope he writes more.
Written by PhaseBurn on 2006-03-29 16:36:13
While I applaud you on the topic and you do provide viable measures to stop a small DDoS on your web server, I have to disagree with a lot of the other conclusions you draw here. 
 
First off, I've seen many more DDoS attacks on services OTHER than http, by a factor of over 10 to 1. Everything from DNS to IRC to pure bandwidth-based attacks lobbing packets to totally closed ports, synfloods to every daemon listening, etc, has come my general way. 
 
In the perfect world, you get a DDoS attacking a service like http, with a server powerful enough to handle it + filtering, and enough incoming bandwidth to stay afloat. If that's the case, you have a very well written guide here that everybody should follow. But I must caution people that DDoS attacks can range into the gbit/sec range and/or 1,000,000+ pps going across your router. If you simply don't have a 1 gbit/sec connection to the internet when you get hit with something like this, not much you can do on-site. Maybe your upstream can do something about it, but aside from calling them, really there isn't much you can do (this is of course assuming you don't have access to your upstream router). Likewise if you're hit with more pps (packets-per-second) than your router's CPU can handle, you can't do a whole lot either with out blocking it upstream, or upgrading the router to something that can handle the situation better. 
 
I do agree with the author that it's a whole lot better to avoid a DDoS than to build a defense against one. There are attacks that, unless you're *in* a datacenter (and a really good one, at that), can take you down if you find yourself targetted. 
 
Just my $0.02 on the subject.
Sr.Executive Team Member of Bobcares (boWritten by Blessen Cherian on 2006-03-31 07:35:57
Fiirst of all i thank you "PhaseBurn" for providing me with a great feedback with suggestion for improving my article 
 
But let me clarify . In this article i tookup Preventing DDOS on http service which is common . So my measures are based on it. If i take the complete ddos and start explaining it then it will take me ages . I hope you are understanding. 
 
SupportWritten by Support on 2006-04-29 14:47:42
got this error while make;make install 
 
---- 
tiger.c:646: warning: conflicting types for built-in function 'round' 
tiger.c:854:1: pasting "->" and "a" does not give a valid preprocessing token 
tiger.c:854:1: pasting "->" and "a" does not give a valid preprocessing token 
tiger.c:854:1: pasting "->" and "a" does not give a valid preprocessing token 
tiger.c:854:1: pasting "->" and "a" does not give a valid preprocessing token 
tiger.c:854:1: pasting "->" and "a" does not give a valid preprocessing token 
tiger.c:854:1: pasting "->" and "a" does not give a valid preprocessing token 
----------
Good one manWritten by Aroop Maliakkal on 2006-04-30 06:11:05
Nice article buddy..Good work.
Enable TCP SYN Cookie ProtectionWritten by Aroop Maliakkal on 2006-04-30 06:17:22
I haven't seen much difference on enabling TCP SYN Cookies. ANy ideas ? 
 
Can u explain how does it actually works ? 
Sysctl protectionWritten by Jeyson David Polanco on 2006-05-09 09:08:38
this method dont works on virtualized machine (I think)[1].  
i'm not sure that this rules run on Virtuozzo[2] servers that made virtual network interfaces (vnets). 
 
nt: this errors come from execute #/etc/rc.d/init.d/network restart 
 
[1] 
error: unknown error 1 setting key 'net.ipv4.conf.default.rp_filter' 
error: unknown error 1 setting key 'net.ipv4.conf.all.rp_filter' 
error: unknown error 1 setting key 'net.ipv4.tcp_syncookies' 
 
[2]SWSoft 
 
Un saludo desde Colombia mis hispano hablantes  
FractuS
Written by My name on 2007-12-09 15:00:37
This article is pretty misleading, which as someone in this field, I knew better before I started to read it, but I was curious what it was going to cover. 
 
The fact of the matter is, any large DDoS and these things are fine to do, but can actually create more processing, once the request has been made from the attacking server. The only way to PREVENT a DDoS is to either not host site(s) that will be a target of one, or find a way to secure every server in the world yourself. The problem is at the source of the attack, and that's the solution, there's no such solution for the server side. 
 
Therefore, the article blaming the network or server admin, is foolish and untrue. I realize the Indian outsource "bobcares" guys are just general support guys, but I don't think this person has any business pretending to be a security expert and claiming people can stop DDoS attacks, and if they can't, that they are to blame. 
 
A small scale DDoS is easily dealt with, but no massive DDoS attack can be dealt with in this manner. There are better ways to automate detection, instead of those lame out of the box programs and commands mentioned in this article. But, still, eventually your server's memory will run out completely after so many chains are added to drop the requests from the source. You'll end up having to block C and B classes and then if it's still large enough, you are going to have to null route the IP. 
 
The only real preventative measures that could be implemented that would actually work, are not mentioned in this article at all, and those measures are proper planning and design, which I won't get into here on my comment about this article. I simply take issue with this article based on the lack of insight by the author and their desire to try and pretend to be a security expert to drum up business, when there's really nothing workable or useful in this article, other than throwing all too common and pointless solutions that actually won't help in the circumstance of a DDoS of any significant amount. 



 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Google Removes SSLv3 Fallback Support From Chrome
Hacker Lexicon: What Is End-to-End Encryption?
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.