What is a denial-of-service (DoS) attack?
In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, web sites, online accounts (banking, etc.), or other services that rely on the affected computer.
The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you type a URL for a particular web site into your browser, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can't process your request. This is a "denial of service" because you can't access that site.
What is a distributed denial-of-service (DDoS) attack?
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a web site or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.
How a "denial of service" attack works
In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.
In a denial of service attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely.
Figures (not reproduced here): "Typical connection" and ""Denial of service" attack".
How to block a "denial of service" attack
One of the more common methods of blocking a "denial of service" attack is to set up a filter, or "sniffer," on a network before a stream of information reaches a site's Web servers. The filter can look for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the Web servers from having their lines tied up.
Enabling SYN cookies is a very simple way to defeat SYN flood attacks while using only a bit more CPU time for the cookie creation and verification. Since the alternative is to reject all incoming connections, enabling SYN cookies is an obvious choice.
tcp_syncookies can be enabled with:
# /sbin/sysctl -w net.ipv4.tcp_syncookies=1
or
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Scripts
top -b -n 1 | awk '{if (NR <=7) print; else if ($8 == "D") {print; count++} } END {print "Total status D: "count}'
top -b -d 300 >> /path/to/topfile &
ps aux|grep -i HTTP|wc -l
Determine the attacking network
Executing the following command lists the remote IP addresses with connections to port 80, sorted so that repeated addresses group together (the original used netstat -lpn, which lists only listening sockets and therefore shows no client connections):
netstat -ntp | grep :80 | awk '{print $5}' | sort
Block the attacking network
iptables -A INPUT -s <Source IP> -j DROP
'netstat' to check and show the number of connections a server has
-----------
netstat -na
Display all active Internet connections to the server; only established connections are included.
-----------
netstat -an | grep :80 | sort
Show only active Internet connections to the server on port 80 and sort the results.
------------------
netstat -n -p|grep SYN_REC | wc -l
Shows how many connections on the server are currently in the SYN_RECV state. The number should be fairly low, preferably less than 5. During a DoS attack or a mail bombing it can jump much higher. The value always depends on the system, though, so a high value may be normal on another server.
------------------
netstat -n -p | grep SYN_REC | sort -u
List all the IP addresses involved instead of just the count.
----------------
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
List all the unique IP addresses of the nodes that are sending connections in the SYN_REC state.
-------------------------
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Use netstat to count the number of connections each IP address makes to the server.
------------------------
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Count the number of connections each IP has to the server over TCP or UDP.
--------------------
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Check only ESTABLISHED connections instead of all connections, and display the connection count for each IP.
----------------------
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Show each IP address and its connection count for connections to port 80 on the server. Port 80 is used mainly for HTTP web page requests.
------------------------
Memory usage
To see only the memory resources occupied by each category of processes, such as Apache httpd, MySQL mysqld or Java, use the following command:
ps aux | awk '{print $4"\t"$11}' | sort | uniq -c | awk '{print $2" "$1" "$3}' | sort -nr
--------------------
Raid
====
tw_cli /c0 show
change the mail server ip
===========================
/sbin/iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source <ip_address>
Prevention
http://aplawrence.com/Security/ddos_prevention.html
Steps to prevent spamming in cpanel
-------------------------------------------------------
Change all default/catchall addresses from :blackhole: to :fail:
Then to change all default addresses to :fail: we’ll need to run two commands, one to change any :blackhole: settings and the other to change any default addresses that forward to another email address. First run this command in SSH …
Quote:
replace ':blackhole:' ':fail:' -- /etc/valiases/*
… this will change any :blackhole: setting to the desired :fail: setting.
Change all default/catchall addresses to :fail:
Then the second command …
Quote:
sed -i 's/^\*: [^ ]*$/*: :fail: ADDRESS DOES NOT EXIST/g' /etc/valiases/*
… this will change any setting which sends the unrouted mail to another email address to the desired :fail: setting.
Now, running this command again should reveal no results because we have just changed all settings to :fail: …
Quote:
grep '*:' /etc/valiases/* | egrep -v ':fail:'
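The two catch-all changes and the final grep check, as an added example that is not part of the original notes. It uses plain sed instead of the MySQL 'replace' utility so it runs anywhere, takes the valiases directory as a parameter, and exercises itself on a constructed copy (make_sample_valiases); run it against a copy of /etc/valiases before touching the real one.

```shell
#!/bin/sh
# Added example, not from the original notes: the two catch-all changes above
# applied with plain sed to a directory of valiases files, plus the final
# grep check. "replace" from the notes is swapped for sed.

# Step 1: turn every :blackhole: into :fail: (same effect as the notes' replace).
# Step 2: rewrite any "*: something" catch-all into the :fail: message.
fix_catchall() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -i.bak 's/:blackhole:/:fail:/g' "$f"
        sed -i.bak 's/^\*: [^ ]*$/*: :fail: ADDRESS DOES NOT EXIST/' "$f"
        rm -f "$f.bak"
    done
}

# Count catch-all lines that still route mail somewhere other than :fail:
# (the notes' final grep; 0 means every domain now rejects unrouted mail).
remaining_catchalls() {
    grep -h '^\*:' "$1"/* 2>/dev/null | grep -v ':fail:' | wc -l | tr -d ' '
}

# Constructed valiases directory: three domains in the states the notes describe
# (a :blackhole: catch-all, a forwarding catch-all, and one already at :fail:).
make_sample_valiases() {
    dir=$(mktemp -d)
    printf 'info: user@example.com\n*: :blackhole:\n' > "$dir/example.com"
    printf 'sales: user@example.net\n*: user@example.net\n' > "$dir/example.net"
    printf '*: :fail: No such user\n' > "$dir/example.org"
    echo "$dir"
}

# Stand-alone demo: ./fix-catchall.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_valiases)
    echo "before: $(remaining_catchalls "$d") catch-all(s) still routing mail"
    fix_catchall "$d"
    echo "after:  $(remaining_catchalls "$d") catch-all(s) still routing mail"
    cat "$d"/*
    rm -r "$d"
fi
```

Ordinary aliases such as "info: user@example.com" are left untouched; only the "*:" catch-all line of each file is rewritten, which is the check the last assertion makes.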
March 12th, 2006
DDOS, or Distributed Denial of Service, is an advanced version of a DOS (Denial of Service) attack. Like DOS, DDOS also tries to deny important services running on a server by sending packets to the destination server in a way that the destination server cannot handle. The speciality of DDOS is that the attack does not come from a single network/host as with DOS; it is launched from many different networks which have already been compromised.
There is no 100% perfect solution for DDOS. We can only prevent it to a certain extent by securing our networks and servers. Here I am trying to explain DDOS on HTTP, which is common in the web hosting industry.
Normally, DDOS consists of 3 parts: the master, the slave and the victim. The master is the attack launcher, i.e. the person/machine behind all this. The slave is the network that has been compromised by the master, and the victim is the target site/server. The master instructs the compromised machines, the so-called slaves, to launch the attack on the victim's site/machine. Hence it is also called a co-ordinated attack.
Here is how I see it. Master is the Master Brain, Slave is said to be the launch pad for the attack and Victim is the target.
DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called the Intrusion Phase. In the next phase they install DDOS tools and start attacking the victim's machines/site. This phase is called the Distributed DoS attack phase.
What allowed them to do it? Simple.
1. Vulnerable software/applications running on a machine or network.
2. Open network setup.
3. Network/ machine setup without taking security into account.
4. No monitoring or Data Analysis are being conducted.
5. No regular Audit / Software upgrades being conducted.
To find the load, just use the command w or uptime:
# w
 12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
To find out if there is a large number of HTTP processes running, use the command "ps -aux|grep HTTP|wc -l":
# ps -aux|grep HTTP|wc -l
23
On a heavily loaded server the number of connections will go above 100. But during a DDOS attack the number will go even higher, and that is when we need to find out from which networks the attacks are coming. In DDOS the host machine doesn't matter much; it is the network which is important, because an attacker will use any machine on the compromised network, or even all the machines in it. Hence the network address is what matters while fighting the attack.
At the command prompt execute the command below (netstat -lpn, as originally given, lists only listening sockets and shows no client connections, so -ntp is used instead):
bash# netstat -ntp | grep :80 | awk '{print $5}' | sort
Check each block of IPs. Let's assume you have more than 30 connections from a single IP. Under normal circumstances there is no need for that many connection requests from a single IP. Try to identify such IPs/networks from the list you get.
If more than 5 hosts/IPs connect from the same network then it is a clear sign of DDOS.
Block those IPs/networks using iptables / APF:
iptables -A INPUT -s <Source IP> -j DROP
If you have APF, then just add the IPs which you want to block in the file /etc/apf/deny_hosts.rules
Continue this process until the attack on the machine is reduced. There is no complete or perfect solution to DDOS. The logic is simple: no software or measure can handle attacks from multiple servers, say 50 - 100 servers, all at the same time. All that can be done is to take preventive measures.
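The per-IP and per-network checks just described, and the netstat | awk | cut | sort | uniq -c counting pipelines listed earlier, as one added example that is not part of the original notes. The functions read netstat-style text on stdin, so they are exercised here on a constructed sample (make_sample); on a real server pipe "netstat -ntp" into them instead. The thresholds (more than 30 connections from one IP, more than 5 hosts from one /24) are the ones the notes use; the DROP rules are printed for review, not executed.

```shell
#!/bin/sh
# Added example, not from the original notes: count ESTABLISHED connections to
# port 80 per remote IP and per /24 network, flag the ones over the thresholds
# the notes use, and print the matching iptables DROP rules.

# Constructed netstat -nt style output: one client with 35 connections, six
# hosts from 198.51.100.0/24, one quiet client, one half-open, one listener.
make_sample() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    i=0
    while [ "$i" -lt 35 ]; do
        printf 'tcp        0      0 10.0.0.5:80             203.0.113.9:%d       ESTABLISHED\n' $((40000 + i))
        i=$((i + 1))
    done
    for h in 11 12 13 14 15 16; do
        printf 'tcp        0      0 10.0.0.5:80             198.51.100.%d:5000     ESTABLISHED\n' "$h"
        printf 'tcp        0      0 10.0.0.5:80             198.51.100.%d:5001     ESTABLISHED\n' "$h"
    done
    printf 'tcp        0      0 10.0.0.5:80             192.0.2.44:6000         ESTABLISHED\n'
    printf 'tcp        0      0 10.0.0.5:80             192.0.2.45:6001         SYN_RECV\n'
    printf 'tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n'
}

# ESTABLISHED connections to local port 80, counted per remote IPv4 address,
# highest first (header lines, LISTEN and SYN_RECV rows are skipped).
conns_per_ip() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 == "ESTABLISHED" { split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | sort -nr
}

# Remote IPs with more than $1 connections.
flag_ips() {
    conns_per_ip | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Distinct remote hosts per /24 network (first three octets), highest first.
hosts_per_net() {
    conns_per_ip | awk '{ n = $2; sub(/\.[0-9]+$/, "", n); print n }' | sort | uniq -c | sort -nr
}

# /24 networks with more than $1 distinct hosts connected.
flag_nets() {
    hosts_per_net | awk -v lim="$1" '$1 > lim { print $2 ".0/24" }'
}

# Print, without executing, the DROP rule from the notes for each flagged IP
# ($1 = per-IP threshold) and network ($2 = hosts-per-network threshold).
drop_rules() {
    in=$(cat)
    printf '%s\n' "$in" | flag_ips "$1" | sed 's|^|iptables -A INPUT -s |; s|$| -j DROP|'
    printf '%s\n' "$in" | flag_nets "$2" | sed 's|^|iptables -A INPUT -s |; s|$| -j DROP|'
}

# Stand-alone demo: ./conncheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_sample | conns_per_ip
    make_sample | drop_rules 30 5
fi
```

The awk filter keys on the State column, so half-open (SYN_RECV) and listening sockets do not inflate the counts; only IPv4 addresses are handled, since the notes' cut -d: trick does not work on IPv6 either. Review the printed rules before applying any of them.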
Prevention is better than cure, and that is very much true in the case of DDOS. In my introduction I mentioned that DDOS happens because of vulnerable software/applications running on machines in a particular network. Attackers use those security holes to compromise servers in different networks and install DDOS tools (e.g. trinoo). To prevent DDOS in future, follow these steps.
Setup machine / network keeping security in mind (Implement Good Security policy)
Setup a firewall which does Ingress and Egress Filtering at Gateway
Steps to Install APF
bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
bash# tar -zxf apf-current.tar.gz
bash# cd apf-
bash# ./install.sh
Notes: Go through the documentation in APF and configure it for your needs. All configuration is set in conf.apf, which is normally located at /etc/apf/conf.apf
Enable Anti-DOS mode in APF (i.e. in conf.apf). Also make sure that root's cron has an entry like the one below
*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
Install an IDS on your gateway/hosts to alert you when someone tries to get in.
(a) wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz
(b) Untar it
tar -zxvf aide-0.7.tar.gz
cd aide-0.7
(d) Then execute
./configure --with-gnu-regexp
(e) Final steps to install
make; make install
(f) Now the main step: configuring AIDE. AIDE stores all its rule sets in the file aide.conf. For more details on how to configure it, see 'man aide.conf'.
(g) Here is a sample short aide.conf:
Rule = p+i+u+g+n+s+md5
/etc p+i+u+g
/sbin Rule
/usr/local/apache/conf Rule
/var Rule
!/var/spool/.*
!/var/log/.*
In this configuration, a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rule is applied to all files in /sbin, /var, and /usr/local/apache/conf because they should rarely, if ever, change. Files in /etc are checked only for changes in permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are folders where most updates take place.
(h) After configuring, AIDE should be initialised with these rules. For that, execute
aide --init
Use tools like RKDET (vancouver-webpages.com/rkdet), RKHUNTER (www.rootkit.nl) and CHKROOTKIT (www.chkrootkit.org) to find out whether a rootkit has already been installed and to locate the affected binaries on the machine, if any.
This is a simple Audit check List to check for.
* Software Vulnerabilities.
* Kernel Upgrades and vulnerabilities.
* Check for any Trojans.
* Run chkrootkit.
* Check ports.
* Check for any hidden processes.
* Use audit tools to check system.
* Check logs.
* Check binaries and RPMS.
* Check for open email relays.
* Check for malicious cron entries.
* Check /dev /tmp /var directories.
* Check whether backups are maintained.
* Check for unwanted users, groups, etc. on the system.
* Check for and disable any unneeded services.
* Locate malicious scripts.
* Querylog in DNS.
* Check for the suid scripts and nouser scripts.
* Check valid scripts in /tmp.
* Use intrusion detection tools.
* Check the system performance.
* Check memory performance (run memtest).
Machines, new or old, should only be allowed to run on your network if your Security Admin or DSE (Dedicated Security Expert) member approves them with the status "OK to go live" after auditing the box. All hosts in the network should be checked on a regular basis by your DSE team to make sure that all hosts are up to date and can withstand attacks.
Use Open Source Tools like NESSUS (www.nessus.org), NMAP(www.insecure.org/nmap), SAINT( www.saintcorporation.com/products/saint_engine.html), SARA (www-arc.com/sara/sara.html) for auditing a network to find its vulnerabilities.
Collect your network and hosts data. Analyse and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you this move is worth the money you spend, for sure.
bash# vi /etc/sysctl.conf
Add this code to this file:
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Add the code below to /etc/rc.local and restart the network (the loop needs "$f" as the target of the echo):
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
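The same two kernel settings (rp_filter on every interface and tcp_syncookies) applied with a working loop and then audited, as an added example that is not part of the original notes. The directory is a parameter so the functions can be tried on a constructed stand-in for /proc/sys/net/ipv4 (make_fake_ipv4); on a real host run them as root with no argument.

```shell
#!/bin/sh
# Added example, not from the original notes: apply and audit the sysctl
# settings above. IPV4_ROOT_DEFAULT is the real kernel path; the test
# directory built by make_fake_ipv4 mimics its layout.

IPV4_ROOT_DEFAULT=/proc/sys/net/ipv4

# Write 1 to every conf/*/rp_filter file and to tcp_syncookies under $1
# (defaults to the real /proc path).
harden_ipv4() {
    root=${1:-$IPV4_ROOT_DEFAULT}
    for f in "$root"/conf/*/rp_filter; do
        if [ -e "$f" ]; then
            echo 1 > "$f"
        fi
    done
    echo 1 > "$root/tcp_syncookies"
}

# Print how many of those files are not set to 1 (0 means fully hardened);
# a missing file counts as not hardened.
audit_ipv4() {
    root=${1:-$IPV4_ROOT_DEFAULT}
    bad=0
    for f in "$root"/conf/*/rp_filter "$root/tcp_syncookies"; do
        if [ ! -e "$f" ] || [ "$(cat "$f")" != "1" ]; then
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed stand-in for /proc/sys/net/ipv4 with everything switched off:
# the "all" and "default" entries plus two interfaces, as the kernel exposes them.
make_fake_ipv4() {
    root=$(mktemp -d)
    for iface in all default eth0 eth1; do
        mkdir -p "$root/conf/$iface"
        echo 0 > "$root/conf/$iface/rp_filter"
    done
    echo 0 > "$root/tcp_syncookies"
    echo "$root"
}

# Stand-alone demo: ./sysctl-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    r=$(make_fake_ipv4)
    echo "before: $(audit_ipv4 "$r") setting(s) off"
    harden_ipv4 "$r"
    echo "after:  $(audit_ipv4 "$r") setting(s) off"
    rm -r "$r"
fi
```

Writing the values at boot from rc.local is only half of it; the audit function is what tells you the setting actually took, which is worth running after a kernel or network-manager change since either can reset rp_filter per interface.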
mod_dosevasive is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or brute force attack. The installation steps for mod_dosevasive in DSO mode are below.
Eg: Install Mod_dosevasive
# wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -zxvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive_1.10.1
# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
“$APACHE_ROOT” is a variable that stores the location of the apache installation (eg $APACHE_ROOT =/usr/local/apache)
# vi /usr/local/apache/conf/httpd.conf
After this add the below code in httpd.conf
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
Then restart Apache
# /usr/local/apache/bin/apachectl restart
Since DDOS normally targets HTTP, it is always good to have a filtering system for Apache, so that a request gets analysed before the web server handles it. The installation steps for mod_security in DSO mode are below.
bash# wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
bash# cd modsecurity-apache-1.9.2
bash# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf
bash# vi /usr/local/apache/conf/mod_security.conf
Create the rule with reference to the link http://www.modsecurity.org/documentation/quick-examples.html and add it in the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf
bash# vi /usr/local/apache/conf/httpd.conf
by adding the string below
Include /usr/local/apache/conf/mod_security.conf
Restart apache
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl start
Optimizing the httpd.conf file
# vi /usr/local/apache/conf/httpd.conf
Change the options below as follows; the original values are shown in brackets.
MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 60 (30)
Also edit the following options too, according to the situation.
Timeout
KeepAlive
MinSpareServers
MaxSpareServers
MaxClients
Install/Configure 3rd party DDOS prevention tools
We can also use the widely trusted 3rd-party script 'DDoS-Deflate' to prevent DDOS attacks effectively.
Steps to install this script are as follows.
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh
Add the script '/usr/local/ddos/ddos.sh' to cron as follows
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1
In csf:
vi /etc/csf/csf.conf
SYNFLOOD
SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like
SYNFLOOD_RATE = "5/s"
SYNFLOOD_BURST = "3"
my eg:
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"
i.e. if 30 connections per second are received from an IP 10 times, block it. Don't keep it too strict if you are not receiving an attack, or it will generate false positives and block legitimate connections.
PORTFLOOD
PORTFLOOD = "80;tcp;100;5,22;tcp;5;300"
i.e. if an IP makes 100 connections in 5 seconds to port 80 (TCP) it is blocked from the server, and likewise if it makes 5 connections in 300 seconds to port 22.
--------------------------------------------------------------------------------------------------------
Search for the option called CT_LIMIT. By default it is CT_LIMIT=0; change this to CT_LIMIT=60, where 60 is the maximum number of connections from one IP to your server (choose this value according to your server usage).
Next search for the option called CT_PORTS. This option specifies the ports for which you want to prevent DOS attacks. Since our aim is to prevent DOS attacks on Apache (port 80), change CT_PORTS = "" to CT_PORTS = "80".
Once you have done the above, if your server has 60 established connections from one IP to Apache it is considered a DOS attack and that IP is blocked in the firewall.
Note: In CT_PORTS you can specify the ports to be protected against DOS attacks; for example, to protect the mail server, specify CT_PORTS="25". You can specify any number of ports in comma-separated format, like CT_PORTS="80,25,110".
---------------------------------------------