Preventing DDOS Attacks!!
Written by: Blessen Cherian
Published in: linuxsecurity.com
http://www.linuxsecurity.com/content/view/121960/171/
In this article I am trying to explain what DDOS is and how it can be prevented. DDOS happens due to a lack of security awareness on the part of network and server owners. On a daily basis we hear that a particular machine is under DDOS attack, or that the NOC has unplugged a machine because of a DDOS attack. So DDOS has become one of the common issues in this electronic world. DDOS is like a disease for which no cure has been developed, so we should be careful while dealing with it and never take it lightly. In this article I am trying to explain the steps and measures which will help us defend against a DDOS attack, up to a certain extent.
Simply said, DDOS is an advanced version of a DOS attack. Like DOS, DDOS also tries to deny the important services running on a server by flooding the destination server with packets in a way that it cannot handle. The speciality of DDOS is that the attack is not relayed from a single network or host, as in DOS. A DDOS attack is launched from many different networks which have already been compromised.
Normally, DDOS consists of 3 parts: the Master, the Slave and, at last, the Victim. The master is the attack launcher, i.e. the person or machine behind all this (sounds cool, right?). The slave is the network which has been compromised by the master, and the victim is the target site/server. The master instructs the compromised machines, the so-called slaves, to launch the attack on the victim's site/machine. Hence it is also called a co-ordinated attack.
In my terms, the Master is the master brain, the Slave is the launch pad for the attack and the Victim is the target.
DDOS is done in 2 phases. In the first phase the attackers try to compromise weak machines in different networks around the world. This phase is called the Intrusion Phase. It is in the next phase that they install DDOS tools and start attacking the victim's machines/site. This phase is called the Distributed DoS Attack Phase.
The reasons are given below:
1) Vulnerable software/applications running on a machine or network.
2) Open network setup.
3) Network/machine setup without taking security into account.
4) No monitoring or data analysis being conducted.
5) No regular audits or software upgrades being conducted.
First, identify whether you are really under attack. If yes, follow the steps below:
To find the load, just use the command w or uptime.
Eg:
-------------------
Blessen@work > w
12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
----------------------
To find whether a large number of httpd processes are running, use the command "ps aux | grep -c '[h]ttpd'" (the bracket pattern keeps grep from counting its own process, and the process name is httpd, not HTTP).
Eg:
-------------------
[root@blessen root]# ps aux | grep -c '[h]ttpd'
23
-------------------
On a heavily loaded server the number of connections will go above 100. But during a DDOS attack the number will go even higher, and that is when we need to find out from which networks the attacks are coming. In DDOS the individual host machine is not very important; it is the network which matters, because an attacker will use any machine on the compromised network, or even all of the machines in it. Hence the network address is what matters while fighting the attack.
1) At the command prompt execute the command below. It lists the remote address of every connection to port 80 and counts the connections per source IP (netstat -l shows only listening sockets, whose remote address is always 0.0.0.0:*, so the established connections have to be listed instead):
bash# netstat -ntp | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn
2) Check each block of IPs. Let us say that you have more than 30 connections from a single IP. Under normal conditions there is no need for that many connection requests from a single IP. Try to identify such IPs/networks from the list you get.
3) If more than 5 hosts/IPs connect from the same network, it is a clear sign of DDOS.
4) Block those IPs/networks using iptables or APF:
iptables -A INPUT -s <Source IP> -j DROP
If you have APF, just add the IPs which you want to block to the file /etc/apf/deny_hosts.rules.
5) Keep repeating this process until the attack on the machine is reduced.
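The per-IP and per-network checks in steps 1 to 3 can be scripted. The shell script below is an added example and is not part of the original article: it reads netstat-style output (a constructed sample is generated inline so the script runs offline; the column layout assumed is that of Linux "netstat -nt", with the remote address in the fifth column and the state in the sixth), counts connections per client IP on the given port, and prints the IPs at or above a per-IP threshold and the /24 networks with at least a given number of distinct client hosts. The thresholds 30 and 5 are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the original article): connection analysis of the
# kind described in steps 1 to 3, run over constructed netstat output.

# Constructed sample in the layout of Linux "netstat -nt": remote address in
# column 5, state in column 6. One client with 35 connections, six hosts from
# one /24, one ordinary client, an SSH connection and a listening socket.
gen_sample() {
    i=0
    while [ "$i" -lt 35 ]; do
        printf 'tcp 0 0 192.0.2.10:80 198.51.100.7:%d ESTABLISHED\n' "$((40000 + i))"
        i=$((i + 1))
    done
    for h in 1 2 3 4 5 6; do
        printf 'tcp 0 0 192.0.2.10:80 203.0.113.%d:5000%d ESTABLISHED\n' "$h" "$h"
    done
    printf 'tcp 0 0 192.0.2.10:80 192.0.2.55:60001 ESTABLISHED\n'
    printf 'tcp 0 0 192.0.2.10:80 192.0.2.55:60002 TIME_WAIT\n'
    printf 'tcp 0 0 192.0.2.10:22 192.0.2.99:55000 ESTABLISHED\n'
    printf 'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN\n'
}

# Connections per client IP to local port $1 (stdin: netstat output).
# Listening sockets are skipped; their "remote address" is 0.0.0.0:*.
# Output lines: "<count> <ip>", highest count first.
conns_per_ip() {
    awk -v port="$1" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5; sub(/:[^:]*$/, "", ip); count[ip]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Client IPs with at least $2 connections to port $1 (article: 30).
flag_ips() {
    conns_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# /24 networks with at least $2 distinct client hosts on port $1 (article: 5).
# conns_per_ip emits one line per distinct IP, so counting lines per /24
# counts hosts, not connections.
flag_networks() {
    conns_per_ip "$1" | awk -v t="$2" '
        { net = $2; sub(/\.[0-9]+$/, "", net); hosts[net ".0/24"]++ }
        END { for (n in hosts) if (hosts[n] >= t) printf "%d %s\n", hosts[n], n }
    ' | sort -rn
}

# On a live server, replace "gen_sample" with "netstat -nt".
echo "== connections per client IP =="; gen_sample | conns_per_ip 80
echo "== IPs with 30 or more connections =="; gen_sample | flag_ips 80 30
echo "== /24 networks with 5 or more hosts =="; gen_sample | flag_networks 80 5
```

The output of flag_ips can be fed straight into the iptables or APF block list from step 4; flag_networks is the list worth blocking as whole /24 ranges rather than host by host, which is the point the text makes about the network address mattering more than the host.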
There is no complete or perfect solution to DDOS. The logic is simple: no software or measure can handle attacks from multiple servers, say from 50 to 100 servers, all at a time. All that can be done is to take preventive measures.
As the saying goes, prevention is better than cure. It is very much true in the case of DDOS. In my introduction I mentioned that DDOS happens because of vulnerable software/applications running on machines in a particular network. Attackers use those security holes to compromise servers in different networks and install the DDOS tools (eg trinoo, a DDOS tool). To prevent DDOS in future, follow the 12 major steps below.
Eg: Steps to Install APF
----------------------
bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
bash# tar -zxf apf-current.tar.gz
bash# cd apf-<version number>
bash# ./install.sh
Notes: Go through the documentation shipped with APF and configure it for your needs. All configuration is set in conf.apf, which is normally located at /etc/apf/conf.apf. Enable Anti-DOS mode in APF (i.e. in conf.apf). Also make sure that root's cron has an entry like the one below (in /etc/crontab format, with the user field):
*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
--------------------------
Eg: AIDE
----------------------------
(a) wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz
(b) Untar it:
tar -zxvf aide-0.7.tar.gz
(c) cd aide-0.7
(d) Then execute:
./configure --with-gnu-regexp
(e) Final steps to install:
make && make install
(f) Now the main step: configuring AIDE. AIDE stores all its rule sets in the file called aide.conf. Let us populate it; more details on how to configure it are in man aide.conf.
(g) Here I am taking an example, see below.
Here is a sample short aide.conf:
Rule = p+i+u+g+n+s+md5
/etc p+i+u+g
/bin Rule
/sbin Rule
/usr/local/apache/conf Rule
/var Rule
!/var/spool/.*
!/var/log/.*
In the above configuration a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rule is applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are the folders where the most frequent updates take place.
(h) After configuring, AIDE should be initialised with all these rules. For that, execute:
aide --init
-----------------------------------
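To show what AIDE is doing under a rule set like the one above, here is an added example (not AIDE's own code and not from the original article): a minimal file-integrity baseline in shell that records mode, owner, group, size and a SHA-256 digest per file, then compares a later snapshot against the baseline and reports changed, added and removed files. It assumes GNU coreutils (stat -c and sha256sum); the directory tree, the tampering it detects, and the out-of-scope log directory are all constructed in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not AIDE's code, not from the original article): a minimal
# file-integrity baseline showing what a rule such as p+u+g+s+hash does.
# Assumes GNU coreutils (stat -c, sha256sum).

# One line per regular file under $1: "path mode uid gid size sha256".
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(stat -c '%a %u %g %s' "$f")
        printf '%s %s %s %s %s %s\n' "$f" "$1" "$2" "$3" "$4" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Compare the baseline ($1) with a newer snapshot ($2); report every difference.
compare() {
    awk '
        NR == FNR { base[$1] = $0; next }          # first file: the baseline
        {
            if (!($1 in base))        print "added   " $1
            else if (base[$1] != $0)  print "changed " $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "removed " p }
    ' "$1" "$2" | sort
}

# Constructed demo: baseline a fake etc/, tamper with it, re-check.
# As in the article's aide.conf, the log directory is deliberately out of scope.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/log"
    printf 'root:x:0:0\n'          > "$d/etc/passwd"
    printf 'PermitRootLogin no\n'  > "$d/etc/sshd_config"
    printf 'old line\n'            > "$d/log/messages"
    (cd "$d" && snapshot etc > baseline.db)          # the "aide --init" step

    printf 'PermitRootLogin yes\n' > "$d/etc/sshd_config"   # modified
    printf 'ALL: ALL\n'            > "$d/etc/hosts.allow"   # added
    rm "$d/etc/passwd"                                      # removed
    printf 'new line\n'           >> "$d/log/messages"      # out of scope: not reported
    (cd "$d" && snapshot etc > current.db)           # the "aide --check" step
    compare "$d/baseline.db" "$d/current.db"
    rm -rf "$d"
}

demo
```

The baseline file is only trustworthy if it is kept where an intruder cannot rewrite it (read-only media or a separate host), which is also why AIDE's own database should not live on the monitored system unprotected.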
Use tools like RKDET (vancouver-webpages.com/rkdet), RKHUNTER (www.rootkit.nl) and CHKROOTKIT (www.chkrootkit.org) to find whether any rootkit has already been installed and to locate the affected binaries on the machine, if any.
Please find below a simple audit checklist to be run on hosts.
Eg: Audit Check List
--------------------------
A quick checklist:
* Software vulnerabilities.
* Kernel upgrades and vulnerabilities.
* Check for any Trojans.
* Run chkrootkit.
* Check ports.
* Check for any hidden processes.
* Use audit tools to check the system.
* Check logs.
* Check binaries and RPMs.
* Check for open email relays.
* Check for malicious cron entries.
* Check the /dev, /tmp and /var directories.
* Check whether backups are maintained.
* Check for unwanted users, groups, etc. on the system.
* Check for and disable any unneeded services.
* Locate malicious scripts.
* Enable querylog in DNS.
* Check for suid scripts and scripts owned by no user.
* Check for valid scripts in /tmp.
* Use intrusion detection tools.
* Check the system performance.
* Check memory performance (run memtest).
-------------------
Machines, new or old, should only be allowed to run on your network if your Security Admin or a DSE (Dedicated Security Expert) team member approves them with the status "OK to go live" after auditing the box. All hosts in the network should be checked on a regular basis by your DSE team to make sure that all hosts are up to date and can withstand any attacks.
Use open source tools like NESSUS (www.nessus.org), NMAP (www.insecure.org/nmap), SAINT (www.saintcorporation.com/products/saint_engine.html) and SARA (www-arc.com/sara/sara.html) for auditing a network to find its vulnerabilities.
Collect your network and host data. Analyse and study it to see from where, and what kind of, attacks are coming into the network. This step will help us understand what kind of attacks we are facing and will help us strengthen the preventive measures. Let me tell you, this move is worth the money you spend, for sure.
Eg:
-----------------------------
bash# vi /etc/sysctl.conf
Add the lines below:
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Add the lines below to /etc/rc.local and restart the network. The loop writes 1 into the rp_filter file of every interface (conf/all only covers interfaces that already exist when it is set):
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-----------------------------
Mod_dosevasive (now distributed as mod_evasive) is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation steps of mod_evasive in DSO mode below.
Eg: Install mod_evasive
-------------------------
bash# wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
bash# tar -zxvf mod_evasive_1.10.1.tar.gz
bash# cd mod_evasive_1.10.1
bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
Don't get scared by the variable "$APACHE_ROOT". It is nothing but a simple variable which stores the location of the Apache installation (eg $APACHE_ROOT=/usr/local/apache).
bash# vi /usr/local/apache/conf/httpd.conf
After this, add the block below to httpd.conf. The IfModule name must match the source file compiled above (for the Apache 2 build, mod_evasive20.c, use that name instead):
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
bash# /usr/local/apache/bin/apachectl restart
-------------------------
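The DOS* directives above express a rate rule: a client is blocked once it requests the same page more than DOSPageCount times within DOSPageInterval seconds, or makes more than DOSSiteCount requests of any kind within DOSSiteInterval seconds. The shell/awk script below is an added example, not mod_evasive's own code and not code from the article: it applies that rule offline to constructed access-log lines in Apache common log format, so the effect of the numbers in the httpd.conf block can be tried against a real log before they are enabled on a live server. It assumes all log lines are from the same day (the timestamp is reduced to seconds since midnight) and, like mod_evasive, measures the interval from the previous request of the same kind, resetting the counter when the gap is too long.

```shell
#!/bin/sh
# Added example (not mod_evasive's code, not from the original article): the
# DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval rule applied
# offline to access-log lines in Apache common log format.

# Constructed log: one normal visitor, one client hammering a single page
# within one second, and one client flooding many distinct URIs in one second.
sample_log() {
    echo '198.51.100.20 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'
    echo '198.51.100.20 - - [10/Oct/2000:13:55:40 -0700] "GET /about.html HTTP/1.0" 200 1187'
    echo '198.51.100.20 - - [10/Oct/2000:13:55:47 -0700] "GET /contact.html HTTP/1.0" 200 904'
    for i in 1 2 3 4; do
        echo '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'
    done
    i=0
    while [ "$i" -lt 60 ]; do
        echo "192.0.2.77 - - [10/Oct/2000:13:56:01 -0700] \"GET /search?q=$i HTTP/1.0\" 200 512"
        i=$((i + 1))
    done
}

# detect PAGE_COUNT PAGE_INTERVAL SITE_COUNT SITE_INTERVAL   (stdin: CLF lines)
# Prints "<ip> page <uri>" or "<ip> site" for each client that would be blocked.
# Assumption: all lines are from one day, so the time is reduced to seconds
# since midnight. As in mod_evasive, the interval is measured from the previous
# request of the same kind and the counter resets once the gap is too long.
detect() {
    awk -v pc="$1" -v pint="$2" -v sc="$3" -v sint="$4" '
        function tod(s,  a) {            # "[10/Oct/2000:13:55:36" -> seconds
            sub(/^\[/, "", s); split(s, a, ":")
            return a[2] * 3600 + a[3] * 60 + a[4]
        }
        {
            ip = $1; t = tod($4); uri = $7; k = ip SUBSEP uri
            pcnt[k]  = (k in plast  && t - plast[k]  < pint) ? pcnt[k]  + 1 : 1
            scnt[ip] = (ip in slast && t - slast[ip] < sint) ? scnt[ip] + 1 : 1
            plast[k] = t; slast[ip] = t
            if (pcnt[k]  > pc && !(ip in flagged)) flagged[ip] = "page " uri
            if (scnt[ip] > sc && !(ip in flagged)) flagged[ip] = "site"
        }
        END { for (ip in flagged) print ip, flagged[ip] }
    ' | sort
}

# Same numbers as the httpd.conf block: DOSPageCount 2, DOSPageInterval 1,
# DOSSiteCount 50, DOSSiteInterval 1.
sample_log | detect 2 1 50 1
```

Running detect over a day of real access logs with the values you intend to configure shows which legitimate clients (proxies, monitoring systems, crawlers) would trip the rule; those are candidates for a DOSWhitelist entry or for raising the counts, and the answer to that question is worth having before the module starts returning 403s.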
Since DDOS normally targets HTTP, it is always good to have a filtering system for Apache, so that the request gets analysed before the web server handles it. Please find the installation steps of mod_security in DSO mode below.
Eg: Installation Steps
-------------------------
bash# wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
bash# cd modsecurity-apache-1.9.2
bash# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf:
bash# vi /usr/local/apache/conf/mod_security.conf
Create the rules with reference to the link http://www.modsecurity.org/documentation/quick-examples.html and add them to the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf:
bash# vi /usr/local/apache/conf/httpd.conf
Add the line below:
Include /usr/local/apache/conf/mod_security.conf
bash# /usr/local/apache/bin/apachectl stop
bash# /usr/local/apache/bin/apachectl start
--------------------------
This is the most important part. People should be security conscious; only then will they understand the importance of security measures. Server owners and users should be made aware of the issues which can arise due to bad security measures. DDOS can be prevented to a certain extent if hosts and networks are secure. So I advise every server owner and network owner to implement security measures on their networks if they want to fight against DDOS.
Preventing DDOS attacks
By Blessen Cherian,
Member of Executive team,
Poornam Info Vision Pvt Ltd
Bobcares.com, Poornam.com, Blessen.com