August 19th, 2008 — Preventing ddos attacks
Harden-it
Harden-it is a security tool for your Windows box that hardens the TCP/IP stack and thereby protects against denial of service attacks. It also hardens the local system, blocking many worms and other kinds of malware. Its features include enabling SYN flood protection once an attack is detected and setting a cap on the total number of connections, both free ones and those in the SYN_RCVD state. You can download Harden-it from http://www.yasc.net/hardenit.shtml.
PC tools firewall plus
PC Tools Firewall Plus is a freeware Windows firewall that gives non-sophisticated users a chance to set up the firewall easily, while still allowing advanced users to write custom packet filtering rules. Even though PC Tools Firewall Plus is a firewall for home users rather than servers, you can also use it on Windows Server 2003. Download PC Tools Firewall Plus from http://www.pctools.com/firewall/
WIPFW
WIPFW (Windows IP Firewall) is the Windows version of IPFW, the open source FreeBSD packet filtering and accounting system. IPFW consists of two parts: the firewall part, which does the packet filtering, and the IP accounting part, which tracks router usage.
You can download WIPFW here: http://sourceforge.net/project/showfiles.php?group_id=113599
August 17th, 2008 — Preventing ddos attacks, Uncategorized
mod_evasive is an Apache module designed to prevent denial of service attacks by monitoring traffic and blocking IP addresses when an attack is detected.
Installing mod_evasive
First download the mod_evasive source code from http://www.zdziarski.com/projects/mod_evasive/. Extract the package with tar zvxf mod_evasive_1.10.1.tar.gz. Before compiling you need two dependencies installed (apache2-devel and apache2-prefork). Once they are in place, compile the module with apxs: for Apache 2.0 use /usr/local/apache/bin/apxs -i -a -c mod_evasive20.c, for Apache 1.3 use /usr/local/apache/bin/apxs -i -a -c mod_evasive.c. If your apxs is not located at /usr/local/apache/bin/apxs, replace that with the path to your own Apache directory.
Next, make sure mod_evasive is loaded whenever Apache starts: open /etc/sysconfig/apache2 and add mod_evasive20 to APACHE_MODULES if you are using Apache 2.0 (just mod_evasive for Apache 1.3). Then create a file named mod_evasive.conf in your Apache directory with the following content:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
That is the most common mod_evasive configuration, and you probably don't need to change any of the values. If you are installing mod_evasive for Apache 1.3, replace <IfModule mod_evasive20.c> with <IfModule mod_evasive.c>. Now restart the Apache web server for the changes to take effect and mod_evasive to activate.
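To make the directives above concrete, here is a small model of what mod_evasive does with them. This is an added example written for this page, not code from mod_evasive itself; it follows the behaviour the module documents (a per-page hit counter reset when DOSPageInterval passes without a hit, a per-site counter for DOSSiteInterval, and a 403 block lasting DOSBlockingPeriod once DOSPageCount or DOSSiteCount is reached). The request log at the bottom is constructed.

```python
"""Model of mod_evasive's per-client request counting.

Added example for this page, not code from mod_evasive itself.  The
thresholds are those from the mod_evasive.conf above; SAMPLE_LOG is a
constructed request log of (timestamp, client ip, uri) records.
"""

CONFIG = {
    "DOSPageCount": 2,
    "DOSSiteCount": 50,
    "DOSPageInterval": 1,
    "DOSSiteInterval": 1,
    "DOSBlockingPeriod": 10,
}


class EvasiveTracker:
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page_hits = {}      # (ip, uri) -> (last_hit_ts, count)
        self.site_hits = {}      # ip -> (last_hit_ts, count)
        self.blocked_until = {}  # ip -> timestamp at which the block expires

    def request(self, ts, ip, uri):
        """Return the status an evasive-protected Apache would give: 200 or 403."""
        if ip in self.blocked_until:
            if ts < self.blocked_until[ip]:
                # a hit during the block keeps the client blocked for another full period
                self.blocked_until[ip] = ts + self.cfg["DOSBlockingPeriod"]
                return 403
            del self.blocked_until[ip]
        over_page = self._hit(self.page_hits, (ip, uri), ts,
                              self.cfg["DOSPageInterval"], self.cfg["DOSPageCount"])
        over_site = self._hit(self.site_hits, ip, ts,
                              self.cfg["DOSSiteInterval"], self.cfg["DOSSiteCount"])
        if over_page or over_site:
            self.blocked_until[ip] = ts + self.cfg["DOSBlockingPeriod"]
            return 403
        return 200

    @staticmethod
    def _hit(table, key, ts, interval, limit):
        """Count one hit; True when the counter for key had already reached limit."""
        last, count = table.get(key, (None, 0))
        if last is not None and ts - last < interval:
            if count >= limit:
                return True
            count += 1
        else:
            count = 1                       # interval elapsed: start counting afresh
        table[key] = (ts, count)
        return False


def replay(log, cfg=CONFIG):
    """Feed (timestamp, ip, uri) records through one tracker; return the statuses."""
    tracker = EvasiveTracker(cfg)
    return [tracker.request(ts, ip, uri) for ts, ip, uri in log]


# Constructed log: 10.0.0.5 hammers /index.html, 10.0.0.9 browses normally.
SAMPLE_LOG = [
    (0.00, "10.0.0.5", "/index.html"),
    (0.10, "10.0.0.5", "/index.html"),
    (0.20, "10.0.0.5", "/index.html"),   # third hit on one page within a second: 403
    (0.30, "10.0.0.5", "/about.html"),   # still blocked, block period extended
    (0.50, "10.0.0.9", "/index.html"),   # unrelated client is unaffected
    (3.00, "10.0.0.9", "/index.html"),
    (9.00, "10.0.0.5", "/index.html"),   # inside the block period: still 403
    (25.0, "10.0.0.5", "/index.html"),   # block expired: served again
]

if __name__ == "__main__":
    for rec, status in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"t={rec[0]:5.2f} {rec[1]:<10} {rec[2]:<12} -> {status}")
```

With DOSPageCount 2 and DOSPageInterval 1, the third request for the same page within one second is the first one refused, and every further hit while blocked pushes the expiry out by another DOSBlockingPeriod; raise DOSPageCount if your pages legitimately pull several resources from the same URI in quick succession.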
August 14th, 2008 — Preventing ddos attacks
Proxy shield technology puts a "wall" between the server and the internet that filters out malicious packets without you needing either a software or a hardware firewall. For an unprotected server that suddenly comes under attack, a proxy shield is probably the best solution to eliminate the attack as fast as possible. As a proxy shield is a service, not an application or a physical device, you can stop using it once the attack stops. Furthermore, proxy shields can do the job without you even having to relocate any of your data! Sounds neat? Yes, but it is expensive, too.
Using a proxy shield is only worth the money as a short term solution. If you are looking for long term security, consider investing the money in hardware and software firewalls and security consulting. Having said that, I still have to stress that proxy shields are efficient and probably one of the best solutions for a starting business or a temporary service.
How do you get a proxy shield? Some service providers:
http://www.gtcomm.net/ddos-protection.php
http://gigenet.com/ddos-protection.htm
http://www.ddosprotection.com/ddos_protection.htm
http://dragonara.net/ddos-protection.html
http://www.blockdos.net/
http://www.armoraid.com/solutions/
August 13th, 2008 — Uncategorized
Advanced Policy Firewall (APF) is, like (D)DoS Fleat, an iptables based firewall for Linux boxes. APF is powerful, yet easy to install and configure.
Installing APF
Type the following into the shell:
cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
After you have installed the firewall you will see a message like:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
Listening UDP ports: 53,55880
This is just an example of the output; these ports are not configured automatically. You have to configure the firewall manually.
Configuring APF
Open the configuration file in an editor: pico /etc/apf/conf.apf
First enable development mode in the configuration file: find DEVEL_MODE and set its value to 1.
Enabling ingress filtering
Find the line "# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD" in the configuration file. On the next line you list all the ports to which ingress filtering applies, for example:
IG_TCP_CPORTS="21,22,25,53,80,110,143"
Enabling egress filtering
Find the line "# Egress filtering [0 = Disabled / 1 = Enabled]". To enable egress filtering set EGF="1", followed by the lists of ports to which egress filtering applies. For example:
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Configuring Anti DOS
AntiDOS is a new APF feature meant to protect your system from denial of service attacks. Its configuration file is located under /etc/apf/ and its log file at /var/log/apfados_log.
Find USE_AD and set it to 1. Now make the machine run AntiDOS every 2 minutes via cron. Running it more often is not recommended because it creates a bottleneck, and running it with gaps of more than 5 minutes will most likely make it useless, so 2 minutes is the optimal setting:
*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1
You should also make APF start at boot time with chkconfig --level 2345 apf on.
After you have finished configuring the firewall, restart it with apf -r.
Now disable the development mode again by setting DEVEL_MODE to 0.
Start the firewall with /usr/local/sbin/apf -s
August 11th, 2008 — Preventing ddos attacks
(D)DoS Fleat is one of the best software based solutions for protecting your Linux box against DDoS attacks. Like many of the best things in life, (D)DoS Fleat is freeware and open source. Developed by MediaLayer, it is probably the cheapest way to defend your system. Of course a software-only solution is not enough to provide sufficient protection, but it is a start.
Installing (D)DoS Fleat is very easy. Log in to your box as root and type into the shell:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
By default (D)DoS Fleat is configured with:
FREQ=1
NO_OF_CONNECTIONS=50
APF_BAN=1
KILL=1
EMAIL_TO="root"
BAN_PERIOD=600
These values live in ddos.conf, Fleat's configuration file, and you can change them easily.
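Both the APF walkthrough above (DEVEL_MODE, IG_TCP_CPORTS, EGF, EG_TCP_CPORTS, EG_UDP_CPORTS, USE_AD in conf.apf) and Fleat's ddos.conf use the same shell-style KEY="value" lines, so one helper can make those edits and catch a mistyped port list before the firewall ever loads it. The following is an added example written for this page, not code from APF or (D)DoS Fleat; SAMPLE_CONF is a constructed excerpt in the style of conf.apf, and IG_UDP_CPORTS is assumed to follow the same list format as the other port keys.

```python
"""Edit shell-style KEY="value" configuration files with validation.

Added example for this page, not code from APF or (D)DoS Fleat.
SAMPLE_CONF is a constructed excerpt, not a copy of the real conf.apf.
"""
import re

LINE_RE = re.compile(r'^(?P<key>[A-Z_][A-Z0-9_]*)=(?P<q>"?)(?P<value>[^"]*)(?P=q)\s*$')

PORT_KEYS = {"IG_TCP_CPORTS", "IG_UDP_CPORTS", "EG_TCP_CPORTS", "EG_UDP_CPORTS"}

# The edits this page walks through for conf.apf, as key -> value.
PAGE_SETTINGS = {
    "IG_TCP_CPORTS": "21,22,25,53,80,110,143",
    "EGF": "1",
    "EG_TCP_CPORTS": "21,25,80",
    "EG_UDP_CPORTS": "20,21,53",
    "USE_AD": "1",
    "DEVEL_MODE": "0",          # turned back off once configuration is done
}

SAMPLE_CONF = """\
# constructed excerpt in the style of /etc/apf/conf.apf
DEVEL_MODE="1"
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="22"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS=""
# Common egress (outbound) UDP ports
EG_UDP_CPORTS=""
USE_AD="0"
"""


def parse_port_list(text):
    """Validate "21,22,3000_3500" (APF writes ranges with '_') -> sorted (lo, hi) tuples."""
    ports = []
    for item in (p.strip() for p in text.split(",") if p.strip()):
        lo, _, hi = item.partition("_")
        lo_n, hi_n = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.append((lo_n, hi_n))
    return tuple(sorted(ports))


def get_option(conf_text, key):
    """Value of KEY in the file, without quotes, or None if the key is absent."""
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") == key:
            return m.group("value")
    return None


def set_option(conf_text, key, value):
    """Return conf_text with KEY="value" set in place, appended if the key is missing."""
    out, found = [], False
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") == key:
            out.append(f'{key}="{value}"')
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f'{key}="{value}"')
    return "\n".join(out) + "\n"


def apply_settings(conf_text, settings=PAGE_SETTINGS):
    """Apply all settings; port lists are validated first so a typo never reaches the file."""
    for key, value in settings.items():
        if key in PORT_KEYS:
            parse_port_list(value)
        conf_text = set_option(conf_text, key, value)
    return conf_text


def check_final(conf_text):
    """Mistakes a finished conf.apf should not contain."""
    problems = []
    if get_option(conf_text, "DEVEL_MODE") != "0":
        problems.append("DEVEL_MODE is still on")
    if get_option(conf_text, "EGF") == "1" and not get_option(conf_text, "EG_TCP_CPORTS"):
        problems.append("EGF enabled but EG_TCP_CPORTS is empty")
    return problems


if __name__ == "__main__":
    updated = apply_settings(SAMPLE_CONF)
    print(updated)
    print("problems:", check_final(updated))
```

Run check_final on the real file as the last step of the procedure: it catches the two things most easily forgotten, development mode left on and egress filtering switched on with an empty port list.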
August 7th, 2008 — Attack types
In an HTTP flood the hacker sends randomized HTTP requests at the victim system. HTTP floods are hard to deal with because there is almost no way to tell legitimate requests from the ones sent by the hacker. Furthermore, unlike with ICMP flood attacks, you cannot block all HTTP traffic without making your web server inaccessible. The target of an HTTP flood is not just the server's TCP/IP stack but the web server running on it, which makes the attack much more dangerous in terms of crashing the server.
How to block and prevent HTTP flood?
The most efficient way to fight an HTTP flood is a technique called tarpitting. On Linux based systems you can tarpit an address with iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT. Tarpitting sets the connection's TCP window size to a few bytes once the connection is established. By the design of TCP/IP, the connecting device will initially only send as much data as it takes to fill the window, and then wait until the server responds. If the connecting device does not receive our response it will retransmit the packets again and again over an increasingly long period of time. The point of tarpitting is to never respond again to the packets that didn't get a response the first time (and were thereby spoofed).
August 6th, 2008 — Attack types
Using UDP (User Datagram Protocol), computers can exchange short messages called datagrams. In a UDP attack the hacker sends a large number of UDP packets with spoofed source addresses at the victim. As UDP is a connectionless protocol, no connection needs to be set up between the computers before the packets are processed. The victim system will look for an application listening on the port and, if it can't find one, will respond with an ICMP Destination Unreachable packet.
With many UDP packets sent, the victim system responds with a huge number of ICMP packets and is no longer able to respond to legitimate traffic.
How to stop and prevent UDP attack?
- Disable all unused UDP services
- Block all IP addresses sending UDP packets to ports not used by any application installed on the server.
August 5th, 2008 — Preventing ddos attacks
If you suspect that your system might be under a DDoS attack, it is definitely worth your time to investigate further and take action if necessary. Some of the symptoms of a DDoS attack (like a slow network connection) might be caused by other conditions, but if they continue over a longer period of time you can be pretty sure that this is an attack.
First check your system load with the uptime command. It prints a line that looks something like this: 18:43:32 up 9 days, 21:09, 1 user, load average: 5.33, 6.42, 14.25. If the load average is higher than usual (or, if you haven't checked it before, just ridiculously large, like over 40 for a system that is not under heavy load under normal circumstances) you can suspect a DDoS attack.
Next, check the active connections to your computer with netstat -an. Another useful command is netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n, which counts the active connections per remote IP address, sorted by count, showing which addresses take the most of your bandwidth.
Now you can see the active connections to your server and which ones take most of your resources. If you see several connections from one IP address, or a connection taking much more bandwidth than it should, add the address to the list of blocked IP addresses with route add ip-address-to-be-banned reject. After you have blacklisted all the suspicious IP addresses, kill all connections to your HTTP server and restart it with killall -KILL httpd and service httpd startssl.
Alternatively you can install a shell script that does this for you. Sadly I don't know the author of the script, so I can't name him/her. The script automatically checks for double connections from the same IP address and blocks them if it finds any. Install it with:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
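The netstat pipeline above is easy to get subtly wrong in a hurry (for example, it counts the local LISTEN sockets too). The following added example, written for this page and not the unnamed script the post mentions, does the same counting on netstat -an output, flags addresses above a threshold, and produces the route add ... reject lines for review rather than executing them. NETSTAT_OUTPUT is constructed in the format of netstat -an.

```python
"""Count simultaneous connections per remote address from netstat output.

Added example for this page; not the script the post refers to.
NETSTAT_OUTPUT is a constructed sample in the format of netstat -an.
"""
from collections import Counter

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40122      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40123      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40124      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40125      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.4:51002       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.4:51010       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""


def remote_ip(foreign):
    """'198.51.100.7:40122' -> '198.51.100.7' (the port follows the last colon)."""
    return foreign.rsplit(":", 1)[0]


def connections_per_ip(netstat_text):
    """Return a Counter of remote address -> number of sockets, like sort | uniq -c."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                         # header and blank lines
        ip = remote_ip(fields[4])
        if ip in ("0.0.0.0", "*", "::"):
            continue                         # listening sockets have no peer
        counts[ip] += 1
    return counts


def suspicious(counts, limit=50, allowlist=()):
    """Addresses holding more than limit connections (50 matches Fleat's NO_OF_CONNECTIONS)."""
    return sorted(ip for ip, n in counts.items() if n > limit and ip not in allowlist)


def block_commands(ips):
    """The route add line from the text, one per address, to review before running."""
    return [f"route add {ip} reject" for ip in ips]


if __name__ == "__main__":
    counts = connections_per_ip(NETSTAT_OUTPUT)
    for ip, n in counts.most_common():
        print(f"{n:6d} {ip}")
    # Threshold of 3 suits the tiny sample; use something like 50 on a real server.
    for cmd in block_commands(suspicious(counts, limit=3, allowlist=("203.0.113.4",))):
        print(cmd)
```

The allowlist matters in practice: your own monitoring host, a reverse proxy or a NAT gateway in front of many users will legitimately hold many connections, and blocking it would finish the denial of service for the attacker.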
August 4th, 2008 — Preventing ddos attacks
Ingress and egress filtering are firewall/network configuration methods that help secure your system from denial of service attacks. Ingress filtering controls the traffic that's entering your network; egress filtering does the same for traffic leaving it. With an ingress filtering rulebase you can sort out spoofed packets heading for your network: no packet with a private source IP address should be allowed to pass the filter. This might block some non-malicious traffic, but it ensures network safety. You can configure the filter to either silently ignore a packet detected as malicious or send a reply to the source saying it has been denied.
Egress filtering stops traffic that does not bear an IP address of your network from leaving your network. This ensures that your computers cannot be used as amplifiers for SMURF attacks. Of course you can develop more complicated rulesets, like limiting traffic by port, but just validating IP addresses on inbound and outbound traffic is almost foolproof and the easiest way to prevent DDoS attacks.
You can use a mixture of ingress and egress filtering for maximum security, or just stick to one of them. Ideally you wouldn't need egress filtering if you had a perfect ingress filter, as malicious packets couldn't enter your network and so you couldn't broadcast any spoofed packets. But we all know that nothing is perfect and it's better to have more security, so I advise implementing both.
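The two address rules described above reduce to a few lines of logic. Here they are as an added example written for this page (not a real iptables ruleset): inbound packets with a private source, or a source inside our own range, are denied as spoofed; outbound packets whose source is not one of our addresses are denied so the host cannot amplify a SMURF attack. The deny action mirrors the choice mentioned above, DROP to silently ignore or REJECT to tell the source it was denied. OUR_NETWORK and PACKETS are constructed.

```python
"""Source-address checks for ingress and egress filtering.

Added example, not a real firewall ruleset.  OUR_NETWORK and PACKETS are
constructed for the example.
"""
import ipaddress

OUR_NETWORK = ipaddress.ip_network("192.0.2.0/24")   # constructed: our own public range

# Sources that have no business arriving on the internet-facing interface.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8",                                     # loopback
    "0.0.0.0/8",                                       # "this network"
)]


def ingress_check(src, our_net=OUR_NETWORK):
    """Reason a packet arriving from the internet with source src is denied, or None."""
    addr = ipaddress.ip_address(src)
    if addr in our_net:
        return "spoofed: claims an address inside our own network"
    if any(addr in r for r in PRIVATE_RANGES):
        return "spoofed: private source address on the external interface"
    return None


def egress_check(src, our_net=OUR_NETWORK):
    """Reason a packet leaving our network with source src is denied, or None."""
    addr = ipaddress.ip_address(src)
    if addr not in our_net:
        return "spoofed: source is not one of our addresses (SMURF amplification)"
    return None


def filter_packet(direction, src, deny_action="DROP"):
    """Return 'ACCEPT' or '<deny_action>: <reason>' for one packet ('in' or 'out')."""
    reason = ingress_check(src) if direction == "in" else egress_check(src)
    return "ACCEPT" if reason is None else f"{deny_action}: {reason}"


# Constructed packets: (direction, source address).
PACKETS = [
    ("in", "203.0.113.9"),     # ordinary inbound traffic
    ("in", "10.1.2.3"),        # private source cannot legitimately come from the internet
    ("in", "192.0.2.5"),       # our own address arriving from outside: spoofed
    ("out", "192.0.2.9"),      # our host talking to the internet
    ("out", "198.51.100.1"),   # foreign source leaving our network: amplification attempt
]

if __name__ == "__main__":
    for direction, src in PACKETS:
        print(f"{direction:<3} {src:<15} {filter_packet(direction, src, 'REJECT')}")
```

In a real deployment the ingress rule belongs on the external interface only: the same private addresses are perfectly normal on the inside, which is why the direction matters as much as the address.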
August 4th, 2008 — Attack types
Most operating systems up to 1998 defined the maximum size of a ping packet as 64 bytes. In a ping of death attack the hacker sent packets larger than 64 bytes to the system to crash it. This vulnerability is fixed in all modern operating systems, making it a rather historical bug, though still worth examining. Even though packets that large were not allowed by the network protocol, they could be sent in fragments and caused a buffer overflow while the receiving system reassembled them. A buffer overflow means that an application tries to store more data than it is allowed in the memory space defined for it, thereby pushing the additional bytes to random locations in the computer's memory. Ping of death attacks were especially dangerous because most operating systems were vulnerable and the attacker didn't need any information about the target system other than its IP address. As all the requests could be spoofed, identifying the attacker was nearly impossible.
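The fix that closed this bug was a single bounds check in the reassembly code. The following added example, written for this page and not taken from any operating system, shows a reassembler with and without that check: the IP header can describe a datagram of at most 65535 bytes, so the reassembly buffer is that size, and a fragment whose offset plus length goes past it must be refused. Offsets here are plain byte offsets (real IP fragment offsets are in 8-byte units) and the fragments are constructed, not captured packets.

```python
"""Bounds-checked IP fragment reassembly.

Added example illustrating the bug described above; not code from any
operating system.  NORMAL_PING and PING_OF_DEATH are constructed fragment
lists of (byte offset, payload, more_fragments_flag).
"""
MAX_IP_PACKET = 65535   # largest datagram the 16-bit IP total-length field can express


class FragmentOverflow(ValueError):
    """A fragment would be written past the end of the reassembly buffer."""


class Reassembler:
    def __init__(self, check_bounds=True, limit=MAX_IP_PACKET):
        self.check_bounds = check_bounds
        self.limit = limit
        self.buf = bytearray(limit)   # fixed-size reassembly buffer
        self.received = 0
        self.total_len = None

    def add(self, offset, payload, more_fragments):
        """Copy one fragment in; return True once the whole datagram has arrived."""
        end = offset + len(payload)
        if self.check_bounds and end > self.limit:
            raise FragmentOverflow(f"fragment ends at {end}, past the {self.limit}-byte buffer")
        # With check_bounds=False the bytearray silently grows: the Python stand-in
        # for the C buffer overflow, where the extra bytes landed in adjacent memory.
        self.buf[offset:end] = payload
        self.received += len(payload)
        if not more_fragments:
            self.total_len = end          # the last fragment fixes the datagram length
        return self.total_len is not None and self.received >= self.total_len


def reassemble(fragments, check_bounds=True):
    """Feed fragments through a Reassembler; return (datagram length, buffer size)."""
    r = Reassembler(check_bounds)
    for offset, payload, more in fragments:
        if r.add(offset, payload, more):
            return r.total_len, len(r.buf)
    raise ValueError("datagram incomplete")


# A normal 1500-byte ping split across two fragments.
NORMAL_PING = [(0, b"A" * 1480, True), (1480, b"A" * 20, False)]
# 45 fragments of 1480 bytes: 66600 bytes in total, more than the buffer can hold.
PING_OF_DEATH = [(i * 1480, b"B" * 1480, i < 44) for i in range(45)]

if __name__ == "__main__":
    print("normal ping:", reassemble(NORMAL_PING))
    print("oversized, unchecked:", reassemble(PING_OF_DEATH, check_bounds=False))
    try:
        reassemble(PING_OF_DEATH)
    except FragmentOverflow as exc:
        print("oversized, checked:", exc)
```

The unchecked variant ends with a buffer of 66600 bytes, 1065 more than it was allocated; in the C implementations of the time those bytes overwrote whatever followed the buffer, which is exactly the overflow the text describes.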
Even though the ping of death attack in its literal sense is dead, a modern day equivalent is simply sending more ping requests to the victim than their system can handle, thereby causing a denial of service.