Preventing DDoS attacks

Free tools to protect your Windows box from DDoS attacks

Harden-it

Harden-it is a security tool for your Windows box that hardens the TCP/IP stack and thereby provides protection from denial of service attacks. It also hardens the local system, thereby blocking many worms and other sorts of malware. Some of Harden-it's features include enabling SYN flood protection once an attack is detected and specifying the maximum total number of free connections plus those in the SYN_RCVD state. You can download Harden-it from http://www.yasc.net/hardenit.shtml.


PC Tools Firewall Plus

PC Tools Firewall Plus is freeware Windows firewall software that gives non-sophisticated users a chance to set up the firewall easily, while still allowing advanced users to write custom packet filtering rules. Even though PC Tools Firewall Plus is a firewall intended for home users rather than servers, you can also use it on Windows Server 2003. Download PC Tools Firewall Plus from http://www.pctools.com/firewall/


WIPFW

WIPFW (Windows IP Firewall) is the Windows version of IPFW, the open source FreeBSD packet filtering and accounting system. IPFW consists of two parts: a firewall part that does packet filtering and an IP accounting part that tracks the use of the router.

You can download WIPFW here: http://sourceforge.net/project/showfiles.php?group_id=113599

Using mod_evasive to protect your Linux box

mod_evasive is an Apache module designed to prevent denial of service attacks by monitoring traffic and blocking IP addresses when an attack is detected.


Installing mod_evasive

The first thing you must do is download the mod_evasive source code from http://www.zdziarski.com/projects/mod_evasive/. After downloading the package, extract it using tar zvxf mod_evasive_1.10.1.tar.gz. Once you have unpacked the files you are almost ready to compile mod_evasive, but you must have two dependencies installed (apache2-devel and apache2-prefork). Once those dependencies are in place, compile the mod_evasive20.c file. For Apache 2.0 use /usr/local/apache/bin/apxs -i -a -c mod_evasive20.c and for Apache 1.3 use /usr/local/apache/bin/apxs -i -a -c mod_evasive.c. If your Apache is not located at /usr/local/apache, replace that part with the path to your Apache directory.

Next you must make sure mod_evasive is loaded whenever Apache is started. To do that, locate /etc/sysconfig/apache2 and add mod_evasive20 to APACHE_MODULES if you are using Apache 2.0, or just mod_evasive if you are using Apache 1.3. Once you have done that, create a file named mod_evasive.conf in your Apache configuration directory with the following content:

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>

That's the most common mod_evasive configuration, and you probably don't need to change any of the values. If you are installing mod_evasive into Apache 1.3, replace <IfModule mod_evasive20.c> with <IfModule mod_evasive.c>. Now restart the Apache web server for the changes to take effect and mod_evasive to activate.
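To make the thresholds above concrete, here is a small model of how mod_evasive counts hits and blocks clients, added here as an example in Python and not the module's own code. It assumes the documented behaviour: a per-page and a per-site counter that restart once DOSPageInterval or DOSSiteInterval seconds have passed since the previous hit, and a block whose DOSBlockingPeriod timer restarts on every further request from the blocked client.

```python
# Thresholds taken from the mod_evasive.conf above.
DOS_PAGE_COUNT, DOS_PAGE_INTERVAL = 2, 1      # same URI, per second
DOS_SITE_COUNT, DOS_SITE_INTERVAL = 50, 1     # any URI, per second
DOS_BLOCKING_PERIOD = 10                      # seconds of 403 after tripping


class EvasiveModel:
    """Simplified, constructed model of mod_evasive's bookkeeping (not the
    module's own code): one counter per (ip, uri), one per ip, and a block
    list whose timer is renewed every time a blocked client sends a request."""

    def __init__(self):
        self.page_hits = {}   # (ip, uri) -> [last_seen, count]
        self.site_hits = {}   # ip        -> [last_seen, count]
        self.blocked = {}     # ip        -> time the block was last set

    @staticmethod
    def _hit(table, key, now, interval, limit):
        """Record a hit; True if `limit` was exceeded within `interval` seconds
        of the previous hit (the window restarts once the last hit is that old)."""
        entry = table.get(key)
        if entry is None:
            table[key] = [now, 1]
            return False
        last, count = entry
        if now - last >= interval:
            count = 0                     # stale window: start over
        count += 1
        entry[0], entry[1] = now, count
        return count > limit

    def request(self, ip, uri, now):
        """Return the status the model would answer with: 200 or 403."""
        if ip in self.blocked:
            if now - self.blocked[ip] < DOS_BLOCKING_PERIOD:
                self.blocked[ip] = now    # still blocked; the timer restarts
                return 403
            del self.blocked[ip]
        page_over = self._hit(self.page_hits, (ip, uri), now, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site_over = self._hit(self.site_hits, ip, now, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


if __name__ == "__main__":
    # Constructed burst: a third hit on the same page within one second trips DOSPageCount=2.
    m = EvasiveModel()
    print([m.request("198.51.100.7", "/index.html", t) for t in (0.0, 0.2, 0.4)])  # [200, 200, 403]
```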

What is Proxy Shield and how to get one

Proxy shield technology puts a "wall" between the server and the internet that filters out all the malicious packets, without you having to run either a software or a hardware firewall. For an unprotected server that suddenly comes under attack, a proxy shield is probably the best solution to eliminate the attack as fast as possible. As a proxy shield is a service, not an application or a physical device, you can stop using it once the attack stops. Furthermore, proxy shields can do the job without you even having to relocate any of your data! Sounds neat? Yes, but it is just as expensive.

Using a proxy shield is only worth the money as a short-term solution. If you are looking for long-term security, consider investing the money in hardware and software based firewalls and security consulting. Having said this, I still have to stress that proxy shields are efficient and probably one of the best solutions for a starting business or a temporary service.

How do you get a proxy shield? I'll list some service providers:

http://www.gtcomm.net/ddos-protection.php

http://gigenet.com/ddos-protection.htm

http://www.ddosprotection.com/ddos_protection.htm

http://dragonara.net/ddos-protection.html

http://www.blockdos.net/

http://www.armoraid.com/solutions/

Using (D)DoS Deflate to protect your Linux system

(D)DoS Deflate is one of the best software based solutions for protecting your Linux box against DDoS attacks. Like many of the best things in life, (D)DoS Deflate is free and open source. Developed by MediaLayer, it is probably the cheapest solution to defend your system. Of course a software-only solution is not enough to provide sufficient protection, but it is a start.

Installing (D)DoS Deflate is very easy. Start by logging in to your box as root and type into the shell:

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod 0700 install.sh

./install.sh

By default (D)DoS Deflate is configured as follows in ddos.conf, its configuration file:

FREQ=1
NO_OF_CONNECTIONS=50
APF_BAN=1
KILL=1
EMAIL_TO="root"
BAN_PERIOD=600

You can change these settings easily.

Identifying and stopping a DDoS attack on a Linux box

If you suspect that your system might be under a DDoS attack, it is definitely worth your time to investigate further and take action if necessary. Some of the symptoms of a DDoS attack (like a slow network connection) might be caused by other conditions, but if they continue over a longer period of time you can be pretty sure that this is an attack.

First check your system load using the uptime command. This will give you a line that looks something like this: 18:43:32 up 9 days, 21:09, 1 user, load average: 5.33, 6.42, 14.25. If the load average is bigger than usual (or, if you haven't checked it before, just ridiculously large, like over 40 for a system that is not under heavy load under normal circumstances) you can suspect a DDoS attack.

Next, check the active connections to your computer. You can do that with the netstat -an command. Another useful command is netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n, which counts the connections per remote IP address, so that the hosts holding the most connections (and typically taking the most bandwidth) end up at the bottom of the list.

Now you can see the active connections to your server and the ones that take most of your resources. If you see several connections from one IP address, or some connection taking much more bandwidth than it should, add that address to the list of blocked IP addresses using the command route add ip-address-to-be-banned reject. After you have blacklisted all the suspicious IP addresses, kill all connections to your HTTP server and restart it using killall -KILL httpd and service httpd startssl.
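The counting that the netstat pipeline above does, combined with the NO_OF_CONNECTIONS threshold from the (D)DoS Deflate configuration, as an added example in Python (not the page's shell one-liner or Deflate's own script). It runs over a constructed netstat -an sample and splits each peer on the last colon, so an IPv6 peer is not cut off the way cut -d: -f1 would cut it.

```python
from collections import Counter

# NO_OF_CONNECTIONS from the ddos.conf defaults above: more simultaneous
# connections than this from one address is treated as an attack.
NO_OF_CONNECTIONS = 50


def remote_ips(netstat_output):
    """Yield the peer address of every tcp/udp line of `netstat -an` output,
    like the grep/awk/cut pipeline above, but splitting on the *last* colon
    so IPv6 peers survive, and skipping listening sockets (peer port "*")."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        addr, _, port = fields[4].rpartition(":")
        if port == "*":
            continue
        yield addr


def count_connections(netstat_output):
    """Connections per remote address: the `sort | uniq -c` step."""
    return Counter(remote_ips(netstat_output))


def suspicious_ips(netstat_output, limit=NO_OF_CONNECTIONS):
    """Addresses holding more than `limit` connections, busiest first:
    these are the candidates for the block list."""
    return [ip for ip, n in count_connections(netstat_output).most_common() if n > limit]


def constructed_netstat(flood_ip="198.51.100.7", flood_count=60):
    """Constructed `netstat -an` output (not captured from a real host):
    a few normal sockets plus `flood_count` half-open connections from one peer."""
    normal = (
        "Active Internet connections (servers and established)\n"
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN\n"
        "tcp6       0      0 :::22                   :::*                    LISTEN\n"
        "tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED\n"
        "tcp6       0      0 ::ffff:192.0.2.10:80    2001:db8::1:40002       ESTABLISHED\n"
        "udp        0      0 0.0.0.0:123             0.0.0.0:*\n"
    )
    flood = "".join(f"tcp        0      0 192.0.2.10:80           {flood_ip}:{50000 + i}      SYN_RECV\n"
                    for i in range(flood_count))
    return normal + flood


if __name__ == "__main__":
    sample = constructed_netstat()
    print(count_connections(sample).most_common(3))
    print("ban candidates:", suspicious_ips(sample))   # ['198.51.100.7']
```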

Alternatively you can install a shell script to do that for you. Sadly I don't know the author of the script, so I can't name him/her. What the script does is automatically check for multiple connections from the same IP address and block them if it finds any. Install it using

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod 0700 install.sh

./install.sh

Ingress and Egress Filtering

Ingress and egress filtering are firewall/network configuration methods that help secure your system from denial of service attacks. Ingress filtering controls the traffic that is entering your network; egress filtering does the same for traffic leaving your network. Using an ingress filtering rulebase you can sort out all the spoofed packets heading for your network: no packets with a private source IP address should be allowed to pass the filter. This might block some non-malicious traffic, but it ensures network safety. You can configure the filter to either silently drop a packet that has been detected as malicious or send a reply back to the source saying it has been denied.

Egress filtering restricts traffic not bearing an IP address of your network from heading out of your network. This ensures that your computers cannot be used as amplifiers for SMURF attacks. Of course you can develop more complicated rulesets, like limiting traffic by port, but just validating IP addresses for inbound and outbound traffic is almost foolproof and the easiest way to prevent DDoS attacks.

You can use a mixture of ingress and egress filtering for maximum security, or just stick to one of them. Ideally you wouldn't need egress filtering if you had a perfect ingress filter, as malicious packets couldn't enter your network and thereby you couldn't broadcast any spoofed packets. But we all know that nothing is perfect and it's better to have more security, so I advise implementing both.
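The two address checks described above, written out as an added example in Python (not code from the page or from any particular firewall). The network 192.0.2.0/24 stands in for your own allocation, and the ingress rule goes slightly beyond the private-address rule in the text by also dropping inbound packets that claim one of your own addresses as their source, since those cannot legitimately arrive from outside.

```python
import ipaddress

# Our own allocation (constructed example address space; substitute your own).
OUR_NETWORK = ipaddress.ip_network("192.0.2.0/24")

# Source addresses that can never legitimately arrive from the Internet:
# RFC 1918 private space plus loopback, link-local and "this network".
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def ingress_allowed(src):
    """Inbound rule: drop packets whose source is a bogon, and also packets
    that claim to come from our own network (they cannot arrive from outside)."""
    ip = ipaddress.ip_address(src)
    if ip in OUR_NETWORK:
        return False
    return not any(ip in net for net in BOGON_SOURCES)


def egress_allowed(src):
    """Outbound rule: only packets bearing one of our own addresses may leave,
    so a compromised host here cannot emit spoofed traffic (e.g. as a SMURF amplifier)."""
    return ipaddress.ip_address(src) in OUR_NETWORK


def filter_packets(packets):
    """Apply the rules to (direction, source) pairs; returns (direction, source, verdict)."""
    verdicts = []
    for direction, src in packets:
        ok = ingress_allowed(src) if direction == "in" else egress_allowed(src)
        verdicts.append((direction, src, "allow" if ok else "deny"))
    return verdicts


if __name__ == "__main__":
    # Constructed packets: a legitimate visitor, an RFC 1918 spoof, a packet spoofing
    # one of our own addresses from outside, and two outbound packets.
    sample = [("in", "198.51.100.7"), ("in", "10.1.2.3"), ("in", "192.0.2.77"),
              ("out", "192.0.2.5"), ("out", "203.0.113.9")]
    for verdict in filter_packets(sample):
        print(*verdict)
```

On a real border these checks are expressed as per-interface firewall rules (for example iptables -A INPUT -i <wan-if> -s 10.0.0.0/8 -j DROP on the ingress side) rather than a Python loop.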