Harden-it is a security tool for your Windows box to harden the TCP/IP stack and thereby provide protection from denial of service attacks. It also hardens your local system thereby blocking many worms and other sort of malware. Some of Harden-it features include enabling SYN flood protection once the attack is detected and specifying the maximum total amount of both free connections plus those in the SYN_RCVD state. You can download Harden-it from http://www.yasc.net/hardenit.shtml.

PC tools firewall plus

PC tools firewall plus is a freeware Windows firewall software that allows none-sophisticated users a change to setup the firewall easily however allows advanced users to write custom packet filtering rules.  Even though PC tools firewall plus is a firewall rather for home user than server you can also use it on Windows Server 2003. Download PC tools firewall plus from http://www.pctools.com/firewall/

WIPFW

WIPFW (Windows IP Firewall) is Windows version of open source FreeBSD project, IPFW, a packet filtering and accounting system. IPFW consists of 2 parts – firewall part that does packet filtering and IP accounting part that tracks the use of router.

You can download WIPFW here: http://sourceforge.net/project/showfiles.php?group_id=113599

Using proxy shield is only worth the money as a short term solution. However if you are looking for a long time security, consider investing the money in hardware and software based firewall and security consulting. Having said this I still have to stress, that proxy shields are efficient and probably one of the best solutions for a starting business or temporary service.

How to get Proxy wall? I’ll list some service providers as follows:

http://www.gtcomm.net/ddos-protection.php

http://gigenet.com/ddos-protection.htm

http://www.ddosprotection.com/ddos_protection.htm

http://dragonara.net/ddos-protection.html

http://www.blockdos.net/

http://www.armoraid.com/solutions/

Installing APF

Type the following into shell:

cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh

After you have installed the firewall you will see a message: “Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
  Listening UDP ports: 53,55880“. This is just an output example, these ports are not auto configured. You have to configure the firewall manually.

Configuring APF

pico /etc/apf/conf.apf

At first you must enable development mode in the firewall configuration file. To do that, you must find DEVEL_MODE and set its value to 1.

Enabling ingress filtering

Find line # Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD from configuration file. In next line you can list all the ports to which you want to apply ingress filtering, for example:
IG_TCP_CPORTS=”21,22,25,53,80,110,143″

Enabling egress filtering

Find line # Egress filtering [0 = Disabled / 1 = Enabled]. To enable egress filtering set EGF=”1″ followed by the list of ports where egress filtering will be applied. For example:

# Common egress (outbound) TCP ports

EG_TCP_CPORTS=”21,25,80″

#

# Common egress (outbound) UDP ports

EG_UDP_CPORTS=”20,21,53″

Configuring Anti DOS

AntiDOS is a new feature to APF, which is meant to protect your system from Denial of Service attacks. The configuration file is located at /etc/apf/and log file at /var/log/apfados_log.

Find USE_AD and set it to 1. Now make the machine rune AntiDOS in every 2 minutes. It is not recommended to run it more often because it will create a bottleneck. Running it with more than 5 minutes gaps will most likely blank it’s use, thereby 2 minutes it the most optimal setting.

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

You should also make APF start at boot time with chkconfig –level 2345 apf on

After you have finished configuring the firewall restart it with apf –r.

Now disable the development mode again by setting DEVEL_MODE to 0.

Start the firewall with /usr/local/sbin/apf -s

Installing (D)DoS fleat is very easy. Start by logging to your box as a root and type into schell:

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod 0700 install.sh

./install.sh

By default (D)DoS fleat is configured to

FREQ=1
NO_OF_CONNECTIONS=50
APF_BAN=1
KILL=1
EMAIL_TO=”root”
BAN_PERIOD=600

In ddos.conf – Fleats configuration file. You can change these settings easily.   

How to block and prevent HTTP flood?

The most efficient way o fight HTTP flood is a technique called tarpitting. You can enable tarpitting on Linux based systems by iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT . Tarpitting automatically sets connections window size to few bytes once it is established. According to TCP/IP protocol design, the connecting device will initially only send as much data to target as it takes to fill the window until the server responds. If the connecting device does not receive out response it will start sending the packets again and again over longer period of time. The point of tarpitting is not to respond again to the packets, that didn’t get the response at first time (and were thereby spoofed).

With many UDP packets sent, the victim system will respond with a huge amount of ICMP packets thereby not being able to respond to legimate traffic.

How to stop and prevent UDP attack?

1.  Disable all unused UDP services
2. Block all IP addresses sending UDP packets to ports not used by any application installed to the server.

First you should check your system load using uptime command. This will give you a line that looks something like this:  18:43:32 up 9 days, 21:09, 1 user, load average: 5.33, 6.42, 14.25. If the load average is bigger than usually (or if you haven’t checked it before – just ridiculously large like over 40 for a system that is not under heavy load under normal circumstances) you can suspect ddos attack.

Next thing you should do is check the active connections to your computer. You can do that with netstat -an command.  Some other useful commands include netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort –n which lists the connections taking most bandwidth.

Now you can see active connections to your server and the ones that take the most of your resources. If you can see several connections from one IP address or some connection taking much more bandwidth than it should add it to the list of blocked IP addresses using command route add ip-address-to-be-banned reject. After you have blacklisted all the suspicious IP addresses kill all connections to your HTTP server and restart it using killall -KILL httpd and service httpd startssl.

Alternatively you can install a shell script to do that for you. Sadly I don’t know the author of the script, so I can’t name him/her. What that script does is it automatically checks for double connections from same IP address and blocks them if it finds any. Install it using

wget http://www.inetbase.com/scripts/ddos/install.sh

chmod 0700 install.sh

./install.sh

Egress filtering restricts traffic not bearing an IP address of your network from heading out of your network. This ensures that your computer cannot be used as an amplifier for SMURF attacks. Of cause you can develop more complicated rulesets like limiting traffic by ports but just validating IP addresses for inbound and outbound traffic is almost foolproof and easiest way to prevent Ddos attacks.

You can use mixture of ingress and egress filtering for your maximum security or just stick to one of them. Ideally you wouldn’t need egress filtering if you have a perfect ingress filter as malicious packets can’t enter your network and thereby you can’t broadcast any spoofed packets. But we all know that nothing is perfect and it’s better to have more security, thereby I advise to implement both.