
In this article I try to explain what DDOS is and how it can be prevented. DDOS happens because of a lack of security awareness on the part of network and server owners. Every day we hear that some machine is under DDOS attack, or that the NOC has unplugged a machine because of one, so DDOS has become one of the most common problems in the electronic world. DDOS is like a disease for which no cure has been developed, so we should be careful when dealing with it and never take it lightly. In this article I try to explain the steps and measures that will help us defend against a DDOS attack, up to a certain extent.
What is a DDOS attack?
Simply put, DDOS is an advanced version of a DOS attack. Like DOS, DDOS tries to deny the important services running on a server by flooding the destination server with packets faster than it can handle them. The speciality of DDOS is that the attack is not relayed from a single network or host as in DOS; it is launched from many different, dynamic networks that have already been compromised.
Normally a DDOS setup consists of three parts: the master, the slaves and the victim. The master is the attack launcher, i.e. the person or machine behind it all (sounds cool, right?). The slaves are the machines on networks that have been compromised by the master, and the victim is the target site or server. The master instructs the compromised machines, the so-called slaves, to launch the attack on the victim's site or machine; hence it is also called a coordinated attack.
In my terms, the master is the mastermind, the slaves are the launch pad for the attack and the victim is the target.
How do they do it?
DDOS is carried out in two phases. In the first phase the attackers compromise weak machines on different networks around the world; this is called the intrusion phase. In the next phase they install DDOS tools on those machines and start attacking the victim's machines or site; this is called the distributed DoS attack phase.
What allowed them to do it?
The reasons are given below:
1) Vulnerable software/applications running on a machine or network.
2) Open network setup.
3) Network or machine set up without taking security into account.
4) No monitoring or data analysis being conducted.
5) No regular audits or software upgrades being conducted.
What should we do if we are under attack? First identify whether you are really under attack. If yes, follow the steps below:
Check if your machine's load is high and you have a large number of HTTP processes running.
To find the load just use the command w or uptime.
Eg:
---
Blessen@work >w
12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
---
To find whether a large number of HTTP processes are running, use the command " ps aux | grep -i http | wc -l " (the -i makes the match case-insensitive so that httpd processes are counted; the grep itself adds one to the count).
Eg:
--
[root@blessen root]# ps aux | grep -i http | wc -l
23
--
On a heavily loaded server the number of connections can go above 100, but during a DDOS attack the number goes far higher, and that is when we need to find out from which networks the attacks are coming. In DDOS the individual host does not matter much; it is the network that matters, because an attacker will use any machine on the compromised network, or even all of the machines on it. Hence the network address is what matters when fighting the attack.
If you have a high load (say 5 or more) and a large number of HTTP processes, I would request you to do the following:
1) At the command prompt execute the command below. It lists the peer address of every connection to port 80, strips the port and prints a count per IP, largest last:
bash# netstat -ntu | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
2) Check each block of IPs. Say, for example, that you have more than 30 connections from a single IP; under normal circumstances there is no need for that many connection requests from one IP. Try to identify such IPs or networks in the list you get.
3) If more than 5 hosts/IPs connect from the same network, it is a clear sign of DDOS.
4) Block those IPs or networks using iptables or APF:
iptables -A INPUT -s <Source IP> -j DROP
If you have APF, just add the IPs you want to block to the file /etc/apf/deny_hosts.rules.
5) Keep repeating this process until the attack on the machine subsides.
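As an added illustration of steps 1) to 4) above (example code written for this article, not part of the original), the script below parses rows in netstat -ntu layout, counts connections per peer IP and distinct hosts per /24, applies the thresholds the article names (more than 30 connections from one IP, more than 5 hosts from one network) and renders the same iptables DROP rule for each offender. The sample rows, the /24 network boundary and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict


def parse_web_peers(netstat_lines, local_port=80):
    """Peer IPv4 address of every connection to local_port, from rows in
    `netstat -ntu` layout: proto recv-q send-q local foreign state."""
    peers = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or not fields[3].endswith(f":{local_port}"):
            continue
        host = fields[4].rsplit(":", 1)[0]
        try:
            peers.append(ipaddress.IPv4Address(host))
        except ipaddress.AddressValueError:
            continue  # IPv6 or unparsable: out of scope for this example
    return peers


def find_offenders(peers, per_ip=30, hosts_per_net=5, prefix=24):
    """The article's two heuristics: more than per_ip connections from one IP,
    or more than hosts_per_net distinct hosts from one /prefix network."""
    per_ip_count = Counter(peers)
    hosts_in_net = defaultdict(set)
    for ip in per_ip_count:
        hosts_in_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    bad_nets = sorted(n for n, h in hosts_in_net.items() if len(h) > hosts_per_net)
    bad_ips = sorted(ip for ip, n in per_ip_count.items()      # skip IPs a net rule covers
                     if n > per_ip and not any(ip in net for net in bad_nets))
    return bad_ips, bad_nets


def iptables_rules(bad_ips, bad_nets):
    """The DROP rule the article uses, one per offender, networks first."""
    return [f"iptables -A INPUT -s {x} -j DROP" for x in list(bad_nets) + list(bad_ips)]


def _conns(peer, count, port=40000):
    # Constructed rows in netstat -ntu layout; peers are documentation address ranges.
    return [f"tcp 0 0 10.0.0.5:80 {peer}:{port + i} ESTABLISHED" for i in range(count)]


SAMPLE = (_conns("203.0.113.10", 35)                                  # 35 hits from one IP
          + [r for h in range(20, 28) for r in _conns(f"198.51.100.{h}", 2)]  # 8 hosts in one /24
          + _conns("192.0.2.7", 3)                                     # an ordinary visitor
          + ["tcp 0 0 10.0.0.5:22 192.0.2.9:50000 ESTABLISHED"])       # ssh, not port 80

if __name__ == "__main__":
    print("\n".join(iptables_rules(*find_offenders(parse_web_peers(SAMPLE)))))
```

On a live box, feed it the real output with something like netstat -ntu | python3 thisscript.py adapted to read stdin, and review the rules before applying them.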
There is no complete or perfect solution to DDOS. The logic is simple: no software or measure can handle attacks from, say, 50 to 100 servers all at the same time. All that can be done is to take preventive measures.
How can we prevent or defend ourselves from these attacks?
As the saying goes, prevention is better than cure, and this is very true in the case of DDOS. In the introduction I mentioned that DDOS happens because of vulnerable software/applications running on machines in a particular network. Attackers use those security holes to compromise servers on different networks and install DDOS tools (eg trinoo, a DDOS tool).
To prevent DDOS in future, follow the 12 major steps below.
1) Set up a firewall that does ingress and egress filtering at the gateway.
Eg: Steps to install APF
----
bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
bash# tar -zxf apf-current.tar.gz
bash# cd apf-<version number>
bash# ./install.sh
Notes: Go through the documentation shipped with APF and configure it for your needs. All configuration is set in conf.apf, which is normally located at /etc/apf/conf.apf.
Enable anti-DOS mode in APF (i.e. in conf.apf). Also make sure that root's cron has an entry like the one below (the line carries a user field, so it belongs in the system crontab /etc/crontab rather than in a crontab -e entry):
*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
2) Install an IDS on your gateway/hosts to alert you when someone tries to sniff in.
Eg: AIDE
----------
(a) Fetch the source:
wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz
(b) Untar it:
tar -zxvf aide-0.7.tar.gz
(c) cd aide-0.7
(d) Then execute:
./configure --with-gnu-regexp
(e) Final steps to install:
make; make install
(f) Now the main step: configuring AIDE. AIDE stores all its rule sets in the file aide.conf. Let's populate it; man aide.conf gives the full details of how to configure it.
(g) Here I am taking an example. Here is a sample short aide.conf:
Rule = p+i+u+g+n+s+md5
/bin Rule
/etc p+i+u+g
/sbin Rule
/usr/local/apache/conf Rule
/var Rule
!/var/spool/.*
!/var/log/.*
In the configuration listed above, a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s) and md5 checksum (md5). This rule is applied to all files in /bin, /sbin, /var and /usr/local/apache/conf because they should rarely, if ever, change. Files in /etc are checked only for changes in permissions, inode, user and group because their size may change, but the other attributes shouldn't. Files and directories in /var/spool and /var/log are not checked because those are the folders where most updates take place.
(h) After configuring, AIDE's database must be initialised with these rules. For that execute:
aide --init
Keep the resulting database and aide.conf on read-only media or on another host: an attacker who can alter the binaries can just as easily alter the baseline they are compared against.
3) Conduct regular audits on each host on the network to find installations of DDOS tools or vulnerable applications.
Use tools like RKDET (vancouver-webpages.com/rkdet), RKHUNTER (www.rootkit.nl) and CHKROOTKIT (www.chkrootkit.org) to find whether a rootkit has already been installed and to locate the affected binaries on the machine, if any.
Please find below a simple audit checklist to run on your hosts.
Eg: Audit Check List
---
A quick checklist:
* Software Vulnerabilities.
* Kernel Upgrades and vulnerabilities.
* Check for any Trojans.
* Run chkrootkit.
* Check ports.
* Check for any hidden processes.
* Use audittools to check system.
* Check logs.
* Check binaries and RPMS.
* Check for open email relays.
* Check for malicious cron entries.
* Check /dev /tmp /var directories.
* Check whether backups are maintained.
* Check for unwanted users, groups, etc. on the system.
* Check for and disable any unneeded services.
* Locate malicious scripts.
* Querylog in DNS.
* Check for suid scripts and nouser (unowned) files.
* Check valid scripts in /tmp.
* Use intrusion detection tools.
* Check the system performance.
* Check memory performance (run memtest).
4) Enforce and implement security measures on all hosts in the network.
Machines, new or old, should be allowed onto your network only if your security admin or a DSE (Dedicated Security Expert) team member approves them with the status ``OK to go live'' after auditing the box. All hosts in the network should be checked regularly by your DSE team to make sure they are up to date and can withstand attacks.
5) Audit the network regularly to see whether it is vulnerable to attacks.
Use open-source tools like NESSUS (www.nessus.org), NMAP (www.insecure.org/nmap), SAINT (http://www.saintcorporation.com/prod...ine.html) and SARA (www-arc.com/sara/sara.html) to audit a network and find its vulnerabilities.
6) Create a DSE (Dedicated Security Expert) team for your company.
7) Collect data from your networks and hosts. Analyse and study it to see where the attacks on the network are coming from and what kind they are. This step helps us understand what kind of attacks we are facing and strengthen the preventive measures. Let me tell you, this move is worth the money you spend on it, for sure.
8) Implement sysctl protection against DDOS.
Eg:
----------
bash# vi /etc/sysctl.conf
add the lines below:
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Apply them immediately with sysctl -p. Also add the lines below to /etc/rc.local and restart the network:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
9) Install mod_dosevasive (now distributed as mod_evasive) into your Apache.
mod_dosevasive is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or a brute-force attack. Please find the installation steps for mod_dosevasive in DSO mode below.
Eg: Install Mod_dosevasive
------
bash# wget http://r00tsecurity.org/xfer/?r=http://www.nuclearelephant.com/projects/...
bash# tar -zxvf mod_evasive_1.10.1.tar.gz
bash# cd mod_evasive_1.10.1
bash# $APACHE_ROOT/bin/apxs -iac mod_evasive.c
Don't get scared by the variable ``$APACHE_ROOT''. It is nothing but a simple variable that stores the location of the Apache installation (eg $APACHE_ROOT=/usr/local/apache).
bash# vi /usr/local/apache/conf/httpd.conf
After this add the lines below to httpd.conf. The IfModule test names the source file compiled above; if you built mod_evasive20.c for Apache 2, test for that name instead. Apache does not accept comments after a directive on the same line, so the explanations sit on their own lines:
<IfModule mod_evasive.c>
# size of the per-child hit table
DOSHashTableSize 3097
# requests for the same page within DOSPageInterval seconds before the client is blocked
DOSPageCount 2
# requests for any page on the site within DOSSiteInterval seconds before the client is blocked
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
# seconds a blocked client keeps getting 403; the timer restarts on every retry
DOSBlockingPeriod 10
</IfModule>
bash# /usr/local/apache/bin/apachectl restart
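To see what those directive values mean in practice, here is an added Python model of the module's blocking logic (my own simplification of mod_evasive's documented behaviour, written for this article and not the module's source), fed a constructed request stream. With DOSPageCount 2 and DOSPageInterval 1 the third hit on the same page inside one second is refused, and the client stays refused for DOSBlockingPeriod seconds, with the period renewed each time it retries; the counting rule "the (limit+1)-th hit inside the window trips the block" is an assumption of this model.

```python
# Thresholds copied from the httpd.conf fragment above.
PAGE_COUNT, SITE_COUNT = 2, 50         # DOSPageCount, DOSSiteCount
PAGE_INTERVAL, SITE_INTERVAL = 1, 1    # DOSPageInterval, DOSSiteInterval (seconds)
BLOCKING_PERIOD = 10                   # DOSBlockingPeriod (seconds)


class EvasiveModel:
    """Simplified model of the module's hit table (an assumption, not its source):
    one counter per IP+URI, one per IP, and a block list refreshed on every retry."""
    def __init__(self):
        self.hits = {}     # key -> [count, last_seen]
        self.blocked = {}  # ip -> time the block was (re)applied

    def _over_limit(self, key, limit, interval, now):
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [1, now]
            return False
        count, last = entry
        if now - last >= interval:
            count = 0              # window expired, count afresh
        over = count >= limit      # the (limit+1)-th hit inside the window trips it
        self.hits[key] = [count + 1, now]
        return over

    def request(self, ip, uri, now):
        """HTTP status the model gives one request from ip for uri at time now."""
        if ip in self.blocked and now - self.blocked[ip] < BLOCKING_PERIOD:
            self.blocked[ip] = now  # retrying while blocked extends the block
            return 403
        page_over = self._over_limit(f"{ip} {uri}", PAGE_COUNT, PAGE_INTERVAL, now)
        site_over = self._over_limit(f"{ip} *", SITE_COUNT, SITE_INTERVAL, now)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


def simulate(requests):
    """Run (time, ip, uri) tuples, sorted by time, through a fresh model."""
    model = EvasiveModel()
    return [model.request(ip, uri, t) for t, ip, uri in requests]


# Constructed request stream: client A hammers one page, client B browses normally.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.10", "/index.html"), (0.1, "192.0.2.7", "/index.html"),
    (0.2, "203.0.113.10", "/index.html"), (0.4, "203.0.113.10", "/index.html"),
    (3.0, "192.0.2.7", "/index.html"), (5.0, "203.0.113.10", "/about.html"),
    (15.5, "203.0.113.10", "/index.html"),
]
```

Running simulate(SAMPLE_REQUESTS) shows client A refused on its third hit at 0.4 s, still refused at 5.0 s (which restarts its 10-second block), and served again at 15.5 s, while client B is never touched.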
10) Install mod_security.
Since DDOS normally targets HTTP, it is always good to have a filtering system for Apache so that each request gets analysed before the web server handles it. Please find the installation steps for mod_security in DSO mode below.
Eg: Installation Steps
------
bash# wget http://r00tsecurity.org/xfer/?r=http://www.modsecurity.org/download/mods...
bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
bash# cd modsecurity-apache-1.9.2
bash# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf:
bash# vi /usr/local/apache/conf/mod_security.conf
Create the rules with reference to http://www.modsecurity.org/documentation/quick-examples.html and add them to the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf:
bash# vi /usr/local/apache/conf/httpd.conf
Add the line below:
Include /usr/local/apache/conf/mod_security.conf
bash# /usr/local/apache/bin/apachectl stop
bash# /usr/local/apache/bin/apachectl start
11) The best solution for fighting DDOS, to a certain extent, is to set up a load balancer for your services.
12) Create awareness of security.
This is the most important part. People should be security conscious; only then will they understand the importance of security measures. Server owners and users should be made aware of the issues that can arise from poor security.
Conclusion
DDOS can be prevented to a certain extent if hosts and networks are secure. So I advise every server owner and network owner to implement security measures on their networks if they want to fight DDOS.