DDoS and SYN_RECV Attacks and Some Solutions
Posted in: zjnq.com Date: March 11th, 2010

Latest attacks such as IP spoofing and such really make me feel so helpless.
I found a couple of tweaks, hacks and scripts for this purpose.
These may or may not help.
If I did something wrong, mods can delete the subject if they like.
Just wanna share what I found.
Maybe you guys can give us some solutions and what to do in case of SYN flood attacks or DDoS.
At least minimize the chances of kids that have scripts in hand attacking the server.
Any advice in terms of DC, software or hardware, any solutions, will help the whole community I guess.
This script is really perfect for stopping SYN floods; please, someone solve the warning problem (got a bogus error) and the script is perfect!
Many thanks to gorsan from ev1forums.
Here is the script, please solve the warning problem.
#!/usr/bin/perl
use strict;
use warnings;
####################
# controls number of connections to the server from single ip
# blocks ip if there are > $allowed connections
###################
# delay between checks (in sec)
my $delay = 60;
# number of allowed connections from single ip
my $allowed = 150;
# time of the last block (0 = nothing blocked yet); initialised so the
# first check does not raise an "uninitialized value" warning
my $blocked = 0;
# connections per remote ip, rebuilt on every check
my %u;
open(STDERR, ">", "load.log") or die "cannot open load.log: $!";
print STDERR "load balancer starting " . `date`;
if (fork) { exit(0); }
$SIG{ALRM} = 'IGNORE';
while (1) {
    sleep($delay);
    check_load();
}
sub check_load {
    # an hour after a block, restart the firewall to clear the deny rules
    if ($blocked && (time - $blocked) > 3600) {
        system("apf -r");
        my $cdate = localtime(time);
        print STDERR "$cdate firewall restart load: " . `date`;
        $blocked = 0;
        return;
    }
    undef(%u);
    # read the netstat output through a pipe (the original had no "|" and no <CONN>)
    open(my $conn, "-|", "netstat -an") or die "cannot run netstat: $!";
    my @conn = <$conn>;
    close($conn);
    foreach my $c (@conn) {
        # tcp line: local address on port 80, remote address captured in $2
        if ($c =~ m!^tcp +\d+ +\d+ +(\d{1,13}\.\d{1,13}\.\d{1,13}\.\d{1,13}):80 +(\d{1,13}\.\d{1,13}\.\d{1,13}\.\d{1,13}):\d+!) {
            $u{$2}++;
        }
    }
    my $t = 0;
    foreach my $i (keys %u) {
        $t += $u{$i};
        if ($u{$i} > $allowed) {
            system("apf -d $i");
            $blocked = time;
            my $cdate = localtime(time);
            print STDERR "$cdate blocked: $i ( $u{$i} ) total connections: $t load: " . `uptime`;
        }
    }
}
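The counting that the Perl script above does (connections per remote IP on port 80 from "netstat -an"), as an added Python example that is not part of the original post. It also counts the SYN_RECV entries separately, since a SYN flood shows up as half-open connections rather than established ones, and it only returns the offenders instead of calling "apf -d" on them. The netstat output and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Matches one "netstat -an" TCP line: proto, queues, local addr:port,
# remote addr:port, state (IPv4 only, like the Perl script on this page).
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


def count_by_source(netstat_lines, local_port=80):
    """Count connections to local_port per remote IP.

    Returns {ip: {"total": n, "syn_recv": m}}.  "total" counts every
    state (as the Perl script does); "syn_recv" counts only half-open
    connections, the ones a SYN flood leaves behind.
    """
    counts = defaultdict(lambda: {"total": 0, "syn_recv": 0})
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m or int(m.group("lport")) != local_port:
            continue
        entry = counts[m.group("raddr")]
        entry["total"] += 1
        if m.group("state") == "SYN_RECV":
            entry["syn_recv"] += 1
    return dict(counts)


def over_threshold(counts, allowed):
    """Return the IPs with more than `allowed` connections, busiest first.

    The Perl script hands each of these to "apf -d"; here they are only
    returned so the caller decides what to do with them.
    """
    hot = [ip for ip, c in counts.items() if c["total"] > allowed]
    return sorted(hot, key=lambda ip: counts[ip]["total"], reverse=True)


# Constructed sample of "netstat -an" output (documentation-range
# addresses; not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
""".splitlines()


if __name__ == "__main__":
    counts = count_by_source(SAMPLE_NETSTAT)
    for ip in over_threshold(counts, allowed=3):
        c = counts[ip]
        print(f"{ip}: {c['total']} connections, {c['syn_recv']} in SYN_RECV")
```

With a real host, feed it the output of `netstat -an` (or `ss -tan`, whose columns differ and would need the regex adjusted) and pick the threshold from what the server normally sees, since a large office NAT can legitimately hold many connections from one address.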
Another quote from WHT:
Here is my advice....
Just use this command and find out the IPs from which the DoS attack is coming:
netstat -apn | grep :80 | awk '{print $5}' | sort
The above command will display all the IPs connected to the box. Find out the IPs which have the most connections and block them using iptables.
----------
eg : iptables -A INPUT -s <IP-to-block> -j DROP
----------
Now let's get into the process of preventing this DoS attack
##################################################
1) Execute this bash script to set everything up to prevent the DoS attack
-----------------------------------------
#!/bin/bash
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
rm -f /root/.dyn*
echo "Setting kernel tcp parameters to reduce DoS effects"
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
#ANTISPOOFING
for a in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 1 > $a
done
##
#NO SOURCE ROUTE
for z in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > $z
done
#SYN COOKIES
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo $ICMP_ECHOREPLY_RATE > /proc/sys/net/ipv4/icmp_echoreply_rate
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# 0 = ignore ICMP redirects; accepting them lets a spoofed redirect change our routes
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# NUMBER OF CONNECTIONS TO TRACK
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
# Set default policies
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X
### chain to DROP too many SYN-s (created before INPUT refers to it) ######
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -d 127.0.0.0/8 -j REJECT
# the INVALID drop and the SYN check must come before the blanket eth0 ACCEPT;
# placed after it they never see a packet, and the syn-flood chain is never reached
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
-------------------------------------------------------
##################################################
2) Install apf (a very good firewall)
Installation steps below
-------------------------------------------
Login to your server through SSH and su to the root user.
1. cd /root/downloads or another temporary folder where you store your files.
2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3. tar -xvzf apf-current.tar.gz
4. cd apf-0.9.3_3/ or whatever the latest version is.
5. Run the install file: ./install.sh
You will receive a message saying it has been installed
.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
6. Let's configure the firewall: pico /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
Stop the firewall from automatically starting at boot time, possibly locking yourself out of your server!
We recommend changing this back to "1" after you've had a chance to ensure everything is working well and tested the server out.
FIND: DEVM="1"
CHANGE TO: DEVM="0"
We like to use DShield.org's "block" list of top networks that have exhibited
suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
7. Configuring Firewall Ports:
Cpanel Servers
We like to use the following on our Cpanel Servers
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 30000_35000 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,30000_35000"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Ensim Servers
We have found the following can be used on Ensim Servers - although we have not tried these ourselves as I don't run Ensim boxes.
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Save the changes: Ctrl+X then Y
8. Starting the firewall
/usr/local/sbin/apf -s
Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|--start ............. load firewall policies
-r|--restart ........... flush & load firewall
-f|--flush|--stop ...... flush firewall
-l|--list .............. list chain rules
-st|--status ........... firewall status
-a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
-d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
---------------------------------------------------
##################################################
3) Install the Apache module called mod_dosevasive to prevent DoS attacks. This will make sure that Apache doesn't crash.
---------------------------------------------------
Installation is really easy.... I have tested it.....
=================================================
HOW TO INSTALL
APACHE v1.3
-----------
Without DSO Support: (not our case, because most of the servers that we support have DSO enabled)
1. Extract this archive into src/modules in the Apache source tree
2. Run ./configure --add-module=src/modules/dosevasive/mod_dosevasive.c
3. make, install
4. Restart Apache
With DSO Support, Ensim, or CPanel: (this is what we should do)
1. $APACHE_ROOT/bin/apxs -iac mod_dosevasive.c
2. Restart Apache
APACHE v2.0
-----------
1. Extract this archive
2. Run $APACHE_ROOT/bin/apxs -i -a -c mod_dosevasive20.c
3. The module will be built and installed into $APACHE_ROOT/modules, and loaded into your httpd.conf
4. Restart Apache
==============================================
How to configure it?
===========================================
CONFIGURATION
mod_dosevasive has default options configured, but you may also add the
following block to your httpd.conf:
APACHE v1.3
-----------
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
APACHE v2.0
-----------
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
Optionally you can also add the following directives:
DOSEmailNotify you@yourdomain.com
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
You will also need to add this line if you are building with dynamic support:
APACHE v1.3
-----------
AddModule mod_dosevasive.c
APACHE v2.0
-----------
LoadModule dosevasive20_module modules/mod_dosevasive20.so
(This line is already added to your configuration by apxs)
DOSHashTableSize
----------------
The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_dosevasive.c for a list
of primes used).
DOSPageCount
------------
This is the threshold for the number of requests for the same page (or URI)
per page interval. Once the threshold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.
DOSSiteCount
------------
This is the threshold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.
DOSPageInterval
---------------
The interval for the page count threshold; defaults to 1 second intervals.
DOSSiteInterval
---------------
The interval for the site count threshold; defaults to 1 second intervals.
DOSBlockingPeriod
-----------------
The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking
period; in the event of a DoS attack, this timer will keep getting reset.
DOSEmailNotify
--------------
If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.
NOTE: Be sure MAILER is set correctly in mod_dosevasive.c
(or mod_dosevasive20.c). The default is "/bin/mail -t %s" where %s is
used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.
DOSSystemCommand
----------------
If this value is set, the system command specified will be executed
whenever an IP address becomes blacklisted. This is designed to enable
system calls to ip filter or other tools. A locking mechanism using /tmp
prevents continuous system calls. Use %s to denote the IP address of the
blacklisted IP.
WHITELISTING IP ADDRESSES
As of version 1.8, IP addresses of trusted clients can be whitelisted to
ensure they are never denied. The purpose of whitelisting is to protect
software, scripts, local searchbots, or other automated tools from being
denied for requesting large amounts of data from the server. Whitelisting
should *not* be used to add customer lists or anything of the sort, as this
will open the server to abuse. This module is very difficult to trigger
without performing some type of malicious attack, and for that reason it is
more appropriate to allow the module to decide on its own whether or not
an individual customer should be blocked.
To whitelist an address (or range) add an entry to the Apache configuration in the following fashion:
DOSWhitelist 127.0.0.1
DOSWhitelist 127.0.0.*
Wildcards can be used on up to the last 3 octets if necessary. Multiple DOSWhitelist commands may be used in the configuration.
TWEAKING APACHE
The keep-alive settings for your children should be reasonable enough to keep each child up long enough to resist a DOS attack (or at least part of one). For every child that exits, another 5-10 copies of the page may get through before putting the attacker back into '403 Land'. With this said, you should have a very high MaxRequestsPerChild, but not unlimited as this will prevent cleanup.
You'll want to have a MaxRequestsPerChild set to a non-zero value, as DosEvasive cleans up its internal hashes only on exit. The default MaxRequestsPerChild is usually 10000. This should suffice in only allowing a few requests per 10000 per child through in the event of an attack (although if you use DOSSystemCommand to firewall the IP address, a hole will no longer be open in between child cycles).
================================================
You can download it from
http://www.nuclearelephant.com/projects/dosevasive/mod_dosevasive.1.8.tar.gz
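The syn-flood chain in the bash script quoted above rate-limits with `-m limit --limit 100/second --limit-burst 150`. The token-bucket model below is an added Python example (not netfilter's code and not from the original post) showing what that rule does to a burst of SYNs: the first 150 pass, then only 100 per second, and the rest fall through to the LOG and DROP rules. The second function summarises the kernel log lines the LOG rule writes by source address, which is the first thing to look at when the prefix starts appearing in the logs. The log lines and addresses are constructed. Keep in mind that the chain only sees traffic an INPUT rule sends to it, for example `-A INPUT -p tcp --syn -j syn-flood`.

```python
import re
from collections import Counter


class LimitMatch:
    """Token-bucket model of iptables `-m limit --limit R/second --limit-burst B`.

    The bucket starts full with B tokens and refills at R tokens per second,
    never above B.  A packet matches (here: hits the RETURN rule and is let
    through) when a token is available; otherwise it does not match and falls
    through to the LOG and DROP rules.  Simplified model written for this
    page, not netfilter's own implementation.
    """

    def __init__(self, rate_per_sec=100.0, burst=150):
        self.rate = float(rate_per_sec)
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def matches(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_syn_flood_chain(arrival_times, rate_per_sec=100.0, burst=150):
    """Feed SYN arrival timestamps (seconds, ascending) through the chain
    and return (returned, logged_and_dropped)."""
    limit = LimitMatch(rate_per_sec, burst)
    returned = dropped = 0
    for t in arrival_times:
        if limit.matches(t):
            returned += 1
        else:
            dropped += 1
    return returned, dropped


# SRC= field of the lines written by `-j LOG --log-prefix "SYN flood: "`.
SRC_RE = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})")


def top_sources(log_lines, prefix="SYN flood: "):
    """Count the SRC= address of LOG lines carrying the prefix, busiest first."""
    hits = Counter()
    for line in log_lines:
        if prefix in line:
            m = SRC_RE.search(line)
            if m:
                hits[m.group(1)] += 1
    return hits.most_common()


# Constructed sample log lines in the shape the LOG target writes
# (documentation-range addresses; not captured from a real host).
SAMPLE_LOG = [
    "Mar 11 10:00:01 web kernel: SYN flood: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN",
    "Mar 11 10:00:01 web kernel: SYN flood: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN",
    "Mar 11 10:00:02 web kernel: SYN flood: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80 SYN",
    "Mar 11 10:00:02 web sshd[123]: Accepted publickey for admin from 203.0.113.9",
]


if __name__ == "__main__":
    # 200 SYNs in the same instant, then 120 more one second later
    burst = [0.0] * 200 + [1.0] * 120
    print(run_syn_flood_chain(burst))   # (250, 70)
    print(top_sources(SAMPLE_LOG))
```

Because the limit match counts packets, not sources, a flood from a single address also throttles legitimate SYNs from everyone else once the bucket is empty; that is why the log summary matters, and why per-source limiting (or upstream filtering, as a later reply in this thread points out) is needed for anything larger than the link can absorb.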
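The threshold rules described in the mod_dosevasive CONFIGURATION section above (DOSPageCount per DOSPageInterval, DOSSiteCount per DOSSiteInterval, DOSBlockingPeriod with its timer reset on every request, and DOSWhitelist), as a simplified Python model added here. It is not the module's own code; the per-hit bookkeeping (a counter that restarts after an interval of silence) is an approximation of the behaviour the README describes, and the client addresses and request stream are constructed. It shows why the defaults of DOSPageCount 2 and DOSPageInterval 1 block the third hit on the same page inside a second, and why a blocked client that keeps retrying stays blocked.

```python
class DosEvasiveModel:
    """Simplified model of the documented mod_dosevasive rules."""

    def __init__(self, page_count=2, site_count=50, page_interval=1.0,
                 site_interval=1.0, blocking_period=10.0, whitelist=()):
        self.page_count = page_count
        self.site_count = site_count
        self.page_interval = page_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)
        self.hits = {}      # key -> [last_seen, hits_in_current_interval]
        self.blocked = {}   # ip -> time of the last request made while blocked

    def _hit(self, key, now, interval, limit):
        """Record one hit for key; True if it goes past `limit` per interval."""
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [now, 1]
            return False
        last, count = entry
        if now - last >= interval:    # quiet for a whole interval: start over
            count = 0
        over = count >= limit          # this hit would be number limit+1
        entry[0], entry[1] = now, count + 1
        return over

    def request(self, ip, uri, now):
        """Return the status (200 or 403) the model gives a request at `now`."""
        if ip in self.whitelist:       # DOSWhitelist: never denied
            return 200
        blocked_at = self.blocked.get(ip)
        if blocked_at is not None:
            if now - blocked_at < self.blocking_period:
                self.blocked[ip] = now         # DOSBlockingPeriod timer reset
                return 403
            del self.blocked[ip]
        # both counters are always updated, so a page hit also counts for the site
        page_over = self._hit((ip, uri), now, self.page_interval, self.page_count)
        site_over = self._hit((ip, "*"), now, self.site_interval, self.site_count)
        if page_over or site_over:
            self.blocked[ip] = now
            return 403
        return 200


# Constructed request stream: (time, client ip, uri), documentation-range IPs.
SAMPLE_REQUESTS = [
    (0.0, "198.51.100.7", "/index.php"),
    (0.1, "198.51.100.7", "/index.php"),
    (0.2, "198.51.100.7", "/index.php"),   # third hit on one page within 1 s
    (0.3, "198.51.100.7", "/other.php"),   # blocked, and the timer restarts
    (5.0, "198.51.100.7", "/index.php"),   # 4.7 s since last request: still blocked
    (16.0, "198.51.100.7", "/index.php"),  # 11 s of silence: block has expired
    (20.0, "203.0.113.5", "/a"),
    (20.1, "203.0.113.5", "/b"),
    (20.2, "203.0.113.5", "/c"),           # different pages: under DOSPageCount
]


def replay(requests, **config):
    """Run a request stream through a fresh model and return the statuses."""
    model = DosEvasiveModel(**config)
    return [model.request(ip, uri, t) for t, ip, uri in requests]


if __name__ == "__main__":
    for (t, ip, uri), status in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(f"t={t:5.1f} {ip:14} {uri:12} -> {status}")
```

Running it against a realistic access log (one tuple per request) is a quick way to see whether a given DOSPageCount would have blocked the site's own users, for example a page that loads several resources from the same URI, before turning the module on.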
vB uses TCP inbound port 80 and/or port 443 if you use secure https for your forums. As long as you have those ports enabled vB will work fine.
Do you happen to know if the add-ons Links & Downloads Manager and FlashChat use other ports?
ThePlanet have something, which I asked about last night
You have most definitely come to the right place! The Planet has impeccable DDoS mitigation/intrusion detection. I implore you to read up on our new Cisco Guard XT 5650 DDoS Mitigation Appliance from Cisco Systems.
This is an extremely valuable tool, and it is bundled with each and every dedicated server at The Planet.
As I had a DDoS yesterday, the 27th.. which lasted 3 hours :(
The problem with DDoS is you really need your upstream to take care of it. If you don't have a cooperative upstream, you're screwed. It doesn't matter how many firewalls you're running; if the speed of the attack exceeds the speed of your ethernet drop (if you have a 100 megabit ethernet drop from your upstream, say EV1, and the attack is more than 100 megabits, it doesn't matter how many firewalls you put in front of your server, your ethernet link is maxed out).
Their policy on handling this is the same as any other provider: horrible.
working is there some tests I can do ..
These are my port settings should I add some more?
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082, 2083,2086,2087$
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
How do I turn on anti-DoS, whereabouts in the conf is it :cool:
Could I shut down the server if it is having DDoS attacks? What do you do to do that, and start it back up?
DDoS attack, what do you do?
mili
ev1 is probably much better, with good security updates on the server.
I've been reading the ev1 forum daily and DDoS or Apache port 80 attacks are still common headaches.
I was thinking about a hardware firewall such as the
Juniper Netscreen 5-GT
What do you all say?
Best advice :)
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082, 2083,2086,2087$
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
Can someone please answer this?
Do these settings interfere with vbulletin in any way?
If you have any other info about this subject, please add it freely.
