A distributed denial-of-service (DDoS) attack is one in which a bunch of compromised systems attack the target machine/server, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
Types of DDoS Attacks
There are three types of DDoS attacks:
- A volumetric attack, completed by overflowing the available bandwidth;
- A traffic attack, done by abusing the available system resources;
- An application attack, executed by exhausting the available system resources.
Sometimes attackers will combine the different types of attack into one campaign.
One of the most observed attack types is a volumetric attack, especially one that is amplification-based. In an amplification attack, packets with a spoofed source address are sent to a vulnerable service. This service will then reply with a much larger reply toward the spoofed address (the victim).
One tool that i have used:- GoldenEye
# wget https://github.com/jseidl/GoldenEye
Step4: Once Downloaded Unzip it as a folder
# unzip GoldenEye-master.zip
Step5: Launch the attack
# proxychains ./goldeneye.py http://testdomain.com
Denial of service attacks can be problematic, especially when they cause large websites to be unavailable during high-traffic times. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness or some basic linux commands to be executed to find the if the server is under DDOS attack.
netstat -n | grep :80 |wc -l
The above command will show the active connections that are open to your server.
Limiting the number of connection:
In this example we will be Limiting the number of SSH Connections to our SSH host. The same technique can/is also be done for other protocols such as HTTP , FTP etc. By using this simple utility that is shipped with all Linux Systems we can control the number of Client systems connecting to our Server . So the secret of Network Admins is out for the common now !!!
We can also call this a Firewall (in a way) configured using the IPTABLES utility.
The first this we need to do here is to Load a module called Connlimit
Load Module : xt_connlimit
Check if the module was loaded or not :
lsmod | grep connlimit
root@ubuntu:~# lsmod | grep connlimit
xt_connlimit 16384 1
nf_conntrack 98304 2 xt_connlimit,nf_conntrack_ipv4
x_tables 24576 5 ip_tables,xt_tcpudp,xt_connlimit,iptable_filter,ipt_REJECT
Incase you are configuring a Firewall/Webserver and want this module to load at the Startup :
#modprobe xt_connlimit in the file /etc/init.d/rc.d/ri.local
Command to set the Max number to connections to 20 :
iptables -I INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 20 -j REJECT
iptables -I INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 20 -j REJECT
-I : Insert a rule in the Chain
-p : The Protocol
–syn : This means the rule is only applicable to the packets that are initiating the connection. The rule will not apply to any Data packet that is involved in data transfer .
–dport : 22 for ssh , 80 or 8080 for HTTP or as you require
To View IPTABLES : iptables -L -n | less
To Save IPTABLES : service iptables save
Service Protection for Apache
ModSecurity is an open-source Web application firewall. It allows real-time application security monitoring and access control. The different sets of protection rules allow you to inspect the HTTP traffic and reliably block unwanted traffic. It allows you to fix session management issues and block SQL injection attempts. Most importantly, it’s an open architecture, so you can enable only the features that you consider necessary.
One of the biggest strengths of ModSecurity is virtual patching. You are protected against application vulnerabilities for which you are not yet able to patch.
With ModSecurity, you can protect and harden your website against unwanted malicious traffic and reduce the size of the possible attack vector.
Another item that you can add to your protection arsenal is mod_evasive. It is a module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or brute-force attack.
The module tracks HTTP connections and verifies how many requests for a page are done within a given time frame. If the number of concurrent requests exceeds a specified threshold then the request is blocked. This blocking is done on an application level. The requester gets a forbidden answer to the request.
The configuration and setup (on Ubuntu) is fairly easy. The module is available as a package:
sudo apt-get install libapache2-mod-evasive
You then have to create the log directory. (Note: Make sure the directory is owned by the Web user; in most cases, this is www-data.)
sudo mkdir /var/log/mod_evasive
Then enable the module for the Apache Web server.
sudo a2enmod evasive
The default configuration file /etc/apache2/mods-available/evasive.conf will get you very far. You might want to add your management and proxy networks to the DOSWhitelist setting so that you do not block your own network. Also make sure you change DOSEmailNotify to a working email address, otherwise you won’t get notifications from mod_evasive.
If you’re not sure about the correct configuration options, test your setup with a Perl script that’s part of the installed package. The script performs a number of concurrent HTTP queries, which should trigger the module.