Basics of DDOS Attack | Security

A distributed denial-of-service (DDoS) attack is one in which many compromised systems attack a target machine or server, causing denial of service for the users of the targeted system. The flood of incoming messages effectively forces the target to shut down or become unresponsive, thereby denying service to legitimate users.

Types of DDoS Attacks

There are three types of DDoS attacks:

  • A volumetric attack, completed by overflowing the available bandwidth;
  • A traffic attack, done by abusing the available system resources;
  • An application attack, executed by exhausting the available system resources.

Sometimes attackers will combine the different types of attack into one campaign.

One of the most commonly observed attack types is the volumetric attack, especially the amplification-based variety. In an amplification attack, packets with a spoofed source address are sent to a vulnerable service. That service then sends a much larger response to the spoofed address, which is the victim.

Tools: https://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/#gref

One tool that I have used: GoldenEye

https://github.com/jseidl/GoldenEye

# wget https://github.com/jseidl/GoldenEye

Step 4: Once downloaded, unzip it into a folder

# unzip GoldenEye-master.zip

Step 5: Launch the attack

cd GoldenEye-master
# proxychains ./goldeneye.py http://testdomain.com

Prevention:

Denial of service attacks can be problematic, especially when they make large websites unavailable during high-traffic periods. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness, and a few basic Linux commands can be run to check whether the server is under DDoS attack.

netstat -n | grep :80 |wc -l

The above command counts the connections on your server that involve port 80 (in either direction and in any state, including half-open SYN_RECV entries); a sudden jump compared with the normal baseline is the first sign of a flood.
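A single total does not tell you where the connections come from, which is what you need before applying any per-source limit. The following added example (not from the original post) breaks the same netstat output down per remote address on a given port and flags addresses above a threshold. The netstat lines are constructed sample data; on a live host, replace the sample_netstat function with the real "netstat -nt" output.

```shell
#!/bin/sh
# Added example: per-source connection counts for one local port.
# sample_netstat is constructed data standing in for "netstat -nt".

sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      SYN_RECV
EOF
}

# top_sources PORT : read netstat output on stdin and print "count address"
# for every remote address with a connection to local PORT, busiest first.
# Half-open (SYN_RECV) entries are counted too, since a SYN flood shows up there.
top_sources() {
  port="$1"
  awk -v port="$port" '
    $1 == "tcp" && $4 ~ (":" port "$") {
      sub(/:[0-9]+$/, "", $5)   # strip the remote port, keep the address
      c[$5]++
    }
    END { for (a in c) print c[a], a }' | sort -rn
}

# flag_sources PORT THRESHOLD : addresses holding more than THRESHOLD connections
flag_sources() {
  top_sources "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Usage on the constructed data: prints 198.51.100.7 (4 connections, over 2)
sample_netstat | flag_sources 80 2
```

The threshold is the same number you would later hand to the iptables connlimit rule, so running this first tells you whether a limit of 20 would catch the offender without tripping on legitimate busy clients such as a NAT gateway.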


Method 1:

Limiting the number of connections:

In this example we will limit the number of SSH connections to our SSH host. The same technique can be applied to other protocols such as HTTP and FTP. Using this simple utility, which ships with all Linux systems, we can control the number of client systems connecting to our server.
In effect this is a small firewall configured with the iptables utility.

The first thing we need to do is load a module called connlimit.

Load module: xt_connlimit

modprobe xt_connlimit

Check whether the module was loaded:

lsmod | grep connlimit
root@ubuntu:~# lsmod | grep connlimit
xt_connlimit 16384 1
nf_conntrack 98304 2 xt_connlimit,nf_conntrack_ipv4
x_tables 24576 5 ip_tables,xt_tcpudp,xt_connlimit,iptable_filter,ipt_REJECT
root@ubuntu:~

In case you are configuring a firewall or web server and want this module loaded at startup, add the line

modprobe xt_connlimit

to the file /etc/init.d/rc.d/ri.local

Commands to cap the number of connections at 20 (connlimit counts per source IP address by default, so this is 20 connections from any one client, not 20 in total):

for HTTP:

iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT

for SSH:

iptables -I INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 -j REJECT

-I                 : insert a rule into the chain
-p                 : the protocol
--syn              : the rule applies only to packets that initiate a connection (SYN); it does not apply to data packets of an established transfer
--dport            : 22 for SSH, 80 or 8080 for HTTP, or as you require
To view iptables rules: iptables -L -n | less
To save iptables rules: service iptables save
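Typing the rules one by one works for a quick fix, but for a server you will rebuild or audit it is better to keep them as an iptables-restore ruleset. The following added example (not from the original post) generates the connlimit rules above for any list of ports and a limit, and loads them without flushing the existing rules. It assumes iptables with the connlimit match (the xt_connlimit module loaded above) and root privileges for the apply step; the generate step is safe to run anywhere.

```shell
#!/bin/sh
# Added example: build the per-source connection limit as an iptables-restore
# ruleset. Assumes xt_connlimit is available; apply_connlimit needs root.

# connlimit_rules LIMIT PORT... : emit a filter-table ruleset that rejects new
# TCP connections once one source address holds more than LIMIT to a port.
connlimit_rules() {
  limit="$1"; shift
  [ "$limit" -gt 0 ] 2>/dev/null || { printf 'limit must be a positive integer\n' >&2; return 1; }
  printf '%s\n' '*filter'
  for port in "$@"; do
    # --connlimit-mask 32 counts per source IPv4 address (the default, stated
    # explicitly so it survives review); --syn restricts the match to
    # connection attempts; tcp-reset tells the client at once instead of
    # leaving it waiting on a silently dropped SYN.
    printf '%s\n' "-A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
  done
  printf '%s\n' 'COMMIT'
}

# apply_connlimit LIMIT PORT... : load the rules on top of the existing ones
# (--noflush keeps what is already there), then show the connlimit rules in INPUT.
apply_connlimit() {
  connlimit_rules "$@" | iptables-restore --noflush
  iptables -S INPUT | grep connlimit
}

# Review the generated ruleset (nothing is applied):
connlimit_rules 20 80 22
```

Because the ruleset uses -A, the rules are appended in the order given; if INPUT already holds an ACCEPT for these ports, insert the connlimit rules before it or the limit never fires. Save the generated text to a file and feed it to iptables-restore at boot to get the persistence that "service iptables save" provides on distributions that ship that script.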


Method 2:

Service Protection for Apache

ModSecurity is an open-source Web application firewall. It allows real-time application security monitoring and access control. The different sets of protection rules allow you to inspect the HTTP traffic and reliably block unwanted traffic. It allows you to fix session management issues and block SQL injection attempts. Most importantly, it’s an open architecture, so you can enable only the features that you consider necessary.

One of the biggest strengths of ModSecurity is virtual patching. You are protected against application vulnerabilities for which you are not yet able to patch.

With ModSecurity, you can protect and harden your website against unwanted malicious traffic and reduce the attack surface exposed to it.

About mod_evasive

Another item that you can add to your protection arsenal is mod_evasive. It is a module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or brute-force attack.

The module tracks HTTP connections and counts how many requests for a page arrive within a given time frame. If the number of requests exceeds a configured threshold, further requests from that client are blocked. The blocking happens at the application level: the requester receives a 403 Forbidden response.

The configuration and setup (on Ubuntu) is fairly easy. The module is available as a package:

sudo apt-get install libapache2-mod-evasive

You then have to create the log directory. (Note: Make sure the directory is owned by the Web user; in most cases, this is www-data.)

sudo mkdir /var/log/mod_evasive

Then enable the module for the Apache Web server.

sudo a2enmod evasive

The default configuration file /etc/apache2/mods-available/evasive.conf will get you very far. You might want to add your management and proxy networks to the DOSWhitelist setting so that you do not block your own network. Also make sure you change DOSEmailNotify to a working email address, otherwise you will not get notifications from mod_evasive.
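The whitelist is where this setup most often goes wrong: DOSWhitelist takes dotted IPv4 addresses in which only the trailing octets may be "*" wildcards (127.0.0.* is fine, 10.0.0.0/24 and 10.*.0.1 are not), and a silently ignored entry means your own monitoring gets blocked under load. The following added example (not from the original post or the mod_evasive project) generates a complete evasive.conf with the thresholds written out and validates each whitelist entry before emitting it. The threshold numbers and the ops@example.com address are assumptions to be tuned per site.

```shell
#!/bin/sh
# Added example: generate an evasive.conf with a validated DOSWhitelist.
# Threshold values are assumptions; install_evasive_conf needs root.

# valid_whitelist_entry ENTRY : succeeds if ENTRY is four dot-separated parts,
# each an octet 0-255, where once a "*" appears every later part is also "*".
valid_whitelist_entry() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { star = 0
      for (i = 1; i <= 4; i++) {
        if ($i == "*") star = 1
        else if (star || $i !~ /^[0-9]+$/ || $i > 255) exit 1
      }
      exit 0 }'
}

# evasive_conf EMAIL ENTRY... : print the configuration; fails on a bad entry.
# Apache does not allow comments on the same line as a directive, so each
# explanation sits on its own line.
evasive_conf() {
  email="$1"; shift
  for e in "$@"; do
    valid_whitelist_entry "$e" || { printf 'bad DOSWhitelist entry: %s\n' "$e" >&2; return 1; }
  done
  cat <<EOF
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    # block a client asking for the same page more than 5 times per second
    DOSPageCount        5
    DOSPageInterval     1
    # block a client asking for more than 100 pages of any kind per second
    DOSSiteCount        100
    DOSSiteInterval     1
    # seconds the client keeps receiving 403 after tripping a threshold
    DOSBlockingPeriod   60
    DOSEmailNotify      $email
    DOSLogDir           /var/log/mod_evasive
EOF
  for e in "$@"; do
    printf '    DOSWhitelist        %s\n' "$e"
  done
  printf '%s\n' '</IfModule>'
}

# install_evasive_conf EMAIL ENTRY... : write the file and let Apache check it
install_evasive_conf() {
  evasive_conf "$@" > /etc/apache2/mods-available/evasive.conf && apachectl configtest
}

# Usage: print the configuration for review (nothing is installed)
evasive_conf ops@example.com '10.0.0.*' '192.168.1.*'
```

Keep DOSSiteCount and DOSPageCount high enough that a normal page with its images, scripts and stylesheets does not trip them; with the two intervals at one second the counts are effectively requests per second per client.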

If you are not sure about the correct configuration options, test your setup with a Perl script that is part of the installed package. The script performs a number of concurrent HTTP queries, which should trigger the module.

perl /usr/share/doc/libapache2-mod-evasive/examples/test.p


Tuning the TCP stack | System Administrator

Transmission Control Protocol and Internet Protocol (TCP/IP) is a standard set of protocols used by every network-enabled device. TCP/IP defines the standards for communicating over a network. It is divided into two parts: TCP and IP. IP defines the rules for addressing and routing packets over the network and gives each host on the network an identity, its IP address. TCP deals with the connection between two hosts and enables them to exchange data over the network. TCP is a connection-oriented protocol and handles packet ordering, retransmission, error detection, and other reliability tasks.

The TCP stack is designed to be very general so that it works for anyone under any network conditions. Servers use the same TCP/IP stack as their clients, so the default values are configured for general use and not optimized for high-load server environments. The Linux kernel provides a tool called sysctl that modifies kernel parameters at runtime without recompiling the kernel. We can use sysctl to adjust TCP/IP parameters to match our needs.

In this recipe, we will look at various kernel parameters that control the network. It is not required to modify all parameters listed here. You can choose ones that are required and suitable for your system and network environment.

It is advisable to test these modifications on a local system before changing anything in a live environment. Many of these parameters directly affect network connections and the related CPU and memory use, so a change can result in dropped connections and/or sudden increases in resource consumption. Make sure that you have read the documentation for a parameter before you change it.

It is also a good idea to take benchmarks before and after changing any sysctl parameter. This gives you a baseline against which to compare improvements, if any. Benchmarks may not reveal every effect of a parameter change, so again, read the respective documentation.


System Administrator | HA Proxy setup and configuration

When an application becomes popular, it sends an increased number of requests to the application server. A single application server may not be able to handle the entire load alone. We can always scale up the underlying hardware, that is, add more memory and more powerful CPUs to increase the server capacity, but these improvements do not always scale linearly. To solve this problem, multiple replicas of the application server are created and the load is distributed among them. Load balancing can be implemented at OSI Layer 4, that is, at the TCP or UDP protocol level, or at Layer 7, that is, the application level with protocols such as HTTP, SMTP, and DNS.

In this recipe, we will install a popular load balancing (load distributing) service, HAProxy. HAProxy receives all the requests from clients and directs them to the actual application server for processing. The application server directly returns the final results to the client. We will be setting up HAProxy to load balance TCP connections.


Linux System Administrator | Squid Proxy Server- Installation & Configuration

The term proxy is generally combined with two different terms: one is forward proxy and the other is reverse proxy.

When we say proxy, it generally refers to a forward proxy. A forward proxy acts as a gateway between a client's browser and the Internet, requesting the content on behalf of the client. This protects intranet clients by exposing the proxy as the only requester. A proxy can also be used as a filtering agent, imposing organizational policies. As all Internet requests go through the proxy server, the proxy can cache the response and return cached content when a similar request is found, thus saving bandwidth and time.

A reverse proxy is the exact opposite of a forward proxy. It protects internal servers from the outside world. A reverse proxy accepts requests from external clients and routes them to servers behind the proxy. External clients see a single entity serving requests, but internally it can be multiple servers working behind the proxy and sharing the load.


Find large files that are consuming disk space in Linux | Sys Admin

While managing a Linux server we often run into disk-space issues; below are a few methods we can use.

Log in as the root user.

Method 1:
To find files larger than 1 GB:

find / -xdev -type f -size +1G -exec ls -lrth {} \;

You can change the size threshold as you need.

To copy a large number of files, or have large files over Linux system (scp/rsync/nc/tar over ssh) | scp alternatives

To copy or send a large number of files, or very large files, from one Linux server to another, below are some sample methods.

Here we create a dummy file of 5 GB:

fallocate -l 5G testfile.img

Method1:

scp testfile rupin@192.168.43.114:/tmp

Method2:

rsync -avzh --progress --stats testfile rupin@192.168.43.114:/var/tmp

Method3:

tar -c testfile | gzip -2 | ssh server2 "cat > ~/file.tar.gz"


DNS in Linux for System Administrator | Part 2

In today's article we will show you how to install, configure and administer BIND 9 as a private DNS server. If you are interested in understanding the basic working of a DNS query and how a server responds to it, or in other words, if you want to understand how a computer uses a DNS server to resolve domain names to IP addresses, then I recommend reading the previous post.

DNS servers are classified by the way they operate; a few types are listed below:

  1. Primary / Master DNS
  2. Slave DNS
  3. Forwarding DNS
  4. Caching DNS
  5. Authoritative-Only DNS
