Basics of DDoS Attack | Security

A distributed denial-of-service (DDoS) attack is one in which many compromised systems attack a single target machine or server, causing denial of service for the users of that system. The flood of incoming traffic essentially forces the target to stop responding, thereby denying service to legitimate users.

Types of DDoS Attacks

There are three types of DDoS attacks:

  • A volumetric attack, carried out by saturating the available bandwidth;
  • A traffic attack, carried out by abusing the available system resources;
  • An application attack, carried out by exhausting the available system resources.

Sometimes attackers will combine the different types of attack into one campaign.

One of the most frequently observed attack types is the volumetric attack, especially the amplification-based variant. In an amplification attack, packets with a spoofed source address are sent to a vulnerable service. That service then sends a much larger reply toward the spoofed address, which is the victim.

Tools: https://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/#gref

One tool that I have used: GoldenEye

https://github.com/jseidl/GoldenEye

# wget https://github.com/jseidl/GoldenEye

Step 4: Once downloaded, unzip it into a folder

# unzip GoldenEye-master.zip

Step 5: Launch the attack

cd GoldenEye-master
# proxychains ./goldeneye.py http://testdomain.com

Prevention:

Denial-of-service attacks can be problematic, especially when they make large websites unavailable during high-traffic periods. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness, and a few basic Linux commands are enough to check whether the server is currently under a DDoS attack.

netstat -n | grep :80 | wc -l

The command above prints the number of active connections involving port 80 on your server. It counts every line containing ":80" (which also matches ports such as 8080), so treat it as a quick indicator rather than an exact figure.
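A more useful variant of that check groups the connections by remote address, since a flood usually shows up as a handful of sources holding hundreds of connections (including half-open SYN_RECV ones). This is an added example, not part of the original post; it parses `netstat -ant`-style output, and the sample below is constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -ant` (header, LISTEN socket,
# established and half-open connections). Replace with `netstat -ant` output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51522       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51523       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51524       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60080        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51525       ESTABLISHED'

# top_talkers PORT THRESHOLD  (netstat output on stdin)
# Prints "count ip" for every remote address holding more than THRESHOLD
# connections to local PORT, busiest first. LISTEN sockets are skipped and
# the local port is compared exactly, so ":8080" is not counted as ":80".
# SYN_RECV entries are deliberately counted: half-open connections are
# exactly what a SYN flood leaves behind.
top_talkers() {
    port="$1"; threshold="$2"
    awk -v port="$port" -v thr="$threshold" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            # column 4 is the local socket, column 5 the remote one; the port
            # is the text after the last colon, which also works for IPv6
            n = split($4, l, ":"); if (l[n] != port) next
            m = split($5, r, ":")
            ip = substr($5, 1, length($5) - length(r[m]) - 1)
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > thr) print count[ip], ip }
    ' | sort -rn
}

# Run the check against the constructed sample: sources with more than
# two connections to port 80.
flagged_sources_demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers 80 2
}

flagged_sources_demo
```

On a live host pipe `netstat -ant` (or `ss -Htan`, whose columns differ) into `top_talkers`; addresses that appear here are candidates for the connlimit rule described below.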


Method 1:

Limiting the number of connections:

In this example we limit the number of SSH connections to our SSH host. The same technique can be used for other protocols such as HTTP or FTP. With this simple utility, shipped with every Linux system, we can control how many client systems connect to our server. So the secret of network admins is out for everyone now!
We can also call this a firewall (in a way), configured using the iptables utility.

The first thing we need to do is load the kernel module called connlimit.

Load module: xt_connlimit

modprobe xt_connlimit

Check whether the module was loaded:

root@ubuntu:~# lsmod | grep connlimit
xt_connlimit 16384 1
nf_conntrack 98304 2 xt_connlimit,nf_conntrack_ipv4
x_tables 24576 5 ip_tables,xt_tcpudp,xt_connlimit,iptable_filter,ipt_REJECT

In case you are configuring a firewall/web server and want this module to load at startup, add the line

modprobe xt_connlimit

to the file /etc/init.d/rc.d/rc.local

Command to set the maximum number of connections per source address to 20:

for HTTP:

iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT

for SSH:

iptables -I INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 -j REJECT

-I                       : Insert a rule at the top of the chain
-p                       : The protocol
--syn                    : The rule applies only to packets that initiate a connection (SYN set, ACK/RST/FIN clear). It does not apply to packets of an already established transfer.
--dport                  : 22 for SSH, 80 or 8080 for HTTP, or as you require
-m connlimit --connlimit-above 20 : Match once the source address already holds more than 20 connections to this port
To view iptables rules : iptables -L -n | less
To save iptables rules : service iptables save (RHEL/CentOS; on Debian/Ubuntu install the iptables-persistent package and run netfilter-persistent save)


Method 2:

Service protection for Apache

ModSecurity is an open-source web application firewall. It allows real-time application security monitoring and access control. Its rule sets let you inspect HTTP traffic and reliably block unwanted requests, fix session management issues and block SQL injection attempts. Most importantly, it has an open architecture, so you can enable only the features you consider necessary.

One of the biggest strengths of ModSecurity is virtual patching: you are protected against application vulnerabilities that you are not yet able to patch in the application itself.

With ModSecurity, you can protect and harden your website against unwanted malicious traffic and reduce your attack surface.

About mod_evasive

Another item you can add to your protection arsenal is mod_evasive. It is a module for Apache that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack.

The module tracks HTTP connections and counts how many requests for a page arrive within a given time frame. If the number of requests exceeds a configured threshold, further requests from that client are blocked. The blocking is done at the application level: the requester receives a 403 Forbidden response.

The configuration and setup (on Ubuntu) is fairly easy. The module is available as a package:

sudo apt-get install libapache2-mod-evasive

You then have to create the log directory. (Note: make sure the directory is owned by the web server user; in most cases this is www-data.)

sudo mkdir /var/log/mod_evasive

Then enable the module for the Apache web server.

sudo a2enmod evasive

The default configuration file /etc/apache2/mods-available/evasive.conf will get you very far. You will probably want to add your management and proxy networks to the DOSWhitelist setting so that you do not block your own network. Also make sure you change DOSEmailNotify to a working email address, otherwise you will not receive notifications from mod_evasive.

If you are not sure about the correct configuration options, test your setup with a Perl script that ships with the installed package. The script performs a number of concurrent HTTP requests, which should trigger the module.

perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
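An evasive.conf illustrating the settings discussed above, added here as an example (not the file shipped in the package); the mailbox and the whitelisted networks are constructed placeholders, and the numeric values are the module's defaults:

```apache
<IfModule mod_evasive20.c>
    # Size of the per-client hash table; larger costs memory, fewer collisions
    DOSHashTableSize    3097
    # Same page requested more than 2 times within a 1-second interval -> block
    DOSPageCount        2
    DOSPageInterval     1
    # More than 50 requests to the whole site within a 1-second interval -> block
    DOSSiteCount        50
    DOSSiteInterval     1
    # Seconds a blocked client keeps receiving 403 Forbidden
    DOSBlockingPeriod   10
    # Must be a working mailbox or no notifications are sent (placeholder)
    DOSEmailNotify      security@example.com
    # The directory created above; it has to be writable by www-data
    DOSLogDir           /var/log/mod_evasive
    # Never block management hosts and reverse proxies (constructed addresses);
    # a trailing * matches a whole class C range
    DOSWhitelist        127.0.0.1
    DOSWhitelist        192.0.2.*
    DOSWhitelist        198.51.100.10
</IfModule>
```

Lower DOSPageCount and DOSSiteCount make the module more aggressive; when the test script stops producing 403 responses for a whitelisted address but still does for others, the whitelist is working.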
