ASTRAPI
Posted November 4, 2016

Hello

Let's see some basics about DDoS attacks and what we can do about them...

Distributed Denial of Service Attack (DDoS)

Definition

DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server. Unlike a Denial of Service (DoS) attack, in which a single Internet-connected device (one network connection) is used to flood a targeted resource with packets, a DDoS attack is launched from numerous compromised devices, often distributed globally in what is referred to as a botnet.

DDoS attacks can be broadly divided into three types:

1) Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (Bps).

2) Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second.

3) Application Layer Attacks
Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in requests per second.

Specific DDoS Attack Types

Some specific and particularly popular and dangerous types of DDoS attacks include:

UDP Flood
This DDoS attack leverages the User Datagram Protocol (UDP), a sessionless networking protocol. This type of attack floods random ports on a remote host with numerous UDP packets, causing the host to repeatedly check for the application listening at that port, and (when no application is found) reply with an ICMP Destination Unreachable packet. This process saps host resources, and can ultimately lead to inaccessibility.

ICMP (Ping) Flood
Similar in principle to the UDP flood attack, an ICMP flood overwhelms the target resource with ICMP Echo Request (ping) packets, generally sending packets as fast as possible without waiting for replies. This type of attack can consume both outgoing and incoming bandwidth, since the victim’s servers will often attempt to respond with ICMP Echo Reply packets, resulting in a significant overall system slowdown.

SYN Flood
A SYN flood DDoS attack exploits a known weakness in the TCP connection sequence (the “three-way handshake”), wherein a SYN request to initiate a TCP connection with a host must be answered by a SYN-ACK response from that host, and then confirmed by an ACK response from the requester. In a SYN flood scenario, the requester sends multiple SYN requests, but either does not respond to the host’s SYN-ACK response, or sends the SYN requests from a spoofed IP address. Either way, the host system continues to wait for acknowledgement for each of the requests, binding resources until no new connections can be made, and ultimately resulting in denial of service.

Ping of Death
A ping of death ("POD") attack involves the attacker sending multiple malformed or malicious pings to a computer. The maximum packet length of an IP packet (including header) is 65,535 bytes. However, the Data Link Layer usually poses limits to the maximum frame size - for example 1500 bytes over an Ethernet network. In this case, a large IP packet is split across multiple IP packets (known as fragments), and the recipient host reassembles the IP fragments into the complete packet. In a Ping of Death scenario, following malicious manipulation of fragment content, the recipient ends up with an IP packet which is larger than 65,535 bytes when reassembled. This can overflow memory buffers allocated for the packet, causing denial of service for legitimate packets.

Slowloris
Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network. Slowloris does this by holding as many connections to the target web server open for as long as possible. It accomplishes this by creating connections to the target server, but sending only a partial request. Slowloris constantly sends more HTTP headers, but never completes a request. The targeted server keeps each of these false connections open. This eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.

NTP Amplification
In NTP Amplification attacks the perpetrator exploits publicly-accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic. In an NTP amplification attack, the query-to-response ratio is anywhere between 1:20 and 1:200 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using a tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.

HTTP Flood
In an HTTP flood DDoS attack the attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application. HTTP floods do not use malformed packets, spoofing or reflection techniques, and require less bandwidth than other attacks to bring down the targeted site or server. The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to each single request.

As more details emerge on last week's massive Dyn DNS DDoS, new analysis indicated as few as 100,000 Mirai IoT botnet nodes were enlisted in the incident and reported attack rates up to 1.2 Tbps.

That's a huge one !!!!

Most attacks are from 1Gbps up to 10Gbps and they are using the WordPress xmlrpc vulnerability and a few other known methods....

So how do we identify an attack, and is there anything that we can do about it?

There is no yes or no answer here to be honest, but we can try, and for me many times it works.

So the easiest way for volumetric/layer 7 attacks is to install dstat, using for CentOS:

yum install dstat

Then you can run it as:

dstat

and you will see something like this:

That's normal, very low traffic, close to none .....

When there is an attack you will see on the column recv a few MB's !

So what can we try to do to stop it?

BE VERY CAREFUL WITH THE BELOW INFO AS YOU MAY LOCK YOURSELF AND YOUR USERS OUT OF THE SERVER IF YOU MAKE ANY MISTAKE !

First you can try to install fail2ban:

yum install fail2ban

Then create a Definition and a Jail for it..... There is no default info for this, but by Googling about it you will get an idea of what to add there and how to...

Then restart fail2ban:

systemctl restart fail2ban

Then we can check that our rule is ok by running:

fail2ban-client status

You can verify the rules that were added by Fail2Ban in iptables using the following command:

iptables -L

Then you must use a .conf file to limit bots' connections/requests and totally block some known bad ones ! You should also block bad user agents.

Then you can limit connections and requests to Nginx like (Cloudflare is coming with that option too very soon):

Connections 10
So if a user opens 11 tabs in the browser and refreshes them all at the same time, one will not be opened .....

Requests 70
One connection can open many requests, so let's limit that also.... You also have an option for this to use Burst up to x requests, like 70 connections and burst up to 90 for example....

Other than that you can use some specialized AntiDDoS companies, but that will not be cheap at all !

In general it is very hard to deal with DDoS and it can cost a lot of money, so it is good to be prepared with anything that you can do from your side !

There are many more solutions, and a lot more complex ones that I use also, but that's a good start.

Enjoy !
RevengeFNF
Posted November 4, 2016

A very good way to catch a layer 7 attack is to install ngxtop. More than 90% of the layer 7 attacks are from WordPress servers using the pingback function. It's very easy to stop those attacks. With nginx we just drop the connection if it receives a request with the user agent of WordPress. With fail2ban we just block the IP.

Unfortunately, this last year I have dealt with many layer 7 attacks, but that solution saved my life.
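The two defensive ideas in this thread (ASTRAPI's nginx request limit of 70 requests with a burst of 90, and RevengeFNF's rule of dropping requests whose user agent is WordPress and then banning the source with fail2ban) can be checked offline against an access log before touching a production config. The script below is an added example written for this page; it is not code from either poster, from nginx or from fail2ban. It assumes the nginx default "combined" log format, models the excess/burst accounting that nginx's limit_req uses (one request added to the per-IP excess on each hit, excess drained at the configured rate, rejection when excess exceeds burst), and uses constructed sample log lines with documentation IP addresses. The ban threshold of 10 rejections is an assumption, as is the regex for the pingback user agent.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# WordPress pingback requests identify themselves as "WordPress/<version>; <site url>".
WP_UA_RE = re.compile(r"^WordPress/", re.IGNORECASE)


def parse_line(line):
    """Return a dict of log fields with a POSIX timestamp, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def is_wordpress_pingback(user_agent):
    """True for the user agent WordPress sends for pingbacks (the one RevengeFNF drops in nginx)."""
    return bool(WP_UA_RE.match(user_agent))


class RequestLimiter:
    """Per-IP model of nginx limit_req: `rate` requests/second, `burst` excess requests allowed."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.state = {}  # ip -> (excess, timestamp of last accepted request)

    def allow(self, ip, ts):
        if ip not in self.state:          # first request from this client is always accepted
            self.state[ip] = (0.0, ts)
            return True
        excess, last = self.state[ip]
        # drain the excess at `rate` per second since the last accepted request, then add this one
        excess = max(excess - self.rate * (ts - last) + 1.0, 0.0)
        if excess > self.burst:           # nginx answers 503 here and leaves the stored state alone
            return False
        self.state[ip] = (excess, ts)
        return True


def analyse(lines, rate=70, burst=90, max_rejects=10):
    """Replay log lines through the UA check and the request limiter; report who would be banned."""
    limiter = RequestLimiter(rate, burst)
    rejects = defaultdict(int)
    pingback_ips = set()
    allowed = rejected = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_wordpress_pingback(rec["ua"]):
            pingback_ips.add(rec["ip"])   # nginx would drop the connection outright
            rejected += 1
            continue
        if limiter.allow(rec["ip"], rec["ts"]):
            allowed += 1
        else:
            rejected += 1
            rejects[rec["ip"]] += 1
    # fail2ban-style decision (assumed policy): pingback sources and heavy limit offenders get banned
    banned = set(pingback_ips) | {ip for ip, n in rejects.items() if n >= max_rejects}
    return {"allowed": allowed, "rejected": rejected,
            "pingback_ips": pingback_ips, "banned": banned}


# ---- constructed sample log (not real traffic) -------------------------------------------
def make_line(ip, ua, path="/", time="04/Nov/2016:10:00:00 +0000"):
    return f'{ip} - - [{time}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"
PINGBACK_UA = "WordPress/4.6.1; http://compromised-blog.example"   # constructed pingback UA

SAMPLE_LOG = (
    # one normal visitor, three pages one second apart
    [make_line("203.0.113.5", BROWSER_UA, f"/page{i}", f"04/Nov/2016:10:00:0{i} +0000") for i in range(3)]
    # two pingback hits from a (constructed) compromised WordPress host
    + [make_line("198.51.100.7", PINGBACK_UA) for _ in range(2)]
    # one client hammering the front page 200 times inside the same logged second
    + [make_line("192.0.2.99", BROWSER_UA) for _ in range(200)]
)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Because nginx logs with one-second resolution, all 200 hits from the flooding client share a timestamp, so the excess climbs by exactly one per request: the first request is accepted unconditionally and the next 90 fit inside the burst, giving 91 accepted and 109 rejected hits for that address. The pingback source is flagged on its first request, which is the behaviour RevengeFNF describes for the nginx user-agent rule.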
This topic is now archived and is closed to further replies.