DoS and DDoS attacks

Short definition:
In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
Excellent link.

How to detect them
# netstat -ntu | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n | grep -v r
1 10.10.10.38
2 10.10.10.140
2 127.0.0.1
With this command you can see the number of ESTABLISHED connections to your server, per remote IP address. Please note that this is not (strictly) oriented towards web servers, but more towards mail servers.
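The same per-address count as the pipeline above, written as an added example (not from the original post) that also filters on the connection state and strips the port with a regular expression so IPv6 addresses are not mangled; the netstat output below is constructed sample data and the threshold is an assumed value:

```shell
#!/bin/sh
# Added example: count ESTABLISHED connections per remote address from
# "netstat -ntu" output and flag addresses above a threshold.
# SAMPLE is constructed data; on a real host feed the function from: netstat -ntu

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.10.10.5:25           10.10.10.38:41002       ESTABLISHED
tcp        0      0 10.10.10.5:25           10.10.10.140:51200      ESTABLISHED
tcp        0      0 10.10.10.5:25           10.10.10.140:51201      ESTABLISHED
tcp        0      0 10.10.10.5:25           10.10.10.140:51202      TIME_WAIT
tcp6       0      0 ::1:25                  ::1:36122               ESTABLISHED
udp        0      0 0.0.0.0:123             192.0.2.9:123           ESTABLISHED'

# Read netstat output on stdin, print "<count> <address>" per remote address,
# lowest count first. Only ESTABLISHED rows are counted (header lines and
# TIME_WAIT sockets drop out). sub() removes the trailing ":port", which works
# for IPv6 addresses too, unlike splitting on ":" and taking a fixed field.
conn_per_ip() {
    awk '$NF == "ESTABLISHED" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (a in n) print n[a], a }' | sort -n
}

# Print only the addresses with more than $1 established connections,
# i.e. the candidates to look at before adding an iptables DROP rule.
flag_over() {
    conn_per_ip | awk -v limit="$1" '$1 > limit { print $2 }'
}

printf '%s\n' "$SAMPLE" | conn_per_ip
printf '%s\n' "$SAMPLE" | flag_over 1
```

Pick the threshold from what is normal for the service in question; a busy mail relay legitimately holds many connections from the same peer.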

How to stop them
Put suspicious addresses in iptables and DROP them.
Use fail2ban for all relevant services on the server.
Set certain kernel parameters in the /etc/sysctl.conf file to lessen the possibility of (D)DoS and SYN attacks.
After changing sysctl.conf, load the changed parameters into the running kernel with: # sysctl -p

Which kernel parameters can be set, and what they mean
The first two parameters are the ones that (more or less) all the forum posts agree should be set. Those I will use; the rest I am not touching 😉 (for now).
Enable IP spoofing protection by turning on Source Address Verification.
This checks the source address of incoming packets against our routing table to make sure they arrive on the interface our routing table says that address is reachable through. Note that it must be easy to disable this: if some form of advanced routing or policy routing intends traffic from a host to come in on one interface and traffic to that host to leave via a different interface, legitimate packets will be dropped.

net.ipv4.conf.all.rp_filter = 1
Enable TCP SYN Cookie Protection.
When the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain.

net.ipv4.tcp_syncookies = 1

Some other parameters :
net.ipv4.conf.default.rp_filter = 1
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 9000 65000
Implements RFC 1337 fix F1 to counteract hazards H1, H2, and H3. This accounts for all hazards discussed in RFC 1337.
net.ipv4.tcp_rfc1337 = 1
Implements TCP Syncookies. When the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain.
net.ipv4.tcp_syncookies = 1
Ignores broadcast pings, reducing the damage of SMURF attacks.
net.ipv4.icmp_echo_ignore_broadcasts = 1
Some routers ignore RFC 1122 and send junk error responses that get logged. It may be possible to trigger this logging by spoofing; this would lead to filling up the hard disk with junk logs, causing a denial of service.
net.ipv4.icmp_ignore_bogus_error_responses = 1
Default value is 100; we relax this to limit it to 5 per second.
net.ipv4.icmp_ratelimit = 20
Default value is 6168; we set a few more ICMP types to be rate limited:
net.ipv4.icmp_ratemask = 88089
0: ICMP Echo Reply
3: ICMP Destination Unreachable (default)
4: ICMP Source Quench (default)
11: ICMP Time Exceeded (default)
12: ICMP Parameter Problem (default)
14: ICMP Timestamp Reply
16: ICMP Information Reply

After changing /etc/sysctl.conf, make the changes active with: # sysctl -p

Explanations for some kernel parameters: link.
