Wednesday, September 8, 2010

DDOS ATTACK

Symptoms
*Unusually slow network performance
*A particular web site being unavailable
*Inability to access any web site
*An increase in the number of spam emails

There are paid services that will run a DDoS attack against a competitor's server to take it down. What they do is access the web site from many different geo-locations/IP addresses at once, so that the number of connections they open is greater than what your web server is able to handle.

The following commands give you a sorted list of the IP addresses connected to the server, with the number of connections from each. The first counts every connection regardless of port (the grep only drops the header lines); the second limits the count to connections on port 80:-
netstat -n | awk '{ print $5 }' | cut -d ":" -f 1 | grep "[1-9]" | sort | uniq -c | sort -n
netstat -plan |grep :80 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Two things to keep in mind when reading the output. The cut -d: -f1 step keeps only the text before the first colon, which truncates IPv6 peers (netstat prints them as address:port without brackets), so those show up as garbage such as "2001". And a high count from one address is not proof of an attack: a corporate NAT gateway or a proxy can legitimately hold many connections open at once.

You can use the following command to block an IP address (-p tcp has to come before --dport, because that option belongs to the tcp match; and if an earlier rule in the INPUT chain already ACCEPTs the traffic, use -I instead of -A so the DROP is inserted ahead of it):-
iptables -A INPUT -s IP -p tcp --dport 80 -j DROP


There are scripts that will do this counting and blocking automatically to help you against DoS attacks on your server:

1. DDoS Deflate

Their script uses the command " netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n " to count connections per IP address. Note that -ntu counts TCP and UDP connections on every port, not only port 80.

Configuration file is located on /usr/local/ddos/ddos.conf

IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)

To install, simply follow these directions (read install.sh before running it: it is fetched over plain HTTP and then executed as root):-

cd /usr/local/src/
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh


Installing DOS-Deflate 0.6

Downloading source files.........done
Creating cron to run script every minute.....(Default setting).....done
Installation has completed.
Config file is at /usr/local/ddos/ddos.conf
Please send in your comments and/or suggestions to zaf@vsnl.com

After installing, edit /usr/local/ddos/ddos.conf with your favourite editor. The two settings that matter most are:

NO_OF_CONNECTIONS=150   (default) Number of connections from a single IP address at which the script bans it.
BAN_PERIOD=600          (default) Number of seconds a banned IP stays in the blacklist before it is unblocked.

Pick NO_OF_CONNECTIONS with your real traffic in mind: a NAT gateway or a proxy can legitimately open far more connections than one home user, and because the check runs from cron once a minute, a burst of connections is not acted on until the next run.
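As an added example (not part of the original post, and not the DDoS Deflate script itself), the following shell script does in a testable, dry-run form what the netstat and iptables commands above and DDoS Deflate's cron job do: count connections per remote address on port 80, print a DROP rule for every address at or above NO_OF_CONNECTIONS, and print the rule that lifts each ban once it is older than BAN_PERIOD. The netstat output is a constructed sample using documentation-range addresses; the function names and the "<epoch> <peer>" ban file format are my own; the rules are only printed, so nothing is changed until you pipe them to sh as root.

```shell
#!/bin/sh
# Added example: a minimal, dry-run version of the check-then-ban loop.
# Constructed sample in `netstat -ntu` format (addresses from the documentation
# ranges, not real traffic). In production replace it with the live command:
#   netstat -ntu | count_by_src 80 | ban_commands "$NO_OF_CONNECTIONS" 80
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51004      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40002       ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:1::5:33001     ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:1::5:33002     ESTABLISHED
tcp6       0      0 2001:db8::1:80          2001:db8:1::5:33003     ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# count_by_src PORT: read netstat lines on stdin, print "<count> <peer>" for
# every peer talking to local port PORT, highest count first. The port is
# stripped with a regex anchored at the end of the field instead of
# `cut -d: -f1`, so IPv6 peers keep their full address.
count_by_src() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9*]+$/, "", peer)
            n[peer]++
        }
        END { for (p in n) print n[p], p }
    ' | sort -rn
}

# ban_commands THRESHOLD PORT: read "<count> <peer>" lines, print a DROP rule
# for each peer at or above THRESHOLD. -p tcp precedes --dport (the option
# belongs to the tcp match) and -I puts the rule ahead of any existing ACCEPT.
ban_commands() {
    threshold="$1"; port="$2"
    while read -r count peer; do
        [ "$count" -ge "$threshold" ] || continue
        case "$peer" in *:*) tool=ip6tables ;; *) tool=iptables ;; esac
        printf '%s -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$tool" "$peer" "$port"
    done
}

# expire_bans BANFILE NOW PERIOD PORT: BANFILE holds "<epoch> <peer>" lines
# written when a ban was applied (hypothetical format). Print the rule that
# removes each ban older than PERIOD seconds and keep the others in BANFILE.
# NOW is a parameter rather than $(date +%s) so the logic can be tested.
expire_bans() {
    banfile="$1"; now="$2"; period="$3"; port="$4"
    [ -f "$banfile" ] || return 0
    keep=$(mktemp)
    while read -r since peer; do
        if [ $((now - since)) -ge "$period" ]; then
            case "$peer" in *:*) tool=ip6tables ;; *) tool=iptables ;; esac
            printf '%s -D INPUT -s %s -p tcp --dport %s -j DROP\n' "$tool" "$peer" "$port"
        else
            printf '%s %s\n' "$since" "$peer" >> "$keep"
        fi
    done < "$banfile"
    mv "$keep" "$banfile"
}

# One dry run over the sample with DDoS Deflate's two knobs (threshold lowered
# so the sample trips it). Nothing is applied; the rules are only printed.
NO_OF_CONNECTIONS=3
BAN_PERIOD=600
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_src 80 | ban_commands "$NO_OF_CONNECTIONS" 80
```

On the sample, 198.51.100.7 and 2001:db8:1::5 each have three connections to port 80 and get a rule; 203.0.113.9 has one on port 80 (its SSH session is not counted) and is left alone. A real cron version would append "$(date +%s) $peer" to the ban file whenever it applies a rule and call expire_bans with $(date +%s) on every run.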

==================
Hardening sysctl.conf

Open /etc/sysctl.conf in your favorite text editor and add the following:

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

Load the new values into the running kernel with sysctl -p; the file is read again at boot, so nothing else is needed on most distributions. If you prefer to set the values from /etc/rc.local anyway, the loop has to write to each file in turn ($f) and close with its own done:

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Two caveats. rp_filter=1 is strict mode: a packet is dropped if the reply to it would leave through a different interface, which breaks multi-homed hosts with asymmetric routing (use 2 for loose mode there). And SYN cookies only defend against SYN floods; they do nothing against the floods of completed connections that the netstat counts above are meant to catch.
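As an added example (not from the original post), here is a small audit function that checks whether the two settings above are actually in effect on every interface, reading the same /proc/sys files the loop writes. It takes the root directory as a parameter, defaulting to /proc/sys (the parameter is an assumption made so the check can be run against a constructed directory tree), and it applies the kernel's rule for rp_filter, which uses the larger of conf/all and conf/<interface>, so an interface file reading 0 is not a problem when conf/all is 1.

```shell
#!/bin/sh
# Added example: audit rp_filter and tcp_syncookies on a sysctl tree.
# audit_hardening [ROOT]: ROOT defaults to /proc/sys; any other ROOT is only
# for testing against a constructed tree. Prints each problem found and
# returns 1 if there is any, 0 if both protections are in effect.
audit_hardening() {
    root="${1:-/proc/sys}"
    conf="$root/net/ipv4/conf"
    bad=0

    # Kernel rule: source validation on an interface uses
    # max(conf/all/rp_filter, conf/<iface>/rp_filter).
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    for f in "$conf"/*/rp_filter; do
        [ -r "$f" ] || continue
        dir=${f%/rp_filter}
        iface=${dir##*/}
        [ "$iface" = all ] && continue
        v=$(cat "$f")
        eff=$v
        [ "$all" -gt "$eff" ] && eff=$all
        if [ "$eff" -eq 0 ]; then
            echo "rp_filter off on $iface (all=$all, $iface=$v)"
            bad=1
        fi
    done

    s="$root/net/ipv4/tcp_syncookies"
    if [ ! -r "$s" ] || [ "$(cat "$s")" -ne 1 ]; then
        echo "tcp_syncookies not enabled ($s)"
        bad=1
    fi
    return "$bad"
}

# Stand-alone use on the running kernel: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_hardening /proc/sys && echo "rp_filter and tcp_syncookies are in effect"
fi
```

Run it after sysctl -p (or after a reboot) to confirm the values stuck; on a host where conf/all/rp_filter is 0 it lists every interface whose own file is also 0, which is exactly the case the rc.local loop above was written to cover.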

===================
