In the previous post we covered how to prepare a system for a DDoS attack and how to mitigate the risk. The next step is to react at the right moment and act effectively while the attack is in progress. Monitoring the connections on the router or the server itself helps the victim spot the beginning of an attack.
First, monitor the half-open (SYN_RCVD) connections on the web port:
# netstat -na | grep ':80 ' | grep SYN_RCVD
Note that FreeBSD's netstat prints addresses as address.port (for example 10.0.0.5.80), so on FreeBSD match '.80 ' instead of ':80 '. In normal operation only a handful of connections sit in SYN_RCVD at any moment, because a handshake completes within milliseconds. If dozens or hundreds persist there, you are under a SYN flood and should start dropping those connections. Keep in mind that the source addresses in a SYN flood are almost always spoofed, so blocking individual addresses rarely helps in this case.
That covers the SYN flood case; an HTTP flood is harder to detect because every connection completes a real handshake. First count the Apache processes and the connections on port 80 (the first count includes the grep process itself):
# ps aux | grep httpd | wc -l
# netstat -na | grep ':80 ' | wc -l
Next, check which addresses those connections come from. The foreign address is the fifth column of netstat output and carries a different source port on every line, so strip the port before counting; otherwise uniq -c reports 1 for every line:
# netstat -na | grep ':80 ' | awk '{print $5}' | sed 's/[.:][0-9]*$//' | sort | uniq -c | sort -nr | less
There is no way to be certain that an HTTP flood is under way, but one address appearing far more often than the rest is a strong indication. Further evidence can be gathered with tcpdump:
# tcpdump -n -i <interface> -c 100
tcpdump works at packet level, so it also catches sources that never complete a handshake and therefore never appear in netstat; a BPF filter such as port 80 narrows the capture to the web service. If a large number of packets target a single port or service (a CGI script or a web directory), that points at both the source of the attack and the resource being hammered.
Finally, work around the situation by dropping the malicious IP addresses. You can block them directly on the router, or on the host firewall.
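The detection steps above, put together as an added example script (this is not code from the original post): it reads netstat -na output, counts the half-open SYN_RCVD entries on the web port, ranks sources by connection count with the port stripped off, and prints the pf(4) commands that would block the worst offenders. The sample netstat lines are constructed, not captured from a real host; the pf table name "flood" and the assumption that a rule such as `block in quick from <flood>` refers to it in pf.conf are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `netstat -na` output
# per source for the web port and emit pf table commands for sources over a
# threshold. Assumptions: web port 80, pf as firewall, a table named "flood"
# referenced by a block rule in pf.conf (the table name is an assumption).

WEB_PORT=${WEB_PORT:-80}

# Constructed sample of `netstat -na` lines (not real captures). Both address
# styles appear because FreeBSD prints addr.port while Linux prints addr:port.
SAMPLE='tcp4       0      0 10.0.0.5.80            198.51.100.7.51234     ESTABLISHED
tcp4       0      0 10.0.0.5.80            198.51.100.7.51235     ESTABLISHED
tcp4       0      0 10.0.0.5.80            198.51.100.7.51236     ESTABLISHED
tcp4       0      0 10.0.0.5.80            198.51.100.7.51237     ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.9.40001      ESTABLISHED
tcp4       0      0 10.0.0.5.80            192.0.2.44.6001        SYN_RCVD
tcp4       0      0 10.0.0.5.80            192.0.2.44.6002        SYN_RCVD
tcp        0      0 10.0.0.5:443           203.0.113.9:40002      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

# Keep only lines whose local address ends in the web port and that have a
# real peer (this drops the LISTEN socket). stdin -> stdout.
web_conns() {
    awk -v p="$WEB_PORT" '$4 ~ ("[.:]" p "$") && $5 !~ /\*$/'
}

# Number of half-open connections on the web port; a SYN flood drives this up.
syn_rcvd_count() {
    web_conns | awk '$6 == "SYN_RCVD"' | wc -l | tr -d ' '
}

# Strip the source port from the foreign address, then count per source,
# busiest first. Output lines look like "   4 198.51.100.7".
top_sources() {
    web_conns | awk '{print $5}' | sed 's/[.:][0-9]*$//' | sort | uniq -c | sort -rn
}

# Sources with at least $1 connections on the web port.
flood_sources() {
    top_sources | awk -v t="$1" '$1+0 >= t+0 {print $2}'
}

# Print, but do not run, the pf commands that would block those sources.
# Review the list, then pipe it to sh.
block_cmds() {
    flood_sources "$1" | while read -r ip; do
        echo "pfctl -t flood -T add $ip"
    done
}

# Stand-alone demo on the constructed sample; on a live host replace
# `echo "$SAMPLE"` with `netstat -na`.
echo "half-open on port $WEB_PORT: $(echo "$SAMPLE" | syn_rcvd_count)"
echo "$SAMPLE" | top_sources
echo "$SAMPLE" | block_cmds 3
```

The threshold (3 here) is deliberately a parameter: what counts as "too many" connections from one address depends on whether clients sit behind NAT or a proxy, so check the top of the list by hand before feeding the commands to pfctl.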
On FreeBSD we can take some steps to reduce the impact of a DDoS. Note that sysctl expects a single key=value argument with no spaces around the equals sign:
1 – Lower the maximum segment lifetime (some protection against SYN floods):
# sysctl net.inet.tcp.msl=7500
net.inet.tcp.msl is given in milliseconds and defaults to 30000. A segment that is not acknowledged within this time is considered lost and its connection state is freed sooner, and TIME_WAIT (which lasts 2*MSL) shrinks as well, so fewer stale entries accumulate under load. Because SYN floods almost always use spoofed sources, FreeBSD's SYN cookies (net.inet.tcp.syncookies, enabled by default) remain the main defence; this knob only shortens how long leftover state is kept.
2 – Blackhole TCP and UDP packets that arrive on closed ports. With net.inet.tcp.blackhole set to 1, SYN segments to a closed port are dropped without a RST being sent back; with 2, every segment to a closed port is dropped silently. net.inet.udp.blackhole=1 does the same for UDP by suppressing the ICMP port-unreachable reply.
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
This saves the reply traffic and hides closed ports from scanners, but it does not reduce the inbound bandwidth the attack consumes, and legitimate clients that hit a closed port will wait for a timeout instead of failing fast.
3 – Limit ICMP responses (the same counter also rate-limits the TCP RSTs sent to closed ports) to 50 per second, down from the default of 200 (protection against ICMP floods):
# sysctl net.inet.icmp.icmplim=50
4 – Raise the maximum listen backlog (helps against any flood that fills the accept queue):
# sysctl kern.ipc.somaxconn=32768
kern.ipc.somaxconn is not a limit on open sockets; it caps the backlog a server may request in listen(2). The daemon must also ask for a larger backlog (Apache's ListenBackLog directive), otherwise raising the kernel cap alone changes nothing.
5 – Finally, enable the kernel's DEVICE_POLLING feature, which replaces per-packet interrupts with scheduled polling of the network card and significantly reduces system load during a flood:
1. Compile the kernel with "options DEVICE_POLLING";
2. Activate polling: "sysctl kern.polling.enable=1";
3. Add the entry "kern.polling.enable=1" to /etc/sysctl.conf.
Caveat: the global kern.polling.enable sysctl only exists in releases before FreeBSD 7.0. On 7.0 and later, polling is switched on per interface with "ifconfig <interface> polling" (see polling(4)), and only drivers with polling support accept it.
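The sysctl tunables from steps 1 to 4, applied at runtime, persisted to /etc/sysctl.conf and then verified, as one added example script (this is not the original post's code). It assumes FreeBSD with sysctl(8) on the PATH and root privileges; the SYSCTL and SYSCTL_CONF variables are my additions so the script can be dry-run against a fake sysctl and a scratch file. DEVICE_POLLING is left out because it depends on the kernel build and the release.

```shell
#!/bin/sh
# Added example (not from the original post): apply the FreeBSD anti-DDoS
# tunables, persist them, and verify the kernel accepted each value.
# Assumptions: FreeBSD, run as root. SYSCTL and SYSCTL_CONF are overridable
# so the functions can be exercised without touching a live kernel.

: "${SYSCTL:=sysctl}"
: "${SYSCTL_CONF:=/etc/sysctl.conf}"

# One key=value per line; sysctl rejects the "key = value" spelling.
TUNABLES='net.inet.tcp.msl=7500
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=50
kern.ipc.somaxconn=32768'

# Apply every tunable to the running kernel; warn but continue on failure.
apply_tunables() {
    echo "$TUNABLES" | while IFS= read -r kv; do
        [ -n "$kv" ] || continue
        "$SYSCTL" "$kv" >/dev/null || echo "WARN: could not set $kv" >&2
    done
}

# Persist to the given conf file: replace an existing line for the key,
# append otherwise. A temp file avoids the BSD/GNU "sed -i" difference.
persist_tunables() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    echo "$TUNABLES" | while IFS= read -r kv; do
        [ -n "$kv" ] || continue
        key=${kv%%=*}
        if grep -q "^${key}=" "$conf"; then
            sed "s|^${key}=.*|${kv}|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        else
            echo "$kv" >> "$conf"
        fi
    done
}

# Compare each tunable with what the kernel reports; print mismatches and
# return 1 if any value differs (for example when the key does not exist).
verify_tunables() {
    rc=0
    for kv in $TUNABLES; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$("$SYSCTL" -n "$key" 2>/dev/null)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got ${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh harden.sh --apply   (apply, persist, verify)
#        sh harden.sh --check   (verify only)
case "${1:-}" in
    --apply) apply_tunables && persist_tunables "$SYSCTL_CONF" && verify_tunables ;;
    --check) verify_tunables ;;
esac
```

Running with --check after a reboot confirms that /etc/sysctl.conf was actually read; a mismatch on a key that "got <unset>" usually means the sysctl name does not exist on that release, which is the failure mode to expect if the tuning list is copied between FreeBSD versions.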
Together these steps give a reasonably balanced baseline for reducing exposure to Distributed Denial of Service attacks.