Preventing Layer 7 DDoS Attack


WikiLeaks, th3j35t3r, LOIC are words that have been well known in the last period by the infosec community. These words get me directly thinking about the Application‐level DDoS attacks on websites such as Twitter, VISA, and MasterCard. Usually the attack involves large number for HTTP/HTTPS requests to specific sections of the website that could potentially be resource intensive for the server to process.

LOIC (Low Orbit Ion Cannon) is an Open Source tool that has been used by anonymous group against governmental websites and mail servers, the main purpose of these attacks is to launch a distributed denial of service against a website and make them offline.

There are already other similar tools that may perform this attack to stop any website and make it unreachable for legitimate users. By looking at the technique used to perform this attack the tool send about 10 Long HTTP/HTTPS requests per second till it reach bandwidth or connection limits of hosts or networking equipment to make it offline . Now the question is how we can stop this attack? What are the preventive measures against the Layer7 DDoS?

First of all we start limiting the traffic using hashlimit on iptables this module can be used to allow just a certain number of packets per minute:

[php]iptables -A INPUT -p tcp –dport 80 -m hashlimit –hashlimit-upto 50/min \

–hashlimit-burst X –hashlimit-mode srcip –hashlimit-name http -j ACCEPT

iptables -A INPUT -p tcp –dport 80 -j DROP[/php]

X is the number of connection so you can expect that the DDoS tool will send approximately 600 Long requests per minute so you need to make it less and as a result the firewall will Drop the connection ( do not also forget to change the port 80 according to the service that are provided from your facilities).

Now if you are using Apache you can add Module mod_reqtimeout this directive can set various timeouts for receiving the request headers and the request body from the client. If the client fails to send headers or body within the configured time, a 408 REQUEST TIME OUT error is sent.

A final important note is to stop the Hive which is used as the command-and-control server to send instructions regarding different target, so if you stop the Hive each person will be launching the attack separately and can stop the DDoS.

make sure you subscribe to my RSS feed!