Posts Tagged DDOS
Quick Tips to Fight DDoS Attack
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Web Security, cybersecurity on November 21, 2009
In a previous post we shared how to prepare our systems for a DDoS attack and how to mitigate the risk. Now it is important to react at the right moment and take effective action during the attack. Monitoring the connections on the routers can help the victim detect the beginning of the attack.
First we should monitor the open SYN connections:
# netstat -na | grep ":80 " | grep SYN_RCVD
In a normal situation the number should not exceed three connections. If there are more open connections than that, you are under attack and you should start by dropping these connections.
This covers the SYN-flood case, but an HTTP flood is more complicated to detect. First you need to count the number of Apache processes and the number of port 80 connections:
# ps aux | grep httpd | wc -l
# netstat -na | grep ":80 " | wc -l
Next you need to check the list of IP addresses:
# netstat -na | grep ":80 " | sort | uniq -c | sort -nr | less
It is impossible to be certain that there is an HTTP-flood attack, but you can assume that you are under attack if one address in the list is repeated too many times. Additional evidence can be gathered using tcpdump:
# tcpdump -n -i <interface> -c 100
tcpdump will help you track the source of the attack if a large number of packets target a single port or service (a CGI script or web directory).
Finally we have to work around the situation by dropping the malicious IP addresses. You can block IPs directly on the router.
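The netstat checks above, wrapped into small shell functions so the thresholds can be applied automatically. This is an added example, not part of the original post; the netstat lines it parses are constructed, and it accepts both the BSD "addr.port" and the Linux "addr:port" output forms.

```shell
# Constructed sample of `netstat -na` output (not captured from a real host).
SAMPLE_NETSTAT='tcp4 0 0 10.0.0.5.80 198.51.100.7.51234 SYN_RCVD
tcp4 0 0 10.0.0.5.80 198.51.100.7.51235 SYN_RCVD
tcp4 0 0 10.0.0.5.80 198.51.100.7.51236 SYN_RCVD
tcp4 0 0 10.0.0.5.80 203.0.113.9.40001 ESTABLISHED
tcp4 0 0 10.0.0.5.80 198.51.100.7.51237 ESTABLISHED
tcp4 0 0 10.0.0.5.22 192.0.2.44.55555 ESTABLISHED
tcp4 0 0 10.0.0.5.443 198.51.100.7.51300 SYN_RCVD'

# Count half-open connections on the web port (SYN_RCVD on BSD, SYN_RECV on
# Linux). The post treats more than three of them as a warning sign.
syn_rcvd_count() {
  awk '$4 ~ /[.:]80$/ && ($6 == "SYN_RCVD" || $6 == "SYN_RECV") { n++ }
       END { print n + 0 }'
}

# Remote addresses with the most port-80 connections, most frequent first
# (the same "sort | uniq -c | sort -nr" pipeline as in the post, with the
# remote port stripped so one client is counted once per connection).
top_http_sources() {
  awk '$4 ~ /[.:]80$/ { a = $5; sub(/[.:][0-9]+$/, "", a); print a }' \
    | sort | uniq -c | sort -nr
}

# Print "ip count" for every source above a threshold (default 100 connections).
flood_suspects() {
  top_http_sources | awk -v limit="${1:-100}" '$1 > limit { print $2, $1 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | syn_rcvd_count      # 3 half-open on port 80
printf '%s\n' "$SAMPLE_NETSTAT" | flood_suspects 3    # 198.51.100.7 4
```

On a live host replace the sample with `netstat -na | syn_rcvd_count` and `netstat -na | flood_suspects 200`, tuning the threshold to the server's normal traffic.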

On FreeBSD we can take some steps to avoid DDoS:
1 – Reduce the packet request time (protection against SYN flood):
# sysctl net.inet.tcp.msl=7500
If an ACK is not received within this time, the segment is considered "lost" and the network connection is freed.
Put your server in a blackhole when a TCP packet is received on a closed port. When set to '1', SYN packets arriving on a closed port will be dropped without a RST packet being sent back.
# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1
Limit ICMP replies to 50 per second (protection against ICMP flood):
# sysctl net.inet.icmp.icmplim=50
Increase the maximum number of sockets that can be open to the server (protection against all types of DDoS):
# sysctl kern.ipc.somaxconn=32768
Finally, enable the kernel feature called DEVICE_POLLING (it significantly reduces the load on the system during a DDoS attack):
1. Compile the kernel with the option "options DEVICE_POLLING";
2. Activate the polling mechanism: "sysctl kern.polling.enable=1";
3. Add the entry "kern.polling.enable=1" to /etc/sysctl.conf.
These are well balanced steps to mitigate exposure to Distributed Denial of Service attacks.
make sure you subscribe to my RSS feed!
Universal Tips to Avoid DDoS Attack
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Web Security on November 15, 2009
There are some points that can help to carefully prepare our systems to avoid Distributed Denial of Service:
1- Prepare a simple and fast way to remotely reboot the servers exposed to the external network (web servers, mail servers, application servers...). This can be done using SSH; we can also add a second network interface to access the server while the main channel is down.
2- Keep all software packages up to date, to protect our systems from DoS attacks that exploit bugs in the available services.
3- Restrict access to all admin services to authorized users only, for example using IP restrictions for accessing devices like firewalls, routers and other network devices, so an attacker will not be able to launch a DoS or brute-force attack.
4- Monitor the traffic by installing network analysis tools (NetFlow) on the routers to help identify an attack in its early phase and react to stop it as soon as it is detected.
5- Add the following lines to /etc/sysctl.conf:
# vi /etc/sysctl.conf
# Protection against spoofing
net.ipv4.conf.default.rp_filter = 1
# Check TCP connections every minute.
net.ipv4.tcp_keepalive_time = 60
# Repeat the probe after ten seconds
net.ipv4.tcp_keepalive_intvl = 10
# Number of attempts before closing the connection
net.ipv4.tcp_keepalive_probes = 5
It is very important to note here that the listed methods aim only to reduce the risk of a DDoS attack and can protect against small botnets; you can consider your server 90% protected against these attacks. There are more sophisticated ways, like load balancing, which is extremely expensive: if a server fails, all new clients are redirected to a clustered server, which provides very high availability.
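A small audit that checks a host's current sysctl values against the settings recommended in the FreeBSD post and in the /etc/sysctl.conf list above, so drift from the hardened values shows up before an attack does. This is an added example, not part of either post; the sysctl output it parses is constructed, and the expected values are copied from the two posts.

```shell
# Expected values, copied from the two posts above ("name=value" pairs).
FREEBSD_EXPECTED='net.inet.tcp.msl=7500 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1
net.inet.icmp.icmplim=50 kern.ipc.somaxconn=32768 kern.polling.enable=1'
LINUX_EXPECTED='net.ipv4.conf.default.rp_filter=1 net.ipv4.tcp_keepalive_time=60
net.ipv4.tcp_keepalive_intvl=10 net.ipv4.tcp_keepalive_probes=5'

# audit_sysctl EXPECTED: reads `sysctl -a` style lines from stdin, either
# "key: value" (FreeBSD) or "key = value" (Linux), and prints one
# "key current expected" line per mismatch or missing key. Exit 1 on any finding.
audit_sysctl() {
  awk -v wanted="$1" '
    BEGIN { n = split(wanted, pairs)                     # split on blanks/newlines
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] } }
    { line = $0; gsub(/[ \t]/, "", line)                 # "k: v" / "k = v" -> "k:v" / "k=v"
      if (match(line, /^[^:=]+[:=]/)) {
        key = substr(line, 1, RLENGTH - 1); val = substr(line, RLENGTH + 1)
        if (key in want) {
          seen[key] = 1
          if (val != want[key]) { bad++; print key, val, want[key] }
        }
      } }
    END { for (k in want) if (!(k in seen)) { bad++; print k, "missing", want[k] }
          exit (bad > 0) }'
}

# Constructed FreeBSD `sysctl -a` excerpt (not from a real host): msl and
# icmplim are still at stock values and kern.polling.enable is absent.
SAMPLE_SYSCTL='net.inet.tcp.msl: 30000
net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1
net.inet.icmp.icmplim: 200
kern.ipc.somaxconn: 32768'

printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl "$FREEBSD_EXPECTED" \
  || echo "some recommended settings are not applied"
```

On a real host run `sysctl -a | audit_sysctl "$FREEBSD_EXPECTED"` (or `"$LINUX_EXPECTED"`) from cron so a silent reset after a reboot or package upgrade is noticed.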
DDoS Attack Target Swedish Police Network
Posted by Mourad Ben Lakhoua in Cybercrime, Web Security on November 2, 2009
According to The Local, the Swedish police website was subject to a DDoS attack last week. The result of this attack was a complete disruption of the official website.
At high traffic the server can handle about 800 requests per second, but during the attack they detected about 400 thousand requests per second, which is 5 times more than the normal high traffic.
The number of DDoS attacks has significantly increased, making them one of the biggest threats on the Internet. Looking at the history, the earliest DDoS attacks were mainly directed at disrupting IRC servers. In 1997 there was a vulnerability in the Microsoft Windows TCP/IP stack that allowed hackers to send a lot of packets, using several tools, and DoS remote systems. Another popular incident was in 2000, when the web services of many popular websites like Yahoo, CNN, eBay and others were taken down. In October 2002 the root DNS servers experienced a DDoS attack that put 7 of the 13 main servers out of service. And now we are seeing a lot of distributed denial of service (DDoS) attacks against social networking websites like Twitter and Facebook...
Stopping DDoS attacks depends on the whole Internet community protecting their machines from the malware that could be used to run these attacks. The most popular botnets are:
Conficker – 10 million+ machines.
Kraken – 495 thousand machines.
Srizbi – 315 thousand machines.
Bobax – 185 thousand machines.
Rustock – 150 thousand machines.
Storm – 85 thousand machines.
DDoS Attack Hits Amazon Cloud!
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Cybercrime & Hacking on October 6, 2009
Bitbucket, a web service designed to host programming projects, faced an outage last weekend; the failure period was more than 19 hours, which is relatively long. According to Amazon the incident was due to a DDoS attack on their computing infrastructure.
This attack can only raise doubts about the IT services provided by Amazon (Amazon Elastic Compute Cloud, EC2). We had previously posted on several cases of DDoS attacks; Jesper posted on the company blog some details about the incident, which is not usual.
The story started when they noticed a high load on the server, even after turning off anything that took up CPU. They submitted an "urgent" ticket to the Amazon support system and within 5 minutes the support responded by phone to help with the issue.
Later the support team identified the problem: it was a massive flood of UDP packets targeting the Bitbucket website and consuming the whole bandwidth to the box. This is what we call a distributed denial of service.
The source of the attack was not identified, but the developer assumed that the attack targeted one of their projects.
What’s wrong with Twitter?
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Internet, News, Social Networking, Web Security on August 9, 2009
On the 6th of August Twitter went down for a pretty long period. After a while a brief message was added to the Twitter status page saying they were fighting off a DDoS attack right now. The most interesting part is that the distributed denial-of-service attack also affected Facebook, LiveJournal and Google's Blogger.
The idea of a distributed denial-of-service (DDoS) attack on these sites is that computers have been compromised by viruses or other malware and instructed by the hacker to visit the specific websites all at the same time and repeatedly. The barrage of connection requests overwhelms the target sites, so that legitimate web traffic can't get through.
So this attack requires tens of thousands of machines, which all form a botnet, and in a few seconds it can take any website down, as in the case described in the Finjan report "Your PC might be traded online – without you knowing about it!".
To keep yourself from becoming part of a botnet, install an antivirus with the latest signatures and from time to time check the netstat command on Windows to see if there is any unusual connection from your PC.
BBC team exposes cyber crime risk
Posted by Mourad Ben Lakhoua in News on March 15, 2009
Software used to control thousands of home computers has been acquired online by the BBC as part of an investigation into global cyber crime.
The technology programme Click has demonstrated just how at risk PCs are of being taken over by hackers.
Almost 22,000 computers made up Click’s network of hijacked machines, which has now been disabled.
The BBC has now warned users that their PCs are infected, and advised them on how to make their systems more secure.
You can find more here.
New style of DNS amplification can yield powerful DDoS attacks
Posted by Mourad Ben Lakhoua in News on February 5, 2009
A new class of distributed denial-of-service (DDoS) attacks, which can overwhelm even mainstream targets, is imminent, a security researcher warned this week.
DNS amplification was first widely publicized about three years ago when computer security experts Gadi Evron and Randal Vaughn published a research paper that examined a scenario in which criminals abuse recursive DNS name servers by using spoofed user datagram protocol (UDP) packets.
The technique soon will be used against more mainstream commercial sites thanks to a new variant in which criminals do not have to rely on recursive queries, Jackson said.
“This new tactic uses a very short query, asking simply the name servers for the ‘.’ domain [a single dot],” he wrote Monday in an analysis of DNS amplification. “This domain is the root server domain, so the answer is large [or long]. A list of all the root domain name servers is sent back in response.”
“We are 100 percent certain that this tactic will be used in the next major DDoS attack,” Jackson said.
DDoS attacks traditionally work when attackers leverage compromised host computers — namely, botnets — to send an extreme amount of traffic to their targets.
But if criminals lack access to a large botnet or face a significant target, they turn to DNS amplification, Jackson said. This technique allows attackers to send a little bit of data to a name server, which, in turn, sends a lot of data to the attacker’s target.
David Ulevitch, founder and CTO of OpenDNS, a DNS resolution service, said few ISPs have fixed their servers since DNS amplification first appeared on the scene, and it is unlikely they are aware of this new variant.
“The bad guys have figured out the population of people they can use as unwitting accomplices is much larger than they previously thought because all DNS servers could potentially be [used to attack] a victim,” Ulevitch told SCMagazineUS.com on Wednesday.
By spoofing the source and inserting the IP address of the target, an attacker is able to direct the amplified traffic to an intended target — the “long” responses will be sent there, Jackson said.
“With or without recursion, the significance of this [new DNS amplification variation] is that even if your name server is configured using the best practices up until [now], it was still vulnerable to this technique,” he said.
Jackson, in his analysis of this new technique, offers solutions for DNS server operators to limit or block the threat.
The article is available here