DDOS, or Distributed Denial of Service, is an advanced version of the DOS (Denial
of Service) attack. Like DOS, DDOS tries to deny important services running on
a server by flooding the destination server with packets in a way that it
cannot handle. The speciality of DDOS is that the attack is not relayed from a
single network/host as in DOS; it is launched from many different networks
which have already been compromised.
Normally, a DDOS consists of three parts: the Master, the Slaves and, at last,
the Victim. The Master is the attack launcher, i.e. the person/machine behind
all this. The Slaves are the networks that have been compromised by the Master,
and the Victim is the target site/server. The Master instructs the compromised
machines, the so-called slaves, to launch the attack on the victim's
site/machine; hence it is also called a co-ordinated attack.
Here is how I see it: the Master is the master brain, the Slaves are the launch
pad for the attack, and the Victim is the target.
DDOS is done in two phases. In the first phase the attackers try to compromise
weak machines in different networks around the world. This phase is called the
Intrusion Phase. It is in the next phase that they install the DDOS tools and
start attacking the victim's machines/site. This phase is called the
Distributed DoS attack phase.
What allowed them to do it? Simple:
Vulnerable software/applications running on a machine or network.
An open network setup.
A network/machine set up without taking security into account.
No monitoring or data analysis being conducted.
No regular audits or software upgrades being conducted.
To find the load, just use the command w or uptime:
# w
 12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
To find out whether a large number of HTTP (Apache) processes are running, count
them with:
# ps aux | grep -i '[h]ttp' | wc -l
(The bracket pattern stops grep from counting its own process, and -i matches
httpd as well as HTTP.)
On a heavily loaded server the number of connections will go above 100. But
during a DDOS attack the number will go even higher, and that is when we need
to find out from which networks these attacks are coming.
In a DDOS the individual host machine is of little importance. It is the
network that matters here, because an attacker will use any machine on the
compromised network, or even all the machines in that network. Hence the
network address is of importance while fighting with
Check each block of IPs. Let us assume you have more than 30 connections from a
single IP. Under normal circumstances there is no need for that many connection
requests from a single IP. Try to identify such IPs/networks from the list you
get.
If more than 5 hosts/IPs connect from the same network, it is a clear sign of
DDOS.
Block those IPs/networks using iptables or APF:
iptables -A INPUT -s <Source IP> -j DROP
If you have APF, just add the IPs you want to block to the file
/etc/apf/deny_hosts.rules.
Continue this process until the attack on the machine subsides.
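As an added example (not part of the original article), the following Python script applies the two thresholds given above, more than 30 connections from a single IP and more than 5 hosts from the same network, to a constructed netstat -ntu style listing and renders the matching iptables DROP rules for review rather than executing them. Treating a "network" as a /24 block and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

MAX_CONN_PER_IP = 30   # article: more than 30 connections from one IP is abnormal
MAX_HOSTS_PER_NET = 5  # article: more than 5 hosts from one network signals DDOS
NET_PREFIX = 24        # assumption: a "network" is treated as a /24 block

def parse_remote_ips(netstat_text):
    """Return the remote IPv4 address of every ESTABLISHED tcp line in
    `netstat -ntu` style output; header, udp and LISTEN lines are skipped."""
    ips = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] == "ESTABLISHED":
            ips.append(fields[4].rsplit(":", 1)[0])  # drop the port
    return ips

def find_suspects(ips, max_conn=MAX_CONN_PER_IP, max_hosts=MAX_HOSTS_PER_NET):
    """Apply both thresholds; returns (noisy_ips, noisy_networks), sorted."""
    per_ip = Counter(ips)
    hosts_per_net = defaultdict(set)
    for ip in per_ip:
        net = ipaddress.ip_network(f"{ip}/{NET_PREFIX}", strict=False)
        hosts_per_net[net].add(ip)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > max_conn)
    noisy_nets = sorted(str(net) for net, hosts in hosts_per_net.items()
                        if len(hosts) > max_hosts)
    return noisy_ips, noisy_nets

def iptables_rules(noisy_ips, noisy_nets):
    """Render the article's DROP rule for each finding; nothing is executed."""
    return [f"iptables -A INPUT -s {src} -j DROP" for src in noisy_ips + noisy_nets]

# Constructed sample (documentation address ranges, not real traffic): 31 connections
# from 198.51.100.7, one each from six hosts in 192.0.2.0/24, two ordinary ones.
SAMPLE = "Proto Recv-Q Send-Q Local Address Foreign Address State\n"
SAMPLE += "".join(f"tcp 0 0 203.0.113.10:80 198.51.100.7:{40000 + i} ESTABLISHED\n"
                  for i in range(31))
SAMPLE += "".join(f"tcp 0 0 203.0.113.10:80 192.0.2.{h}:5000 ESTABLISHED\n"
                  for h in range(1, 7))
SAMPLE += "tcp 0 0 203.0.113.10:80 198.51.100.20:6000 ESTABLISHED\n"
SAMPLE += "tcp 0 0 203.0.113.10:80 198.51.100.20:6001 ESTABLISHED\n"
SAMPLE += "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN\n"

if __name__ == "__main__":
    ips, nets = find_suspects(parse_remote_ips(SAMPLE))
    print("\n".join(iptables_rules(ips, nets)))
```

On a live box, feed it the real output of netstat -ntu and review the printed rules before applying any of them.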
There is no complete or perfect solution to DDOS. The logic is simple: no
software or measure can handle attacks from multiple servers, say from 50 to
100 servers, all at the same time. All that can be done is to take preventive
measures.
Prevention is better than cure. This is very much true in the case of DDOS. In
my introduction I mentioned that DDOS happens because of vulnerable
software/applications running on machines in a particular network. Attackers
use those security holes to compromise servers in different networks and
install the DDOS tools (e.g. trinoo, a DDOS tool).
In this configuration, a rule called "Rule" is set to check permissions (p),
inode (i), user (u), group (g), number of links (n), size (s) and md5 checksum
(md5). This rule is applied to all files in /bin, /sbin, /var and
/usr/local/apache/conf because they should rarely, if ever, change. Files in
/etc are checked only for changes in permissions, inode, user and group,
because their size may change but other attributes should not. Files and
directories in /var/spool and /var/log are not checked, because those are the
folders where the most frequent updates take place.
(h) After configuring, AIDE should be initialised with all these rules.
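The AIDE configuration described above, reconstructed here as an added example from the description (the article's own file is not on the page); the rule names "Rule" and "Perms" and the directory layout are taken from the text, and the attribute letters are AIDE's own.

```conf
# Reconstructed aide.conf selection rules (added example, not the original file).
# Attribute letters: p permissions, i inode, u user, g group, n link count,
# s size, md5 checksum.
Rule  = p+i+u+g+n+s+md5
Perms = p+i+u+g

# Trees that should rarely, if ever, change: check every attribute in Rule
/bin                    Rule
/sbin                   Rule
/var                    Rule
/usr/local/apache/conf  Rule

# /etc: file sizes may grow, so watch only permissions, inode, user and group
/etc                    Perms

# Constantly updated trees are excluded entirely (negative selection)
!/var/spool
!/var/log
```

Initialise the database with aide --init and later compare against it with aide --check; a report listing changed files under /bin or /sbin is the signal that a box may have been compromised in the intrusion phase.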
Machines, new or old, should only be allowed to run on your network if your
Security Admin or a DSE (Dedicated Security Expert) member approves them with
the status "OK to go live" after auditing the box. All hosts in the network
should be checked on a regular basis by your DSE team to make sure that they
are up to date and can withstand attacks.
Use open source tools like NESSUS (www.nessus.org), NMAP (www.insecure.org/nmap)
and others (the remaining links are dead) for auditing a network to find its
vulnerabilities.
Collect data about your networks and hosts. Analyse and study it to see from
where, and what kind of, attacks are coming into the network. This step will
help us understand what kind of attacks we are facing and will help us
strengthen the preventive measures. Let me tell you, this move is worth the
money you spend, for sure.
The two kernel settings to enable are (in /etc/sysctl.conf form):
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Alternatively, add the code below to /etc/rc.local and restart the network:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Since DDOS normally targets HTTP, it is always good to have a filtering system
for Apache, so that each request gets analysed before the web server handles
it. Please find the installation steps for mod_security in DSO mode below.
This is the most important part. People, including users, should be security
conscious. Only then will they understand the importance of security measures.
Server owners and users should be made aware of the issues that can arise from
poor security practices.
Blessen Cherian works at Bobcares. He is passionate about server security and looks forward to gaining expertise in this area.