{"id":4683,"date":"2015-04-27T17:20:51","date_gmt":"2015-04-27T09:20:51","guid":{"rendered":"http:\/\/rmohan.com\/?p=4683"},"modified":"2015-04-27T17:20:51","modified_gmt":"2015-04-27T09:20:51","slug":"dos-and-ddos-attacks","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=4683","title":{"rendered":"DoS and DDoS attacks"},"content":{"rendered":"

Short definition :
\nIn computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.<\/em>
\nOdli?an link<\/a>.<\/p>\n

How to detect them<\/strong>
\n# netstat -ntu | awk \u2018{print $5}\u2019 |awk -F: \u2018{print $(NF-1)}\u2019| sort | uniq -c | sort -n|grep -v r
\n1 10.10.10.38
\n2 10.10.10.140
\n2 127.0.0.1
\nUsing this command you can see a number of ESTABLISHED connections to your server, per IP address. Please note that this is not (strictly) oriented towards web servers, more towards mail servers.<\/p>\n

How to stop them<\/strong>
\nSuspicious address put in iptables and DROP them
\nUse fail2ban for all relevan services on server
\nSet certain kernel parameters using \/etc\/sysctl.conf file, to lessen the possibility of (D)DoS and SYN attacks.
\nAfter changes to sysctl.conf, changed parameters read to system by : #sysctl -p .<\/p>\n

Which kernel parameters can be set, and what they mean<\/strong>
\nThe first two parameters are the ones that (more or less) all the forum messages agree are to be set. TThose I will use, the rest, no touching \";-)\" (for now).
\n Enable IP spoofing protection, turn on Source Address Verification.
\nChecks our routing table against the source address of incoming packets to make sure that they\u2019re coming from the interface our routing table says that address is on. Note that this needs to be easily disabled; if some form of advanced routing or policy routing intends traffic from a host to come in one interface and traffic to that host to leave out a different interface, then legitimate packets will be dropped. <\/em>
\nnet.ipv4.conf.all.rp_filter = 1<\/strong>
\n Enable TCP SYN Cookie Protection.
\nWhen the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain. <\/em>
\nnet.ipv4.tcp_syncookies = 1<\/strong><\/p>\n

Some other parameters :
\nnet.ipv4.conf.default.rp_filter = 1<\/strong>
\nkernel.pid_max = 65536<\/strong>
\nnet.ipv4.ip_local_port_range = 9000 65000<\/strong>
\nImplements RFC 1337 fix F1 to counteract hazards H1, H2, and H3. This accounts for all hazards discussed in RFC 1337.<\/em>
\nnet.ipv4.tcp_rfc1337 = 1 <\/strong>
\nImplements TCP Syncookies. When the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain.<\/em>
\nnet.ipv4.tcp_syncookies = 1 <\/strong>
\nIgnores broadcast pings, reducing the damage of SMURF attacks.<\/em>
\nnet.ipv4.icmp_echo_ignore_broadcasts = 1 <\/strong>
\nSome routers ignore RFC 1122 and send junk error responses that get logged. It may be possible to trigger this logging by spoofing; this would lead to filling up the hard disk with junk logs, causing a denial of service.<\/em>
\nicmp_ignore_bogus_error_responses = 1<\/strong>
\nDefault value is 100; we relax this to limit it to 5 per second.<\/em>
\nnet.ipv4.icmp_ratelimit = 20<\/strong>
\nDefault value is 6168; we set a few ICMP masks to be rate limited:<\/em>
\nnet.ipv4.icmp_ratemask = 88089 <\/strong>
\n0: ICMP Echo Reply
\n3: ICMP Destination Unreachable (default)
\n4: ICMP Source Quench (default)
\n11: ICMP Time Exceeded (default)
\n12: ICMP Parameter Problem (default)
\n14: ICMP Timestamp Reply
\n16: ICMP Information Reply<\/p>\n

After changing \/etc\/sysctl.conf make changes active by : #sysctl -p<\/p>\n","protected":false},"excerpt":{"rendered":"

Short definition : In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Odli?an link.<\/p>\n

How to detect them # netstat -ntu | awk \u2018{print $5}\u2019 |awk -F: \u2018{print $(NF-1)}\u2019| sort | uniq -c | sort -n|grep […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,17],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4683"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4683"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4683\/revisions"}],"predecessor-version":[{"id":4684,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4683\/revisions\/4684"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}