Thursday, October 3, 2013

Nowadays a common problem for many companies is the Distributed Denial of Service attack (DDoS), so this post explains what a DDoS is and describes one possible solution for it.

Distributed Denial of Service (DDoS):
In computing, this attack is an attempt to make a machine (usually a web server) or a network resource unavailable to its intended users. The motives vary, but the attack generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. A visual explanation is shown in Figure 1.

Figure 1: Stacheldraht DDoS Attack Diagram

There are several solutions to mitigate these attacks (IDS, IPS, etc.), but today I want to share a simple new tool that you can deploy on your own network:

"(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server's firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)"

Here are some features:
  • It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
  • Simple configuration file: /usr/local/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run at a chosen frequency via the configuration file (default: 1 minute)
  • You can receive email alerts when IP addresses are blocked.

How to install:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

How to uninstall:

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Configuration:
After installing the script you need to open the file "ddos.conf" located in "/usr/local/ddos".

Edit the paths according to your system (use straight double quotes; the curly quotes some pages show are not valid shell syntax):

PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

Customize the options and their values as you want:

# Frequency in minutes at which the script will be executed
FREQ=1
# Number of connections from a single IP address above which it is treated as an alleged attacker and blocked
NO_OF_CONNECTIONS=150
# 1 means that DDoS Deflate will use APF to block, 0 means it uses iptables directly
APF_BAN=1
# Time (in seconds) to keep an attacker blocked
BAN_PERIOD=600
# Address to send an email to when someone is banned
EMAIL_TO="root"
# With a value of 0 attackers are only reported, not banned; 1 is the default
KILL=1
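To make the quoted netstat pipeline and the NO_OF_CONNECTIONS / ignore.ip.list logic concrete, here is an added POSIX shell example (my own code, not DDoS Deflate's) that runs the same per-IP count over a constructed netstat -ntu sample and reports which addresses would be blocked. The sample output, the whitelist and the function names are assumptions made up for the example; the script only handles IPv4, since cut -d: -f1 mangles IPv6 addresses.

```shell
#!/bin/sh
# Added example (not DDoS Deflate's own code): reproduce the tool's
# per-IP connection count and threshold check over constructed
# netstat -ntu output, honouring a whitelist as ignore.ip.list does.

# Constructed sample of `netstat -ntu` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      TIME_WAIT
tcp        0      0 10.0.0.5:443            203.0.113.9:33000       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:33001       ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.9:5353        ESTABLISHED'

# Constructed whitelist in the format of ignore.ip.list (one IP per line).
IGNORE_LIST='127.0.0.1
203.0.113.9'

# The same pipeline the tool runs, applied to stdin instead of live netstat.
# Header lines are dropped by keeping only rows whose first field is tcp/udp.
# Caveat: cut -d: -f1 mangles IPv6 foreign addresses; this handles IPv4 only.
count_connections() {
    awk '$1 ~ /^(tcp|udp)$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Print the IPs whose connection count exceeds the threshold and that are
# not whitelisted. $1 = threshold, $2 = whitelist text, stdin = netstat output.
ips_to_block() {
    threshold=$1
    ignore=$2
    count_connections | while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        if printf '%s\n' "$ignore" | grep -qxF "$ip"; then
            continue
        fi
        printf '%s\n' "$ip"
    done
}

# With NO_OF_CONNECTIONS=2: 192.0.2.10 (3 conns) is flagged, 203.0.113.9
# (3 conns) is whitelisted, 198.51.100.7 (1 conn) is under the threshold.
run_demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | ips_to_block 2 "$IGNORE_LIST"
}

run_demo
```

In the real script the printed addresses are handed to APF or iptables and released again after BAN_PERIOD seconds; here they are only listed, which is also a useful dry run before enabling KILL=1.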

Official Site: deflate.meadialayer.com
