by hash3liZer . 10 July 2018
In the past years, the attack of DDOS (Denial of Service) has greatly increased on web servers. Where does the concern of security lies, so does about breaking these security measures. However, it has been recorded that the DDOS is one of the most deployed attack vectors these years. In fact, many of the websites were successfully defaced and it's all about giving the servers a huge unexpected traffic.
One thing, everyone should know about DDOS is that no website is secure against a decent DDOS. The wider the attacking vector, greater the chances of defacing the website will exist. In this tutorial, we are going to cover up this attack vector and will try to mitigate it by adding some extra rules in the firewall. Have a look on the history of DOS:
DOS & DDOS
There's a little difference in between DOS and DDOS. DOS is simple Denial of Service. In this attack, only a single source actually tries to deface the target by sending unwanted packets to the target. While in DDOS, multiple attackers, send the packets to the target server. That's why it is called Distributed Denial of Service. Because the same attack is being divided among multiple users.
DOS becomes difficult as it becomes wide. This simplest of the DOS is with using ping:
$ ping [target ip] -l 65500
Now, Lets populate the DOS using GoldenEye, a well-written script for testing sites against HTTP Dosing. Clone the repository from GitHub:
$ git clone https://github.com/jseidl/GoldenEye.git $ cd ./GoldenEye
Run the script with the help argument:
$ python goldeneye.py --help
Now, a simple DOS with GoldenEye:
$ python goldeneye.py [target IP] -w 15 --nosslcheck
And running this from multiple computers would turn it into DDOS.
Firewalls performs the most prominent function against these kind of attacks by limiting the number of requests or dropping forged packets from the sender. This is how most of the CDN providers mitigate DOS. However, some other factors could also be helpful in DOS like greater bandwidth tough it can not mitigate the attack but somehow make it worthless for a short period until the victim figure out something.
We could either use a CDN provider like CloudFlare to add this extra security for us OR we can use iptables to add some new rules to the server firewall. For now, we are going to use iptables to mitigate the attack.
IPtables is a user-space command utility to configure packet filtering rules in the kernel. By, default it's installed on almost on every Linux System. Before we start, you would need a huge explanation on iptables. I'll not explain any about iptables itself but just write the commands to filterize packets.
Iptables have tables and chains to apply rules and filtration over the packets as needed. These tables and chains are helpful to define when to apply a certain rule and at what position to a certain packet. Unless all of the given conditions are matched, packets do not get filtered. And at this place, most of the rules defined by you, suck.
DDOS have it's kinds too. It could be SYN flood, could be an invalid request or it could be about numberless UDP packets. Hence, we got various kind of attacks here. Surely, to mitigate each of these, we have to apply different rules, each to mitigate a single kind of request.
To better understand, the commands we are going to write, first, have a look at the iptables chains:
And now Depending on the nature of packets you want to filter. You can apply these rules:
Blocking Forged TCP packets:
The below rules will block TCP packets with unrecognized flags, i.e. the flags which are not used with TCP packets:
$ iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP $ iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
Block Invalid Packets:
The below rule will block non-SYN packets and which are not sent for an established connection:
$ iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
Well, in case, the attack is from the local network, i.e. from within the network, you could block those requests too. The below rule will block spoofed packets sent from some IP within the network:
$ iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP $ iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP $ iptables -t mangle -A PREROUTING -s 18.104.22.168/3 -j DROP $ iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP $ iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP $ iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP $ iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP $ iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP $ iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
Dropping ICMP packets:
Since, ICMP packets are used to ping a host, there's no need of accepting ICMP packets. The below rule will drop ICMP packets, if received:
$ iptables -t mangle -A PREROUTING -p icmp -j DROP
After all of the above rules, we still have TCP packets to accept and manipulate. However, we can limit the number of TCP packets from a source by checking for active connections at a time. We are going to limit this number by 100. This means that if the source has 100 live connections to the server, the server will drop the next requests.
$ iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT $ iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
So, we've seen how to deface a website using DDOS (Distributed Denail of Service) and how you could prevent this attack on your site by adding some additional rules in the firewall. Note that, not all of the time, you would be required to apply all of the rules explained above. Sometimes, it's better to first understand what a single rule does and then apply according to the appropriate requirements.