У вас есть0товары в вашей корзине

База знаний

  Категории

DDoS Protection
5
Diagnostic
2
Общие
2
ISPmanager хостинг
6
Linux Administration
39
Manual
1
Microtik CHR
1
Plesk хостинг
2
VestaCP
3
Virtualizor
1
Законодательная база
1
сPanel web hosting
1
Электронная почта (e-mail)
3

  Категории

  Облако меток

ddos sysctl sysctl.conf планировщик ISPmanager Socket error [111]: Connection refused BitrixVM REMOTE_ADDR в Nginx + Apache telegram bot Python ftp cpanel

  Поддержка

Обращения в службу поддержки
Новости
База знаний
Загрузка
Состояние сети
Открыть билет

Detecting and Mitigating DDOS Attacks

Печать
  • 0
Detecting and Mitigating DDOS Attacks

#List all Finish (FIN) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 1 != 0'


#List all SYN and SYN-ACK packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 2 != 0' 


#List all Reset (RST) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 4 != 0'


#List all Push (PSH) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 8 != 0'


#List all acknowledge (ACK) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 16 != 0'


#List all null packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 0xff = 0'
OR
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] = 0'

#List all packets for your destination port 80 (assuming you are on destination host)
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[2:2] = 80'



#List count of TCP connections by IP address

machine1 : netstat -npt | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      554  X.175.191.23
      5      Y.49.92.30
      3      Z.225.121.76
      2     A.219.69.149
      2     B.152.24.254





#List count of TCP connections by IP address on specific service port

machine1 : netstat -npt | grep <port>  | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      554  X.175.191.23
      5      Y.49.92.30
      3      Z.225.121.76
      2     A.219.69.149
      2     B.152.24.254



#List count of Established TCP connections by IP address  on specific service port and are in ESTABLISHED state

machine1 : netstat -npt | grep <port> | grep ESTABLISHED | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      413  X.175.191.23
      2      Y.49.92.30
      2      Z.225.121.76
      2     A.219.69.149
      2     B.152.24.254

#List count of connections by state
machine1 : netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
   1749 ESTABLISHED
    118 TIME_WAIT
      6 LAST_ACK
      5 SYN_RECV
      4 FIN_WAIT2
      1 Foreign
      1 FIN_WAIT1
      1 CLOSE_WAIT


SYN flood attacks & mitigations

1)Detect if you are having SYN flood: 
SYN_RECV state it means your server has received the initial SYN packet, it has sent it's own SYN+ACK packet and is waiting on the ACK from the external machine to complete the TCP handshake.

machine1 : netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
   1749 SYN_RECV
    18 ESTABLISHED
      6 LAST_ACK


Command clearly shows you have lot many connections in SYN_RECV state and possible SYN flood attack.

2)Detect if its from single IP(DOS attack) or multiple IPs(DDOS attack):


Single IP attack:
machine1 : netstat -npt  | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      413  X.175.191.23
      2      Y.49.92.30
      2      Z.225.121.76
      2     A.219.69.149
      2     B.152.24.254


Now you know the culprit IP, you could just block the IP. There are various ways you could block the IP.
Common and quick ways are:
a)Drop packets using ip command: 
machine1: ip route add blackhole X.175.191.23/32

b)Drop packets using iptables command:
iptables -A INPUT -s X.175.191.23 -j DROP

Is ip or iptables command better to use? Hard to say since both works at layer 3/4 of OSI model. You need to check how large is your routing table or iptables. The one to traverse fast should be used.

Multiple IP attack (common subnet):
machine1 : netstat -npt  | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      345  X.175.191.13
      243  X.175.190.27
      34  X.175.181.33
      78  X.175.41.24
      2  Y.42.91.30
      2   Z.125.121.76


Common and quick ways are:
a)Drop subnet using ip command: 
machine1: ip route add blackhole X.175.0.0/16

b)Drop subnet using iptables command:
iptables -A INPUT -s X.175.0.0/16 -j DROP




Its pretty common to have SYN flood attacks from multiple IPs by spoofing source IP address in packets. This way its becomes hard to distinguish sometimes which are real IPs and which are fake.
Multiple IP attack (different subnet):
machine1 : netstat -npt  | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
      3  X.175.191.23
      2  Y.42.91.30
      2   Z.125.121.76
      2   A.219.69.149
      2   B.152.24.254
     2   C.142.44.254
     2   D.52.54.214
     1   E.15.27.250



SYN cookies dramatically reduces your CPU and memory usage durin SYN flood attack and helps to keep machine a bit happy.When SYN Cookie is enabled on JUNOS software with enhanced services and becomes the TCP-negotiating proxy for the destination server, it replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence Number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, JUNOS software with enhanced services drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.If the initiating host responds with a TCP packet containing the cookie +1 in the TCP ACK field, JUNOS software with enhanced services extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, JUNOS software with enhanced services starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN. When JUNOS software with enhanced services receives a SYN/ACK from the server, it sends ACKs to the server and to the initiation host. At this point the connection is established and the host and server are able to communicate directly.

Syn Cookies
#Check if SYN cookie is enabled or not:

machine1 : sysctl -a | grep tcp_syncookies
net.ipv4.tcp_syncookies = 0

#Enable it:
machine1 : sysctl -w net.ipv4.tcp_syncookies=1



IPTABLES
#Custom SYN-ATTACK chain
:SYN-ATTACK - [0:0]

#Rule
-A INPUT -i <your interface> -m -p tcp --syn -j SYN-ATTACK
-A SYN-ATTACK -m limit --limit 100/second --limit-burst 100 -j RETURN
-A SYN-ATTACK -m limit --limit 10/h --limit-burst 10 -j LOG --log-prefix "SYN-ATTACK Attack:"
-A SYN-ATTACK -j DROP

Помог ли вам данный ответ?

Связанные статьи

DDoS and sysctl.conf When DDoS attacks, it is absolutely necessary to optimize your server as best as possible. Our... IPtables DDoS Protection for VPS ### 1: Drop invalid packets ### /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate... Основные методы амплификации Основные виды амплификаций: 1) DNS - Пакеты прилетают с source port 53 (UDP) Для блокировки... UDP flood iptables protection # Outbound UDP Flood protection in a user defined chain. iptables -N udp-flood iptables -A...
« Назад