Tuesday 18 March 2014

DDoS Attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.


Like DoS, DDoS also tries to deny the important services running on a server by flooding the destination server with packets in a way it cannot handle. The speciality of DDoS is that the attack is not relayed from a single network/host as in DoS: it is launched from many different networks that have already been compromised.


Normally, a DDoS consists of 3 parts: the Master, the slaves and, at last, the victim. The master is the attack launcher, i.e. the person/machine behind all this. The slaves are the machines on the networks compromised by the Master, and the Victim is the target site/server. The Master instructs the compromised machines, the so-called slaves, to launch the attack on the victim's site/machine. Hence it is also called a co-ordinated attack.


One common method of attack involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, consuming its resources so that it can no longer provide its intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.


DDoS Process :-


DDoS is done in 2 phases. In the first phase, attackers try to compromise weak machines in different networks around the world. This phase is called the Intrusion Phase. In the next phase they install DDoS tools on those machines and start attacking the victim's machines/site. This phase is called the Distributed DoS attack phase.


Common Reasons/Loopholes :-


1) Vulnerable software/applications running on a machine or network.


2) Open network setup.


3) Network/machine setup without taking security into account.


4) No monitoring or data analysis being conducted.


5) No regular audits / software upgrades being conducted.


———————————————————————————————————


netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c

netstat -alpn | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c


———————————————————————————————————


RedHat: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


BSD: netstat -na | awk '{print $5}' | cut -d "." -f1,2,3,4 | sort | uniq -c | sort -n


You can also check for connections by running the following command.

netstat -plan | grep :80 | awk '{print $4}' | sort -n | uniq -c | sort


These are a few steps to be taken when you feel the server is under attack:

——————————————————————————-

Step 1: Check the load using the command "w".

Step 2: Check which service is using the most CPU with "nice top".

Step 3: Check which IP is making the most connections: netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n

Step 4: Then block the IP using the firewall (APF or iptables, e.g. "apf -d <IP>").

——————————————————————————-
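As an added example (not part of the original post), the counting that the pipelines above and Step 3 perform, but with netstat's header lines filtered out, an optional connection-state filter for spotting half-open SYN floods, and a threshold that lists the candidates for Step 4. The netstat output is constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -ntu` output (not captured from a real host).
# 198.51.100.7 holds several half-open (SYN_RECV) connections to port 80.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:60000        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      SYN_RECV
udp        0      0 10.0.0.5:53             192.0.2.44:33333        ESTABLISHED'

# count_by_remote_ip PORT [STATE]
# Reads netstat output on stdin and prints "count ip" lines, busiest first,
# for connections whose local port is PORT (optionally only in STATE).
# Header lines are skipped, so "Address" and "connections" never show up as
# bogus "IPs" the way they do with a bare awk '{print $5}'.
count_by_remote_ip() {
    awk -v p="$1" -v s="$2" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" p "$") && (s == "" || $6 == s) {
            sub(/:[0-9]+$/, "", $5)   # strip the remote port, keep the IP
            print $5
        }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# flag_heavy_hitters THRESHOLD
# Reads "count ip" lines and prints only the IPs at or above THRESHOLD;
# these are the candidates for Step 4 (a firewall block), after a manual look.
flag_heavy_hitters() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# Convenience wrappers over the sample data so the results can be checked.
top_port80_ip() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | head -n 1 | awk '{print $2}'
}
half_open_port80_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 SYN_RECV | head -n 1 | awk '{print $1}'
}
heavy_port80_ips() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | flag_heavy_hitters 3
}

# Stand-alone run: show the per-IP table for port 80 and the heavy hitters.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80
heavy_port80_ips
```

On a live host replace the sample with `netstat -ntu | count_by_remote_ip 80`; a single IP with many SYN_RECV entries is the pattern a SYN flood leaves, whereas many IPs with a few connections each points at a distributed source that a single "apf -d" will not stop.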


How to prevent DDoS :-


Implement security features on your server like:


1) Install Apache modules like mod_dosevasive and mod_security on your server.

2) DDoS protection using CSF through its "SYNFLOOD" setting.

3) The best free & open-source solution to protect from DDoS :- http://deflate.medialayer.com/

4) Configure APF and iptables to reduce the DDoS.


Basic server securing steps :

===============================

5) Configure sysctl parameters on your server to drop attacks.


You can block the IP which is attacking your server using IPsec from the Windows command prompt (netsh):

=========

>> netsh ipsec static add filterlist name=myfilterlist

>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me

>> netsh ipsec static add filteraction name=myaction action=block

>> netsh ipsec static add policy name=mypolicy assign=yes

>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction

========

