Difference between revisions of "DDoS"

From vpsget wiki

Latest revision as of 14:23, 16 February 2017

Diagnostics

Show connections through eth0:

tcpdump -A -i eth0 -s 1500 port not 22

Show outgoing HTTP connections from 192.168.1.1:

tcpdump -An dst port http and src host 192.168.1.1

Watch which processes hold sockets on ports 80 and 443, refreshed every second:

watch -n1 lsof -i TCP:80,443 -n

Dump packets to "mycap.pcap" file for analyzing with Wireshark or similar software:

tcpdump -s 0 port http -i eth0 -w mycap.pcap

To display how many http connections are open at the moment, enter:

netstat | grep http | wc -l

Also, to count connections per remote address:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

You can also run the simple

netstat -no

command and check how many SYN_RECV and TIME_WAIT connections are active on your server.

View SYN:

netstat -no | grep SYN


View statuses

netstat -tan | awk '{print $6}' | sort | uniq -c

Using ss on CentOS 7:

ss -s
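The one-liners above answer two questions separately: which connection states dominate, and which remote addresses hold the most connections. The following Python script is an added example (not part of the wiki page) that does both in one pass over `netstat -tan` output and flags sources holding more than a threshold of half-open (SYN_RECV) connections; the sample output, addresses and the threshold of 3 are constructed for the example.

```python
from collections import Counter

# Constructed sample of `netstat -tan` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""

def parse_netstat(text):
    """Yield (state, remote_ip) for each TCP connection line, skipping
    the two header lines and listening sockets."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        remote, state = parts[4], parts[5]
        if state == "LISTEN":
            continue
        # The last ':' separates host from port for both IPv4 and IPv6.
        yield state, remote.rsplit(":", 1)[0]

def summarize(text, syn_threshold=3):
    """Count states (like `awk '{print $6}' | sort | uniq -c`) and
    connections per remote IP (like the `cut -d: -f1 | uniq -c` pipe),
    and list IPs holding more than syn_threshold half-open connections."""
    states, per_ip, half_open = Counter(), Counter(), Counter()
    for state, ip in parse_netstat(text):
        states[state] += 1
        per_ip[ip] += 1
        if state == "SYN_RECV":
            half_open[ip] += 1
    suspects = sorted(ip for ip, n in half_open.items() if n > syn_threshold)
    return {"states": dict(states), "per_ip": dict(per_ip), "suspects": suspects}

if __name__ == "__main__":
    report = summarize(SAMPLE_NETSTAT)
    for state, n in sorted(report["states"].items()):
        print(f"{n:6d} {state}")
    print("suspect sources:", ", ".join(report["suspects"]) or "none")
```

On a live host, feed it real output with `netstat -tan | python3 script.py`-style piping by replacing SAMPLE_NETSTAT with `sys.stdin.read()`.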


Protection


You can set per-IP connection limits with iptables. The following rule limits incoming connections to port 80 to 3 per source IP:

iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP

Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Drop fragmented packets:

iptables -A INPUT -f -j DROP

Drop incoming malformed XMAS packets (all TCP flags set):

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop NULL packets (no TCP flags set):

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
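To see what the XMAS, NULL and --syn rules above would actually match, the following Python script (an added example, not from the wiki) reads a pcap file such as the one the `tcpdump -w mycap.pcap` command in the Diagnostics section produces and counts matching TCP segments per source address. The capture bytes and all addresses are constructed in the code; on a real file use `open("mycap.pcap", "rb").read()` instead of SAMPLE_PCAP.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # what iptables calls "ALL"

def classify(flags):
    """Map a TCP flags byte to the iptables rule on the page that would match it."""
    if flags == ALL_FLAGS:
        return "XMAS"   # --tcp-flags ALL ALL
    if flags == 0:
        return "NULL"   # --tcp-flags ALL NONE
    if flags & (SYN | ACK | RST | FIN) == SYN:
        return "SYN"    # --syn: SYN set, ACK/RST/FIN clear
    return "OTHER"

def tcp_frame(src_ip, flags):
    """Constructed Ethernet/IPv4/TCP frame to 10.0.0.5:80 carrying the given flags."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 1024, 0, 0)
    return eth + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f
    return out

def scan_pcap(data):
    """Count (classification, source IP) over every TCP segment in the file."""
    counts, pos = Counter(), 24            # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                       # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 14:
            continue                       # truncated TCP header
        src = ".".join(str(b) for b in frame[26:30])
        flags = frame[14 + ihl + 13] & ALL_FLAGS
        counts[(classify(flags), src)] += 1
    return counts
SAMPLE_PCAP = pcap_bytes([  # constructed: XMAS and NULL probes, then a normal SYN and data
    tcp_frame("203.0.113.7", ALL_FLAGS), tcp_frame("203.0.113.7", 0),
    tcp_frame("198.51.100.9", SYN), tcp_frame("198.51.100.9", ACK | PSH)])
```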


Add the following limits to /etc/sysctl.conf:

net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2


You can also use the CSF firewall. Just set the following parameter (per-IP connection tracking limit):

CT_LIMIT = 5




>>Also, it's a good idea to close all unused UDP ports and allow UDP only to Google DNS.

>>If you are using the Apache httpd server you can install/enable mod_evasive and mod_security; these modules can also help to prevent DDoS on Apache.



>>You can also protect your server by configuring the nginx reverse proxy: http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy



>>fail2ban can also be used to block DDoSers' IP addresses: http://wiki.vpsget.com/index.php/Fail2ban

_________________
Testing


To test your server for vulnerability, you can use BackBox Linux, which has various testing tools preinstalled.
For example, to test your domain for resistance to DDoS attacks you can use slowhttptest, which is included in the BackBox installation. Example command:

slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20

Another example:

slowhttptest -X -w 500 -k 10 -u http://example.com/ -c 10000 -v  -g -o testing

Now here are the options in detail:

-a start    start value of ranges-specifier for range header test
-b bytes    limit of range-specifier for range header test
-c number   number of connections, limited to 1024
-H, -B, or -R   specify to slow down in headers section or in message body; -R enables range test
-g          generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html, where xxx is the time and date
-i seconds  interval between follow-up data in seconds, per connection
-l seconds  test duration in seconds
-o file     custom output file path and/or name, effective if -g is specified
-r connections per second   connection rate
-s bytes    value of Content-Length header, if -B specified
-t verb     custom verb to use
-u URL      target URL, the same format you type in a browser, e.g. https://host:port/
-v level    verbosity level of log 0-4
-x bytes    max length of follow-up data

You can also run tests with nmap and hping2:

 nmap -v -f FIREWALL-IP
 nmap -v -sX FIREWALL-IP
 nmap -v -sN FIREWALL-IP
 hping2 -X FIREWALL-IP