Difference between revisions of "DDoS"
Latest revision as of 14:23, 16 February 2017
Diagnostics
Show connections through eth0:
tcpdump -A -i eth0 -s 1500 port not 22
Show outgoing http connections from 192.168.1.1:
tcpdump -An dst port http and src host 192.168.1.1
Watch which processes hold connections on ports 80 and 443, refreshing every second:
watch -n1 lsof -i TCP:80,443 -n
Dump packets to a "mycap.pcap" file for analysis with Wireshark or similar software:
tcpdump -s 0 port http -i eth0 -w mycap.pcap
To display how many http connections are open at the moment, enter:
netstat | grep http | wc -l
or, to count connections per source IP:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
You can run a simple
netstat -no
command and check how many SYN_RECV and TIME_WAIT connections are active on your server.
View SYN:
netstat -no | grep SYN
View connection states:
netstat -tan | awk '{print $6}' | sort | uniq -c
Using ss (CentOS 7):
ss -s
Protection
You can set per-IP connection limits with iptables. The following rule limits incoming connections to port 80 to 3 per source IP:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 -j DROP
Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Drop fragmented packets:
iptables -A INPUT -f -j DROP
Drop incoming malformed XMAS packets (all TCP flags set):
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop NULL packets (no TCP flags set):
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
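The following is an added example, not part of the original page: a POSIX shell/awk script that summarises a netstat -tan listing per TCP state (the diagnostics above) and reports which peers already exceed the 3-connections-per-IP limit that the connlimit rule on port 80 enforces. The listing is a constructed sample using documentation addresses; pipe real netstat -tan output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original page): summarise a `netstat -tan` style
# listing per TCP state and flag peers above the per-IP limit that the
# connlimit rule above enforces. Pipe real `netstat -tan` output into the
# functions instead of the constructed sample below.

# Constructed sample in `netstat -tan` layout (RFC 5737 documentation addresses).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      SYN_RECV
tcp        0      0 10.0.0.5:443            192.0.2.44:33000        TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.44:33001        ESTABLISHED'

# Count connections per TCP state; the header line and LISTEN sockets are skipped.
state_counts() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { n[$6]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Count connections per peer IP on one local port and print peers above LIMIT.
# Usage: peers_above PORT LIMIT   (80 and 3 mirror --dport 80 --connlimit-above 3)
peers_above() {
    awk -v port="$1" -v limit="$2" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4; sub(/.*:/, "", lport)     # keep only the local port
            peer  = $5; sub(/:[^:]*$/, "", peer)  # strip the trailing :port (IPv6-safe)
            if (lport == port) n[peer]++
        }
        END { for (p in n) if (n[p] > limit) printf "%s %d\n", p, n[p] }' | sort
}

# Wrappers that run the two reports over the constructed sample.
sample_state_count() { printf '%s\n' "$SAMPLE" | state_counts | awk -v s="$1" '$2 == s { print $1 }'; }
sample_peers_above()  { printf '%s\n' "$SAMPLE" | peers_above "$1" "$2"; }

printf '%s\n' "$SAMPLE" | state_counts     # 4 ESTABLISHED, 3 SYN_RECV, 1 TIME_WAIT
sample_peers_above 80 3                    # 203.0.113.7 4
```

A peer listed by peers_above is one the connlimit rule would already be dropping new SYNs from; a rising SYN_RECV count with no matching peer above the limit points at a distributed source rather than a single noisy client.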
Add the limits to /etc/sysctl.conf:
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
You can also use the CSF firewall. Just set the following parameter:
CT_LIMIT = 5
>> It is also a good idea to close all unused UDP ports and allow UDP only to Google DNS.
>> If you are using the Apache httpd server you can install/enable mod_evasive and mod_security; these modules can also help to prevent DDoS on Apache.
>> You can also protect your server by configuring the nginx reverse proxy: http://wiki.vpsget.com/index.php/Nginx_Reverse_Proxy
>> fail2ban can also be used to block DDoSers' IP addresses: http://wiki.vpsget.com/index.php/Fail2ban
_________________
Testing
To test your server for vulnerability, you can use BackBox Linux, which has various testing tools preinstalled.
For example, to test your domain for resistance to DDoS attacks you can use slowhttptest, which is included in the BackBox installation. Example command:
slowhttptest -c 1000 -B -g -o output-file-name -i 100 -r 300 -s 10240 -u http://www.example.com/url/page.html -x 20
Another example:
slowhttptest -X -w 500 -k 10 -u http://example.com/ -c 10000 -v -g -o testing
The options in detail:
-a start     start value of ranges-specifier for range header test
-b bytes     limit of range-specifier for range header test
-c number    number of connections, limited to 1024
-H, -B, or -R   specify to slow down in headers section or in message body; -R enables range test
-g           generate statistics in CSV and HTML formats, pattern is slow_xxx.csv/html, where xxx is the time and date
-i seconds   interval between follow up data in seconds, per connection
-l seconds   test duration in seconds
-o file      custom output file path and/or name, effective if -g is specified
-r connections per second   connection rate
-s bytes     value of Content-Length header, if -B specified
-t verb      custom verb to use
-u URL       target URL, the same format you type in browser, e.g. https://host:port/
-v level     verbosity level of log 0-4
-x bytes     max length of follow up data
You can also test with nmap and hping2:
nmap -v -f FIREWALL-IP
nmap -v -sX FIREWALL-IP
nmap -v -sN FIREWALL-IP
hping2 -X FIREWALL-IP