DoS and DDoS attacks

Short definition:
In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
An excellent link.

How to detect them
# netstat -ntu | awk '{print $5}' | awk -F: '{print $(NF-1)}' | sort | uniq -c | sort -n | grep -v r
1 10.10.10.38
2 10.10.10.140
2 127.0.0.1
This command shows the number of ESTABLISHED connections to the server. Note that it is not aimed strictly at web servers; it is more for mail servers.
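The pipeline above does the counting in one line; the script below is an added example (not the post's own code) that wraps the same idea in functions so it can be run against sample data and reviewed before anything is blocked. The netstat output in sample_netstat() is constructed to resemble the post's listing, the 20 and 50 thresholds in the usage comments are arbitrary, and suggest_drop_rules() only prints iptables commands (skipping loopback) rather than executing them.

```bash
#!/usr/bin/env bash
# Added example: count connections per remote address from "netstat -ntu"
# output (read from stdin) and turn the busiest ones into iptables rules.
# sample_netstat() is constructed data modelled on the post's output.

sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:25             10.10.10.140:51022      ESTABLISHED
tcp        0      0 10.0.0.5:25             10.10.10.140:51023      ESTABLISHED
tcp        0      0 10.0.0.5:25             10.10.10.38:40111       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:52000         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:52001         TIME_WAIT
udp        0      0 10.0.0.5:53             10.10.10.7:34000
EOF
}

# Print "count address" for every remote address seen at least $1 times
# (default 1), least busy first. Replaces the post's "grep -v r" header
# filter with an explicit skip of netstat's two header lines.
count_remote_ips() {
    local threshold="${1:-1}"
    awk -v thr="$threshold" '
        NR <= 2 { next }                 # netstat header lines
        $6 == "LISTEN" { next }          # listening socket, no remote peer
        {
            addr = $5
            sub(/:[^:]*$/, "", addr)     # drop ":port"; leaves IPv6 intact
            count[addr]++
        }
        END {
            for (a in count)
                if (count[a] >= thr) printf "%d %s\n", count[a], a
        }
    ' | sort -n
}

# Turn "count address" lines into iptables DROP rules for addresses at or
# above the threshold, skipping loopback so a local service is never locked
# out. Prints the rules instead of running them so they can be reviewed.
suggest_drop_rules() {
    local threshold="$1" count ip
    while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case "$ip" in 127.*|::1) continue ;; esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# On a live system:       netstat -ntu | count_remote_ips 20
# Review before applying: netstat -ntu | count_remote_ips | suggest_drop_rules 50
sample_netstat | count_remote_ips
```

With the sample data, 10.10.10.140 and 127.0.0.1 both reach two connections, but only the former is turned into a rule.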

How to prevent them
Add suspicious IP addresses to iptables.
Use fail2ban for all relevant services on the server.
Set certain kernel parameters in the /etc/sysctl.conf file to reduce the exposure to (D)DoS and SYN attacks.
After changing the parameters, reload sysctl with: # sysctl -p
Which kernel parameters can be set, and what they mean.
The first two are settings that more or less everyone on all the forums agrees should be set this way, and those are the two parameters I will test myself. I am leaving the others alone for now ;-).
Enable IP spoofing protection, turn on Source Address Verification.
Checks our routing table against the source address of incoming packets to make sure that they’re coming from the interface our routing table says that address is on. Note that this needs to be easily disabled; if some form of advanced routing or policy routing intends traffic from a host to come in one interface and traffic to that host to leave out a different interface, then legitimate packets will be dropped.

net.ipv4.conf.all.rp_filter = 1
Enable TCP SYN Cookie Protection.
When the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain.

net.ipv4.tcp_syncookies = 1

Some other parameters that can be set:
net.ipv4.conf.default.rp_filter = 1
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 9000 65000
Implements RFC 1337 fix F1 to counteract hazards H1, H2, and H3. This accounts for all hazards discussed in RFC 1337.
net.ipv4.tcp_rfc1337 = 1
Implements TCP Syncookies. When the connection queue is filled, we drop back to this; we lose TCP extensions as a trade-off for any connections made as Syncookies, but we would otherwise not be making said connections at all so this is a net gain.
net.ipv4.tcp_syncookies = 1
Ignores broadcast pings, reducing the damage of SMURF attacks.
net.ipv4.icmp_echo_ignore_broadcasts = 1
Some routers ignore RFC 1122 and send junk error responses that get logged. It may be possible to trigger this logging by spoofing; this would lead to filling up the hard disk with junk logs, causing a denial of service.
net.ipv4.icmp_ignore_bogus_error_responses = 1
Default value is 100; we relax this to limit it to 5 per second.
net.ipv4.icmp_ratelimit = 20
Default value is 6168; we set a few ICMP masks to be rate limited:
net.ipv4.icmp_ratemask = 88089
0: ICMP Echo Reply
3: ICMP Destination Unreachable (default)
4: ICMP Source Quench (default)
11: ICMP Time Exceeded (default)
12: ICMP Parameter Problem (default)
14: ICMP Timestamp Reply
16: ICMP Information Reply
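The mask is a bit field: bit N set means ICMP type N is subject to icmp_ratelimit, which the kernel documents as the minimum spacing between responses in milliseconds. The helper below is an added example, not part of the post; it builds a mask from a list of type numbers and decodes a mask back into types, so the 6168 and 88089 values above can be verified rather than copied on trust.

```bash
#!/usr/bin/env bash
# Added example: encode and decode net.ipv4.icmp_ratemask.
# Bit N of the mask means "rate-limit ICMP type N".

# Build a ratemask from ICMP type numbers given as arguments.
icmp_ratemask() {
    local mask=0 t
    for t in "$@"; do
        mask=$(( mask | (1 << t) ))
    done
    printf '%d\n' "$mask"
}

# List the ICMP types (0-31) whose bit is set in a ratemask, space separated.
icmp_ratemask_types() {
    local mask="$1" t=0 out=""
    while [ "$t" -le 31 ]; do
        if [ $(( (mask >> t) & 1 )) -eq 1 ]; then
            out="${out:+$out }$t"
        fi
        t=$((t + 1))
    done
    printf '%s\n' "$out"
}

# The kernel default (types 3, 4, 11, 12) and the post's value, which adds
# types 0, 14 and 16.
echo "default 6168  -> types $(icmp_ratemask_types 6168)"
echo "post's 88089  -> types $(icmp_ratemask_types 88089)"
echo "types 0 3 4 11 12 14 16 -> mask $(icmp_ratemask 0 3 4 11 12 14 16)"
```

Decoding 88089 yields exactly the seven types listed above, and re-encoding those types gives 88089 back.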

After editing /etc/sysctl.conf, the change is activated with: # sysctl -p
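Once the values are loaded, the running kernel can be checked against the intended settings instead of assuming sysctl -p applied them all. The script below is an added example, not part of the post; it reads a /proc/sys-style tree (the real one by default, or a directory passed as its argument so it can be tried against a constructed tree) and reports every listed key whose live value differs from the value recommended above, returning the number of mismatches.

```bash
#!/usr/bin/env bash
# Added example: compare live sysctl values with the hardening settings
# listed in the post. Reads a /proc/sys-style tree so it can also be run
# against a constructed directory for testing.

# Desired key=value pairs, as recommended in the post.
HARDENING_SETTINGS='
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
'

# Map a sysctl key to its file: net.ipv4.tcp_syncookies -> ROOT/net/ipv4/tcp_syncookies
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Report every key whose live value differs from the desired one.
# Returns the number of mismatches, so 0 means the host matches the post.
check_sysctl_hardening() {
    local root="${1:-/proc/sys}" mismatches=0 line key want path have
    for line in $HARDENING_SETTINGS; do
        key="${line%%=*}"
        want="${line#*=}"
        path="$(sysctl_path "$root" "$key")"
        if [ -r "$path" ]; then
            have="$(tr -d '[:space:]' < "$path")"   # files hold "1\n"
        else
            have="<missing>"                        # key absent in this kernel
        fi
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Run against the real kernel (or a tree given as the first argument).
if check_sysctl_hardening "${1:-/proc/sys}"; then
    echo "all hardening settings applied"
fi
```

A non-zero exit status makes the check usable from a configuration-management run or a cron job, with the mismatching keys on standard output.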

Where explanations of the individual sysctl parameters can be found: link.

This entry was posted in Linux.
