Old 08-17-2008, 05:33 AM   #1
Drutten
LQ Newbie
 
Registered: Sep 2006
Posts: 9

Rep: Reputation: 0
Help Me stop Botnet ddos attacks


Why are we Apache users still victims of DDoS attacks and having root server rental support telling us "It is your responsibility to secure your server"? When did you hear about the first DoS attack? Back in the 90's? And it is still not solved? This pisses me off beyond belief.

And now, after trying to fix this on my Suse 10.1 distro I am stuck with never-ending dependency problems.

My suse version: Linux version 2.6.16.21-0.25-smp (geeko@buildhost) (gcc version 4.1.0 (SUSE Linux))

I run a small gaming community and I just don't have time on my own to fix this. I know for a fact that one particular person used a botnet to attack my forum just to prove "he could".

On July 30 '08 all of my webbys were unreachable because of SYN flood attacks.

Quote:
Logs from /var/log/messages

Jul 30 15:39:37 u042 kernel: possible SYN flooding on port 80. Sending cookies.
Jul 30 15:40:37 u042 kernel: possible SYN flooding on port 80. Sending cookies.
Jul 30 15:41:38 u042 kernel: possible SYN flooding on port 80. Sending cookies.
Jul 30 15:56:09 u042 kernel: possible SYN flooding on port 80. Sending cookies.
Jul 30 15:58:18 u042 kernel: possible SYN flooding on port 80. Sending cookies.
Jul 30 15:59:43 u042 kernel: possible SYN flooding on port 80. Sending cookies.
Jul 30 16:00:43 u042 kernel: possible SYN flooding on port 80. Sending cookies.
And the actual targeted URL:

Quote:
Logs from /var/log/apache2/confixx/stdlog_access

forum.euroskillz.eu :: 121.219.64.44 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_05"
forum.euroskillz.eu :: 121.219.64.44 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_05"
forum.euroskillz.eu :: 70.178.62.191 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_07"
forum.euroskillz.eu :: 121.219.64.44 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_05"
forum.euroskillz.eu :: 70.49.195.145 - - [30/Jul/2008:20:29:28 +0200] "GET / HTTP/1.1" 200 65989 "-" "Java/1.6.0_07"
forum.euroskillz.eu :: 87.208.182.92 - - [30/Jul/2008:20:30:01 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_06"
I contacted support, who advised me to:

Quote:
You may activate reverse-path checking, which will cause the IP addresses connected to you to be checked.

# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

You may also want to use a filter limiting the number of connections per second one client can open.

# iptables -N synflood
# iptables -A synflood -m limit --limit 10/second --limit-burst 24 -j RETURN
# iptables -A synflood -j REJECT
# iptables -A INPUT -p tcp --syn -j synflood
This seemed to stop the SYN flooding at least, but the DDoS attack on the forum kept going. I temporarily solved it by not using port 80. Shortly before this I moved the webbys to port 80 and was quite happy about that.

Next step was to find evasive actions against DDoS and I found mod_evasive. Sounded good and I downloaded mod_evasive_1.10.1.tar.gz.

Next issue: apache2-devel is missing in my distro. Looked in Yast and it was nowhere to be found, so I installed apache2-devel-2.2.2-1

And now when I try and compile the module I get

Quote:
apxs2 -cia mod_evasive20.c
apxs:Error: /usr/bin/apr-1-config not found!.
Right! It is in apr-devel, also missing.
And this needs
Quote:
apr 1.3.2-2.fc10
which needs rtld(GNU_HASH).

And according to Lenard in this forum

Conclusion

DEAD END

To me this feels like a dead end if I'm not switching to another distro which has what's needed to run mod_evasive. And after reading people's reviews of mod_evasive there is no guarantee it will work.

I have quite a lot of data, and I'm so to speak cornered. I can choose to make a fresh install of another distro, but I have no clue where to put all the stuff meanwhile, as it will wipe the server clean.

If you have any advice for me I would appreciate it a lot. I don't know, I'm a newbie and may have missed something. But to me it seems extremely weird that DDoS is still possible on Apache servers. And the countermeasures would be like switching your entire car just because you need a little engine part for safe driving.

Thx for listening to my confession, now it feels much better.

Last edited by Drutten; 08-17-2008 at 05:36 AM.
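As an added example (not code from the thread or from any of its posters), here is a small Python script that parses the Confixx-style access log format quoted above and flags source addresses matching the profile of the requests in it: a scripted "Java/" user-agent, no referer, and repeated hits on the same path within one second. The vhost name, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Confixx-style vhost access log line, as quoted in the thread:
# <vhost> :: <ip> - - [<timestamp>] "<request>" <status> <bytes> "<referer>" "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) :: (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_flood_sources(lines, window_seconds=1, threshold=3, ua_prefix="Java/"):
    """Return {ip: peak requests per window} for sources that fit the bot profile:
    scripted user-agent, empty referer, at least `threshold` hits in one window."""
    hits = defaultdict(Counter)  # ip -> Counter(window index -> request count)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        if not rec["ua"].startswith(ua_prefix) or rec["ref"] != "-":
            continue  # a browser sending a referer does not fit the bot profile
        window = int(rec["ts"].timestamp()) // window_seconds
        hits[rec["ip"]][window] += 1
    return {ip: max(c.values()) for ip, c in hits.items() if max(c.values()) >= threshold}

# Constructed sample lines shaped like the thread's log entries (documentation
# addresses and an invented vhost); not real log data.
SAMPLE_LOG = [
    'forum.example.eu :: 198.51.100.7 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_05"',
    'forum.example.eu :: 198.51.100.7 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_05"',
    'forum.example.eu :: 198.51.100.7 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_05"',
    'forum.example.eu :: 203.0.113.9 - - [30/Jul/2008:20:30:01 +0200] "GET / HTTP/1.1" 200 1946 "-" "Java/1.6.0_07"',
    'forum.example.eu :: 198.51.100.22 - - [30/Jul/2008:20:30:00 +0200] "GET / HTTP/1.1" 200 65989 "http://forum.example.eu/" "Mozilla/5.0"',
    'forum.example.eu :: 198.51.100.22 - - [30/Jul/2008:20:30:00 +0200] "GET /index.php HTTP/1.1" 200 65989 "http://forum.example.eu/" "Mozilla/5.0"',
    'forum.example.eu :: 198.51.100.22 - - [30/Jul/2008:20:30:00 +0200] "GET /style.css HTTP/1.1" 200 1200 "http://forum.example.eu/" "Mozilla/5.0"',
    'this line is not in the expected format',
]
```

Note that the synflood chain support suggested uses `-m limit`, which rate-limits all incoming SYNs together rather than per client; a per-source limit would need the `hashlimit` match, and a list produced by this script is the kind of input such a rule or a reject list would be built from.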
 
Old 08-17-2008, 06:37 AM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,684

Rep: Reputation: 54
http://serversupportforum.de/forum/f...r-apache2.html
it's German - but it talks about how you have to run different commands depending on what version of Apache you are using
look at point 6.)
I have no idea and never even used apache - but this sounds like a possible way to a solution. (Apache2-Prefork vs. Apache2)

have you set this in /etc/sysctl.conf ?
Code:
#net.ipv4.tcp_syncookies = 1

Last edited by jomen; 08-17-2008 at 06:40 AM.
 
Old 08-17-2008, 01:19 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally Posted by jomen
http://serversupportforum.de/forum/f...r-apache2.html
it's German - but it talks about how you have to run different commands depending on what version of Apache you are using
look at point 6.)
I have no idea and never even used apache - but this sounds like a possible way to a solution. (Apache2-Prefork vs. Apache2)

have you set this in /etc/sysctl.conf ?
Code:
#net.ipv4.tcp_syncookies = 1
It did that automatically. Look at the top of his post.

There's very little that you can do to stop a DDoS any way. By the time the traffic hits you, it doesn't matter much if your server(s) can handle it, it will have already filled up your bandwidth making other requests time-out.

The only way to really block DDoS attacks is with up-stream filtering, but again that's rather tricky since the attack packets look just like normal HTTP requests (if done correctly).
 
Old 08-18-2008, 12:55 AM   #4
Drutten
LQ Newbie
 
Registered: Sep 2006
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chort
There's very little that you can do to stop a DDoS any way. By the time the traffic hits you, it doesn't matter much if your server(s) can handle it, it will have already filled up your bandwidth making other requests time-out.
It would be convenient with a couple of IPs and some dynamic DNS magic that switches between IPs when some DDoS attacks occur. But in my case it wasn't the IP that was targeted but a domain.

Quote:
Originally Posted by chort
The only way to real block DDoS attacks is with up-stream filtering, but again that's rather tricky since the attack packets look just like normal HTTP requests (if done correctly).
You mean OS fingerprinting? I asked about that and the provider's reply was:

Quote:
if you want a bandwidth like back in the 70's we could do general OS fingerprinting on incoming connections.
 
Old 08-18-2008, 01:08 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Drutten
It would be convenient with a couple of IPs and some dynamic DNS magic that switches between IPs when some DDoS attacks occur. But in my case it wasn't the IP that was targeted but a domain.
That might help, but if your site is being deliberately targeted I would imagine the attacker would be on to you real quick.

Quote:
You mean OS fingerprinting? I asked about that and the provider's reply was:

if you want a bandwidth like back in the 70's we could do general OS fingerprinting on incoming connections
OS fingerprinting could definitely be part of the detection scheme, but usually it will take much more than that to separate real traffic from DDoS traffic - especially if you want to do so with a decent level of accuracy. As chort said, doing this sort of thing right is tricky. It takes certain skills and resources which your provider seems to lack. BTW, if you read about some of the really big companies' countermeasures during DDoS attacks you'll see that many of them instead opt for purchasing vast amounts of temporary bandwidth at multiple geographic locations until the attack subsides (or until they are able to take permanent measures upstream, which can take longer to come up with than they can afford to wait, depending on the attack).

Last edited by win32sux; 08-18-2008 at 01:25 AM.
 
Old 08-18-2008, 01:33 AM   #6
Drutten
LQ Newbie
 
Registered: Sep 2006
Posts: 9

Original Poster
Rep: Reputation: 0
Would dotdefender be of any use?
Anyone have any experience of it on Apache and ddos attacks?

And another thing. As I understand it, it's quite easy for script kiddies to get hold of and host a common IRC botnet.
I find it odd that the big IRC networks can't monitor IRC-controlled botnets. Aren't most of them using the same signals to the zombies to invoke an attack and stop an attack?

But honestly, I had no clue how big this problem actually is, not just for me.
From networkworld

Quote:
Given that the company reports there being an average of 10 million botnet 'zombies' active on any one day in the second quarter of 2008, the only way to stem the spam tide is to filter it out in a reactive way using costly technologies at the ISP or gateway level.
Still a dead end I guess. Nothing a privately run server can do about it except switching IPs and domains, riding it out and hoping it ends. Thx for your replies and helping me get some more insight into it.
 
Old 08-18-2008, 11:56 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Drutten
Would dotdefender be of any use?
Anyone have any experience of it on Apache and ddos attacks?
A quick look at their website gave me the impression it has nothing to do with anti-DDoS.

Quote:
Still a dead end I guess. Nothing a privately run server can do about it except switching IPs and domains, riding it out and hoping it ends. Thx for your replies and helping me get some more insight into it.
If switching IPs/domains was such a sure thing then you wouldn't see big companies spending hundreds of thousands of dollars during a DDoS. That said, it really depends on your attacker and you'd need to try it to know whether it'll work for you or not. If it's a small-time botnet and the determination to keep your service denied is low, then yeah, that might work. As for the comment you quoted about needing to take care of things at the ISP, don't forget that that applies specifically to bandwidth DDoS attacks. If the reason your service is being denied is because your servers are being overloaded with bogus requests, yet your connection isn't totally saturated, then you can indeed take measures on your side. AFAICT you never did state precisely how your service was being denied.

Last edited by win32sux; 08-18-2008 at 12:00 PM.
 
  

