Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Although I've never been a victim of one myself, I often wonder how one deals with a ddos attack. This article in particular suggests it might be worth knowing more about it.
Would blocking IP ranges help? Where does the bottleneck occur? Is it DNS or is it Apache or is it somewhere else?
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
A denial of service attack is basically asking a system for something so many times at once that it runs out of that thing and nobody can use the system. This can be anything from ping replies to DHCP requests to information from a database.
For a DOS attack from one source, yes, you can often just block IP addresses, and for simple DDOS attacks IP ranges. However, in a true DDOS the attacking IPs have nothing in common, there is no way to prevent the attack, and only having more resources than the attackers can request can beat the attack -- that happened here, for example: http://www.theregister.co.uk/2013/03...ateral_damage/
Part of the problem with an attack of this nature is that attempting to filter and block the connections starts to consume a vast amount of resources. Typically intervention upstream, like at the ISP level is required in these types of situations.
Here are a couple of interesting articles regarding a recent and fairly high profile ddos situation involving Spamhaus, link one, link two.
Should also mention that, since DDOS traffic is made to look identical to normal traffic for whichever service is being attacked, there is no way to tell what is a DDOS attack and what is a genuine request -- so you have to block everything, thus denying service anyhow.
Quote:
Originally Posted by 273
A denial of service attack is basically asking a system for something so many times at once that it runs out of that thing and nobody can use the system. This can be anything from ping replies to DHCP requests to information from a database.
This suggests that a good attack strategy is to generate the most resource-intensive requests possible. Conversely, a good defense would be to identify and drop as quickly as possible any spurious requests.
Quote:
Originally Posted by 273
For a DOS attack from one source, yes, you can often just block IP addresses and for simple DDOS attacks IP ranges. However, in a true DDOS the attacking IPs having nothing in common, there is no way to prevent the attack and only having more resources than the attackers can request can beat the attack -- that happened here, for example: http://www.theregister.co.uk/2013/03...ateral_damage/
This is a grim thought. I had heard of the spamhaus attacks. I'll be reading that article.
Quote:
Originally Posted by Noway2
Part of the problem with an attack of this nature is that attempting to filter and block the connections starts to consume a vast amount of resources. Typically intervention upstream, like at the ISP level is required in these types of situations.
I can definitely appreciate the need to get one's ISP involved. Still, I'm wondering if there might be clustered architectures that are better able to be reconfigured to deal with such an attack. I'm imagining that a single dedicated server is more vulnerable than a virtually allocated cluster, but this is not based on any vast amount of knowledge. Is there some kind of resilient architecture one can generally adopt that is more defensible?
Quote:
Originally Posted by Noway2
Here are a couple of interesting articles regarding a recent and fairly high profile ddos situation involving Spamhaus, link one, link two.
Should also mention that, since DDOS traffic is made to look identical to normal traffic for whichever service is being attacked, there is no way to tell what is a DDOS attack and what is a genuine request -- so you have to block everything thus denying service anyhow.
OK that's depressing. I'm imagining that DDOS is kind of an art form and that some are better than others at generating more random-looking requests that resist filtering. I'm further imagining that someone has already written a nearly perfect, state-of-the-art DDOS tool and it's probably been open sourced somewhere.
There are plenty of DOS and DDOS tools out there already.
There isn't really anything clever about it though. You just infect a load of zombie machines, or buy some off a website somewhere, then tell them all to (for example) do a DNS lookup on the target or request a web page. How will the target know whether it's a legitimate request or an attack?
Quote:
Originally Posted by 273
How will the target know whether it's a legitimate request or an attack?
This is precisely the sort of thing I'd like to know more about. I can imagine a sloppy attack might request the same web page over and over and over again and never once download any javascript or images, for example. Or a single IP requesting a DNS lookup over and over again -- that sounds really suspect, as the remote machine would be totally ignoring any of the TTL values.
Quote:
I can definitely appreciate the need to get one's ISP involved. Still, I'm wondering if there might be clustered architectures that are better able to be reconfigured to deal with such an attack.
I think the answer is a maybe and it would depend upon what is the weakest link. The DDOS attack hits you in two ways: processing resources and network bandwidth. If your limiting factor is processing capability, a cluster with load sharing, or even a front end proxy, would buy you a great deal. If you are limited by the network capacity, the only thing you could do is filter upstream.
I think the more distributed the attack, the more difficult to counter it is.
I'm wondering if there could be a way, at server level, to limit, during a time period, successive identical requests from one IP address without hampering legitimate inbound traffic.
Quote:
Originally Posted by manu-tm
I think the more distributed the attack, the more difficult to counter it is.
I'm wondering if there could be a way, at server level, to limit, during a time period, successive identical requests from one IP address without hampering legitimate inbound traffic.
There is, as far as I know, on most servers. That's why a lot of machines need to be used. I can't pretend to understand this fully, but it's an explanation of how hosts are recruited to DDOS: http://www.theregister.co.uk/2013/03..._the_internet/
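The two ideas raised in this thread (a "sloppy" attacker that re-requests the same page without ever loading its assets, and limiting how many requests one IP may make within a time period) can both be checked against a web server's access log. The following is an added example, not code from anyone in the thread: it parses Apache combined-format log lines, keeps a sliding window of timestamps per client IP, and flags IPs that exceed a request-rate threshold or that keep loading HTML pages without fetching a single stylesheet, script or image. The log lines are constructed for the example, and the thresholds (20 requests in 10 seconds, 10 page loads with no assets) are arbitrary starting points. As 273 points out above, a well-distributed attack whose clients each stay under these limits will pass straight through; this catches only the aggressive or careless sources.

```python
"""Flag noisy clients in Apache combined-format access logs (added example).

Two heuristics from the thread: a per-IP request rate over a sliding window,
and a client that keeps fetching HTML without ever loading the page's assets.
All log lines below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ASSET_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.ico', '.woff')


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def analyse(lines, window_s=10, limit=20, min_pages=10):
    """Return {ip: [reasons]} for IPs that exceed `limit` requests in any
    `window_s`-second window, or that loaded >= `min_pages` pages and no assets.
    Assumes lines arrive in time order per IP, as an access log does."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> largest window population seen
    pages = defaultdict(int)
    assets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip unparsable lines rather than crash
        ip, ts = rec['ip'], rec['ts']
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
        path = rec['path'].split('?', 1)[0].lower()
        if path.endswith(ASSET_EXT):
            assets[ip] += 1
        else:
            pages[ip] += 1
    flagged = {}
    for ip in peak:
        reasons = []
        if peak[ip] > limit:
            reasons.append(f'{peak[ip]} requests in {window_s}s')
        if pages[ip] >= min_pages and assets[ip] == 0:
            reasons.append(f'{pages[ip]} page loads, no assets')
        if reasons:
            flagged[ip] = reasons
    return flagged


def _line(ip, ts, path):
    """Build one constructed log line in Apache combined format."""
    stamp = ts.strftime('%d/%b/%Y:%H:%M:%S +0000')
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


_T0 = datetime(2013, 4, 5, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # a normal visitor: one page, then its stylesheet and logo
    [_line('203.0.113.5', _T0, '/index.html'),
     _line('203.0.113.5', _T0 + timedelta(seconds=1), '/style.css'),
     _line('203.0.113.5', _T0 + timedelta(seconds=1), '/logo.png')]
    # a flooding client: 30 hits on the same page within three seconds
    + [_line('198.51.100.7', _T0 + timedelta(milliseconds=100 * i), '/index.html')
       for i in range(30)]
    # a slow but asset-less client: one page load every five seconds
    + [_line('198.51.100.8', _T0 + timedelta(seconds=5 * i), '/index.html')
       for i in range(12)]
    + ['garbage line that does not parse']
)

if __name__ == '__main__':
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(why))
```

On a real server the flagged addresses would feed a firewall or fail2ban-style ban list; note that the rate heuristic is defeated by a botnet that spreads the same load over many addresses, which is exactly why the thread keeps coming back to upstream filtering.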
Quote:
I think the answer is a maybe and it would depend upon what is the weakest link. The DDOS attack hits you in two ways: processing resources and network bandwidth. If your limiting factor is processing capability, a cluster with load sharing, or even a front end proxy would buy you a great deal. If you limited by the network capacity, the only thing you could do is filter up stream.
Having been enormously frustrated by running BIND in the past, I now typically rely on DNS services like Amazon Route 53. Hopefully Amazon would know how to deal with such an attack?
Might it be possible to exhaust the available ports on a web server? If I'm not mistaken, you may connect to a web server on port 80, but the server will then delegate the work of file transfer to some other port -- and port numbers, being described with a 16-bit int, are only about 65,000 in number. Seems to me that any botnet with a size that is some multiple of 2^16 would be able to shut down even an extraordinarily powerful system simply by occupying all 2^16 ports. Please correct me if I understand this incorrectly.
Quote:
Originally Posted by manu-tm
I think the more distributed the attack, the more difficult to counter it is.
Without a doubt.
Quote:
Originally Posted by manu-tm
I'm wondering if there could be a way, at server level, to limit, during a time period, successive identical requests from one IP address without hampering legitimate inbound traffic.
I think iptables would be useful in this regard. Like this example. I'm no master of iptables commands, but I've been extremely pleased with the protections offered by fail2ban.
Last edited by sneakyimp; 04-05-2013 at 02:46 PM.
Reason: fix quote tag
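On the port-exhaustion question above: a TCP server does not move each connection to a new port. Every accepted connection keeps the listening port (80 for a web server) as its local port, and the kernel tells connections apart by the full (local IP, local port, remote IP, remote port) tuple, so the 16-bit port range limits how many connections one client address can open to one server address and port, not how many the server can accept in total. What a flood actually exhausts is connection state: the accept backlog, conntrack entries, file descriptors and socket memory. The following added example (not code from anyone in the thread) demonstrates this on the loopback interface: it opens a listener on a kernel-chosen port, connects five clients, and reports the local and remote ports seen on the accepted sockets.

```python
"""Show that accepted TCP connections share the listening port (added example).

Runs entirely on 127.0.0.1 with ports chosen by the kernel, so it needs no
privileges and no network access.
"""
import socket
import threading


def accept_connections(n_clients=5):
    """Accept n_clients loopback connections and return
    (listen_port, {local ports of accepted sockets}, [remote ports of accepted sockets])."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(('127.0.0.1', 0))          # port 0: let the kernel pick a free port
    srv.listen(n_clients)
    listen_port = srv.getsockname()[1]

    accepted = []

    def acceptor():
        # The listening socket stays on listen_port; each accept() yields a new
        # socket for one connection, still bound to that same local port.
        for _ in range(n_clients):
            conn, _addr = srv.accept()
            accepted.append(conn)

    worker = threading.Thread(target=acceptor)
    worker.start()
    clients = [socket.create_connection(('127.0.0.1', listen_port))
               for _ in range(n_clients)]
    worker.join()

    local_ports = {c.getsockname()[1] for c in accepted}
    remote_ports = [c.getpeername()[1] for c in accepted]
    for s in accepted + clients + [srv]:
        s.close()
    return listen_port, local_ports, remote_ports


def ephemeral_port_range():
    """Return (low, high) of the Linux client-side ephemeral port range, or None elsewhere.
    This range, not the server's port number, is what bounds connections per client."""
    try:
        with open('/proc/sys/net/ipv4/ip_local_port_range') as f:
            low, high = f.read().split()
            return int(low), int(high)
    except OSError:
        return None


if __name__ == '__main__':
    port, local, remote = accept_connections()
    print('listening port:', port)
    print('local ports on accepted sockets:', local)      # always {port}
    print('remote (client) ports:', remote)               # all distinct
    print('ephemeral port range on this host:', ephemeral_port_range())
```

The accepted sockets all report the listening port as their local port, while each client was given a distinct ephemeral port by the kernel. A SYN flood from spoofed source addresses fills the listen queue with half-open connections long before any port arithmetic matters, which is what SYN cookies and connection-state limits are designed to absorb.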