LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 07-19-2002, 08:03 AM   #1
m_thangbk
LQ Newbie
 
Registered: Jul 2002
Location: Ha Noi, Viet Nam.
Distribution: MDK 8.0, MDK 8.1, RH 7.2, RH 7.3
Posts: 11

Rep: Reputation: 0
Unhappy How to prevent DoS attacks


My RH dedicated server has been DoS by some lame hackers. Is there a way to block such kind of attacks.
 
Old 07-19-2002, 08:54 AM   #2
rverlander
Member
 
Registered: May 2002
Distribution: A few
Posts: 488

Rep: Reputation: 30
Firewall (ipchains, etc)
 
Old 07-19-2002, 07:02 PM   #3
mtellin
LQ Newbie
 
Registered: Feb 2002
Location: Sioux Falls, SD
Distribution: RedHat 7.3
Posts: 3

Rep: Reputation: 0
You could also use this line:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 
Old 07-19-2002, 08:42 PM   #4
shoot2kill
Member
 
Registered: Jan 2002
Location: California
Distribution: Red Hat
Posts: 402

Rep: Reputation: 30
Quote:
Originally posted by mtellin
You could also use this line:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
What would this do to help?
 
Old 07-19-2002, 08:53 PM   #5
mtellin
LQ Newbie
 
Registered: Feb 2002
Location: Sioux Falls, SD
Distribution: RedHat 7.3
Posts: 3

Rep: Reputation: 0
protects from SYN flooding attacks
 
Old 07-19-2002, 10:27 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,777
Blog Entries: 54

Rep: Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977
Could you provide some more info on what protocols they used, time of attack, used source addresses, maybe some logs from Snort/tcpdump/whatever else and what you tried to stop it?
 
Old 07-20-2002, 12:29 AM   #7
m_thangbk
LQ Newbie
 
Registered: Jul 2002
Location: Ha Noi, Viet Nam.
Distribution: MDK 8.0, MDK 8.1, RH 7.2, RH 7.3
Posts: 11

Original Poster
Rep: Reputation: 0
My main job is web developper. I'm quite new to Linux and do not know much about it. But I suppose that my server is not vulnerable to SYN flood ( I've used a SYN flooder to test my server and it had not been affected). So may be the hackers used another method to attack. Although everything is over but I still want to know how to prevent DoS in the future.

Thanks.
 
Old 07-20-2002, 12:47 AM   #8
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
I guess, real hardware controled firewall would be the best solution when it is configured tightly. Masquerading your network is one more step to securing your box and entire network, packet filter wich is a basic software firewall is not enough to prevent anybody from sneaking around your box. There are too many options available, custom access control list (ACL), I suggest for now getting a book, first comes to my mind is "Hacking Exposed" which has also different derivatives like "Hacking Linux Exposed" http://www.amazon.com/exec/obidos/AS...707679-4628865 , another good source is "Linux Firewalls" http://www.amazon.com/exec/obidos/AS...707679-4628865
 
Old 07-20-2002, 11:32 AM   #9
progster
Member
 
Registered: Feb 2002
Distribution: ubuntu
Posts: 76

Rep: Reputation: 15
Quote:
Originally posted by m_thangbk
My main job is web developper. I'm quite new to Linux and do not know much about it. But I suppose that my server is not vulnerable to SYN flood ( I've used a SYN flooder to test my server and it had not been affected). So may be the hackers used another method to attack. Although everything is over but I still want to know how to prevent DoS in the future.

Thanks.
It could be ddos or drdos'ed, check out www.grc.com, I believe they have some really good docs on DoS and their variants.

[edit] this is the direct link to the doc: http://grc.com/dos/grcdos.htm [/edit]

~Progster

Last edited by progster; 07-20-2002 at 11:34 AM.
 
Old 07-20-2002, 11:40 AM   #10
shoot2kill
Member
 
Registered: Jan 2002
Location: California
Distribution: Red Hat
Posts: 402

Rep: Reputation: 30
Quote:
Originally posted by mtellin
protects from SYN flooding attacks
I just seen this, while compiling new kernel for one of my system, and it is disabled by default.

Thanks!
 
Old 07-22-2002, 10:34 PM   #11
tyler_durden
Member
 
Registered: May 2001
Posts: 125

Rep: Reputation: 15
If its a syn flood, which you should check by running tcp dump to make sure. you can enable syn cookies. Also, you can increase the number of syns the stack will take by entering following command
sysctl -w "net.ipv4.tcp_max_syn_backlog=XXX"

where xxx is a large number. Redhat default is 1024, i have gone as high as 4096. In some lab tests it significantly mitigated some of the syn flood effects.
 
Old 07-24-2002, 01:49 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,777
Blog Entries: 54

Rep: Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977Reputation: 2977
Some excellent posts in this thread, did some digging to come up with some starting points, so it's presented rather sparse as not to cramp your Google searching stylee :-]

= Type of DoS attacks:
- TCP floods (SYN, ACK, RST) *Google ?q="3-way handshake SYN flood"
- ICMP echo request (Smurf, Fraggle)
- UDP floods (chargen)
- DDoS attacks are "distributed", DoS attacks launched from compromised hosts.

= DoS defense:
- ISP filtering
- Host filtering (Netfilter)
Filtering means you/ISP should check that IP source addresses do not contain reserved or broadcast addresses, on inbound (ingress) that the source address shouldn't be the same as the destination addresss and reverse on outbound (egress) routes.
- Rate limiting
- Kernel SYN cookies
- TCP Wrappers
- Tweak network serving application/master (xinetd) parameters, like for instance Xinetd using "sensors" and explicitly denying in Apache's conf: allow,deny. Maybe also check out max childs etc.
- Test your setup!

= Handle DoS attacks:
- Start tcpdump capture if possible: save evidence of attack.
Pro: evidence available, con: none
- Rate-limit sources: try and curb traffic.
Pro: may alleviate load, con: may slow response for legitimate traffic if applied w/o scrutiny
- Track down offending source addresses.
Pro: aid in contacting remote ISP's, con: may be impossible due to spoofed source addresses
- Aggresively filter sources: drastic way to try and curb excess traffic.
Pro: may alleviate load, con: may also cut out legitimate traffic
- Close down networking daemons: no-way-out effort.
Pro: reduces load, con: obviously doesn't serve availability
- Notify remote ISP to apply egress filtering.
Pro: may alleviate load, con: depends on ISP service-mindedness so YMMV.
- Notify ISP to apply ingress filtering.
Pro: alleviates load, con: depends on ISP service-mindedness so YMMV.
The ISP may also decide in their wisdom to just kill the pipe for just now.

More docs:
SANS - Help Defeat Denial of Service Attacks: Step-by-Step: http://www.sans.org/dosstep/index.htm
CERT - Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
NWC - Fireproofing Against DoS Attacks (forms of): http://www.nwc.com/1225/1225f38.html
SANS - ICMP Attacks Illustrated: http://rr.sans.org/threats/ICMP_attacks.php
Xinetd Sensors: http://www.gate.net/~ddata/xinetd-sensors.html
Xinetd FAQ: http://synack.net/xinetd/faq.html

============================
DDOS Attacks:
SANS - Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/ddos_roadmap.htm
SANS - Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://rr.sans.org/threats/spoofed.php
SANS - Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation: http://rr.sans.org/threats/understan...nding_ddos.php
Juniper.net - Minimizing the Effects of DoS Attacks: http://arachne3.juniper.net/techcent...te/350001.html
CISCO - Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks: http://www.cisco.com/warp/public/707/newsflash.html

*If any docs don't come tru due to registration, bad internet weather, no blood sacrifices been made to SCSI chains etc etc, just prefix with "http://216.239.51.100/search?q=cache:" to get 'em from the Google cache :-]
 
Old 07-24-2002, 01:55 PM   #13
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
You should also configure your router(s) for eggres filtering. If you do so, spoofing will we a lot harder. In this way your machines wont be that interesting for hackers to launch DDOS attacks from.
 
Old 07-19-2005, 08:19 AM   #14
ubuntu2
LQ Newbie
 
Registered: Jul 2005
Posts: 26

Rep: Reputation: 15
Talking

irony... oh irony...if u click on this link (today ; tue jul 19 2005)-->
http://docs.linux.com/article.pl?sid.../1719214&tid=5

u see this -->
"Stopping DDOS Attacks
Wednesday March 26, 2003 (05:13 PM GMT)
Considering how difficult they are to trace back to the original offender, if anyone is willing to do so, what might be an alternative means of ending DDOS attacks?
Click here!
Read more at linuxjournal.com �


and then u click on -->

"Click here!
Read more at linuxjournal.com
"

u see this -->
"Linux Journal Is Currently Unavailable Due to a DDoS Attack
Sorry for any inconvenience."


 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Preventing DOS Attacks? clubar Linux - Security 2 09-22-2004 10:54 PM
DoS Attacks Protection chenkoforever Linux - Security 2 07-04-2004 05:11 PM
htpd attacks plisken Linux - Security 3 04-18-2004 05:12 PM
IP attacks sundarrnathan Linux - Security 1 06-04-2003 06:33 AM
DoS Attacks prac2 Linux - Networking 1 10-12-2001 07:16 AM


All times are GMT -5. The time now is 11:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration