Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
03-05-2007, 03:37 AM
|
#16
|
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
Rep:
|
I'm not sure. I believe that the packets should ideally get dropped even before they are processed by the kernel itself. Even if you dont drop the packets..the kernel will eventually drop it due to too many timeouts/re-transmissions..only it wont be quick enough to stop the DOS. SO ideally I'd say whatever filtering device you use - should drop it before the Kernel processes the packet.
I'm not certain though ; if someone who knows more about this can back up what I said I'd feel more comfortable.
Cheers
Arvind
|
|
|
03-05-2007, 03:49 AM
|
#17
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
You should begin by the easier solutions.
I would first try to tweak some kernel options, as said by Capt_Caveman
Also he mentionned modevasive, did you try it?
Do you also have burst limit on SYN packets in iptables?
Snort is supposed to be an intrusion detection system, not a firewall. It can be very resource intensive. Running it on the same machine as apache could make things worse IMO.
|
|
|
03-05-2007, 04:06 AM
|
#18
|
LQ Newbie
Registered: Mar 2007
Posts: 6
Rep:
|
Yes, we have mod_evasive
We also have SYNWatch on that interface.
Don't have syn burst limit (iptables), but we tried it days ago and was not working.
Will try the kernel mods.
Any other ideea will be great, and about snort ... yeah ... at our traffic rating
it will be a great resource consumer.
Regards,
|
|
|
03-05-2007, 05:08 AM
|
#19
|
Member
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753
Rep:
|
That thread is closed and I think this is why?
Quote:
I see that you are interested in the DDOS tools. I propose you a test on this site. I ll make a port scan too,ddos start in 2 minutes !btw i m fro ro and don`t chek my ip,its a proxy.
|
feels like i am watching a movie.
<sorry for contributing nothing>
|
|
|
03-05-2007, 11:42 AM
|
#20
|
LQ Newbie
Registered: Mar 2007
Posts: 6
Rep:
|
PHP Code:
03/05-19:38:39.631165 86.107.182.74:2651 -> 194.126.185.100:80 TCP TTL:122 TOS:0x0 ID:19385 IpLen:20 DgmLen:48 DF ******S* Seq: 0x3F19031F Ack: 0x0 Win: 0xFFFF TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03/05-19:38:39.631200 86.107.182.74:2652 -> 194.126.185.100:80 TCP TTL:122 TOS:0x0 ID:19386 IpLen:20 DgmLen:48 DF ******S* Seq: 0xFF8113B6 Ack: 0x0 Win: 0xFFFF TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03/05-19:38:39.631235 89.33.100.137:14935 -> 194.126.185.100:80 TCP TTL:248 TOS:0x0 ID:65259 IpLen:20 DgmLen:40 *****R** Seq: 0x3AE5A77D Ack: 0x55 Win: 0xFFFF TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03/05-19:38:39.631248 85.204.121.236:4920 -> 194.126.185.100:80 TCP TTL:120 TOS:0x0 ID:34 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x9AB4BC11 Ack: 0xDE8E3589 Win: 0xFFFF TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 03/05-19:38:39.631259 85.204.121.236:4920 -> 194.126.185.100:80 TCP TTL:120 TOS:0x0 ID:36 IpLen:20 DgmLen:130 DF ***AP*** Seq: 0x9AB4BC11 Ack: 0xDE8E3589 Win: 0xFFFF TcpLen: 20 24 4D 79 4E 69 63 6B 20 5B 52 4F 5D 43 4C 5D 63 $MyNick [RO]CL]c 72 69 73 74 69 6E 61 7C 24 4C 6F 63 6B 20 45 58 ristina|$Lock EX 54 45 4E 44 45 44 50 52 4F 54 4F 43 4F 4C 41 42 TENDEDPROTOCOLAB 43 41 42 43 41 42 43 41 42 43 41 42 43 41 42 43 CABCABCABCABCABC 20 50 6B 3D 44 43 50 4C 55 53 50 4C 55 53 30 2E Pk=DCPLUSPLUS0. 36 37 34 41 42 43 41 42 43 7C 674ABCABC|
this is the output from snort .. please give us a rule to drop $MyNick .....
|
|
|
03-05-2007, 02:59 PM
|
#21
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
If you have Snort-Inline working then you can simply use the 'drop' action. Once you are comfortable that everything is working properly you can switch to sdrop if you like (probably using a threshold limit would be better).
Code:
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg: "DCC dDoS detected"; content: "$MyNick";)
Though the string "Pk=DCPLUSPLUS" might be useful triggering as well. Also make sure to edit the config file properly so that $HTTP_SERVERS and $HTTP_PORTS variables are accurate.
If you are still working on getting Snort-Inline working you may find this helpful.
If you are concerned about the resources consumed by Snort, you can also use iptables string match. I believe it's still not part of the basic iptables installation, so you'd need to do the whole patch-o-matic and kernel recompile to use it.
|
|
|
03-05-2007, 03:45 PM
|
#22
|
LQ Newbie
Registered: Mar 2007
Posts: 6
Rep:
|
a little questions .. all that $EXTERNAL_NET and so over must be replaced with my ip / port etc?
ty for help ...
|
|
|
03-05-2007, 04:26 PM
|
#23
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Quote:
Originally Posted by ipv6waiting
a little questions .. all that $EXTERNAL_NET and so over must be replaced with my ip / port etc?
ty for help ...
|
I usually define $HOME_NET with whatever IPs or IP ranges are on my network and then just set $EXTERNAL_NET as !$HOME_NET. $HTTP_SERVERS and $HTTP_PORTS are what they sound like. You can use actual IP addresses or ranges of IPs (in CIDR notation) in place of any of those variables if you like.
The Snort docs are excellent resources:
http://www.snort.org/docs/faq/1Q05/node34.html
|
|
|
03-05-2007, 05:44 PM
|
#24
|
LQ Newbie
Registered: Mar 2007
Posts: 6
Rep:
|
now ... what should i say to iptables:
iptables -A INPUT -p tcp --dport 80 -j QUEUE
or
iptables -A OUTPUT -p tcp --dport 80 -j QUEUE
?
and the final rule for me is:
PHP Code:
var EXTERNAL_NET any var HTTP_SERVERS x.x.x.x var HTTP_PORTS 80 drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DCC dDoS detected"; content:"$MyNick"; sid:100000135;)
snort loggs a lot of data in log folder but the site is still unreachable ... any updates pls/.
Last edited by ipv6waiting; 03-05-2007 at 06:12 PM.
|
|
|
03-05-2007, 06:23 PM
|
#25
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
You'll want to send packets coming into the box from the internet to the QUEUE, so this will either be INPUT or FORWARD. If Apache is running on that machine then you'll send packets in INPUT to the QUEUE, if the webserver is on another machine inside the network and DNATed then you'll want to use FORWARD. You use OUTPUT for analyzing packets going outbound from the system/network to the internet (which you don't need and adds overhead).
|
|
|
03-05-2007, 06:33 PM
|
#26
|
LQ Newbie
Registered: Mar 2007
Posts: 6
Rep:
|
i've done all the above but still the site can't be reached .. and in console i still see Possible SYN Flood on port 80 messages.
any other ideea or a better rule.
|
|
|
03-06-2007, 02:15 AM
|
#27
|
Member
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34
Original Poster
Rep:
|
Yup, me and ipv6waiting are gettin' crazy over here xD
/var/log/snort is like this:
PHP Code:
[**] [1:100000135:0] DCC dDoS detected [**] [Priority: 0] 03/06-10:13:12.792459 86.55.93.158:2044 -> X:80 TCP TTL:121 TOS:0x0 ID:41527 IpLen:20 DgmLen:140 DF ***AP*** Seq: 0x54C21422 Ack: 0x7170AAE Win: 0x8000 TcpLen: 20
[**] [1:100000135:0] DCC dDoS detected [**] [Priority: 0] 03/06-10:13:12.792564 86.55.93.158:2045 -> X:80 TCP TTL:121 TOS:0x0 ID:41528 IpLen:20 DgmLen:140 DF ***AP*** Seq: 0xC541DEDC Ack: 0x730EBFD Win: 0x8000 TcpLen: 20
[**] [1:100000135:0] DCC dDoS detected [**] [Priority: 0] 03/06-10:13:12.792617 86.55.93.158:2046 -> X:80 TCP TTL:121 TOS:0x0 ID:41529 IpLen:20 DgmLen:140 DF ***AP*** Seq: 0xBE7FF72 Ack: 0x717453D Win: 0x8000 TcpLen: 20
[**] [1:100000135:0] DCC dDoS detected [**] [Priority: 0] 03/06-10:13:12.792664 86.55.93.158:2047 -> X:80 TCP TTL:121 TOS:0x0 ID:41530 IpLen:20 DgmLen:140 DF ***AP*** Seq: 0xB69DB56D Ack: 0x756C0BA Win: 0x8000 TcpLen: 20
[**] [1:100000135:0] DCC dDoS detected [**] [Priority: 0] 03/06-10:13:12.792732 86.55.93.158:2048 -> X:80 TCP TTL:121 TOS:0x0 ID:41531 IpLen:20 DgmLen:140 DF ***AP*** Seq: 0xA1AD28E3 Ack: 0x70349C5 Win: 0x8000 TcpLen: 20
But, no good !
Last edited by c00kie; 03-06-2007 at 07:07 AM.
|
|
|
03-06-2007, 04:27 AM
|
#28
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
You may want to change the 'drop' action to 'reject' to eliminate retries. Also, take a look in /var/log/snort and see how many unique IPs are you seeing? How many alerts per IP? What I'm getting at is that if these are coming from a limited number of IP addresses, you can block them out-right with IPtables.
If you've legitimately tried all of the above recommendations (TCP/Netfilter/Apache tuning) then you're really at the limits of what you can do by yourself to mitigate it. The next option would to be to throw several load-balancing proxy servers in front of the webserver and let them split the connection load and then only the valid HTTP requests would be proxied to the internal webserver.
I think you're also at the point where you should contact your ISP and see if they can help you mitigate the attack on their end. These are real connection attempts, not spoofed packets, so they should be able to null route much of it. So I would definitely contact them and let them know what's going on. Make sure to explain in detail the type of traffic that you are seeing (DC++ connection attempts on port 80) and why (malicious redirection of DC++ clients using the ForceMove command). Send relevant logs as well.
|
|
|
03-07-2007, 08:35 AM
|
#29
|
Member
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34
Original Poster
Rep:
|
All this time.. we still h ave'nt fixed this issue, if you look here :
Snort received 118092 packets
Analyzed: 13297(11.260%)
Dropped: 104585(88.562%)
Outstanding: 210(0.178%)
===============================================================================
Breakdown by protocol:
TCP: 13244 (99.601%)
UDP: 42 (0.316%)
ICMP: 6 (0.045%)
ARP: 5 (0.038%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 13297
PASSED: 0
===============================================================================
Snort exiting
I think that... we have a bunch of packets, don't we? lol. Oh.. that happened in only 5 SECONDS.
|
|
|
03-07-2007, 08:44 AM
|
#30
|
Member
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257
Rep:
|
You might want to disable all your rules except the DC++ one. That will drastically reduce the number of alerts Snort is triggering and setting off.
Yeah its normal ..the number of packets you're receiving .
Cheers
Arvind
|
|
|
All times are GMT -5. The time now is 11:59 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|