LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-05-2007, 03:37 AM   #16
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30

I'm not sure. I believe that the packets should ideally get dropped even before they are processed by the kernel itself. Even if you dont drop the packets..the kernel will eventually drop it due to too many timeouts/re-transmissions..only it wont be quick enough to stop the DOS. SO ideally I'd say whatever filtering device you use - should drop it before the Kernel processes the packet.

I'm not certain though ; if someone who knows more about this can back up what I said I'd feel more comfortable.

Cheers
Arvind
 
Old 03-05-2007, 03:49 AM   #17
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
You should begin by the easier solutions.
I would first try to tweak some kernel options, as said by Capt_Caveman
Also he mentionned modevasive, did you try it?

Do you also have burst limit on SYN packets in iptables?

Snort is supposed to be an intrusion detection system, not a firewall. It can be very resource intensive. Running it on the same machine as apache could make things worse IMO.
 
Old 03-05-2007, 04:06 AM   #18
ipv6waiting
LQ Newbie
 
Registered: Mar 2007
Posts: 6

Rep: Reputation: 0
Yes, we have mod_evasive
We also have SYNWatch on that interface.
Don't have syn burst limit (iptables), but we tried it days ago and was not working.
Will try the kernel mods.


Any other ideea will be great, and about snort ... yeah ... at our traffic rating
it will be a great resource consumer.


Regards,
 
Old 03-05-2007, 05:08 AM   #19
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
That thread is closed and I think this is why?
Quote:
I see that you are interested in the DDOS tools. I propose you a test on this site. I ll make a port scan too,ddos start in 2 minutes !btw i m fro ro and don`t chek my ip,its a proxy.
feels like i am watching a movie.
<sorry for contributing nothing>
 
Old 03-05-2007, 11:42 AM   #20
ipv6waiting
LQ Newbie
 
Registered: Mar 2007
Posts: 6

Rep: Reputation: 0
PHP Code:

03
/05-19:38:39.631165 86.107.182.74:2651 -> 194.126.185.100:80
TCP TTL
:122 TOS:0x0 ID:19385 IpLen:20 DgmLen:48 DF
******SSeq0x3F19031F  Ack0x0  Win0xFFFF  TcpLen28
TCP Options 
(4) => MSS1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-19:38:39.631200 86.107.182.74:2652 -> 194.126.185.100:80
TCP TTL
:122 TOS:0x0 ID:19386 IpLen:20 DgmLen:48 DF
******SSeq0xFF8113B6  Ack0x0  Win0xFFFF  TcpLen28
TCP Options 
(4) => MSS1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-19:38:39.631235 89.33.100.137:14935 -> 194.126.185.100:80
TCP TTL
:248 TOS:0x0 ID:65259 IpLen:20 DgmLen:40
*****R** Seq0x3AE5A77D  Ack0x55  Win0xFFFF  TcpLen20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-19:38:39.631248 85.204.121.236:4920 -> 194.126.185.100:80
TCP TTL
:120 TOS:0x0 ID:34 IpLen:20 DgmLen:40 DF
***A**** Seq0x9AB4BC11  Ack0xDE8E3589  Win0xFFFF  TcpLen20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/05-19:38:39.631259 85.204.121.236:4920 -> 194.126.185.100:80
TCP TTL
:120 TOS:0x0 ID:36 IpLen:20 DgmLen:130 DF
***AP*** Seq0x9AB4BC11  Ack0xDE8E3589  Win0xFFFF  TcpLen20
24 4D 79 4E 69 63 6B 20 5B 52 4F 5D 43 4C 5D 63  $MyNick 
[RO]CL]c
72 69 73 74 69 6E 61 7C 24 4C 6F 63 6B 20 45 58  ristina
|$Lock EX
54 45 4E 44 45 44 50 52 4F 54 4F 43 4F 4C 41 42  TENDEDPROTOCOLAB
43 41 42 43 41 42 43 41 42 43 41 42 43 41 42 43  CABCABCABCABCABC
20 50 6B 3D 44 43 50 4C 55 53 50 4C 55 53 30 2E   Pk
=DCPLUSPLUS0.
36 37 34 41 42 43 41 42 43 7C                    674ABCABC
this is the output from snort .. please give us a rule to drop $MyNick .....
 
Old 03-05-2007, 02:59 PM   #21
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you have Snort-Inline working then you can simply use the 'drop' action. Once you are comfortable that everything is working properly you can switch to sdrop if you like (probably using a threshold limit would be better).

Code:
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
     (msg: "DCC dDoS detected"; content: "$MyNick";)
Though the string "Pk=DCPLUSPLUS" might be useful triggering as well. Also make sure to edit the config file properly so that $HTTP_SERVERS and $HTTP_PORTS variables are accurate.

If you are still working on getting Snort-Inline working you may find this helpful.

If you are concerned about the resources consumed by Snort, you can also use iptables string match. I believe it's still not part of the basic iptables installation, so you'd need to do the whole patch-o-matic and kernel recompile to use it.
 
Old 03-05-2007, 03:45 PM   #22
ipv6waiting
LQ Newbie
 
Registered: Mar 2007
Posts: 6

Rep: Reputation: 0
a little questions .. all that $EXTERNAL_NET and so over must be replaced with my ip / port etc?

ty for help ...
 
Old 03-05-2007, 04:26 PM   #23
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by ipv6waiting
a little questions .. all that $EXTERNAL_NET and so over must be replaced with my ip / port etc?

ty for help ...
I usually define $HOME_NET with whatever IPs or IP ranges are on my network and then just set $EXTERNAL_NET as !$HOME_NET. $HTTP_SERVERS and $HTTP_PORTS are what they sound like. You can use actual IP addresses or ranges of IPs (in CIDR notation) in place of any of those variables if you like.

The Snort docs are excellent resources:
http://www.snort.org/docs/faq/1Q05/node34.html
 
Old 03-05-2007, 05:44 PM   #24
ipv6waiting
LQ Newbie
 
Registered: Mar 2007
Posts: 6

Rep: Reputation: 0
now ... what should i say to iptables:

iptables -A INPUT -p tcp --dport 80 -j QUEUE

or

iptables -A OUTPUT -p tcp --dport 80 -j QUEUE

?

and the final rule for me is:

PHP Code:
var EXTERNAL_NET any
var HTTP_SERVERS x.x.x.x
var HTTP_PORTS 80
drop tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"DCC dDoS detected"content:"$MyNick"sid:100000135;) 
snort loggs a lot of data in log folder but the site is still unreachable ... any updates pls/.

Last edited by ipv6waiting; 03-05-2007 at 06:12 PM.
 
Old 03-05-2007, 06:23 PM   #25
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
You'll want to send packets coming into the box from the internet to the QUEUE, so this will either be INPUT or FORWARD. If Apache is running on that machine then you'll send packets in INPUT to the QUEUE, if the webserver is on another machine inside the network and DNATed then you'll want to use FORWARD. You use OUTPUT for analyzing packets going outbound from the system/network to the internet (which you don't need and adds overhead).
 
Old 03-05-2007, 06:33 PM   #26
ipv6waiting
LQ Newbie
 
Registered: Mar 2007
Posts: 6

Rep: Reputation: 0
i've done all the above but still the site can't be reached .. and in console i still see Possible SYN Flood on port 80 messages.

any other ideea or a better rule.
 
Old 03-06-2007, 02:15 AM   #27
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Original Poster
Rep: Reputation: 15
Yup, me and ipv6waiting are gettin' crazy over here xD

/var/log/snort is like this:
PHP Code:
[**] [1:100000135:0DCC dDoS detected [**]
[
Priority0]
03/06-10:13:12.792459 86.55.93.158:2044 -> X:80
TCP TTL
:121 TOS:0x0 ID:41527 IpLen:20 DgmLen:140 DF
***AP*** Seq0x54C21422  Ack0x7170AAE  Win0x8000  TcpLen20

[**] [1:100000135:0DCC dDoS detected [**]
[
Priority0]
03/06-10:13:12.792564 86.55.93.158:2045 -> X:80
TCP TTL
:121 TOS:0x0 ID:41528 IpLen:20 DgmLen:140 DF
***AP*** Seq0xC541DEDC  Ack0x730EBFD  Win0x8000  TcpLen20

[**] [1:100000135:0DCC dDoS detected [**]
[
Priority0]
03/06-10:13:12.792617 86.55.93.158:2046 -> X:80
TCP TTL
:121 TOS:0x0 ID:41529 IpLen:20 DgmLen:140 DF
***AP*** Seq0xBE7FF72  Ack0x717453D  Win0x8000  TcpLen20

[**] [1:100000135:0DCC dDoS detected [**]
[
Priority0]
03/06-10:13:12.792664 86.55.93.158:2047 -> X:80
TCP TTL
:121 TOS:0x0 ID:41530 IpLen:20 DgmLen:140 DF
***AP*** Seq0xB69DB56D  Ack0x756C0BA  Win0x8000  TcpLen20

[**] [1:100000135:0DCC dDoS detected [**]
[
Priority0]
03/06-10:13:12.792732 86.55.93.158:2048 -> X:80
TCP TTL
:121 TOS:0x0 ID:41531 IpLen:20 DgmLen:140 DF
***AP*** Seq0xA1AD28E3  Ack0x70349C5  Win0x8000  TcpLen20 
But, no good !

Last edited by c00kie; 03-06-2007 at 07:07 AM.
 
Old 03-06-2007, 04:27 AM   #28
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
You may want to change the 'drop' action to 'reject' to eliminate retries. Also, take a look in /var/log/snort and see how many unique IPs are you seeing? How many alerts per IP? What I'm getting at is that if these are coming from a limited number of IP addresses, you can block them out-right with IPtables.

If you've legitimately tried all of the above recommendations (TCP/Netfilter/Apache tuning) then you're really at the limits of what you can do by yourself to mitigate it. The next option would to be to throw several load-balancing proxy servers in front of the webserver and let them split the connection load and then only the valid HTTP requests would be proxied to the internal webserver.

I think you're also at the point where you should contact your ISP and see if they can help you mitigate the attack on their end. These are real connection attempts, not spoofed packets, so they should be able to null route much of it. So I would definitely contact them and let them know what's going on. Make sure to explain in detail the type of traffic that you are seeing (DC++ connection attempts on port 80) and why (malicious redirection of DC++ clients using the ForceMove command). Send relevant logs as well.
 
Old 03-07-2007, 08:35 AM   #29
c00kie
Member
 
Registered: Mar 2007
Location: CORE
Distribution: FC6, FreeBSD, XP?
Posts: 34

Original Poster
Rep: Reputation: 15
All this time.. we still h ave'nt fixed this issue, if you look here :

Snort received 118092 packets
Analyzed: 13297(11.260%)
Dropped: 104585(88.562%)

Outstanding: 210(0.178%)
===============================================================================
Breakdown by protocol:
TCP: 13244 (99.601%)
UDP: 42 (0.316%)
ICMP: 6 (0.045%)
ARP: 5 (0.038%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 13297
PASSED: 0
===============================================================================
Snort exiting

I think that... we have a bunch of packets, don't we? lol. Oh.. that happened in only 5 SECONDS.
 
Old 03-07-2007, 08:44 AM   #30
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
You might want to disable all your rules except the DC++ one. That will drastically reduce the number of alerts Snort is triggering and setting off.

Yeah its normal ..the number of packets you're receiving .

Cheers
Arvind
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Verlihub addouns Padawan.AVT Linux - Server 0 12-12-2006 01:27 PM
VerliHub on Slackware? :-/ NightSoul Linux - Software 4 07-27-2006 05:46 PM
Trying to install verlihub z9_87 Linux - Software 0 10-19-2005 05:20 PM
Apache getenv bug? wu1821 Linux - General 1 06-29-2005 10:00 AM
Slackware 9.1 and Apache bug? xipxap Slackware 3 10-14-2003 11:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration