Distributed Denial of Service (DDoS) Attack

Currently, DDoS attacks are constantly being mentioned in the media, but what are these attacks and how can we defend ourselves?

Goals

DDoS attacks aim to make a system's resources unavailable to its users for a period of time or permanently.

In a distributed denial-of-service attack, a controlling computer (the “Master”) can have up to thousands of computers (“Zombies”) under its command. The denial-of-service work is distributed to this “army” of enslaved machines, and such attacks can now even be launched from websites that need only be visited to generate a specific attack against a given server.

The attack consists of having the Zombies (infected machines under the Master's command) all access a given resource on a given server at the same time on the same date.

Depending on the resource attacked, the server may restart or even hang.

Known viruses created to distribute denial-of-service attack routines include “Codered”, “Slammer” and “MyDoom”, which enslave the machines they infect. Known DDoS attack tools include “Fabi” (1998), “Blitznet”, “Trin00” (Jun/1999), “TFN” (Aug/1999), “Stacheldraht” (Sep/1999), “Shaft”, “TFN2K” (Dec/1999) and “Trank”.

How to detect?

DDoS tools are very stealthy when it comes to detection. Among the various properties that make their detection difficult, the use of encryption is the most significant. In addition, the source code can be modified so that the default ports, passwords and values are changed.

However, detecting them is not impossible. This section therefore presents some mechanisms that help detect a possible compromise of your machine (or network) indicating that it is being used in DDoS attacks. These mechanisms range from the most conventional to the most modern.
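One concrete detection mechanism, added here as an example (it is not from the original article): the article points out that agents are told to hit the same resource on the same server at the same moment, and that they forge their source addresses. Seen from inside your own network, the first shows up as many of your hosts opening flows to one external destination and port within a short window, and the second as packets leaving the internal segment with a source address that is not yours. The script below finds both in exported flow records. The records, field layout, local prefix and thresholds are constructed assumptions for this example, not any exporter's real format.

```python
"""Added example: spotting hosts on your own network that behave like DDoS agents,
using constructed flow records captured on the internal segment."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")   # assumed: the segment being monitored

# Constructed records: "<epoch seconds> <src> <dst> <dst port> <proto>", as if
# captured on the internal segment (so both directions of traffic appear here).
SAMPLE_FLOWS = """\
1700000000 192.0.2.10 198.51.100.5 443 tcp
1700000001 192.0.2.11 198.51.100.5 443 tcp
1700000001 192.0.2.12 198.51.100.5 443 tcp
1700000002 192.0.2.13 198.51.100.5 443 tcp
1700000003 192.0.2.14 198.51.100.5 443 tcp
1700000004 192.0.2.15 198.51.100.5 443 tcp
1700000005 203.0.113.7 198.51.100.5 443 tcp
1700000000 192.0.2.20 198.51.100.9 80 tcp
1700000300 192.0.2.21 198.51.100.9 80 tcp
1700000900 192.0.2.22 198.51.100.9 80 tcp
1700000002 198.51.100.9 192.0.2.20 40000 tcp
"""


def parse_flows(text):
    """Parse the whitespace-separated records into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip blank or malformed lines
        ts, src, dst, dport, proto = parts
        flows.append((int(ts), ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def find_converging_hosts(flows, window=10, min_sources=5):
    """Map (dst, dport, proto) -> set of internal sources for every external target
    that at least `min_sources` distinct internal hosts contacted within some
    `window`-second span. Thresholds are assumptions; tune them to your traffic."""
    by_target = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if src in LOCAL_NET and dst not in LOCAL_NET:
            by_target[(dst, dport, proto)].append((ts, src))
    alerts = {}
    for target, events in by_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {src for _, src in events[start:end + 1]}
            if len(sources) >= min_sources:
                alerts.setdefault(target, set()).update(sources)
    return alerts


def find_spoofed_sources(flows):
    """Flows seen on the internal segment whose source is not ours and whose
    destination is not ours either: a local host is sending with a forged source."""
    return [f for f in flows if f[1] not in LOCAL_NET and f[2] not in LOCAL_NET]


def summarize(flows):
    """One human-readable line per finding."""
    lines = []
    for (dst, dport, proto), sources in find_converging_hosts(flows).items():
        lines.append(f"{len(sources)} internal hosts converged on {dst}:{dport}/{proto}: "
                     + ", ".join(sorted(map(str, sources))))
    for ts, src, dst, dport, proto in find_spoofed_sources(flows):
        lines.append(f"t={ts}: spoofed source {src} -> {dst}:{dport}/{proto} left the segment")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_flows(SAMPLE_FLOWS)):
        print(line)
```

On the sample data this reports six internal hosts converging on 198.51.100.5:443 within a few seconds and one outbound flow with the foreign source 203.0.113.7; the three slow requests to 198.51.100.9 and the inbound reply are ignored.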

How to prevent yourself?

So far there is no “magic solution” that avoids DDoS attacks; what is possible is to apply certain strategies that mitigate the attack, and that is the objective of this section.

Among the recommended strategies, the following can be considered:

  • Increase host security
    The main characteristic of this attack is the formation of a network of compromised machines acting as masters and agents. It is therefore strongly recommended to raise the security level of your machines, which makes it harder to form the attack network.
  • Install patches
    Systems used by intruders to execute DDoS attacks are commonly compromised through known vulnerabilities. It is therefore recommended to keep your systems up to date by applying patches whenever necessary.
  • Apply “anti-spoofing” filters
    During DDoS attacks, intruders try to hide their real IP addresses by spoofing, which basically consists of forging the source address and makes it difficult to identify the origin of the attack. It is therefore necessary that:

    1. ISPs implement anti-spoofing filters on the ingress side of their routers, ensuring that their customers' networks do not put spoofed packets onto the Internet.
    2. Networks connected to the Internet, in general, implement anti-spoofing filters on the egress side of their edge routers, ensuring that they themselves do not send spoofed packets onto the Internet.
  • Limit bandwidth by traffic type
    Some routers allow you to limit the bandwidth consumed by each type of traffic on the network. On Cisco routers, for example, this is possible using CAR (Committed Access Rate). In the specific case of a DDoS attack that launches a flood of ICMP or TCP SYN packets, for example, you can configure the system to limit the bandwidth that these types of packets may consume.
  • Prevent your network from being used as an “amplifier”
    Since some DDoS tools can launch smurf (or fraggle) attacks, which rely on sending packets to broadcast addresses, it is recommended that directives preventing the receipt of packets addressed to such addresses be implemented on all router interfaces. This will prevent your network from being used as an “amplifier”. More information about the smurf attack (and the related fraggle attack) can be found at: http://users.quadrunner.com/chuegen/smurf
  • Establish a contingency plan
    Starting from the premise that no system connected to the Internet is totally secure, it is essential that the effects of the eventual unavailability of any of the systems be considered and that an appropriate contingency plan be in place, should it be needed.
  • Prior planning of response procedures
    Prior planning and coordination are critical to ensure an adequate response while the attack is taking place: time is crucial! This planning must necessarily include joint reaction procedures with your backbone service provider.
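The anti-spoofing, bandwidth-limiting and anti-amplifier measures above are easiest to understand as one decision chain at the border router. The simulation below, added here as an example and not taken from the article or from any vendor's configuration syntax, applies all three to a stream of constructed packets: ingress/egress source-address filtering in the style of BCP 38, a drop of packets addressed to one of our subnets' directed-broadcast addresses, and a token bucket that caps ICMP and TCP SYN rates in the spirit of CAR (the bucket parameters are assumptions, not CAR's own syntax). Prefixes, packets and rates are all constructed.

```python
"""Added example: three of the article's border-router mitigations simulated in
one packet-filter decision chain, over constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: the address space we announce to the Internet.
LOCAL_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]
# Addresses that must never arrive from the Internet as a packet's source.
BOGON_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]


@dataclass
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    kind: str          # "icmp", "syn" or "data"
    direction: str     # "egress" (leaving our network) or "ingress" (arriving)


def is_local(addr):
    a = ip_address(addr)
    return any(a in p for p in LOCAL_PREFIXES)


def is_directed_broadcast(addr):
    a = ip_address(addr)
    return any(a == p.broadcast_address for p in LOCAL_PREFIXES)


def spoof_check(pkt):
    """Egress: only our own prefixes may appear as source (we do not emit spoofed
    packets). Ingress: neither our prefixes nor bogons may arrive from outside."""
    if pkt.direction == "egress":
        return is_local(pkt.src)
    a = ip_address(pkt.src)
    return not is_local(pkt.src) and not any(a in p for p in BOGON_PREFIXES)


class TokenBucket:
    """Allow up to `burst` packets at once, refilling at `rate` packets/second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, ts):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class BorderFilter:
    def __init__(self, rates=None):
        # assumed limits: ICMP 2 pkt/s (burst 4), TCP SYN 5 pkt/s (burst 10)
        rates = rates or {"icmp": (2, 4), "syn": (5, 10)}
        self.buckets = {k: TokenBucket(r, b) for k, (r, b) in rates.items()}

    def decide(self, pkt):
        if not spoof_check(pkt):
            return "drop:spoofed"
        if pkt.direction == "ingress" and is_directed_broadcast(pkt.dst):
            return "drop:directed-broadcast"      # would otherwise amplify (smurf/fraggle)
        bucket = self.buckets.get(pkt.kind)
        if bucket is not None and not bucket.allow(pkt.ts):
            return "drop:rate-limit"
        return "forward"


def run(packets):
    f = BorderFilter()
    return [f.decide(p) for p in packets]


SAMPLE_PACKETS = [
    Packet(0.0, "192.0.2.10", "203.0.113.1", "data", "egress"),     # normal outbound
    Packet(0.1, "203.0.113.50", "203.0.113.1", "data", "egress"),   # forged source leaving us
    Packet(0.2, "10.1.1.1", "192.0.2.10", "data", "ingress"),       # bogon source from the Internet
    Packet(0.3, "192.0.2.77", "192.0.2.10", "data", "ingress"),     # our own prefix arriving from outside
    Packet(0.4, "203.0.113.9", "192.0.2.255", "icmp", "ingress"),   # echo to our broadcast address
] + [Packet(1.0 + i * 0.01, "203.0.113.9", "192.0.2.10", "icmp", "ingress") for i in range(8)]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"t={pkt.ts:.2f} {pkt.direction:7} {pkt.src:>13} -> {pkt.dst:<13} {pkt.kind:4} {verdict}")
```

Of the eight ICMP packets arriving 10 ms apart, the first four are forwarded on the bucket's burst allowance and the remaining four are dropped, which is the behaviour the bandwidth-limiting item describes for a flood.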

Firewall

A firewall is a device on a computer network that applies a security policy at a certain point of the network. A firewall can be a packet filter, an application proxy, etc. Firewalls are usually associated with TCP/IP networks.

This security device exists in the form of software and hardware; the combination of both is commonly called an “appliance”. Installation complexity depends on the size of the network, the security policy, the number of rules that control the inflow and outflow of information, and the desired degree of security.

Most used systems for protection

If your server is on a machine that uses the LINUX operating system, you can use the following applications to try to prevent or minimize the effects of an attack.

CSF – An application that tries to detect attacks and blocks the most common ones. To install it on your server via SSH, use the commands below, or visit the application's website.

http://configserver.com/cp/csf.html

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

ModSecurity – An open source web application firewall that runs inside the web server, or standalone as a network security device, and can be used on LINUX and Windows servers. To install this firewall you need to have APACHE installed on your machine; below are the SSH commands for the installation, and you can also consult the official website for more information.

http://www.modsecurity.org/projects/modsecurity/apache/

# Apache must be present before the module is installed
sudo apt-get -f install apache2
/etc/init.d/apache2 status
/etc/init.d/apache2 start

If the commands above cannot install ModSecurity, access your WHM/cPanel and recompile PHP with the mod_security option enabled, through the EasyApache (Apache Update) option.


CloudFlare

CloudFlare is a service that draws on the knowledge of several developers to create security systems for websites in an effective and integrated way, able to detect malicious attacks such as SQL injection and denial of service (DoS) attacks. CloudFlare provides protection against all these types of threats and much more to keep your website safe, with security servers all over the world.

CloudFlare Servers Worldwide

Amsterdam, NL
Ashburn, US
Atlanta, US
Chicago, US
Dallas, US
Frankfurt, DE
Hong Kong, HK
London, GB
Los Angeles, US
Miami, US
Newark, US
Paris, FR
Prague, CZ
San Jose, US
Seattle, US
Seoul, KR
Singapore, SG
Stockholm, SE
Sydney, AU
Tokyo, JP
Toronto, CA
Vienna, AT
Warsaw, PL

Optimizing MySQL

MySQL optimization can also help keep your server online and improve its performance under DDoS attacks; below are some options for this optimization.

MySQL Database Optimization Script – Commands via SSH

wget http://day32.com/MySQL/tuning-primer.sh
chmod +x ./tuning-primer.sh
./tuning-primer.sh

Optimizing data queries through the configuration file my.cnf, located in /etc/mysql/ or /etc/.

Edit this file and enter the following data.

[mysqld]
# The old "set-variable = max_connections=400" form (removed in MySQL 5.5) only
# duplicated the max_connections setting below, so the plain form is kept.
max_connections = 400
# log-slow-queries was replaced by slow_query_log (and slow_query_log_file) in MySQL 5.6
log-slow-queries
safe-show-database
# Disables LOAD DATA LOCAL INFILE, which lets a client push files from its own host into the database
local-infile=0
# skip-networking turns off TCP/IP listening entirely; keep it only when every client
# (e.g. the web server) connects over the local Unix socket on the same host
skip-networking
symbolic-links=0
key_buffer = 256M
myisam_sort_buffer_size = 64M
join_buffer_size = 2M
read_buffer_size = 2M
sort_buffer_size = 2M
read_rnd_buffer_size = 2M
thread_concurrency = 16
# table_cache was renamed table_open_cache in MySQL 5.1.3
table_cache = 1024
thread_cache_size = 50
wait_timeout = 7200
connect_timeout = 10
tmp_table_size = 32M
max_allowed_packet = 160M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 32M
query_cache_type = 1

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
max_allowed_packet = 16M

[myisamchk]
key_buffer = 64M


Protecting yourself through the .htaccess file

To protect yourself from some DDoS attacks, it is also possible to insert directives in .htaccess; below is a configuration that can protect you.

Edit your site's .htaccess file and enter the following data.

RewriteEngine on
# Measures to block SQL injection attacks
# (plain substring match: "set", "cast" and "drop" also hit harmless values such as ?q=settings)
RewriteCond %{QUERY_STRING} .*(/\*|union|select|insert|cast|set|declare|drop|update|md5|script|benchmark) [NC]
RewriteRule .* - [R=406,L]
# Block illegal or unsafe characters in the HTTP request line
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
# Block illegal or unsafe characters in the Referer header of the HTTP request
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Block illegal or unsafe characters in any cookie sent with the HTTP request
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Block illegal characters in the URI, or a malformed URI
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
# Block requests with an empty User-Agent
# NOTE: disable this rule if the site is integrated with payment services such as PayPal
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
# Block illegal or unsafe characters in the User-Agent header
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
# Block references to localhost/loopback/127.0.0.1 in the query string
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
# Block illegal or unsafe characters in the query string
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
# A RewriteCond only applies to the RewriteRule that follows it; without this
# line the conditions above would never be evaluated.
RewriteRule .* - [R=406,L]
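Before deploying rules like these it is worth checking what they actually match. The script below, added here as an example (not part of the original article), copies the RewriteCond patterns above into Python's re module, which is close enough to Apache's PCRE for these expressions, and evaluates them against constructed requests. It shows which rule blocks which request and, in particular, that the SQL-keyword rule matches on plain substrings, so an innocent query such as ?q=settings is blocked by the word "set". The rule labels, the request samples and the way server variables are derived from a request are assumptions of this example.

```python
"""Added example: evaluating the .htaccess RewriteCond patterns offline against
constructed requests to see what each one blocks."""
import re

# Each entry: (label for this example, Apache server variable, pattern copied from the .htaccess above).
RULES = [
    ("sql-keywords", "QUERY_STRING",
     r".*(/\*|union|select|insert|cast|set|declare|drop|update|md5|script|benchmark)"),
    ("crlf-in-request", "THE_REQUEST", r"^.*(\\r|\\n|%0A|%0D).*"),
    ("bad-referer", "HTTP_REFERER", r"^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*"),
    ("bad-cookie", "HTTP_COOKIE", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*"),
    ("bad-uri", "REQUEST_URI", r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.*'),
    ("empty-user-agent", "HTTP_USER_AGENT", r"^$"),
    ("bad-user-agent", "HTTP_USER_AGENT", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*"),
    ("localhost-in-query", "QUERY_STRING", r"^.*(localhost|loopback|127\.0\.0\.1).*"),
    ("bad-query-chars", "QUERY_STRING", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*"),
]
# [NC] in Apache means case-insensitive matching.
COMPILED = [(name, var, re.compile(pat, re.IGNORECASE)) for name, var, pat in RULES]


def make_vars(method, uri, query="", referer="", cookie="", user_agent="Mozilla/5.0"):
    """Build the server variables Apache would expose for a constructed request.
    THE_REQUEST is the raw request line; QUERY_STRING and REQUEST_URI stay undecoded."""
    target = uri + ("?" + query if query else "")
    return {
        "THE_REQUEST": f"{method} {target} HTTP/1.1",
        "REQUEST_URI": uri,
        "QUERY_STRING": query,
        "HTTP_REFERER": referer,
        "HTTP_COOKIE": cookie,
        "HTTP_USER_AGENT": user_agent,
    }


def triggered_rules(server_vars):
    """Labels of every RewriteCond that matches this request, in file order.
    RewriteCond performs an unanchored regex search, hence re.search here."""
    return [name for name, var, rx in COMPILED if rx.search(server_vars.get(var, ""))]


def is_blocked(server_vars):
    """With the final RewriteRule in place, any matching condition yields the 406 response."""
    return bool(triggered_rules(server_vars))


# Constructed sample requests.
SAMPLES = {
    "benign page": make_vars("GET", "/about"),
    "false positive ('set' inside 'settings')": make_vars("GET", "/index.php", "q=settings"),
    "injection attempt": make_vars("GET", "/search", "q=1+union+select+1"),
    "no User-Agent (e.g. some payment callbacks)": make_vars("GET", "/", user_agent=""),
    "encoded CRLF in query": make_vars("GET", "/x", "a=%0D%0Ab"),
    "quote in Referer": make_vars("GET", "/p", referer="http://example.com/?x='"),
}

if __name__ == "__main__":
    for label, sv in SAMPLES.items():
        hits = triggered_rules(sv)
        print(f"{label:45} -> {'BLOCKED by ' + ', '.join(hits) if hits else 'allowed'}")
```

Running it shows the benign request allowed and "?q=settings" blocked by sql-keywords, the same rule that catches the injection attempt; "cast" (as in "broadcast") and "drop" (as in "dropdown") behave the same way, so expect to tune that list for your own site's parameter values.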

SpeedWebdesigner team
