DDoS Protection and Mitigation

This Article is Sponsored by Block DOS (http://www.blockdos.net)

One of the most frightening things that can happen to a server is to be hit with a Distributed Denial of Service (DDoS) attack. For the company, organization, or individual responsible for the website or sites being victimized, it can generate a feeling of helplessness. Although there may not be much you can do to avoid becoming the target of such an attack, there are steps you can take to reduce the likelihood that your server will be brought to its knees.

What is DDoS?

DDoS is a specific type of Denial of Service (DoS) attack, often aimed at large websites and networks.  A regular DoS attack involves one computer or server attacking another, flooding it with more requests than it can handle, and effectively crippling it.

A DDoS attack is called “distributed” because it involves multiple attacking machines, sometimes hundreds or even thousands. Multiple remote systems flood the bandwidth or resources of the target, making it difficult to pinpoint any one machine as the source of the attack. In most cases, the owners of the attacking machines are not even aware that they are being used to attack a server. The attack software is distributed as malware, such as trojans, that enlists the infected machines into a botnet. Unlike a normal DoS attack, a DDoS does not have to use spoofed IP addresses, since the attacking machines are real, legitimate hosts.

Motives for Attack

Many types of intrusions and malware attacks are random and not usually directed specifically at the victim. They are crimes of circumstance. With DDoS attacks, the intent is very specific, and the victim is carefully targeted. For this reason, the victim servers are usually owned by high-profile corporations and organizations, and the attackers often have political, economic, or social agendas. Most importantly, these attacks do not have an end game. There is no technical goal they seek to achieve. Instead, most DDoS attacks are designed simply to send a message to the target.

A recently publicized DDoS case involved an attack on the United States Copyright Office (link: http://www.pcmag.com/article2/0,2817,2372148,00.asp), which took down copyright.gov. The attackers, known simply as “Anonymous”, have also attacked the RIAA website and other sites with an interest in fighting copyright infringement. The attacks corresponded with the shutdown of LimeWire, a popular file-sharing service.

There have also been recently publicized DDoS attacks that were direct extortion attempts.

Who Is Affected?

Anyone with an Internet-connected server could become the target of a DDoS. Because just about anyone can have an agenda against a website of any kind, you cannot assume that your server will be immune to attacks. Any Internet-connected machine, including servers and home computers, can also be used as an “agent” to deliver the attacks. Finally, industry and public infrastructure may be affected, since it is usually large sites, governments, and corporations that come under attack.

How an Attack Happens

A DDoS attack attempts to deny access to a server by sending packets to the target in such large quantities, or by such unconventional methods, that the target cannot handle the influx and ceases to function. There are four parties in the attack:

1. Client – The initiator of the attack.  This may be a third-party machine hijacked by the attacker.
2. Handler – A compromised host machine that is responsible for controlling several other machines.
3. Agent – A compromised machine that actually carries out the attack.
4. Target – The machine that is subjected to the attack.

In order to carry out an attack, a client needs several hundred thousand agents.  The attack method follows four phases:

Phase 1 – The client scans remote servers for vulnerabilities and seeks out likely handlers
Phase 2 – The client compromises the security of the servers to gain access
Phase 3 – The client installs an intrusion tool on each host, which becomes a handler
Phase 4 – The handlers find more hosts, scan them and compromise them, turning them into agents

Once enough agents have been compromised, the software will initiate a synchronized attack at a specified time.  The entire process can be automated, making it possible for an attack to be carried out in less than an hour.

Protection and Mitigation

The best way to prevent DDoS attacks is for system administrators and computer owners to take security measures to prevent their systems from being used as handlers or agents.  A DDoS depends on other machines to do its work.  Without them, an attack of this kind is not possible.  Unfortunately, there is nothing you can do to make sure other servers are secure, but you can take these steps to secure your own:

・ Keep the operating system and applications updated
・ Make sure router and system firewalls are in place
・ Perform regular audits for: trojans, open email relays, software vulnerabilities, exploitation of /tmp and /dev directories, kernel vulnerabilities, exposed ports, rootkits, etc.
・ Use network auditing tools, such as Nessus (link: http://www.nessus.org), a vulnerability scanner.

To prevent your server from being easily exploited by DDoS attacks, you can take the following security measures:

1. Check your router documentation for IP verification tools that check that an IP address points back to the same interface from which the packets arrived. If it does not, the router drops the packets.

2. Apply ingress and egress filtering at the router level.

3. Configure router rate limiting for ICMP and SYN packets.

4. On the actual server, install firewall software that performs ingress and egress filtering at the gateway. A good example is APF (Advanced Policy Firewall) (link: http://www.rfxn.com/projects/advanced-policy-firewall/), which comes with an Anti-DoS mode feature.

5. Install an Intrusion Detection System (IDS) to notify you when someone is trying to attack.

6. Install mod_evasive (link: http://www.zdziarski.com/blog/?page_id=442) in Apache HTTP Server. This is an evasive maneuvers module for Apache that creates an “internal dynamic hash table of IP addresses and URIs” and denies a single IP address from “requesting the same page more than a few times per second, making more than 50 concurrent requests on the same child per second, and making any requests while temporarily blacklisted.” The module can be integrated with firewalls and routers for maximum protection.

7. Enable sysctl features for OS-level protection:
・ Edit /etc/sysctl.conf
・ Add the lines:

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

・ Add this code to /etc/rc.local. Then restart the network.

# Turn on reverse-path filtering on every interface, then enable SYN cookies
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

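
The three mod_evasive rules quoted above can be replayed offline against an access log, which is useful when reviewing a suspected flood after the fact or tuning thresholds before enabling the module. The following is an added example written for this article, not code from the article or from mod_evasive itself: it assumes Apache common log format, treats the module's per-child concurrency rule as a per-IP site-wide count, and uses assumed thresholds (2 page hits and 50 site hits per 1-second interval, 10-second block) that you should replace with your own DOSPageCount/DOSSiteCount/DOSBlockingPeriod values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "common" log format: ip ident user [time] "METHOD uri proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def parse_line(line):
    """Return (ip, timestamp, uri) for a matching log line, else None."""
    m = LINE_RE.match(line)
    return m and (m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(4))

def find_offenders(log_text, page_count=2, site_count=50, interval=1, block_period=10):
    """Replay a log against the three mod_evasive rules; return ({ip: reason}, denied).
    The default thresholds are assumptions that mirror the module's shipped settings."""
    per_page, per_site = defaultdict(list), defaultdict(list)  # (ip, uri) / ip -> hit times
    blocked_until = {}  # ip -> time its temporary blacklist expires
    offenders, denied = {}, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, uri = rec
        if ip in blocked_until and t < blocked_until[ip]:
            # Rule 3: a request while blacklisted is denied and extends the block
            blocked_until[ip] = t + timedelta(seconds=block_period)
            denied += 1
            continue
        for key, bucket, limit, reason in (((ip, uri), per_page, page_count, "page"),
                                           (ip, per_site, site_count, "site")):
            hits = bucket[key]
            hits.append(t)
            while (t - hits[0]).total_seconds() >= interval:  # slide the window
                hits.pop(0)
            if len(hits) > limit:  # rule 1 (same page) or rule 2 (whole site) tripped
                offenders.setdefault(ip, reason)
                blocked_until[ip] = t + timedelta(seconds=block_period)
                denied += 1
                break
    return offenders, denied

def make_line(ip, second, uri):
    return f'{ip} - - [10/Oct/2010:13:55:{second:02d} +0000] "GET {uri} HTTP/1.1" 200 512'

# Constructed sample log (not from a real server): one IP hammers a single page,
# one browses normally, one spreads 60 requests over distinct URIs in one second.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", 36, "/index.html")] * 5
    + [make_line("198.51.100.2", s, "/about.html") for s in (36, 37, 38)]
    + [make_line("192.0.2.9", 40, f"/page{i}.html") for i in range(60)]
)
```

Running find_offenders(SAMPLE_LOG) flags the first IP under the page rule and the third under the site rule, with 13 requests denied in total; the normal browser is never touched.
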
Long-Term Protection

Protecting the interests of your clients and customers is very important.  If you have large enterprise servers, it may be worth it to hire a network security consultant to make sure your server is as secure as possible.

Unfortunately, when someone decides to attack your server, there may be little you can do to stop them.  In such cases, the best you can do is to try to limit the damage they are able to do, gather evidence against them, and report them to law enforcement agencies.  With careful prevention techniques in place, you can discourage attackers from targeting you when they see that attacks do not cause significant damage.