This is a discussion on What is DDOS and How to protect from DDOS. within the Linux/BSD/Unix Client/Server forums, part of the *nix (Linux/BSD/Unix) category.


BLooD
What is DDOS and How to protect from DDOS., Posted August 31st, 2007, 07:49 AM #1
What is Denial of Service (DoS) attack?


A DoS attack, denial-of-service attack, is an explicit attempt to make a computer resource unavailable by either injecting a computer virus or flooding the network with useless traffic. There are two types of DoS attacks: computer attack and network attack. Common forms of denial-of-service attacks are:
Ping of death


Ping of death is caused by an attacker deliberately sending a ping packet, normally 64 bytes, that is larger than 65,535 bytes. Many computer systems cannot handle an IP packet larger than the maximum IP packet size of 65,535 bytes, which often causes the system to crash. It is illegal to send a ping packet of size greater than 65,535 bytes, but a packet of such size can be sent if it is fragmented. When the receiving computer reassembles the packet, a buffer overflow occurs, which often causes the computer to crash. This exploit has affected a wide variety of systems including Unix, Linux, Mac, Windows and routers, but fixes have been applied since 1997, making this exploit mostly historical.
Ping of flood


Ping of flood is caused by an attacker overwhelming the victim's network with ICMP Echo Request (ping) packets. This is a fairly easy attack to perform without extensive network knowledge, as many ping utilities support this operation. A flood of ping traffic can consume significant bandwidth on low- to mid-speed networks, slowing a network to a crawl.
Smurf Attack


A Smurf attack exploits the target by sending repeated ping requests to the broadcast address of the target network. The ping request packet often uses a forged IP address (return address), which is that of the target site that is to receive the denial of service attack. The result is lots of ping replies flooding back to the innocent, spoofed host. If the number of hosts replying to the ping request is large enough, the network will no longer be able to receive real traffic.
SYN Floods


When establishing a session between a TCP client and server, a handshaking message exchange occurs between the server and client. A session setup packet contains a SYN field that identifies the sequence in the message exchange. An attacker may send a flood of connection requests and not respond to the replies, which leaves the request packets in the buffer so that legitimate connection requests can't be accommodated.
Teardrop Attack


A teardrop attack works by sending IP fragment packets that are difficult to reassemble. A fragment packet identifies an offset that is used to assemble the entire packet on the receiving system. In the teardrop attack, the attacker puts a confusing offset value in the subsequent fragments, and if the receiving system doesn't know how to handle such a situation, it may crash.
Mail Bomb


Unauthorized users send a large number of email messages with large attachments to a particular mail server, filling up disk space and resulting in denied email service to other users.
What is distributed DoS (DDoS) attack?


DDoS (Distributed Denial Of Service) is a tactic used to attack a victim from multiple compromised computers. The attacker installs virus or trojan software on compromised systems and uses them to flood a victim's network in a way that the victim's server cannot handle.
DDoS involves 3 parties: an offender, helpers and a victim. The offender is the one who plots the attack, and the helpers are the machines that are compromised by the offender to launch the attack against the victim (the target). The offender commands the helpers to attack the victim's host at precisely the same time. Due to this coordinated nature between the offender and helpers, DDoS is also known as a coordinated attack.
Resolutions


If you suspect a DoS or DDoS attack due to a significant network slowdown or denied service, you may execute a few diagnostic Linux commands to find the host under attack.
First, you'll have to identify the host under DoS or DDoS attack. To do this, you'll have to monitor network traffic and see where the traffic is coming from and where it is going. This can be done with the ethereal or tethereal Linux command.

# tethereal
  0.809751 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=2960)
  0.810357 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol (proto=UDP 0x11, off=1480)
  ...

## If you do not have ethereal installed, you may use 'yum' to
## install it on your system.
# yum install tethereal

Once you have identified the host, log on to the server and check the server load. You may use the w or uptime command to find the server load. You may also use the top and ps commands to determine which Linux process consumes the most resources. To learn more about top command output, please read an article about high volume traffic.

# uptime
 15:19:51 up 127 days, 5:39, 2 users, load average: 10.78, 8.68, 4.82
# top
top - 15:20:02 up 127 days, 5:39, 2 users, load average: 10.78, 8.68, 4.82
Tasks: 170 total, 6 running, 163 sleeping, 0 stopped, 1 zombie
Cpu: 3.5% us, 1.7% sy, 0.1% ni, 94.3% id, 0.4% wa, 0.0% hi, 0.0% si
Mem: 2074924k total, 2046676k used, 28248k free, 58692k buffers
Swap: 4192956k total, 144k used, 4192812k free, 1553828k cached

  PID USER   PR  NI  VIRT  RES  SHR S %CPU %MEM   TIME+  COMMAND
14815 apache 25   0 52776  628  500 R 98.6  0.0  9:59.91 cw7.3

DoS and DDoS attacks occur due to running vulnerable software on your server. The attackers use known application vulnerabilities and security holes to compromise servers in different networks, either by installing viruses and trojan horses (intrusion) or by initiating DDoS attacks. To prevent DoS and DDoS attacks, you may take the following actions.
1. Install an Intrusion Detection System (IDS) such as Advanced Intrusion Detection Environment (AIDE). For the installation procedure, consult Linux Gazette. Perform regular system audits by installing and running RKHUNTER and CHKROOTKIT to make sure the installed Linux binaries are healthy. You may also install open-source network audit tools like NESSUS, NMAP, and SAINT and perform regular network audits for vulnerabilities.
2. Implement sysctl. Prevent ping attacks (ping of death, ping of flood, and smurf attacks) by disabling ping responses on the network machines. Enable IP spoofing protection and TCP SYN cookie protection. On Linux variant machines, follow the sysctl configuration procedure.
3. Install advanced firewall and DDoS utilities. To secure your server and protect it from DoS attacks, you may want to install APF, BFD, DDoS and Rootkit. To install those utilities, please follow the DDoS Prevention: APF, BFD, DDoS and RootKit setup procedure.
APF: Advanced Policy Firewall
BFD: Brute Force Detection
DDoS: DDoS Deflate
Rootkit: Spy and Junkware detection and removal tool

4. Install the Apache mod_evasive and mod_security modules to protect against HTTP DDoS attacks. For installation procedures, consult the mod_evasive and mod_security how-tos.
For more technical information, please visit CERT or Wikipedia.



DoS Protection via APF, BFD, DDOS and RootKit

As a web host, your servers are constantly being attacked by hackers with denial-of-service (DoS) and other brute force attacks. There is no foolproof method to stop 100% of all attacks, but there are ways to protect your servers by applying firewall rules, and by detecting and banning attacking IPs.
This article makes use of APF, BFD, DDoS Deflate and RootKit to detect and protect your server from denial-of-service type attacks. To apply those utilities, please follow the instructions below:
To begin installation, log in to your server as the root user.

% ssh -l root [hostname]
root@[hostname]'s password: [password]
Last login: [Date] from [hostname]
APF -- Advanced Policy-based Firewall

Get the latest source from rfxnetworks, and install the software.

# cd /usr/src
# mkdir utils
# cd utils
# wget http://rfxnetworks.com/downloads/apf-current.tar.gz
# tar xfz apf-current.tar.gz
# cd apf-*
# ./install.sh

Read README.apf and README.antidos for configuration options. Edit /etc/apf/conf.apf and modify the following lines to your needs.

DEVEL_MODE="0"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306"
IG_UDP_CPORTS="53,111"
USE_AD="1"

By default, APF is set up to run in development mode, which flushes the firewall rules every 5 minutes. Running in development mode defeats the purpose of running APF, as it will automatically flush every 5 minutes. Configure the ingress (inbound) TCP and UDP ports that need to be opened. Finally, enable AntiDos by setting USE_AD="1".
Edit /etc/apf/ad/conf.antidos as you see fit, and start the APF firewall.

# apf --start

BFD -- Brute Force Detection

BFD is a shell script which parses security logs and detects authentication failures. It is a brute force detection implementation without much complexity, and it works in conjunction with APF (Advanced Policy-based Firewall).

## Get the latest source and untar.
# cd /usr/src/utils
# wget http://rfxnetworks.com/downloads/bfd-current.tar.gz
# tar xfz bfd-current.tar.gz
# cd bfd-*
# ./install.sh

Read the README file, and edit the configuration file located at /usr/local/bfd/conf.bfd.
Find ALERT="0" and replace it with ALERT="1"
Find EMAIL_USR="root" and replace it with EMAIL_USR="username@yourdomain.com"
Edit the /usr/local/bfd/ignore.hosts file, and add your own trusted IPs. BFD uses APF and hence overrides allow_hosts.rules, so it is important that you add trusted IP addresses to prevent yourself from being locked out.

## Start the program.
# /usr/local/sbin/bfd -s

DDoS Deflate

## Get the latest source
# cd /usr/src/utils
# mkdir ddos
# cd ddos
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh

Edit the configuration file, /usr/local/ddos/ddos.conf, and start ddos.
# /usr/local/ddos/ddos.sh -c
RootKit -- Spyware and Junkware detection and removal tool

Go to the Rootkit Hunter homepage, and download the latest release.

## Get the latest source and untar
# cd /usr/src/utils
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
# tar xfz rkhunter-*.gz
# cd rkhunter
# ./installer.sh

## run rkhunter
# rkhunter -c
Setup automatic protection on System Reboot

## Edit /etc/rc.d/rc.local
## (or similar file depending on Linux version)
## Add the following lines at the bottom of the file
/usr/local/sbin/apf --start
/usr/local/ddos/ddos.sh -c

Note: SYN floods and ICMP DDoS may also be prevented by utilizing the Linux traffic control utility (tc). To view setup instructions, please see the relevant sections of the Linux Advanced Routing & Traffic Control HOWTO.

Notes from the users:

Some users experienced the following error while starting APF.

bash# apf --start
Unable to load iptables module (ip_tables), aborting.

According to Burst and Ryan of r-fx.org, changing the SET_MONOKERN variable in /etc/apf/conf.apf to "1" will correct the problem.
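Step 2 of the post ("Implement Sysctl") names the kernel settings but the configuration procedure it points to is not on this page. The script below is an added example, not part of BLooD's post or of any tool it names: it audits a sysctl.conf-style file for TCP SYN cookies, reverse-path filtering (the IP spoofing protection) and the two ICMP echo switches that disable ping responses, then appends whatever is missing or set weakly. The sample file contents, the function names and the choice to append rather than edit in place are assumptions made for the example; on a real host point it at /etc/sysctl.conf and load the result with sysctl -p. One caveat the post does not mention: net.ipv4.icmp_echo_ignore_all also silences legitimate monitoring pings, so many admins keep only the broadcast switch and drop the last line of WANTED.

```shell
#!/bin/sh
# Added example (not from the post): audit a sysctl.conf-style file for the
# settings step 2 recommends and append any that are missing or weak.
# Works on a file argument so it runs offline against a constructed sample;
# on a real host use /etc/sysctl.conf and then run "sysctl -p".

# Hardened key=value pairs (assumed list, chosen to match the post's wording):
# SYN cookies, spoofing protection via rp_filter, and ignoring ICMP echo.
WANTED='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_echo_ignore_all=1'

# audit_one FILE KEY WANT -> prints "ok KEY", "weak KEY=CUR" or "missing KEY".
# Only uncommented assignments count, whitespace around "=" is allowed, and the
# last assignment wins, which is how "sysctl -p" applies a file top to bottom.
audit_one() {
    file="$1" key="$2" want="$3"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    cur=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
    if [ -z "$cur" ]; then
        echo "missing $key"
    elif [ "$cur" != "$want" ]; then
        echo "weak $key=$cur"
    else
        echo "ok $key"
    fi
}

# audit_sysctl_conf FILE -> one audit_one line per wanted key, in WANTED order.
audit_sysctl_conf() {
    for kv in $WANTED; do
        audit_one "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# harden_sysctl_conf FILE -> appends "KEY = WANT" for every non-ok key and prints
# how many lines were added. Appending keeps the original lines for review and
# still takes effect because later assignments override earlier ones.
harden_sysctl_conf() {
    changed=0
    for kv in $WANTED; do
        key=${kv%%=*} want=${kv#*=}
        case "$(audit_one "$1" "$key" "$want")" in
            ok*) ;;
            *) printf '%s = %s\n' "$key" "$want" >> "$1"; changed=$((changed + 1)) ;;
        esac
    done
    echo "$changed"
}

# Demo on a constructed sample: SYN cookies off, rp_filter only as a comment,
# one setting already correct, two settings absent.
demo_sysctl_audit() {
    tmp=$(mktemp)
    printf 'net.ipv4.tcp_syncookies = 0\n# net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.icmp_echo_ignore_broadcasts=1\n' > "$tmp"
    echo "== before"; audit_sysctl_conf "$tmp"
    echo "== added $(harden_sysctl_conf "$tmp") line(s)"
    echo "== after"; audit_sysctl_conf "$tmp"
    rm -f "$tmp"
}
demo_sysctl_audit
```

Run it as "sh audit.sh" to see the before/after audit of the constructed sample; to use it for real, replace the demo call with `audit_sysctl_conf /etc/sysctl.conf` and `harden_sysctl_conf /etc/sysctl.conf`, then `sysctl -p`. The commented-out rp_filter line in the sample is there on purpose: a grep that ignores comments would wrongly report it as set.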
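The SYN flood description and the DDoS Deflate step in the post both come down to one check: count open connections per remote address, compare against a threshold, and block the sources that exceed it. This added example (not from the post, and not DDoS Deflate's own code) spells that check out in shell over a constructed `netstat -ntu` style sample, so the threshold, the trusted-host exemption and the resulting iptables commands are all visible. The column positions, the threshold of 5, the trusted addresses and the ban command are assumptions for the example. Its built-in limitation is worth noting: a flood spread across many sources, each staying under the threshold, never trips a per-address count, which is exactly why the "distributed" part of DDoS is hard to handle on the victim host alone.

```shell
#!/bin/sh
# Added example (not from the post or from DDoS Deflate): the per-source
# connection-counting check that tools such as DDoS Deflate perform, written
# out so the threshold, the trust list and the firewall command are explicit.
# Input is "netstat -ntu" style text; the remote side is assumed to be column 5.

# Constructed sample: one source half-opening many connections (SYN_RECV, as in
# a SYN flood), a normal client, a trusted backup host, and one IPv6 peer.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.4:80          203.0.113.7:51201       SYN_RECV
tcp        0      0 192.168.1.4:80          203.0.113.7:51202       SYN_RECV
tcp        0      0 192.168.1.4:80          203.0.113.7:51203       SYN_RECV
tcp        0      0 192.168.1.4:80          203.0.113.7:51204       SYN_RECV
tcp        0      0 192.168.1.4:80          203.0.113.7:51205       SYN_RECV
tcp        0      0 192.168.1.4:80          203.0.113.7:51206       SYN_RECV
tcp        0      0 192.168.1.4:22          198.51.100.2:40001      ESTABLISHED
tcp        0      0 192.168.1.4:80          198.51.100.2:40002      ESTABLISHED
tcp        0      0 192.168.1.4:873         10.1.1.5:33001          ESTABLISHED
tcp        0      0 192.168.1.4:873         10.1.1.5:33002          ESTABLISHED
tcp        0      0 192.168.1.4:873         10.1.1.5:33003          ESTABLISHED
tcp        0      0 192.168.1.4:873         10.1.1.5:33004          ESTABLISHED
tcp        0      0 192.168.1.4:873         10.1.1.5:33005          ESTABLISHED
tcp        0      0 192.168.1.4:873         10.1.1.5:33006          ESTABLISHED
udp        0      0 192.168.1.4:53          10.1.1.5:5301           ESTABLISHED
tcp6       0      0 ::1:3306                ::1:44000               ESTABLISHED'

# count_foreign_ips < netstat-output -> "COUNT IP" lines, busiest first.
# Header lines are skipped by requiring tcp/udp in column 1; the port is
# stripped after the LAST colon so IPv6 peers such as ::1 are kept intact.
count_foreign_ips() {
    awk '$1 ~ /^(tcp|udp)6?$/ && NF >= 5 { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_offenders THRESHOLD "TRUSTED IPS" < netstat-output -> one IP per line with
# MORE than THRESHOLD connections that is not in the space-separated trust list.
flag_offenders() {
    threshold="$1" trusted="$2"
    count_foreign_ips | while read -r count ip; do
        [ "$count" -gt "$threshold" ] || break   # sorted descending: the rest are below
        case " $trusted " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# ban_command IP -> the iptables rule that drops the source. Printed, never run here;
# on an APF host you would feed the address to APF's deny list instead.
ban_command() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

THRESHOLD=5                     # assumed; tune to the service's normal per-client load
TRUSTED="127.0.0.1 10.1.1.5"    # assumed trusted monitoring/backup hosts
for ip in $(printf '%s\n' "$SAMPLE" | flag_offenders "$THRESHOLD" "$TRUSTED"); do
    ban_command "$ip"
done
```

On a live host replace the `printf ... "$SAMPLE"` with `netstat -ntu` (or `ss -ntu`, whose columns differ and would need the awk field adjusted). The trust list matters more than the threshold: without it the busiest address in the sample, the backup host 10.1.1.5, would be the first one blocked, which is the self-lockout the post's BFD section warns about.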
Little Star
Posted August 31st, 2007, 08:13 AM #2
Thank you for the info
goru
Posted August 31st, 2007, 03:16 PM #3
Who is going to waste time reading all this,,
Rio
Posted August 31st, 2007, 05:51 PM #4
Thanks, Blood bro. Great info.
BoIRaGi
Posted August 31st, 2007, 06:06 PM #5
Awesome stuff, buddy .... even though I don't understand that much of it .... ............ thanks for sharing
world
Posted August 31st, 2007, 09:38 PM #6
Useful for IT people...
BlackskY
Posted August 31st, 2007, 10:31 PM #7
It took very little time to read ............ ...... anyway... BLooD bro, nice and useful info... thanks...
BLooD
Posted August 31st, 2007, 10:40 PM #8
Welcome!