OpenSource For You

Identifying and Mitigating Distributed Denial of Service Attacks

A distributed denial of service (DDoS) attack involves the paralysing of a network by flooding it with data from several individual sources, to the detriment of genuine users. The identification and mitigation of such attacks is an important issue for sys

By: Dr Gaurav Kumar. The author is the MD of Magma Research and Consultancy Pvt Ltd. He is associated with various academic and research institutes, where he delivers expert lectures and conducts technical workshops on the latest technologies and tools. He

With the advent and adoption of technology-loaded devices, cyber security professionals regularly have to resolve a number of challenges. These include breach of privacy, data sniffing and theft, loss of integrity, access control, fake traffic, channel damage, and many others. Cyber security experts are continuously working to enforce and integrate a higher level of security in devices as well as in the network infrastructure, so that users can access and use the technology without vulnerability issues.

In a technology based environment, the hacking community regularly launches numerous attacks. A number of algorithms and mechanisms have been devised to cope with such virtual attacks. Research is still under way in the domain of securing applications, devices, networks and computing infrastructure.

Broadly, there are two types of attacks in any network based environmen­t.

Passive attacks: In any network environment, an attempt to sniff the data channels in order to copy secret information is considered a passive attack. In such cases, files, directories and credentials are not modified. Passive attacks are primarily used to monitor the remote system or server and to spy on private information.

Active attacks: In the case of active attacks, the effect and damage of the assault is instant and, often, the victim machine would not have been prepared for such attacks.

These include injection of malicious traffic to damage the remote system, updating or deleting remote files, modifying authentication files and much more.

Distributed denial of service (DDoS) attack

A distributed denial of service (DDoS) attack is a powerful assault, in the taxonomy of active attacks, which is used to deny authenticated users access to services. In DDoS attacks, genuine users are unable to use a system or service because of excessive traffic.

In very simple terms, fake or malicious traffic is generated in large volumes on a server in order to overload it, thus resulting in the network getting choked or jammed. DDoS attacks are often known as jamming attacks because fake traffic or data packets overload the server delivering a particular service. Due to this attack, other users are not allowed to access the service because of massive congestion in the network.

As an example, let’s suppose there is a limit of 200 concurrent users who can access a website. In a DDoS attack, 200 sources of website access can be generated. After those 200 connections are captured by fake traffic, the genuine users will not be able to access that particular website because of traffic overload or channel congestion.

Types of DDoS attacks

Application layer based DDoS: Such an attack is used to target and damage the application layer of the network. The effect of this attack is measured in terms of requests per second (RPS). A large number of RPS are generated, which becomes a load for the network.

Protocol based DDoS: In this type of attack, the resources and related modules of the server are the victims. Bandwidth is not captured in protocol based DDoS.

Volume based DDoS: Bandwidth is the key target here: it is saturated and flooded with massive traffic in volume based DDoS attacks. If such an attack is successful, the server crashes and major flaws occur.

HULK based DDoS

A DDoS attack on a website is known as a HULK (HTTP unbearable load king) attack. In a HULK attack, an unbearable load is created at the HTTP service: a number of virtual connections are created and then fired at the website. The website receives a large number of connections from fake traffic and then hangs, which is why HULK is classified as a DDoS attack. HULK attacks are generally carried out using Python, PHP, Java or Perl scripts, which are easily available in assorted Web based source code repositories.

As there are massive DDoS attacks on different websites and servers, it is mandatory for network administrators to adopt and implement mechanisms to cope with and mitigate such attacks.

Let’s now discuss two free and open source tools that help to detect and repel such DDoS attacks.

DDoS Deflate

DDoS Deflate, an open source tool, is a powerful shell script to cope with DDoS attacks on servers. DDoS Deflate is robust enough to push back and block DDoS attacks. At the base level, it makes use of the netstat command to identify and investigate the IP addresses that are creating connections with the server.

The following command is used to identify and list the connections created by each IP address, sorted by connection count:

<workingdirectory>$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
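The same counting step, reimplemented in Python as an added example (not from the article or from DDoS Deflate itself) so that it can be run over a netstat snapshot together with the per-address threshold that the tool's kill option applies. The netstat output, the threshold and the ignore list below are constructed for the example; the lookup of the foreign address splits at the last colon, which is where the `cut -d: -f1` step would break on IPv6 peers.

```python
from collections import Counter

# Constructed `netstat -ntu` output (not captured from a real host; RFC 5737/3849 addresses).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.20:40100     ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51004       ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.20:40101     ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51005       SYN_RECV
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:40000     ESTABLISHED
udp        0      0 10.0.0.5:161            192.0.2.1:50000
udp        0      0 10.0.0.5:161            192.0.2.1:50001
udp        0      0 10.0.0.5:161            192.0.2.1:50002
udp        0      0 10.0.0.5:161            192.0.2.1:50003
"""

PROTOCOLS = {"tcp", "tcp6", "udp", "udp6"}

def connections_per_ip(netstat_output):
    """Python equivalent of the awk/cut/sort/uniq pipeline: count connections per
    foreign address (column 5). The port is split off at the *last* colon, so an
    IPv6 peer is counted correctly where `cut -d: -f1` would yield an empty field."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOCOLS:
            continue                      # skip netstat's two header lines
        ip = fields[4].rsplit(":", 1)[0]
        counts[ip] += 1
    return counts

def offenders(counts, threshold, ignore_list=frozenset()):
    """Addresses with more than `threshold` connections (what the kill option acts on),
    skipping the ignore list so a monitoring host or NAT gateway is never banned."""
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in ignore_list)
```

A per-address count only exposes floods that come from a few sources; a NAT gateway shared by many genuine users can exceed the same threshold, which is why the ignore list matters.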

The features of DDoS Deflate include:

• Auto blocking of IP addresses

• Blacklisting and whitelisting of traffic and their sources

• Easy notification and management for network administrators

• Auto detection of rules associated with iptables and advanced policy firewalls

• Ease of configuration

• Auto e-mail alerts

• Uses tcpkill to push back the unwanted and fake connections

Fire the following commands in a terminal to install DDoS Deflate:

<workingdirectory>$ cd /usr/local/src/

<workingdirectory>$ wget ddos/

<workingdirectory>$ chmod 0700

<workingdirectory>$ ./

The configuration file of DDoS Deflate can be edited as follows:

<workingdirectory>$ vi /usr/local/ddos/ddos.conf

or

<workingdirectory>$ gedit /usr/local/ddos/ddos.conf

Use the following command to start DDoS Deflate:

<workingdirectory>$ /usr/local/ddos/ -c

The following commands will uninstall DDoS Deflate:

<workingdirectory>$ wget ddos/uninstall.ddos

<workingdirectory>$ chmod 0700 uninstall.ddos

<workingdirectory>$ ./uninstall.ddos

To view the ‘Help’ screen and all other options in DDoS Deflate, type:

<workingdirectory>$ ddos --help

To view whitelisted IP addresses, type:

<workingdirectory>$ ddos -I | --ignore-list

Use the following command to view banned or blacklisted IP addresses:

<workingdirectory>$ ddos -b | --bans-list

To initialise the daemon process for monitoring connections, type:

<workingdirectory>$ ddos -d | --start

Type the following command to stop the daemon process:

<workingdirectory>$ ddos -s | --stop

To view the current status of the daemon and PID running, give the following command:

<workingdirectory>$ ddos -t | --status

You can view the active connections with the server by typing the following command:

<workingdirectory>$ ddos -v | --view

The following command bans or blacklists all IP addresses with more than ‘n’ connections:

<workingdirectory>$ ddos -k | --kill


Fail2Ban

Fail2Ban is another free and open source tool to identify and ban the sources of malicious DDoS traffic. It scans log files and identifies suspicious patterns and connections so that their sources can be blacklisted. Fail2Ban reduces illegitimate and incorrect authentication attempts by means of filtering modules for the various services.

The features of Fail2Ban include:

• Deep parsing and analysis of log files

• Awareness of the time zone associated with the source traffic IP

• Integration of client-server architecture

• Assorted services including sshd, vsftpd and Apache can be processed

• Easy configuration for the administrator

• Compatibility with all the firewalls

• Whitelisting and banning of IP addresses

• Blocking of brute force assaults

• Blocking of IP addresses based on time slots

• Excellent for SSH based environments

• Time-based IP blocking

• Support for Python programming

To install and work with Fail2Ban, type the following command:

<workingdirectory>$ sudo apt-get install fail2ban

The Fail2Ban service maintains its configuration files in the directory /etc/fail2ban. In this directory, the default configuration file is jail.conf.

After installation, copy the default configuration file to the working configuration file:

<workingdirectory>$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The configuration settings at the end of the config file are as follows:

[http-get-dos]                        # Rule to be set
enabled  = true                       # Status
port     = http,https                 # 80,443 (ports)
filter   = httpgetdos                 # Filter name
logpath  = /var/log/www/vhost.d/      # Path of log
maxretry = 5                          # Max. retry limit
findtime = 10                         # 5 retries in 10 seconds from 1 IP: ban or blacklist
bantime  = 86400                      # In seconds (one day)
action   = iptables[name=HTTP, port=http, protocol=tcp]
           iptables[name=HTTPS, port=https, protocol=tcp]
           sendmail-whois-withline[name=httpd-get-dos, dest=<E-mail ID>, logpath=/var/log/httpd/site-access_log]
                                      # Sets iptables variables
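What the maxretry, findtime and bantime settings of this jail do to matched requests, modelled in Python as an added example (not from the article or from Fail2Ban's own code). The access-log lines are constructed, and the regex is a stand-in for the httpgetdos filter, which the article does not show.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME, BANTIME = 5, 10, 86400   # values from the [http-get-dos] jail above

# Constructed Apache access-log lines (not from a real server; RFC 5737 addresses).
# 203.0.113.7 sends six requests in five seconds; 198.51.100.20 sends one every 15 s.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:32 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2023:13:55:45 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:33 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:35 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 200 512
"""

# Stand-in for the httpgetdos filter: source host, bracketed timestamp, then a GET request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET ')

def parse_matches(log_text):
    """Yield (epoch_seconds, ip) for each log line the filter regex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
            yield ts, m.group(1)

def apply_jail(events, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Jail model: ban an IP once it has `maxretry` matches within any `findtime` seconds;
    a banned IP is ignored until `bantime` expires. Returns the (epoch_seconds, ip) bans."""
    recent = defaultdict(deque)   # ip -> match timestamps still inside the window
    banned_until = {}
    bans = []
    for ts, ip in sorted(events):
        if banned_until.get(ip, float("-inf")) > ts:
            continue                      # ban in force: iptables already drops this IP
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # age out matches older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans
```

With these values the flooding address is banned on its fifth request, three seconds after its first, while the slow client never accumulates five matches inside a 10-second window.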

To view all the jail files that have been enabled, type:

<workingdirectory>$ sudo fail2ban-client status

Figure 2: Active attacks in the network environment

Figure 3: DDoS Deflate working environment

Figure 4: Configuration file of DDoS Deflate
