Identifying and Mitigating Distributed Denial of Service Attacks

A distributed denial of service (DDoS) attack involves paralysing a network by flooding it with data from several individual sources, to the detriment of genuine users. The identification and mitigation of such attacks is an important issue for sys

OpenSource For You - By: Dr Gaurav Kumar. The author is the MD of Magma Research and Consultancy Pvt Ltd. He is associated with various academic and research institutes, where he delivers expert lectures and conducts technical workshops on the latest technologies and tools. He

With the advent and adoption of technology-loaded devices, a number of challenges are regularly resolved by cyber security professionals. These include breach of privacy, data sniffing and theft, integrity, access control, fake traffic, channel damage, and many others. Cyber security experts are continuously working to enforce and integrate a higher level of security in devices as well as in the network infrastructure, so that users can access and use the technology without vulnerability issues.

In a technology based environment, the hacking community regularly launches numerous attacks. A number of algorithms and mechanisms have been devised to cope with such virtual attacks. Research is still under way in the domain of securing applications, devices, networks and computing infrastructure.

Broadly, there are two types of attacks in any network based environment.

Passive attacks: In any network environment, an attempt to sniff the data channels in order to copy secret information is considered a passive attack. In such cases, files, directories and credentials are not modified. Passive attacks are primarily used to monitor a remote system or server, in order to spy on private information.

Active attacks: In the case of active attacks, the effect and damage of the assault is instant and, often, the victim machine will not have been prepared for such an attack. These include the injection of malicious traffic to damage the remote system, updating or deleting remote files, modifying authentication files, and much more.

Distributed denial of service (DDoS) attack

A distributed denial of service (DDoS) attack is a powerful assault, in the taxonomy of active attacks, which is used to restrict access to services by authenticated users. In a DDoS attack, genuine users are unable to use a system or service because of excessive traffic.

In very simple terms, fake or malicious traffic is generated in large volumes against a server in order to overload it, so that the network gets choked or jammed. DDoS attacks are often known as jamming attacks because fake traffic or data packets overload the server delivering a particular service. As a result of the attack, other users cannot access the service because of massive congestion in the network.

As an example, suppose a website has a limit of 200 concurrent users. In a DDoS attack, 200 sources of website access can be generated. Once those 200 connections are occupied by fake traffic, genuine users will not be able to access that particular website because of traffic overload or channel congestion.

Types of DDoS attacks

Application layer based DDoS: Such an attack targets and damages the application layer of the network. Its effect is measured in terms of requests per second (RPS): a large number of requests are generated, which becomes a load for the network.

Protocol based DDoS: In this type of attack, the resources and related modules of the server are the victims. Bandwidth is not captured in protocol based DDoS.

Volume based DDoS: Bandwidth is the key target here: it is saturated and flooded with massive traffic. If such an attack is successful, the server crashes and major faults occur.

HULK based DDoS

Whenever there is a DDoS attack on a website, it is known as a HULK (HTTP unbearable load king) attack. In a HULK attack, the unbearable load is created at the HTTP service. A number of virtual connections are created and then fired at the website. Under a HULK attack, the website receives a large number of connections from fake traffic and then hangs. That is why HULK is classified as a DDoS attack. HULK attacks are generally carried out using Python, PHP, Java or Perl scripts, which are easily available in assorted Web based source code repositories.

As there are massive DDoS attacks on different websites and servers, it is mandatory for network administrators to adopt and implement mechanisms to cope with and mitigate such attacks.

Let’s now discuss two free and open source tools that help to detect and repel such DDoS attacks.

DDoS Deflate

DDoS Deflate is an open source tool: a powerful shell script for coping with DDoS attacks on servers. It is capable enough to push back and block DDoS attacks. At the base level, it makes use of the netstat command to identify and investigate the IP addresses that are creating connections with the server.

The following command is used to identify and list the connections created by all the IP addresses:

<workingdirectory>$ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
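As an added illustration (not part of the original article and not DDoS Deflate's own code), the following Python reimplements the counting pipeline above over a constructed netstat sample and flags peers with more than a chosen number of connections, which is what the tool's kill threshold acts on. It also shows a caveat of the pipeline: `cut -d: -f1` splits at the first colon, so IPv6 peers are misread, whereas splitting at the last colon keeps them intact.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output (not real traffic); includes
# IPv6 peers to show why splitting on the first ':' misparses addresses.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.2:40001      ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:ffff::9:6000   ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:ffff::9:6001   ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.10:5353         ESTABLISHED
"""

def peer_address(foreign):
    """Strip the port from netstat's 'addr:port' column.
    Splitting at the last ':' keeps IPv6 addresses intact, unlike `cut -d: -f1`."""
    return foreign.rsplit(":", 1)[0]

def connections_per_ip(netstat_text):
    """Equivalent of the netstat | awk '{print $5}' | cut | sort | uniq -c pipeline."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip the two header lines
        counts[peer_address(fields[4])] += 1
    return counts

def over_threshold(counts, n):
    """Peers with more than n connections: the set a -k/--kill style ban acts on."""
    return sorted(ip for ip, c in counts.items() if c > n)

def report(netstat_text, n=2):
    """Print the sorted per-IP table and return the peers above the threshold."""
    counts = connections_per_ip(netstat_text)
    for ip, c in counts.most_common():
        print(f"{c:6d} {ip}")
    return over_threshold(counts, n)

if __name__ == "__main__":
    print("over threshold:", report(SAMPLE_NETSTAT))
```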

The features of DDoS Deflate include:

• Auto blocking of IP addresses

• Blacklisting and whitelisting of traffic and their sources

• Easy notification and management for network administrators

• Auto detection of rules associated with iptables and advanced policy firewalls

• Ease of configuration

• Auto e-mail alerts

• Uses tcpkill to push back unwanted and fake connections

Fire the following commands in a terminal to install DDoS Deflate:

<workingdirectory>$ cd /usr/local/src/
<workingdirectory>$ wget ddos/in
<workingdirectory>$ chmod 0700 in
<workingdirectory>$ ./in

The configuration file of DDoS Deflate can be edited as follows:

<workingdirectory>$ vi /usr/local/ddos/ddos.conf
or
<workingdirectory>$ gedit /usr/local/ddos/ddos.conf

Use the following command to start DDoS Deflate:

<workingdirectory>$ /usr/local/ddos/ -c

The following commands will uninstall DDoS Deflate:

<workingdirectory>$ wget ddos/uninstall.ddos
<workingdirectory>$ chmod 0700 uninstall.ddos
<workingdirectory>$ ./uninstall.ddos

To view the ‘Help’ screen and all other options in DDoS Deflate, type:

<workingdirectory>$ ddos --help

To view whitelisted IP addresses, type:

<workingdirectory>$ ddos -I | --ignore-list

Use the following command to view banned or blacklisted IP addresses:

<workingdirectory>$ ddos -b | --bans-list

To initialise the daemon process for monitoring connections, type:

<workingdirectory>$ ddos -d | --start

Type the following command to stop the daemon process:

<workingdirectory>$ ddos -s | --stop

To view the current status of the daemon and the PID it is running under, give the following command:

<workingdirectory>$ ddos -t | --status

You can view the active connections with the server by typing the following command:

<workingdirectory>$ ddos -v | --view

The following command bans or blacklists all IP addresses with more than ‘n’ connections:

<workingdirectory>$ ddos -k | --kill

Fail2Ban

Fail2Ban is another free and open source tool to identify and ban the sources of malicious DDoS traffic. It scans log files and identifies suspicious patterns and connections so that blacklisting can be done. Fail2Ban reduces illegitimate and incorrect authentication attempts with the use of powerful filter modules for the various services.

The features of Fail2Ban include:

• Deep parsing and analysis of log files

• Awareness of the time zone associated with the source traffic IP

• Integration of client-server architecture

• Assorted services including sshd, vsftpd and Apache can be processed

• Easy configuration for the administrator

• Compatibility with all the firewalls

• Whitelisting and banning of IP addresses

• Blocking of brute force assaults

• Blocking of IP addresses based on time slots

• Excellent for SSH based environments

• Time-based IP blocking

• Support for Python programming

To install and work with Fail2Ban, type the following command:

<workingdirectory>$ sudo apt-get install fail2ban

The Fail2Ban service maintains its configuration files in the directory /etc/fail2ban. In this directory, the default configuration file is jail.conf.

After installation, the default configuration file is copied to the working configuration file:

<workingdirectory>$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The configuration settings at the end of the config file are as follows:

# Rule to be set
[http-get-dos]
# Status
enabled = true
# 80,443 (Ports)
port = http,https
# Filter name
filter = httpgetdos
# Path of log
logpath = /var/log/www/vhost.d/cess_log
# Retries max. limit
maxretry = 5
# 5 retries in 10 seconds from 1 IP: ban or blacklist
findtime = 10
# In seconds (one day)
bantime = 86400
# Sets iptables variables
action = iptables[name=HTTP, port=http, protocol=tcp]
         iptables[name=HTTPS, port=https, protocol=tcp]
         sendmail-whois-withline[name=httpd-get-dos, dest=<E-mail ID>, logpath=/var/log/httpd/site-access_log]
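To make the maxretry/findtime/bantime semantics of this jail concrete, here is an added Python model of how Fail2Ban evaluates it (example code, not Fail2Ban's own implementation and not from the original article). The article names the httpgetdos filter but not its pattern, so the regex below is an assumption that matches the client IP of any GET request in Apache common log format, and the access_log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings taken from the jail.local fragment above.
MAXRETRY, FINDTIME, BANTIME = 5, 10, 86400

# Assumed failregex for the 'httpgetdos' filter (the article gives only the
# filter's name): capture the client IP of every GET request.
FAILREGEX = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access_log sample (not from a real server): 203.0.113.7 issues six
# GETs within six seconds; 198.51.100.2 spreads five GETs over 48 seconds and
# then sends a POST, which the filter ignores.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [01/Jan/2024:10:00:0{i} +0000] "GET /index.html HTTP/1.1" 200 512'
     for i in range(6)]
    + [f'198.51.100.2 - - [01/Jan/2024:10:00:{i * 12:02d} +0000] "GET /about HTTP/1.1" 200 77'
       for i in range(5)]
    + ['198.51.100.2 - - [01/Jan/2024:10:00:30 +0000] "POST /login HTTP/1.1" 302 0']
)

def jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Fail2Ban-style evaluation: a host is banned once it produces `maxretry`
    matching lines within a `findtime`-second window. Returns {host: ban expiry}."""
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m or m["host"] in bans:
            continue  # non-matching line, or host already banned
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # expire matches older than findtime
        if len(window) >= maxretry:
            # This is the point where the iptables and sendmail actions would fire.
            bans[m["host"]] = ts + timedelta(seconds=bantime)
    return bans

if __name__ == "__main__":
    for host, until in jail(SAMPLE_LOG).items():
        print(f"ban {host} until {until.isoformat()}")
```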

To view all the jails that have been enabled, type:

<workingdirectory>$ sudo fail2ban-client status

Figure 2: Active attacks in the network environment

Figure 3: DDoS Deflate working environment

Figure 4: Configuration file of DDoS Deflate
