A quick fix when under DDOS attack
Oct 8th
A friend of mine asked me what he should do when experiencing a DDOS attack.
A full write-up on how to handle a DDOS attack would be long, as each type of Denial of Service needs a different response, and an experienced sys-admin would deal with each one on a case-by-case basis.
However, for everyone, here is a simple, straightforward methodology:
1) Find the IPs the SYN flood is coming from, and
2) Block those IPs.
Easy, eh?
So how do you do that on a Linux machine?
Again, this is just a small excerpt.
A simple command such as
netstat -n -p | grep SYN_REC | wc -l
would count the connections currently sitting in the SYN_RECV state on the server (Linux prints the state as SYN_RECV; the grep above matches it as a prefix). Depending on the server's size, 30 to 40 SYN_RECV connections could be a sign of a DDOS attack.
Again, do not fixate on the numbers; several variables play a part when deciding to ring the DDOS emergency bell.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
will therefore list the IPs that are maintaining those SYN_RECV connections (field 5 of netstat's output is the foreign address in address:port form, and the second awk keeps only the address).
And why not also add sort | uniq -c (uniq -c needs sorted input) and get fancier?
Anyway, once you decide an IP source is flooding your port, simply block it (replace IP with the offending address) with
iptables -I INPUT -s IP -j DROP
cheers,
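The two steps above, as an added example that is not part of the original post: a script that reads netstat-style output, counts SYN_RECV connections per remote address, applies a threshold, and prints (rather than runs) the iptables commands so the list can be reviewed before it is applied. The function names syn_sources and block_cmds, the NEVER_BLOCK allowlist, and the sample netstat lines are this example's own constructions; it assumes Linux netstat output, where the half-open state is printed as SYN_RECV.

```shell
#!/bin/sh
# Added example, not code from the original post.
# syn_sources: read `netstat -n -p` style output on stdin, count connections
# in SYN_RECV per remote address, and print the addresses whose count is at
# or above THRESHOLD (most frequent first). Function name and threshold
# argument are this example's own choices; the default of 30 follows the post.
syn_sources() {
    threshold="${1:-30}"
    # Field 5 of `netstat -n -p` is the foreign address as address:port.
    # sed strips the trailing :port, which also works for IPv6 (a:b::c:port).
    # uniq -c needs sorted input; the second sort orders by count, highest first.
    grep 'SYN_RECV' | awk '{ print $5 }' | sed 's/:[0-9]*$//' |
        sort | uniq -c | sort -rn |
        awk -v t="$threshold" '$1 + 0 >= t + 0 { print $2 }'
}

# block_cmds: turn a list of addresses (one per line) into the iptables
# commands the post uses. It prints them instead of running them so the
# list can be reviewed first; pipe the output into `sh` (as root) to apply.
# Addresses listed in NEVER_BLOCK (space separated, hypothetical allowlist)
# are skipped so an administrator cannot lock out a management host by accident.
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"
block_cmds() {
    while IFS= read -r ip; do
        skip=0
        for keep in $NEVER_BLOCK; do
            [ "$ip" = "$keep" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample in the layout of `netstat -n -p` (not a real capture):
# four half-open connections from 198.51.100.7, two from 203.0.113.9, one
# from an IPv6 peer, and one fully established connection that must be ignored.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80     198.51.100.7:40001   SYN_RECV    -
tcp        0      0 10.0.0.5:80     198.51.100.7:40002   SYN_RECV    -
tcp        0      0 10.0.0.5:80     203.0.113.9:51000    SYN_RECV    -
tcp        0      0 10.0.0.5:80     198.51.100.7:40003   SYN_RECV    -
tcp        0      0 10.0.0.5:80     192.0.2.1:33000      ESTABLISHED 1234/nginx
tcp        0      0 10.0.0.5:80     203.0.113.9:51001    SYN_RECV    -
tcp6       0      0 2001:db8::5:80  2001:db8::1:40004    SYN_RECV    -
tcp        0      0 10.0.0.5:80     198.51.100.7:40004   SYN_RECV    -'

# Stand-alone run: list sources with at least 3 half-open connections and
# show the commands that would block them. On a live box the sample is
# replaced by the real command:  netstat -n -p | syn_sources 30 | block_cmds
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sources 3 | block_cmds
```

With the sample input and a threshold of 3, only 198.51.100.7 is reported and a single iptables line is printed. Printing the commands first is deliberate: a SYN flood that forges its source addresses will show up as hundreds of addresses with one connection each, and blocking those one by one is not useful, so the counted list is worth a look before anything is applied.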
Denial of Service – Sockstress
Oct 8th
Sockstress is a new type of Denial of Service developed by Jack C. Louis. According to nmap creator Fyodor, the attacker sends a TCP SYN packet to a targeted port, but first makes sure that a firewall protects his own machine so that it cannot interfere with the attack process. The main reason for the protection is to stop the attacker's own operating system from resetting the unexpected SYN/ACK that comes back (the second step of the TCP three-way handshake). This is to be expected, since the attacker sent the SYN packet from userland and not through the operating system's API. According to Fyodor, the attacker's userland program therefore replies to each packet by sending another raw packet, the acknowledgment packet.
That attempted explanation was partially denied by Robert Lee as being the overall "methodology"; however, he has refused to comment any further on it. As far as is known, no current fix or system is able to prevent Sockstress from taking down a server's TCP stack.
(for further info: http://blog.robertlee.name/2008/09/sockstress-podcast-interview.html)