Chia Sẽ Kinh Nghiệm Về IT



Tìm Kiếm Với Google
-


Gởi Ðề Tài Mới  Gửi trả lời
 
Công Cụ Xếp Bài
Tuổi 13-07-2009, 04:17 PM   #1
hoctinhoc
Guest
 
Trả Lời: n/a
Các Cách ngăn ngừa tấn công Ddos (Preventing DDOS attacks)
Preventing DDOS attacks

Blessen Cherian DDOS, or Distributed Denial of Service is an advanced version of DOS(Denial of Service) attack. Like DOS, DDOS also tries to deny important services running on a server by broadcasting packets to the destination server in a way that the Destination server cannot handle it. The speciality of the DDOS is that, it relays attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which has already been compromised.
Normally, DDOS consists of 3 parts . The Master, the slave and at last the victim. The master is the attack launcher, i.e the person/machine behind all this. The slave is the network that is being compromised by the Master and Victim is the target site/server. Master informs the compromised machines, so called slaves to launch attack on the victim's site/machine. Hence its also called co-ordinated attack.

Here is how I see it. Master is the Master Brain, Slave is said to be the launch pad for the attack and Victim is the target.
DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called Intrusion Phase. Its in the next phase, that they install DDOS tools and start attacking the victims machines/site. This Phase is called Distributed DoS attack phase.
What Allowed them to do it? Simple.
  1. Vulnerable softwares/Applications running on a machine or network.
  2. Open network setup.
  3. Network/ machine setup without taking security into account.
  4. No monitoring or Data Analysis are being conducted.
  5. No regular Audit / Software upgrades being conducted.
What should we do if we are under DDOS attack?

Check if your machines load is high and you have large number of HTTP process running.

To find the load just use the command w or uptime -
#w 12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
To find if there is large number of HTTP process running use the command " ps -aux|grep HTTP|wc -l "

<div style="text-align: center;">
bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz bash# tar -zxf apf-current.tar.gz bash# cd apf-<version number> bash# ./install.sh
Notes: Go through the Document in the Apf and configure it for your needs. All configuration is set at conf.apf which is normally located at /etc/apf/conf.apf
Enable Anit-DOS mode in Apf (ie in conf.apf) . Also make sure that your root's cron has an entry like the one below
*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
Install IDS on your gateway/hosts to alert you when someone tries to sniff In.

(a) Wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz
(b) Untar it
tar -zxvf aide-0.7.tar.gz cd aide-0.7
(d) Then execute
./configure -with-gnu-regexp
(e) Final steps to install
make;make install
(f) Now the main step. To configure AIDE. AIDE stores all its rule sets in the file called aide.conf. To get more details on how to configure from 'man aide.conf'
(g) Here is a sample short aide.conf:
Rule = p+i+u+g+n+s+md5 /etc p+i+u+g /sbin Rule /usr/local/apache/conf Rule /var Rule !/var/spool/.* !/var/log/.*
In this configuration, a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are folders where maximum updation takes place.
(h) After configuring AIDE should be initiated with all these rules.
For that execute
aide -init
Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications.

Use tools like RKDET(vancouver-webpages.com/rkdet), RKHUNTER(www.rootkit.nl) and CHKROOTKIT(www.chkrootkit.org) to find if any rootkit has been already installed and to locate the effected binaries in the machine, if any.
This is a simple Audit check List to check for.
  • Software Vulnerabilities.
  • Kernel Upgrades and vulnerabilities.
  • Check for any Trojans.
  • Run chkrootkit.
  • Check ports.
  • Check for any hidden processes.
  • Use audit tools to check system.
  • Check logs.
  • Check binaries and RPMS.
  • Check for open email relays.
  • Check for malicious cron entries.
  • Check /dev /tmp /var directories.
  • Check whether backups are maintained.
  • Check for unwanted users, groups, etc. on the system.
  • Check for and disable any unneeded services.
  • Locate malicious scripts.
  • Querylog in DNS.
  • Check for the suid scripts and nouser scripts.
  • Check valid scripts in /tmp.
  • Use intrusion detection tools.
  • Check the system performance.
  • Check memory performance (run memtest).

Enforce and Implement Security Measures on all hosts in the network.

Machines new or old should only be allowed to run on your network, if your Security Admin or DSE (Dedicated Security Expert) member approves it with status ``OK-to go live'' after auditing the box. All Host in the network should be checked on a regular basis by your DSE team to make sure that all hosts are up-to-date and can fight any attacks.
Audit network on a regular basis to see if your network is vulnerable to attacks

Use Open Source Tools like NESSUS (www.nessus.org), NMAP(www.insecure.org/nmap), SAINT( www.saintcorporation.com/products/saint_engine.html), SARA (www-arc.com/sara/sara.html) for auditing a network to find its vulnerabilities.
Create a DSE (Dedicated Security Expert ) Team for your company.

Collect your networks and hosts data . Analysis them and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you this move is worth the money you spend,for sure.
Implement Sysctl protection against DDOS
bash# vi /etc/sysctl.conf
Add this code to this file:
# Enable IP spoofing protection, turn on Source Address Verification net.ipv4.conf.all.rp_filter = 1 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 Add the below code in /etc/rc.local and restart network for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > done echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Install Mod_dosevasive to your apache.

Mod_dosevasive is module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation step of mod_dosevasive in DSO mode below
Eg: Install Mod_dosevasive
# wget http://www.nuclearelephant.com/proje..._1.10.1.tar.gz # tar -zxvf mod_evasive_1.10.1.tar.gz # cd mod_evasive_1.10.1 # $APACHE_ROOT/bin/apxs -iac mod_evasive.c
``$APACHE_ROOT'' is a variable that stores the location of the apache installation (eg $APACHE_ROOT =/usr/local/apache)
# vi /usr/loca/apache/conf/httpd.conf
After this add the below code in httpd.conf
<IfModule mod_dosevasive.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 </IfModule>
Then restart Apache
# /usr/local/apache/bin/apachectl restart
Install Mod_security

Since DDOS normally targets HTTP. Its always good to have a filtering system for apache . So that the request gets analyzed before web server handles it. Please find the installation step of mod_security in DSO mode below
bash# http://www.modsecurity.org/download/...e-1.9.2.tar.gz bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz bash# cd modsecurity-apache-1.9.2 bash# /usr/local/apache/bin/apxs -cia mod_security.c
Create a file named mod_security.conf under the folder /usr/local/apache/conf
bash# vi /usr/local/apache/conf/mod_security.conf
Create the rule with reference to the link http://www.modsecurity.org/documenta...-examples.html and add it in the mod_security.conf file.
Add the location of mod_security.conf to httpd.conf
bash# vi /usr/local/apache/conf/httpd.conf
by adding the string below
Include /usr/local/apache/conf/mod_security.conf
Restart apache
# /usr/local/apache/bin/apachectl stop # /usr/local/apache/bin/apachectl start
Best solution to fight DDOS to a certain extend will be to setup load balancer for your services.

Creating awareness on Security

This is the most important part. People, including users should be Security conscious. Only then will they understand the importance of Security measures . Server owner's and users should be made aware of the issues which can rise due to bad security measures.

Blessen Cherian works in Bobcares. He is passionate about Server Security and looks forward to gain expertise in this area.
  Trả lời ngay kèm theo trích dẫn này
Gửi trả lời



Quyền Hạn Của Bạn
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is Mở
Hình Cảm xúc đang Mở
[IMG] đang Mở
Mã HTML đang Tắt




Bây giờ là 09:38 PM. Giờ GMT +7



Diễn đàn tin học QuantriNet
quantrinet.com | quantrimang.co.cc
Founded by Trương Văn Phương | Developed by QuantriNet's members.
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.