Protect your Website from DOS attacks

A DoS (Denial of Service) attack aims to make a service listening on the Internet unusable by flooding it with bogus requests; any service exposed on the Internet that provides network services over TCP/IP is subject to the potential risk of (D)DoS attacks.

The difference between DoS and DDoS (Distributed Denial of Service) lies in the number of machines (PCs, servers, mobiles, in general any compromised device connected to the Internet) used to launch the attack: in the case of a DoS the attack comes from a single machine, while a DDoS attack, which is far more difficult to block, can take place simultaneously from hundreds of different machines.

As you can imagine, all the advice in this article will not give you total protection against DDoS, because when the attack is well organised and comes from a large number of different machines, the only way to try to block it, or more realistically mitigate it, is to act upstream, directly on your provider's infrastructure (which you therefore have to contact), unless you have your own network infrastructure.

In this article we will therefore see how to prevent the bored kid on duty from taking down some services on your server by showering them with requests, thanks to some little program downloaded from an unknown site.

How to recognize an attack?

This is definitely the first thing to learn: recognising a DoS attack. I have seen people blame an attack of this type many times just because the services hosted on their servers were unreachable, even though the cause was most likely something entirely different.

First, if you are under attack you will see a spike (which can range from a few to several Mbit/s) in your bandwidth-usage graphs and a peak in the number of connections reported by netstat; for this reason it is a good idea to generate graphs of all the most important services on your server.

Once you are sure there are anomalous peaks in bandwidth usage, use this command to display the state of all the connections on your server:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

The output will be something like this (the two lines reading "established)" and "Foreign" are just the sixth column of the two header lines netstat prints, not real connection states):

       1 CLOSING
       1 established)
       1 Foreign
       5 LAST_ACK
      15 FIN_WAIT1
      16 LISTEN
      59 FIN_WAIT2
     424 TIME_WAIT
     442 ESTABLISHED

If you notice a large number of connections in the SYN_SENT state, you are definitely under attack. At this point you only need to find the IP address or addresses from which most connections come, which you can do with this command:

netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n

At this point you will have a list of IP addresses sorted by number of open connections; at the bottom you will most likely find the IP of the machine from which you are being attacked. Now you only have to block those IPs, as we shall see in the next chapter.
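The two netstat pipelines above, run over a constructed sample of netstat output so the detection logic can be checked offline. This is an added example, not part of the original article: the sample lines, the threshold and the helper names are my own. One caveat worth building in: on the server side a SYN flood shows up as many half-open sockets in SYN_RECV, so the sample counts that state, and the header lines and the 0.0.0.0:* entries of listening sockets are filtered out so they do not pollute the per-IP counts.

```shell
#!/bin/sh
# Added example: the state and source-IP pipelines from the article, applied
# to a constructed netstat sample. On a live host replace SAMPLE with
# "$(netstat -natu)".

# Constructed sample: two header lines plus a handful of sockets; 10.0.0.9 is
# made to look like a flood source with several half-open (SYN_RECV) sockets.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           10.0.0.9:40001          SYN_RECV
tcp        0      0 192.0.2.10:80           10.0.0.9:40002          SYN_RECV
tcp        0      0 192.0.2.10:80           10.0.0.9:40003          SYN_RECV
tcp        0      0 192.0.2.10:80           10.0.0.9:40004          SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:6001        TIME_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.5:6002        ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Connections per state (column 6), skipping the two header lines so that
# "established)" and "Foreign" do not show up as states.
state_counts() {
    printf '%s\n' "$SAMPLE" | tail -n +3 | awk '{print $6}' | sort | uniq -c | sort -n
}

# Connections per remote IP (column 5 without the port), skipping the headers
# and the 0.0.0.0 wildcard of listening sockets.
top_sources() {
    printf '%s\n' "$SAMPLE" | tail -n +3 | awk '{print $5}' | cut -d: -f1 \
        | sed -e '/^$/d' -e '/^0\.0\.0\.0$/d' | sort | uniq -c | sort -n
}

# Number of sockets in one state, e.g. count_state SYN_RECV
count_state() {
    printf '%s\n' "$SAMPLE" | awk -v s="$1" '$6 == s' | wc -l | tr -d ' '
}

# Remote IP with the most connections (last line of the sorted list).
busiest_source() {
    top_sources | tail -n 1 | awk '{print $2}'
}

# Every IP holding more than THRESHOLD connections (constructed threshold;
# pick one from your own baseline graphs).
THRESHOLD=3
flood_suspects() {
    top_sources | awk -v t="$THRESHOLD" '$1 > t {print $2}'
}

state_counts
top_sources
echo "half-open sockets: $(count_state SYN_RECV)"
echo "suspects: $(flood_suspects)"
```

Run it from cron every minute and feed the output of flood_suspects to your alerting; the threshold is the part that needs tuning, which is why the article's advice to graph normal traffic first matters.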

Another very useful utility for analysing network traffic and watching it in real time is tcptrack; once installed, use the following commands to start monitoring:

tcptrack -i eth0 shows all traffic on the given network interface

tcptrack -i eth0 port 80 shows all traffic on port 80

tcptrack -i eth0 src or dst 127.0.0.1 shows all traffic to or from the specified IP address.

In addition, tcptrack shows you real-time bandwidth usage.

Block an attack

Now that we have detected an attack and figured out which IP it is coming from, we can try to block it; let's see how.

Given that the best thing would be to communicate the attackers' IPs to your provider, so that they can be blocked upstream and cannot affect your available bandwidth even minimally, there are mainly two methods to block these IPs on your server: drop them with iptables, or nullroute them (which, in my opinion, is preferable).

To block these IPs with iptables you can use this simple command:

iptables -A INPUT -s IP-ATTACKER -j DROP

So if the attacker's IP address were 123.234.80.65, the command would be:

iptables -A INPUT -s 123.234.80.65 -j DROP

To nullroute an IP instead, we have to run this command:

route add IP-ATTACKER gw 127.0.0.1

We can also nullroute an entire subnet, for example:

route add -net 192.67.16.0/24 gw 127.0.0.1

Then verify that the settings have actually been applied with:

netstat -nr

To remove the nullroute we can use the command route delete IP

To make sure the nullroutes are kept across reboots, write the same commands in /etc/rc.local.
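A small wrapper around the iptables and nullroute commands from this section, added here as an example (not from the article). Its point is the check a practitioner wants before feeding an address from the netstat pipeline to iptables or route: the value must be a well-formed IPv4 address and must not be loopback or the server's own address, otherwise a garbled line can lock you out or do nothing. The helper names, SELF_IP and the DRY_RUN switch are assumptions of this example; the commands it emits are the ones shown above.

```shell
#!/bin/sh
# Added example: validate an address before blocking it with the article's
# iptables / route commands. Runs in dry-run mode (prints the commands) unless
# DRY_RUN=0 is set and the script runs as root.

# Constructed value: the server's own public address, which must never be
# blocked. On a real host derive it from `hostname -I` or your interface config.
SELF_IP=192.0.2.10

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Return 0 only for addresses it is safe to block: valid, not loopback, not us.
blockable() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        127.*|"$SELF_IP") return 1 ;;
    esac
    return 0
}

# Emit (and, with DRY_RUN=0, execute) the iptables DROP and the nullroute.
DRY_RUN=${DRY_RUN:-1}
block_ip() {
    blockable "$1" || { echo "refusing to block '$1'" >&2; return 1; }
    for cmd in "iptables -A INPUT -s $1 -j DROP" "route add $1 gw 127.0.0.1"; do
        echo "$cmd"
        [ "$DRY_RUN" = 1 ] || $cmd
    done
}

# Append the nullroute to /etc/rc.local (or a constructed path for the demo)
# so it survives a reboot, as the article recommends.
persist_nullroute() {
    blockable "$1" || return 1
    echo "route add $1 gw 127.0.0.1" >> "${2:-/etc/rc.local}"
}

block_ip 123.234.80.65
```

With iproute2 the equivalent of the route command is `ip route add blackhole IP`, which discards the traffic without the round trip through the loopback gateway; the validation above applies unchanged.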

How to prevent attacks

So far we have seen how to behave when under attack, but as we were taught as children, prevention is better than cure, so let's see what we can do to avoid ending up with services down and having to restore them with a lot of effort.

First, we recommend installing APF (Advanced Policy Firewall), an iptables-based firewall that blocks many known attacks by pattern matching; in addition, thanks to its simple and versatile configuration, it is an excellent replacement for raw iptables, which is often quite cumbersome to maintain.

You can install APF using a package manager such as apt or yum, or compile the latest version yourself:

Download the latest stable version: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

Extract the downloaded archive: tar -xvzf apf-current.tar.gz

Enter the directory that was created and run ./install.sh

At this point APF must be configured properly; to do so, edit the file /etc/apf/conf.apf

First set the DEVEL_MODE parameter to 1, so that if you get some setting wrong and lock yourself out of the server, the firewall will automatically stop after 5 minutes. Remember to set this parameter back to 0 once the configuration is done, otherwise the firewall will only work for 5 minutes after each reboot.

Set to 1 all the parameters that enable the blacklists of known bad networks from which connections will be rejected (DLIST_*).

Manually set the TCP ports that must remain open in the IG_TCP_CPORTS variable (e.g. 80 for web traffic; if you have changed the ssh port, as you should have, remember to set it here, otherwise you will lock yourself out of the server); everything else will be closed.

Do the same for the UDP ports just below, if you use any.

Set the SYSCTL_SYNCOOKIES parameter to 1; it will protect you from SYN flood attacks.

OK, these are the basic parameters to configure, but I recommend reading the whole configuration file, where you will find many interesting options.

In addition to a firewall designed for this purpose, it would be a good idea to tune the kernel's network parameters.

But what if the attack is not a standard (D)DoS, but simply someone having fun with Apache Benchmark to knock your site down? Sure, it is easy to block them using the instructions in the first few paragraphs, but while you try to block them the site will probably be down for a few minutes, or even longer if you are not at your PC, for instance if it happens over the weekend.

To try to block these attacks upstream you can use the NginxHttpLimitReqModule module (limit_req), included by default in nginx, which lets you limit the number of requests from the same IP address; if you use Apache, you can use the mod_limitipconn module.
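An nginx configuration fragment for the limit_req module mentioned above, added here as an example and not taken from the article. The zone names, rate, burst and connection cap are assumptions to be tuned against your own traffic graphs; limit_conn, which caps simultaneous connections per IP, is shown alongside because the two modules cover different halves of the problem.

```nginx
http {
    # One shared-memory zone keyed by client address: each IP may average
    # 10 requests per second. 10 MB holds roughly 160k addresses.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    # Separate zone for counting open connections per IP (limit_conn module).
    limit_conn_zone $binary_remote_addr zone=conns:10m;

    # Tell the client it is being throttled rather than returning 503.
    limit_req_status 429;
    limit_conn_status 429;

    server {
        listen 80;
        root /var/www/html;   # assumed document root

        location / {
            # Allow short bursts of 20 extra requests without queueing them
            # (nodelay); anything beyond that is rejected immediately.
            limit_req zone=perip burst=20 nodelay;
            # No single IP may hold more than 20 open connections.
            limit_conn conns 20;
        }

        # Static assets served by a CDN or browser cache can be left out of
        # the request limit; keep the connection cap.
        location /static/ {
            limit_conn conns 20;
        }
    }
}
```

Throttled requests are logged at error level by nginx, so the rate at which 429s appear in the error log is itself a usable detection signal for the "kid with ab" scenario, long before bandwidth graphs move.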