proteting against DoS attacks on a redhat linux platform

[prodikal]

hello ppl i was bored and decieded to write a short tutorial on protecting your self against D0S (denial of service) i decided to type this out instaed of uploading in txt format to here because my last tut was a mes TY to linuxelite who converted it to pdf format kudos well i have been doing a lot of reading lately and i read a lot on DOS attacks and how to protect your self so heres my tutorial the reason i put redhat is because it works on my redhat box i dont know about other linux distro`s i havent used any others. like redhat has a mail filtering proggramme called procmail i dont know if any other linux distro`s have this and i will be disscussing this later


denial of service is an aattck designed to crash your system or degrade its performance to an unusable level.
most ppl focus on overloading some system resources such as your avalibile disk space or your internet connection i will be covering some more common attacks and defenses i hope this can help some 1 so here goes



SMURFING

smurfing is a particular attack aimed at flooding your internet connection it can be quite difficult to defend against because it isnt easy to trace back to the host compuer.*i hope ppl understand this it is quite hard to explain*
smurfing works like this
the attack makes use of the ICMP protocol ICMP as u all knwo is used for checking the speed and availability of network connections using the ping command.you send a ping packet to a remote system over the net.and the remote computer will regognize it as a ICMP packet and ping you back your computer then can print a message revealing to you that the remote system is up and telling you hoow long it took to reply to that packet .
a smurfing attack uses a mailformed ICMP request to bury your computer in network traffic the kiddie does this by bouncing his or her pings of of a third party computer *didnt want to discriminate* in a way that the ping is duplicated dozen or even hundreds of times .a network with a fast net connection and a lot of compuetrs is used as the relay.the destination address of the packets are set to a whole subnet instead of a single host the return address is forged to be your machines address instead of the actual sender when the ICMP packet arrives at the unwitting network every host on that subnet replies to that ping furthermore they reply to your computer instead of the actual sender if the network has of computers your internet can be quickly flooded
the best thing is to contact the network admin str8 away to tell tham of the packet kiddie usually they will only need to reconfigure there routers to stop any further attacks .if the admin doesent coperate well with u you can minnimize the effect of the attack by blocking the ICMP protocol on your router this will at least keep the packets off your connection if u can convince your ISP to reject ICMP packets aimed at u it would help even more

MAIL BOMBING

well u guessed it its the kiddies favorite the mailbombers the 1 that feck up your inbox mail bombs are an email repeated over and over again to flood your inbox with pointless junk they usuall use this to eat up hard drive space on your box redhat has a proggramme called procmail built in im going to show u how to use this

PROCMAIL
the procmail tool comes built in with redhat i just found out 2 seconds ago that it is avalible for the downlaod
www.procmail.com
so to enable procmail for your users account make a file called .procmailrc in u r home directory the file should be made in mode 0600 so you are the 1 only able to read it the file replace thetype in the following replacing kiddie with the amil address that is bombing you

# delete mail from <kiddie>
:0
* ^From *kiddie
/dev/null

the online man page explains its its cappabilities in greater detail type man procmail at the command prompt to read it the procmail and procmailx pages will tell u more about the .procmailrc and give examples on hoe to selectively proccess diffrent types of mail

BLOCKING MAIL WITH SENDMAIL

the procmail tool woks well for a single user but what happens if they are bombing numerous users on a network you ould have to configure the sendmail daemon to block all email from the kiddie you can do this by adding the kiddie`s email addy to the /etc/mail directory
each line of the access file contains an e-mail address host name domain or IP address followed by a tab and then a key word specifying the keywords are as follws OK RELAY REJECT DISCARD and ERROR using the REJECT key word will bounce the email back with an error messege the key word DISCARD will cause the messege to be silently dropped without sending an error back you can even customize u r errors by using the ERROR keyword hehe

oh well heres an example

# check the /usr/share/doc/sendmail/README.cf file
# for a description of the format of this file search for( access_db in that file) the
#/usr/share/doc/sendmail/README.cf is part of the sendmail doc package
#
#by default we allow relaying from from localhost...
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
#senders we want to block
#
Iama31337hax0r@hotmail.com REJECT
spammer@yahoo.com REJECT
hotteens***s@dirtyoldman.com DISCARD
<ip address> ERROR:&550 u kiddie fewl

as with linux configuration files that begin witha # sign are comments the list of all the kiddies spammers and perverts are at the bottom of the list NOTE the address to block can be complete e-mali addys or a full host name a full domain an IP address or a subnet

to block a particular email address or host from mailbombing you can log in to your system as root and edit the /etc/mail/access file and add a line to DISCARD mail from the offending server after saving and exiting the file yoou must convert the access text file to the database format used by the send mail deamon by using the MAKEMAP command to convert the the denied file in to a hash index database called access.db type the following # makemap bash access.db < access
sendmail should now discard e-mail from the address u added

well i though this would have been quite short but hey as i said i was bored if u read this far im proud of u thanks to all how read this

[Redbone]

Wow prodikal, thanks for posting this information! I am a professed total linux newbie and I am here to learn things just like this! Since I have a cable connection I have to run a firewall to protect my network, but there isn't anything stopping someone from pounding my IP with a DoS attack. With this information I now have a means to recognize what is going on in case I am ever targeted. (Not that I am doing anything to make myself a target)

Great information!!

[G.Ben.M]

Good one man!

[|The|Specialist]

Nice tut.

About the mail bombing part....
If a address isn't protected from spam a kiddie could just surf around and post your address on as much sites and signup for as much 'SPECIAL' 'OFFERs' as the kiddie can so that the inbox becomes flooded. Though it's slower & not as effective as useing nukes, it is very annoying and the worse part is there isn't any s.kiddie tools or anything needed for this.

Most peaple I know don't filter their e-mail but I'd (HIGHLY) advise filtering and blocking spam.

[doktorf00bar]

Nice tut Prodikal. We can't afford to give the kiddies any satisfaction.

[prodikal]

thanks to all who replied im glad this info has helped some ppl thanks to all for replying its appreciated
| the | specialist i left out the spamming part becasue any n00b can do this and i didnt want to suggest it to them i might write a follow up on this in this thread later ways top prevent it etc