I was curious as to what is the best way to determine if you are being DoS'd if you are running a Linux server. I browsed the forums but couldn't find a tutorial on it.
If you check your logs you should notice that you have packets coming in at a certain time interval (like every 5 seconds) from the same IP (or a range of IPs if it's a bot farm).
Or it might just mean you got popular (or /.ed or dugg or whatever)
Did you piss someone off recently? :)
Edit/Add:
I was trying to find an example log file on the web to post but I found something better.
http://www.securityfocus.com/infocus/1655
This is an article on Security Focus that explains how to identify a DDoS attack (it also has an example log file on the page).
Hope that helps!
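One way to look for the pattern described above (the same source hitting you at a fixed interval, or many hosts from one range) is to parse the log and measure the timing per source. The following is an added example, not code from the original thread or the Security Focus article; the log format, the addresses and the timestamps are constructed for the example, and a real log would need its own regex.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress
import re
import statistics

# Constructed sample log (not from the thread): "date time src=IP dst=IP dport=N".
# 203.0.113.7 hits every 5 seconds; the 192.0.2.x hosts are ordinary visitors.
SAMPLE_LOG = """\
2005-03-01 10:00:00 src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01 10:00:01 src=192.0.2.44 dst=198.51.100.10 dport=80
2005-03-01 10:00:05 src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01 10:00:09 src=192.0.2.91 dst=198.51.100.10 dport=80
2005-03-01 10:00:10 src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01 10:00:15 src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01 10:00:20 src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01 10:00:25 src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01 10:00:27 src=192.0.2.44 dst=198.51.100.10 dport=80
2005-03-01 10:00:28 src=192.0.2.61 dst=198.51.100.10 dport=80
2005-03-01 10:00:30 src=203.0.113.7 dst=198.51.100.10 dport=80
"""

# Regex for the constructed format above; adjust it for the real log you read.
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=\S+ dport=\d+$")


def parse_log(text):
    """Return {source_ip: [arrival timestamps]} for every parsable line."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        hits[m.group(2)].append(when)
    return hits


def interval_stats(times):
    """Mean and population stdev of the gaps between consecutive hits."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None, None
    return statistics.mean(gaps), statistics.pstdev(gaps)


def suspicious_sources(hits, min_hits=5, max_jitter=0.5):
    """Sources with many hits at a near-constant interval (machine-like timing)."""
    flagged = {}
    for ip, times in hits.items():
        if len(times) < min_hits:
            continue
        mean, sd = interval_stats(times)
        if sd is not None and sd <= max_jitter:
            flagged[ip] = {"hits": len(times), "interval": round(mean, 2)}
    return flagged


def hits_by_prefix(hits, prefixlen=24):
    """Total hits per /24 so a 'bot farm' spread over a range still stands out."""
    totals = defaultdict(int)
    for ip, times in hits.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        totals[str(net)] += len(times)
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("regular-interval sources:", suspicious_sources(parsed))
    print("hits per /24:", hits_by_prefix(parsed))
```

The jitter threshold is the interesting knob: a human browsing a site produces irregular gaps, while a script firing on a timer produces a standard deviation near zero, which is what the second function keys on. The per-prefix total is the crude answer to the "range of IPs" case; on a busy server you would compare it against that prefix's normal volume rather than a fixed number.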
What flavor of Linux? Some come with Ethereal installed natively...try that, or download it and sniff the incoming line.
Tim
Nice post/link Ippersiel
BTW...welcome back ;)
MLF
Thanks for the greenies (are they still called that?) It's nice to be back!
I haven't pissed anyone off yet. I work for a web hosting company and I'm just curious about what I would need to look for. Currently I just use our IDS to locate and filter attacks, but I would like to increase my knowledge. While I'm not currently familiar with what version these boxes run, I know most of them use Red Hat. Also we have FreeBSD boxes. By the way, thank you for the information provided so far; it is very helpful.
An easy solution for DoS attacks is TCP Intercept (I know some Cisco routers have this service...)---it proxy-SYN-ACKs a SYN request, and if it does not ACK back (as most DoS attacks do NOT), then the router drops the packet. Also, see if on the routing device you can limit the number of half-open TCP connections.
Tim
I like how you said yet :D
Quote:
Originally Posted by HackerSlayer
I'm not too familiar with these things, but if someone was being flooded by 10,000 connections, wouldn't that overload the TCP Intercept and in essence satisfy the DoS attack as well?
Quote:
Originally Posted by c1sc0m4n
I may well be wrong, but as far as I am aware a DoS attack is a pretty crude event?
Like you are bigger than they are and win or they are bigger than you and you lose?
:confused:
The perfect solution would be to have anyone with a border router not allow any traffic to exit their network that does not have a source IP contained within their network, hence stopping spoofing, a technique used by zombies/trojans/virii. A majority of directed attacks use this technique.
This would never happen of course, due to so many ISPs knowing close to nothing about security, let alone how TCP/IP works.
Quote:
Originally Posted by Ippersiel
This is how the SYN attack works. The TCP 3-way handshake: remote sends a SYN, you send a SYN/ACK back and wait for a period of time (3 seconds); if you do not get an ACK back, you resend the SYN/ACK and wait (now 6 seconds). This happens about 4 times, holding a socket open for approximately a minute or so.
Now if you receive 10,000 SYNs, eventually all of your file descriptors for sockets get used up and you can no longer service sockets.
What TCP Intercept does is keep track of the number of opened connections (those without a corresponding ACK). If any IP sends, let's say, 5 open connections and does not receive an ACK, TCP Intercept will no longer accept connections from that IP and will not use any more resources for that IP. (I think the term Cisco uses for this is embryonic or something close to that.)
Now if it is 10,000 connections from 10,000 different IPs, TCP Intercept only sees 1 open connection from each IP and will not shun them until the limit of 5 open connections is seen, which would then need to be 50,000 connections, and you are toast by then anyways.
Thanks for the explanation Opus00.
So from my understanding, if you're being DDoS'd from a small group of people, let's say, like a script kiddie "clan", then the ACK back method would shield someone from being overloaded.
But if you have a bot net that's flooding your gates, your router will be locked up with too many waits for ACK backs.
Another question about this: If the router gets those 10,000 packets and gets held up waiting for 50,000 backs, does it lock up and require a reboot or can it eventually process all 50,000 and start to ignore all 10,000 IPs?
Even the most basic firewall or routing devices wouldn't have any problem handling the types of SYN attacks mentioned by Opus00. The firewall or device will normally have a setting for the embryonic limit which basically means how many half open (or waiting) connections someone can try to open into one of my internal machines.
Quote:
Originally Posted by Ippersiel
All firewalls (normally) then have an embryonic connection timeout period where all connections are simply dropped. There is no attempt to process any more data, just toss it in the bit bucket, or if you've configured it to send it to a log file of some sort.
Hope this helps, but if it's too simply explained please feel free to make your eyes bleed reading:
http://www.cisco.com/en/US/tech/tk82...800f67d5.shtml
Exactly right Opus, at layer 3---TCP SYN attacks are at the transport layer, though. An ACL could easily avoid spoofing attacks as you have stated (deny ip 10.x to your network, as well as 172.16.x.x/12 and 192.168.x.x/16).
First off, limiting the number of half-open TCP connections (TCP SYN requests that have not yet been SYN-ACK'd by an answering node) to 500 would prevent the 10,000 TCP SYN requests from flooding the border router. Also, limiting the inbound and outbound TCP keepalives helps. A decent router that is capable of TCP Intercept (or a similar technology) can proxy-answer TCP SYN requests all day long, especially coming from not so many different IP addresses---once a SYN request is not answered by the attacking host, not only is the packet dropped, but the router may also be configured to then block the IP address on the fly by way of CBAC, or Context-Based Access Control.
Tim
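Opus00's per-IP embryonic count and Tim's cap of 500 half-open connections are two different limits, and the thread's 10,000-connection question is really about how they interact. The following is an added example, not code from the original thread and not a description of how Cisco TCP Intercept or CBAC is implemented: it is a toy model of a half-open connection table with both limits, run against the three cases discussed (one source sending 10,000 SYNs; 10,000 sources with only a per-source limit; the same with a global cap). The source addresses, the 60-second hold time and the 1 ms spacing between SYNs are constructed assumptions.

```python
from collections import defaultdict


class HalfOpenTable:
    """Toy model of a gateway's embryonic (half-open) connection table.

    Assumptions made for this example (not a description of any real router):
    a SYN without a following ACK stays half-open for `timeout` seconds;
    a source holding `per_source_limit` half-open entries is shunned;
    if `global_limit` is set, new SYNs are dropped once the table is full.
    """

    def __init__(self, per_source_limit=5, global_limit=500, timeout=60.0):
        self.per_source_limit = per_source_limit
        self.global_limit = global_limit
        self.timeout = timeout
        self.half_open = {}             # (src_ip, src_port) -> time the SYN arrived
        self.counts = defaultdict(int)  # src_ip -> number of half-open entries
        self.shunned = set()

    def _expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.half_open:
            key, seen = next(iter(self.half_open.items()))
            if now - seen < self.timeout:
                break
            del self.half_open[key]
            self.counts[key[0]] -= 1

    def syn(self, src_ip, src_port, now):
        """Process a SYN; return 'accepted', 'shunned' or 'dropped'."""
        self._expire(now)
        if src_ip in self.shunned:
            return "shunned"
        if self.global_limit is not None and len(self.half_open) >= self.global_limit:
            return "dropped"
        self.half_open[(src_ip, src_port)] = now
        self.counts[src_ip] += 1
        if self.counts[src_ip] >= self.per_source_limit:
            self.shunned.add(src_ip)  # stop spending resources on this source
        return "accepted"

    def ack(self, src_ip, src_port):
        """Third handshake packet arrived: the connection is no longer embryonic."""
        if self.half_open.pop((src_ip, src_port), None) is not None:
            self.counts[src_ip] -= 1


def flood(table, sources, syns_per_source, start=0.0, spacing=0.001):
    """Send SYNs that are never ACKed from each source; tally the verdicts."""
    verdicts = defaultdict(int)
    now = start
    for i in range(syns_per_source):
        for src in sources:
            verdicts[table.syn(src, 1024 + i, now)] += 1
            now += spacing
    return dict(verdicts)


def run_scenarios():
    """The three cases discussed in the thread."""
    # 1) one host sends 10,000 SYNs: shunned once it holds 5 half-open entries
    single = flood(HalfOpenTable(per_source_limit=5, global_limit=500),
                   ["203.0.113.7"], 10_000)
    # constructed set of 10,000 distinct source addresses, one SYN each
    botnet = [f"198.51.{i // 256}.{i % 256}" for i in range(10_000)]
    # 2) per-source limit only: every SYN is accepted and the table fills up
    uncapped_table = HalfOpenTable(per_source_limit=5, global_limit=None)
    uncapped = flood(uncapped_table, botnet, 1)
    # 3) add a global cap of 500 half-open entries: the rest are dropped
    capped = flood(HalfOpenTable(per_source_limit=5, global_limit=500), botnet, 1)
    return {
        "single_source": single,
        "botnet_per_source_only": uncapped,
        "botnet_table_size": len(uncapped_table.half_open),
        "botnet_with_global_cap": capped,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The second scenario is the one Opus00 describes: with only a per-source limit, 10,000 distinct sources each get one free half-open entry and the table holds all 10,000. The third shows what the global cap buys and what it costs: the device itself stays bounded at 500 entries, but during the flood 9,500 SYNs are dropped without regard to whether they were legitimate, which is the trade-off the follow-up question about slow responses for real users is asking about.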
A follow-up question. Would this not also make it hard for a legitimate request to come in? Wouldn't the 500 be so busy dealing with the bogus requests that the legitimate user would be missed, or just receive a slow response?
Quote:
Originally Posted by c1sc0m4n
The CBAC that he mentioned does give a small performance hit on any router. This is just due to the fact that you're doing all your processing in software and the more you do the more you slow your router (Routers are not specifically designed as a firewall, but do a good enough job, sometimes).
Quote:
Originally Posted by Ippersiel
This type of attack would not noticeably hurt even the CBAC system, but this is because of the way traffic is handled by any gateway device (the old name for a firewall). See, traffic is not automatically allowed into your network; in fact traffic that does adhere to your specific set of rules (or your access lists) does not even get the courtesy of being examined further or forwarded, it is simply dropped.
To the question of legitimate traffic, well, that's defined two ways. Either by your rules that I just mentioned, or by dynamically created access lists that are created as a packet leaves and only remain open for a specific time frame. These (very simplified) work something like this: (forgive me if I don't want to build a real packet, that would require opening an old college book)
sender's IP :to: destination IP :using: port number
The router will only allow something to come back in that looks like
destination IP :to: sender IP :using: (port number expected by router)
So what I'm trying to say is that properly configured gateway devices do not suffer in the event of most dos, ddos or syn attacks as they do not suffer the attackers (yes, it's a play on words).
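The two filtering ideas in this thread, the anti-spoofing ACL on the border (deny the private ranges and your own prefix as a source on the outside interface, from the earlier posts) and the dynamically created return-traffic entry that mirrors the outbound tuple and expires after a fixed time (from the post above), can be shown together in a small stateful gateway model. The following is an added example, not code from the thread and not a description of any vendor's implementation; the inside prefix 198.51.100.0/24, the 30-second lifetime and the addresses and ports used below are constructed for the example.

```python
import ipaddress

# Constructed inside network for this example.
INSIDE_NET = ipaddress.ip_network("198.51.100.0/24")

# Addresses that should never be the source of a packet arriving from outside:
# the private ranges named in the thread, plus our own prefix.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    INSIDE_NET,
]


def spoofed_source(src_ip):
    """Ingress anti-spoofing check: True if a packet with this source must be dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in BOGON_SOURCES)


class Gateway:
    """Toy stateful gateway: inbound is denied by default, except replies to a
    recent outbound flow (the dynamic access-list idea) and explicit static allows."""

    def __init__(self, lifetime=30.0):
        self.lifetime = lifetime
        # (inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.dynamic = {}
        # (inside_ip, port) that anyone may reach, e.g. a public web server
        self.static_allow = set()

    def allow_service(self, inside_ip, port):
        self.static_allow.add((inside_ip, port))

    def outbound(self, src_ip, sport, dst_ip, dport, now):
        """An inside host opened a flow: remember it so the reply can come back."""
        self.dynamic[(src_ip, sport, dst_ip, dport)] = now + self.lifetime

    def inbound(self, src_ip, sport, dst_ip, dport, now):
        """Return 'allow' or a drop reason for a packet arriving from outside."""
        if spoofed_source(src_ip):
            return "drop:spoofed-source"
        if (dst_ip, dport) in self.static_allow:
            return "allow"
        # The reply must be the mirror image of what went out.
        key = (dst_ip, dport, src_ip, sport)
        expiry = self.dynamic.get(key)
        if expiry is None:
            return "drop:no-matching-flow"
        if now > expiry:
            del self.dynamic[key]
            return "drop:flow-expired"
        return "allow"


if __name__ == "__main__":
    gw = Gateway(lifetime=30.0)
    gw.allow_service("198.51.100.10", 80)
    gw.outbound("198.51.100.20", 40000, "203.0.113.7", 53, now=100.0)
    print(gw.inbound("203.0.113.7", 53, "198.51.100.20", 40000, now=101.0))  # reply: allow
    print(gw.inbound("203.0.113.7", 53, "198.51.100.20", 40001, now=101.0))  # wrong port: drop
    print(gw.inbound("203.0.113.7", 53, "198.51.100.20", 40000, now=131.0))  # too late: drop
    print(gw.inbound("10.1.2.3", 5555, "198.51.100.10", 80, now=101.0))       # spoofed: drop
```

Notice the order of the checks: the spoofing test runs before the static allow, so a packet claiming to come from inside your own prefix is dropped even when it is aimed at the public web server. That ordering is what the "does not even get the courtesy of being examined further" remark describes, and it is also why a flood of packets that match no rule and no flow costs the device only a table lookup each.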