Tuesday, September 1, 2009

DOS & DDOS Attacks 2

In the last post we explained DOS & DDOS attacks by example. In this post we will -inShaAllah- demonstrate how to prevent these attacks. First, let me explain in more detail how DOS & DDOS attacks happen. DOS & DDOS are normally attacks against the network stack, which is called TCP/IP. They mostly focus on the fourth layer of OSI, which is called the Transport layer, and the fifth layer of OSI, which is called the Network layer, as follows:

  • OSI's layer four: Transport layer, which has the tcp (SYN flood) and udp (udp flood) protocols
  • OSI's layer five: Network layer, which has the ip and icmp (ping of death) protocols

As mentioned before, the experiment applied here is ping of death, which is against the icmp protocol. What is the icmp protocol? Simply, it is used for reporting on network packets, such as: Is the host online? Has this packet been delivered to its destination? Just reporting, nothing more.

Probably you may decide to DISABLE the icmp protocol totally, since it is not used for delivering or receiving packets; it just asks and answers: Were the packets delivered? Sending and receiving is the job of the TCP & UDP protocols, not icmp. The approach of disabling icmp is absolutely wrong. Why? Look at the example:

Let us take one of icmp's types, e.g. TTL=11.

11 Time Exceeded

Codes
0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded

We know TTL (the time to live type), which is used to report to us whether the packets arrived at the destination or not. Imagine we disabled it: who would report the packet's status to us? It is like I sent an e-mail to a far place but I am not sure whether it was delivered or not. In this case, the existence of TTL is very, very important and should not be disabled, because it is used for this function. Obviously the idea of disabling all the icmp types is now clearly wrong. So, we should disable just what is making DOS & DDOS against our servers. In our example, there are two types of icmp that make DOS & DDOS, and they are the echo and echo-reply types:

Echo:
8 Echo

Codes
0 No Code

Echo-Reply:
0 Echo Reply

Codes
0 No Code

Using the iptables Firewall prevents this kind of attack as follows:

Open a terminal on the victim, which has IP=10.1.1.1, and become root:

sudo -i
enter the password

Then type the following to see the rules of the Firewall:

iptables -L
Figure 1: no rules in iptables Firewall.


When a victim receives an echo packet (type 8), it should answer with an echo-reply (type 0). So, to prevent DOS & DDOS we should drop type 8 in INPUT (the iptables INPUT chain) as follows:

iptables -A INPUT -p icmp --icmp-type 8 -j DROP
Figure 2: iptables after the drop rule has been added.


Now the ping of death attack is prevented, and none of the attacker's machines can do DOS/DDOS.
Figure 3: the attacker cannot send ping packets (echo type) after the rule has been added to the victim's server.
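To make the distinction above concrete, here is a small Python example, added to this page and not part of the original post, that parses an ICMP header, verifies its checksum, names the type/code using the tables given earlier, and applies the same verdict as the iptables rule: type 8 (Echo) is dropped, while everything else, including type 11 Time Exceeded, still reaches the host. The sample messages are constructed in the code itself.

```python
import struct

# ICMP type/code names from the post's tables (RFC 792 numbering).
ICMP_NAMES = {
    (0, 0): "Echo Reply",
    (8, 0): "Echo",
    (11, 0): "Time to Live exceeded in Transit",
    (11, 1): "Fragment Reassembly Time Exceeded",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed test input: an ICMP message with a correct checksum.
    The 4-byte 'rest of header' is left zero; it is not needed here."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload

def parse_icmp(msg: bytes) -> dict:
    """Return type, code and name; raise ValueError on a malformed message."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(msg))
    icmp_type, code = struct.unpack("!BB", msg[:2])
    if icmp_checksum(msg) != 0:              # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code,
            "name": ICMP_NAMES.get((icmp_type, code), "other")}

def input_verdict(msg: bytes) -> str:
    """Mirror 'iptables -A INPUT -p icmp --icmp-type 8 -j DROP':
    only echo requests are dropped, other ICMP types are accepted."""
    return "DROP" if parse_icmp(msg)["type"] == 8 else "ACCEPT"

if __name__ == "__main__":
    for t, c in [(8, 0), (0, 0), (11, 0), (11, 1)]:
        m = build_icmp(t, c, b"abc")
        print(parse_icmp(m)["name"], "->", input_verdict(m))
```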

Before ending this post, we must keep some important points in mind:
  1. On real servers, do not disable/enable any protocol's features without discussing it with the IT team (programmers, database programmer, system admin, ...). After a good discussion, adapt and configure your server accordingly. Why? To avoid conflicting with the minimum requirements; for example, I configured the Firewall to allow just 2 KiB per second, but the application needs 3 KiB per second. In this case, if I do not correct it, all of the application's processes will be cancelled!
  2. Attacks against TCP, called SYN Flood, and against UDP, called UDP Flood, work differently, so it is better to use NIDS/HIDS beside the firewall. We will see -inShaAllah- how to install and configure them. Snort is an example of a NIDS and OSSEC is an example of a HIDS.
  3. It is recommended to SHUTDOWN AND REMOVE all servers that are no longer needed, such as the Mail Server, Web Server, Database Server, LDAP Server, Samba Server, ftp Server, SSH Server... etc. Do not only drop packets destined to the port while the server is still up.

3 comments:

  1. That is right Abbas, that is why the application firewall always makes conflicts with the other applications.
    But the problem with the firewall in the network layer is that it makes the traffic so slow, which is why, until now, you should not be surprised if you find some organizations that don't have a firewall.
    Even if I can implement rules for the firewall as a policy, you should know which programs they need to use; depending on that you can open and close the ports according to their needs.

  2. Ohh, I have a suggestion (it is just an idea; if people agree I will try to help also): we can make questions and answer them; if we answer them we can get a good understanding of DOS, as follows:

    a) Why do half-open (SYN flooding) DoS attacks cause problems for servers?

    b) What can be done to stop half-open Dos attacks?

    c) Why is rate limiting good as a way to reduce the damage of some DoS attacks?

    d) Why is it limited in effectiveness?

    e) Why is DoS protection a community problem, not just a problem for individual victim firms to solve?

  3. Hello Mustafa, may you wait until the next post, where I will explain IDS/IPS for network and host. I can answer you now, but actually it needs too many details; it needs a full post, because IPS has a feature called BLOCKING. This blocking is divided into two types: 1) just terminate (cancel) the current connection; 2) block the connection for all time or for a specified time. Also, we need to dig into TCP flags and review ICMP types. Just do it with experiments; it is soooooooooooooooooooo nice ;-)
