Sunday, January 25, 2009

Prevent DDOS Attack in Linux

What happens when the box is under attack?

1. Programs run very slowly
2. Services (e.g., HTTP) fail at a high rate
3. Large number of connection requests from different networks
4. User complaints about slow (or no) site access
5. Machine shows a high CPU load

How do you detect and stop an attack?

1) Check the CPU load. A load average that stays well above the number of CPU cores, combined with an unusually large number of httpd processes, is the first sign.

Blessen@work > w
12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57

(The three numbers are the 1, 5 and 15 minute averages. The output above is a normal, lightly loaded machine and is shown for comparison.)

2) Count the httpd processes

[root@blessen root]# ps aux | grep -ic '[h]ttpd'
23

(`ps aux` is the correct BSD-style form; `ps -aux` triggers a "bad syntax" warning on procps. The `[h]ttpd` pattern keeps the grep command itself out of the count; `pgrep -c httpd` gives the same number.) Compare the figure with what the server normally runs; a count sitting at or near Apache's MaxClients is what you are looking for.

3) Determine the attacking network

bash# netstat -ntu | awk '$4 ~ /:80$/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

`-ntu` lists the established TCP and UDP sockets numerically; the awk keeps only connections whose local port is 80, the cut strips the client port, and the rest counts connections per source IP, busiest first. (Note that `netstat -l` shows only listening sockets, which carry no peer address, so it cannot tell you who is connected.)

If you see more than 30 connections from a single IP, chances are that you are under attack. Identify these networks for later reporting, perhaps by using the 'whois' command.

If more than 5 such hosts/IPs connect from the same network, that's a very clear sign of DDoS.

One caveat before blocking: a corporate NAT gateway or a proxy can legitimately open dozens of connections from one address. Check the Apache access log for those IPs first; an attack usually shows the same request repeated at a high rate, often with an odd or missing User-Agent.

4) Block the attacking network

iptables -I INPUT -s <Source IP> -j DROP

Use -I rather than -A so the rule lands at the top of the INPUT chain; an earlier ACCEPT rule for port 80 would otherwise match first and the DROP would never be reached. A whole network can be given in CIDR form, for example -s 198.51.100.0/24. The rule is lost at reboot unless you save it (iptables-save) or put it in your firewall's configuration.

If you run apf, add the address to /etc/apf/deny_hosts.rules instead.
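Steps 1 to 4 are a procedure that is worth scripting so it can be re-run during an incident. The script below is an added example, not code from the original post: it applies the post's two thresholds (more than 30 connections from one IP, more than 5 such IPs in one /24) to "address:port" lines in the form netstat prints in its Foreign Address column, and prints the iptables rules rather than running them, so they can be reviewed before anything is blocked. The connection data is constructed inline to stand in for live netstat output; IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's rule of thumb
# to netstat-style "address:port" lines and emit iptables rules for review.

PER_IP_LIMIT=30     # connections from a single IP before it is suspect
PER_NET_LIMIT=5     # suspect IPs in one /24 before the whole network is suspect

# Live input would be:  netstat -ntu | awk '$4 ~ /:80$/ {print $5}'
# Constructed stand-in for that output (sample data, not a real capture):
#   203.0.113.5        35 connections            -> over the per-IP limit
#   198.51.100.10-15   31 connections each       -> 6 hosts in one /24
#   192.0.2.7           3 connections            -> normal client
sample_conns() {
    i=0; while [ "$i" -lt 35 ]; do echo "203.0.113.5:$((40000 + i))"; i=$((i + 1)); done
    for h in 10 11 12 13 14 15; do
        i=0; while [ "$i" -lt 31 ]; do echo "198.51.100.$h:$((50000 + i))"; i=$((i + 1)); done
    done
    echo "192.0.2.7:51001"; echo "192.0.2.7:51002"; echo "192.0.2.7:51003"
}

# Strip the client port and print "count ip", busiest source first.
count_per_ip() {
    sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
}

# Source IPs with more than PER_IP_LIMIT connections, sorted for stable output.
flag_ips() {
    count_per_ip | awk -v lim="$PER_IP_LIMIT" '$1 > lim { print $2 }' | sort
}

# Given flagged IPs on stdin, print the /24 networks holding more than
# PER_NET_LIMIT of them (the post's "clear sign of DDoS").
flag_nets() {
    awk -F. '{ print $1 "." $2 "." $3 ".0/24" }' | sort | uniq -c \
        | awk -v lim="$PER_NET_LIMIT" '$1 > lim { print $2 }'
}

# Print the rules instead of applying them. -I puts the DROP at the top of
# the chain so an earlier ACCEPT for port 80 cannot shadow it.
block_rules() {
    while read -r src; do
        echo "iptables -I INPUT -s $src -j DROP"
    done
}

report() {
    echo "== connections per source IP =="
    sample_conns | count_per_ip
    echo "== IPs over $PER_IP_LIMIT connections =="
    sample_conns | flag_ips
    echo "== /24 networks with more than $PER_NET_LIMIT such IPs =="
    sample_conns | flag_ips | flag_nets
    echo "== proposed rules (review, then run) =="
    { sample_conns | flag_ips | flag_nets; sample_conns | flag_ips; } | block_rules
}

report
```

To use it on a live box, replace `sample_conns` with the netstat pipeline given in the comment and pipe the printed rules through `sh` only after checking the access log for the flagged addresses.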

===========================================================

5) How to reduce the exposure in future.

http://www.rfxnetworks.com/apf.php (APF, a host firewall front-end for iptables with its own deny lists)
http://freshmeat.net/projects/aide/ (AIDE, a file integrity checker; it does not stop a DDoS, but it tells you whether the box was altered while you were busy with one)

6) Implement sysctl-based protection. Enable the following in your '/etc/sysctl.conf' and apply it with 'sysctl -p' (on a multi-homed host with asymmetric routing, strict rp_filter drops legitimate packets, so test it before leaving it on):

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

7) Alternatively, if you would rather set the same values at boot from a script, add this to your '/etc/rc.local':

for f in /proc/sys/net/ipv4/{conf/*/rp_filter,tcp_syncookies}
do
    echo 1 > "$f"
done
