Pages

Thursday, December 21, 2023

Navigating Server Security: A Comprehensive Guide to Mitigating DDoS Attacks

Distributed Denial of Service (DDoS) attacks can cripple your server, disrupting operations and services. Understanding how to detect and mitigate these attacks is crucial for maintaining uptime and security. This blog provides a structured approach to identifying, combating, and preventing DDoS attacks.

Confirming a Potential Attack

Understanding Connection States: Use the netstat command to analyze the state of network connections:

netstat -an|awk '/tcp/ {print $6}'|sort|uniq -c

This command will list the number of connections in various states:

  1. ESTABLISHED: Valid connections to the server.
  2. SYN_SENT: Active attempts at establishing connections.
  3. SYN_RECV: Received connection requests.
  4. FIN_WAIT: Closing sockets.
  5. TIME_WAIT: Sockets waiting post-closure to handle remaining packets.
  6. LISTEN: Sockets listening for incoming connections.
  7. LAST_ACK: Awaiting acknowledgment after remote shutdown.

A high count in SYN_SENT, SYN_RECV, TIME_WAIT, or FIN_WAIT indicates a likely attack.

Initial Defensive Tweaks

Adjusting System Configuration: Tweak the /etc/sysctl.conf settings to reduce vulnerability:

# Enable TCP SYN cookie protection net.ipv4.tcp_syncookies = 1 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 3 # Turn off the tcp_window_scaling and tcp_sack net.ipv4.tcp_window_scaling = 0 net.ipv4.tcp_sack = 0

Apply changes with sysctl -p.

Identifying the Attack Vector

Determining the Source: If the attack comes from a single or few IPs, block them using the firewall. If the attack is distributed, deeper investigation is necessary.

Pinpointing the Targeted Port: When SYN_RECV connections are high, identify the targeted port with:

netstat -lpan | grep SYN_RECV | awk '{print $4}' | cut -d: -f2 | sort | uniq -c | sort -nk 1

Use tcpdump to further analyze traffic to a specific port:

tcpdump -nn -tttt -i any port 80

Mitigating the Attack

Adjusting Apache Settings: If the attack targets a web service, modify Apache configurations to handle increased load:

MaxClients 500 
KeepAlive On 
KeepAliveTimeout 3 
/etc/init.d/httpd restart

Isolating the Affected Domain/IP: Use netstat to determine if a specific IP is targeted. Check Apache logs or use the top command to identify if a particular domain is under attack.

Advanced Defense Strategies

Employing ModSecurity and Firewall Rules:

  1. Disable ModSecurity’s automatic IP blocking.
  2. Add specific rules to block malicious traffic to targeted domains.
  3. Use iptables to block access to the domain on port 80:
iptables -I INPUT -p tcp --dport 80 -m string --string "domain.com" --algo bm -j DROP

Implementing Bandwidth Throttling: Limit connections to the targeted domain to reduce the load.

Nullrouting as a Last Resort: If the situation doesn't improve, nullroute the IP causing issues:

iptables -I INPUT -d XX.XX.XX.XX -j DROP

For dedicated IPs, remove them from /etc/ips and restart ipaliases. For shared IPs, consider reducing the TTL and reassigning domains.

Preventative Measures

Fortifying the Server with iptables: Add rules to mitigate future attacks:

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

Conclusion: DDoS attacks are a formidable threat, but with the right knowledge and tools, you can protect your server and ensure it remains secure and operational. Regularly update your configurations, monitor your traffic, and stay informed about new attack methods to maintain robust security.


Understanding Predefined Scheduling in CRON

Cron is a time-based job scheduler in Unix-like operating systems, allowing users to schedule jobs (commands or scripts) to run periodically at fixed times, dates, or intervals. It's particularly useful for automating system maintenance or administration tasks. However, writing CRON expressions might be daunting for some. That's where predefined scheduling definitions come in handy. These special values can substitute complex expressions in the CRON format and make scheduling more intuitive. Here's a guide to understanding these predefined schedules.

@yearly (or @annually)

  • Description: Runs once a year at midnight on the morning of January 1st.
  • Equivalent To: 0 0 1 1 *

@monthly

  • Description: Runs once a month at midnight on the morning of the first of the month.
  • Equivalent To: 0 0 1 * *

@weekly

  • Description: Runs once a week at midnight on Sunday morning.
  • Equivalent To: 0 0 * * 0

@daily

  • Description: Runs once a day at midnight.
  • Equivalent To: 0 0 * * *

@hourly

  • Description: Runs once an hour at the beginning of the hour.
  • Equivalent To: 0 * * * *

@reboot

  • Description: Runs at startup. This is particularly useful for jobs that need to start whenever the system boots up.
  • Equivalent To: @reboot

Special Note on Seconds Field

In some cron implementations, like Quartz, there's an additional seconds field at the beginning of the pattern. This provides even more granularity, allowing you to schedule tasks down to the second. When using such systems, remember to account for this extra field in your expressions.

Benefits of Predefined Schedules

  1. Simplicity: They make writing and understanding CRON jobs much simpler, especially for those new to cron schedules.
  2. Readability: It’s immediately clear when the job is supposed to run.
  3. Maintenance: Easier to remember and modify without needing to refer to CRON syntax.

When to Use Them

Predefined schedules are incredibly useful for common tasks that need to run at regular intervals, like daily backups, weekly reports, or monthly maintenance. They remove the complexity of writing and understanding traditional CRON expressions, making your cron jobs easier to manage.