Wednesday 14 May 2014

DoS and DDoS attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attack in which a server's resources become unavailable to its intended users.

A DOS attack is an attempt to make a system or server unavailable to legitimate users and, finally, to take the service down. This is achieved by flooding the server's request queue with fake requests. After this, the server will not be able to handle the requests of legitimate users.

In general, there are two forms of DOS attack. The first form is one that can crash a server. The second form only floods a service.

In simple words, when a server is being flooded with fake requests coming from multiple sources (potentially hundreds of thousands), it is known as a DDOS attack. In this case, blocking a single IP address or a few of them does not work. The more members there are in the zombie network, the more powerful the attack is. For creating the zombie network, hackers generally use a Trojan.

There are basically three types of DDOS attacks:

Application layer DDOS attack: Application-layer DDOS attacks target vulnerabilities in Windows, Apache, OpenBSD, or other software to perform the attack and crash the server.

Protocol DDOS attack: A protocol DDOS attack is a DOS attack at the protocol level. This category includes SYN flood, Ping of Death, and more.

Volume-based DDOS attack: This type of attack includes ICMP floods, UDP floods, and other kinds of floods performed via spoofed packets.

How to troubleshoot:

List of IPs with the maximum number of connections to the server:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Remember that DDOS becomes more complex as attackers use fewer connections from a larger number of attacking IPs.

The number of active connections open to the server (and, in the second command, how many of them are still in the SYN handshake):

netstat -n | grep :80 |wc -l

netstat -n | grep :80 | grep SYN |wc -l

Ex:
cd /edu-log/edurite/
awk '{print $1}' 20140505.access.log | sort | uniq -c | sort -nr | more


Trace the IP using the following URL:

http://tools.whois.net/whoisbyip/

One example of how to block a particular IP on the server:

iptables -A INPUT -s 27.153.186.129 -j DROP

/etc/init.d/iptables save
/etc/init.d/firewall restart
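The troubleshooting steps above (count connections per remote IP, watch half-open SYN connections, then decide which IPs to block) can be wrapped in a few shell functions. This is an added example, not part of the original post; it reads netstat-style text from stdin, assumes the Linux `netstat -an` column layout (field 4 local address, field 5 remote address, field 6 state), and uses a constructed sample with documentation addresses instead of real attacker IPs.

```shell
#!/bin/sh
# Added example: summarise netstat-style output the way the post's pipelines do,
# then list the remote IPs that exceed a connection threshold as block candidates.

# Constructed sample of `netstat -an` output (fake addresses, not real attackers).
# 192.0.2.10 holds 3 TCP connections (2 half-open) plus 1 UDP flow to this host.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80        192.0.2.10:51234    ESTABLISHED
tcp        0      0 10.0.0.5:80        192.0.2.10:51235    SYN_RECV
tcp        0      0 10.0.0.5:80        192.0.2.10:51236    SYN_RECV
tcp        0      0 10.0.0.5:80        198.51.100.7:40001  ESTABLISHED
tcp        0      0 10.0.0.5:22        203.0.113.9:33000   ESTABLISHED
udp        0      0 10.0.0.5:53        192.0.2.10:5353
tcp        0      0 10.0.0.5:80        198.51.100.7:40002  TIME_WAIT'

# Print "count ip" for every remote address, busiest first
# (the post's netstat | awk | cut | sort | uniq -c pipeline, reading stdin).
count_per_ip() {
    grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the IPs with at least $1 connections: candidates to review,
# rate-limit or block. Pick the threshold from normal traffic, not from the attack.
suspects() {
    threshold="$1"
    count_per_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Number of half-open (SYN_RECV) connections to local port 80; a sudden spike
# relative to ESTABLISHED connections is the classic SYN flood signature.
syn_count() {
    awk '$4 ~ /:80$/ && $6 ~ /SYN/' | wc -l | tr -d ' '
}

# Emit (but do not run) the post's iptables rule for each suspect so an
# administrator can review the list before applying it.
block_commands() {
    suspects "$1" | while read -r ip; do
        echo "iptables -A INPUT -s $ip -j DROP"
    done
}

# Demo on the constructed sample: top talkers, SYN count, proposed rules.
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | syn_count
printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 3
```

In production, replace the sample with `netstat -an | count_per_ip` (or `ss -tan`, adjusting the field numbers) and remember that a distributed flood shows many IPs with only a handful of connections each, so the per-IP threshold alone will not catch it.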

Ref:

http://webhosting.uk.com/kb/how-to-check-if-your-linux-server-is-under-ddos-attack/
http://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/
