DDoS, prevention, cure! – Part 2

DDoS/DoS Prevention and Cure:

DDoS/DoS attacks cannot be completely prevented by any service provider, but certain measures can help reduce the impact of an attack.

Companies must develop and enforce strict policies and rules that ensure best practices are followed. Security policies must be kept up to date. Having an AUP (Acceptable Use Policy) is a key tool for removing abusive users from the network/system.

Having a separate team to which abuse incidents can be reported and escalated is good practice.

Upgrades and Updates: Thorough testing must be done before a system is introduced to a production environment. Security should be considered from the start of the system design. Things to consider include:

  • Operating system lockdown and removal of any unnecessary processes, services and software. This should be done via scripts or checklists, preferably developed using industry best practices.
  • Review of system protocols to ensure communication paths are properly authenticated and, if necessary, encrypted.
  • Scanning of the systems to confirm and, if necessary, mitigate any security risks found.
  • If software source code is available, security source code reviews should be performed to eliminate buffer overflows and other vulnerabilities.
  • Apply patches promptly.

Here are some steps by which the impact of a DDoS can be reduced to a certain extent.

Set up machines and the network with security in mind (implement a good security policy).

Set up a firewall that does ingress and egress filtering at the gateway.

Eg: Steps to install APF

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -zxf apf-current.tar.gz

cd apf-<version number>

./install.sh

Notes: Go through the documentation shipped with APF and configure it for your needs. All configuration is set in conf.apf, which is normally located at /etc/apf/conf.apf.

Enable Anti-DOS mode in APF (i.e. in conf.apf). Also make sure that root's crontab has an entry like the one below:

*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1

Install an IDS on your gateway/hosts to alert you when someone tries to break in.

Eg: AIDE (a host-based intrusion detection system that checks file integrity)

wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz

tar -zxvf aide-0.7.tar.gz

cd aide-0.7

./configure --with-gnu-regexp

Final steps to install: make; make install. Now the main step: configuring AIDE. AIDE stores all its rule sets in a file called aide.conf. Let's populate it; see man aide.conf for full details on how to configure it.

Here is a sample short aide.conf:

Rule = p+i+u+g+n+s+md5

/etc p+i+u+g

/sbin Rule

/usr/local/apache/conf Rule

/var Rule

!/var/spool/.*

!/var/log/.*

In the configuration listed above, a rule called “Rule” is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). These rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes only in permissions, inode, user, and group because their size may change, but the other attributes shouldn't. Files and directories in /var/spool and /var/log are not checked because those are the folders where the most frequent updates take place.

After configuring, AIDE's database should be initialised with these rules.

For that, execute aide --init
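To make the rule semantics concrete, here is a small file-integrity checker written as an added example for this page (it is not AIDE's code). It reads the same aide.conf syntax shown above, records the selected attributes of each entry as a baseline, and reports which attributes changed on a later run. The directory tree, file names and contents it checks are constructed inside a temporary directory, so it runs anywhere:

```python
# Toy file-integrity checker following the aide.conf rule syntax above (added example, not AIDE's code).
import hashlib
import os
import re
import shutil
import stat
import tempfile
# AIDE attribute letters -> how to read that attribute for a path.
ATTRS = {
    "p": lambda st, path: stat.S_IMODE(st.st_mode),  # permissions
    "i": lambda st, path: st.st_ino,                  # inode
    "u": lambda st, path: st.st_uid,                  # owner
    "g": lambda st, path: st.st_gid,                  # group
    "n": lambda st, path: st.st_nlink,                # link count
    "s": lambda st, path: st.st_size,                 # size
    "md5": lambda st, path: md5_of(path),             # content hash (files only)
}

def md5_of(path):
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def parse_conf(text):
    """Parse 'Name = a+b' macros, '/path rule' selections and '!regex' exclusions."""
    macros, selections, excludes = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            excludes.append(re.compile(line[1:]))
        elif line.startswith("/"):
            path, expr = line.split(None, 1)
            selections.append((path, expr))
        elif "=" in line:
            name, expr = (part.strip() for part in line.split("=", 1))
            macros[name] = expr
    # A selection may name a macro ("Rule") or spell the attributes out ("p+i+u+g").
    return [(p, macros.get(e, e).split("+")) for p, e in selections], excludes

def snapshot(root, rules, excludes):
    """Record the selected attributes of every entry under each selected path."""
    db = {}
    for rel, attrs in rules:
        for dirpath, _dirs, files in os.walk(root + rel):
            for name in [""] + files:  # "" stands for the directory entry itself
                full = os.path.join(dirpath, name) if name else dirpath
                logical = full[len(root):]  # the path as aide.conf would name it
                if any(rx.match(logical) for rx in excludes):
                    continue
                st = os.lstat(full)
                db[logical] = {a: ATTRS[a](st, full) for a in attrs}
    return db

def compare(baseline, current):
    """Return {path: [changed attributes]}; 'added'/'removed' for new or missing entries."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report[path] = ["removed"]
        elif path not in baseline:
            report[path] = ["added"]
        else:
            changed = [a for a in baseline[path] if baseline[path][a] != current[path][a]]
            if changed:
                report[path] = changed
    return report

CONF = """Rule = p+i+u+g+n+s+md5
/etc p+i+u+g
/sbin Rule
/var Rule
!/var/log/.*
"""

def write(path, body, mode="w"):
    with open(path, mode) as fh:
        fh.write(body)

def demo():
    """Baseline a constructed tree (the files below are made up), tamper with it, return the report."""
    root = tempfile.mkdtemp()
    try:
        for d in ("etc", "sbin", "var/log"):
            os.makedirs(os.path.join(root, d))
        write(root + "/etc/hosts", "127.0.0.1 localhost\n")
        write(root + "/sbin/init", "#!/bin/sh\nexit 0\n")
        write(root + "/var/log/messages", "boot\n")
        rules, excludes = parse_conf(CONF)
        baseline = snapshot(root, rules, excludes)
        write(root + "/sbin/init", "#!/bin/sh\nexit 1\n")       # same size: only md5 catches it
        write(root + "/var/log/messages", "more\n", "a")       # excluded by !/var/log/.*
        write(root + "/etc/hosts", "10.0.0.1 example\n", "a")  # size grows; the /etc rule ignores size
        return compare(baseline, snapshot(root, rules, excludes))
    finally:
        shutil.rmtree(root)
```

The tampering step rewrites /sbin/init with content of the same size, so only the md5 attribute catches it; the append to /etc/hosts changes only the size, which the /etc rule deliberately ignores, and /var/log is excluded, so the report contains just /sbin/init. In practice, keep the baseline database somewhere an intruder on the host cannot rewrite it (read-only media or another machine); a baseline the attacker can regenerate proves nothing.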

Conduct regular audits on each host on the network to find installations of DDoS tools or vulnerable applications.

Use tools like RKDET (vancouver-webpages.com/rkdet), RKHUNTER (www.rootkit.nl) and CHKROOTKIT (www.chkrootkit.org) to find out whether a rootkit has already been installed and to locate the affected binaries on the machine, if any.

Below is a simple audit checklist to be run on each host.

Eg: Audit Check List

* Software Vulnerabilities.

* Kernel Upgrades and vulnerabilities.

* Check for any Trojans.

* Run chkrootkit.

* Check ports.

* Check for any hidden processes.

* Use audit tools to check the system.

* Check logs.

* Check binaries and RPMs.

* Check for open email relays.

* Check for malicious cron entries.

* Check /dev /tmp /var directories.

* Check whether backups are maintained.

* Check for unwanted users, groups, etc. on the system.

* Check for and disable any unneeded services.

* Locate malicious scripts.

* Enable query logging in DNS.

* Check for SUID scripts and scripts owned by no valid user (nouser).

* Check whether any scripts in /tmp are legitimate.

* Use intrusion detection tools.

* Check the system performance.

* Check memory performance (run memtest).

Enforce and implement security measures on all hosts in the network.

Machines, new or old, should only be allowed to run on your network if your Security Admin or a DSE (Dedicated Security Expert) team member approves them with the status “OK to go live” after auditing the box. All hosts in the network should be checked on a regular basis by your DSE team to make sure that all hosts are up to date and can withstand attacks.

Audit the network on a regular basis to see whether it is vulnerable to attacks.

Use open source tools like NESSUS (www.nessus.org), NMAP (www.insecure.org/nmap), SAINT (www.saintcorporation.com/products/saint_engine.html) and SARA (www-arc.com/sara/sara.html) to audit a network and find its vulnerabilities.

Create a DSE (Dedicated Security Expert) team for your company.

Collect your network and host data. Analyse and study it to see from where and what kind of attacks are coming into the network. This step will help us understand what kind of attacks we are facing and will help us strengthen the preventive measures. Let me tell you, this move is worth the money you spend, for sure.

Implement sysctl protection against DDoS

Eg:

vi /etc/sysctl.conf

Add the lines below:

# Enable IP spoofing protection, turn on Source Address Verification

net.ipv4.conf.all.rp_filter = 1

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

Add the lines below to /etc/rc.local and restart the network:

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
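As an added check for this page (not part of the original post or of sysctl), the following audits a sysctl.conf-style file for the settings above. It parses the same syntax that sysctl -p reads, so it catches a later duplicate line silently overriding an earlier one. The net.ipv4.conf.default.rp_filter key is this example's own assumption, added so that interfaces brought up after boot inherit reverse-path filtering; both sample configs are constructed:

```python
# Audit sysctl.conf text for the anti-DDoS settings above (added example; not part of the post or sysctl).

# Values the post recommends, plus the per-interface default so that interfaces
# brought up later inherit reverse-path filtering (that third key is an assumption).
RECOMMENDED = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
}

def parse_sysctl(text):
    """Return {key: value} from sysctl.conf syntax: blank lines and lines starting with
    # or ; are ignored, everything else must be 'key = value'; a later line for the
    same key wins, which is also how sysctl -p applies the file."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key = value, got %r" % (lineno, raw))
        key, value = (part.strip() for part in line.split("=", 1))
        # sysctl also accepts a/b/c for a.b.c; interface names containing dots
        # need the slash form and are not handled by this simple normalisation.
        settings[key.replace("/", ".")] = value
    return settings

def audit(text, recommended=RECOMMENDED):
    """Return (key, found, wanted) for every recommended setting that is absent or differs."""
    settings = parse_sysctl(text)
    return [(key, settings.get(key, "missing"), wanted)
            for key, wanted in recommended.items()
            if settings.get(key, "missing") != wanted]

# Constructed sample: looks hardened at a glance, but a later line overrides the first.
WEAK_CONF = """
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
; added later by someone debugging asymmetric routing
net.ipv4.conf.all.rp_filter = 0
"""

# Constructed sample with every recommended key set.
HARDENED_CONF = """
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
"""

if __name__ == "__main__":
    for key, found, wanted in audit(WEAK_CONF):
        print("%s is %s, want %s" % (key, found, wanted))
```

Running it on WEAK_CONF reports rp_filter as 0 and the other two keys as missing; on HARDENED_CONF it reports nothing. The file only describes intent, so after editing it also confirm the live values with sysctl (for example sysctl net.ipv4.tcp_syncookies) rather than trusting the file alone.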

Install mod_dosevasive (mod_evasive) in your Apache.

mod_dosevasive is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation steps for mod_dosevasive in DSO mode below.

Install mod_dosevasive

wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

tar -zxvf mod_evasive_1.10.1.tar.gz

cd mod_evasive_1.10.1

$APACHE_ROOT/bin/apxs -iac mod_evasive.c

Don't be put off by the variable “$APACHE_ROOT”. It is nothing but a simple variable that stores the location of the Apache installation (eg $APACHE_ROOT=/usr/local/apache).

vi /usr/local/apache/conf/httpd.conf

After this, add the block below to httpd.conf (the IfModule name must match the source file compiled above, mod_evasive.c, or the directives are silently skipped):

<IfModule mod_evasive.c>

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10

</IfModule>

/usr/local/apache/bin/apachectl restart
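To show what those directives do, here is a request throttle modelled on mod_evasive's documented behaviour, written as an added example for this page (it is not the module's code). DOSPageCount/DOSPageInterval limit hits to the same URI per client, DOSSiteCount/DOSSiteInterval limit hits to the whole site per client, and DOSBlockingPeriod is how long a client that exceeds either limit is refused, with the timer restarting on every request made during the block. DOSHashTableSize only sizes the module's memory and is not modelled; the request trace at the bottom is constructed:

```python
# Per-client request throttle modelled on the mod_evasive directives above
# (added example for this page; not mod_evasive's code; the trace is constructed).

class EvasiveLimiter:
    def __init__(self, page_count=2, site_count=50, page_interval=1.0,
                 site_interval=1.0, blocking_period=10.0):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.page_hits = {}   # (ip, uri) -> (window start, hits)   cf. DOSPageCount
        self.site_hits = {}   # ip -> (window start, hits)          cf. DOSSiteCount
        self.blocked = {}     # ip -> time the block expires         cf. DOSBlockingPeriod

    @staticmethod
    def _count(table, key, now, interval):
        """Count a hit in a fixed window; start a fresh window once the old one expired."""
        start, hits = table.get(key, (now, 0))
        if now - start >= interval:
            start, hits = now, 0
        table[key] = (start, hits + 1)
        return hits + 1

    def allow(self, ip, uri, now):
        """True if the request may proceed, False if it should be answered with 403."""
        if ip in self.blocked:
            if now < self.blocked[ip]:
                # Every request during the block restarts the blocking period.
                self.blocked[ip] = now + self.blocking_period
                return False
            del self.blocked[ip]
        if (self._count(self.page_hits, (ip, uri), now, self.page_interval) > self.page_count
                or self._count(self.site_hits, ip, now, self.site_interval) > self.site_count):
            self.blocked[ip] = now + self.blocking_period
            return False
        return True


def replay(trace, **settings):
    """Run a list of (ip, uri, seconds) through one limiter and return the verdicts."""
    limiter = EvasiveLimiter(**settings)
    return [limiter.allow(ip, uri, t) for ip, uri, t in trace]


# Constructed trace: one client hammers a page, another browses normally.
TRACE = [
    ("10.0.0.5", "/", 0.0),        # 1st hit on / within 1 s
    ("10.0.0.5", "/", 0.2),        # 2nd hit: still at DOSPageCount
    ("10.0.0.5", "/", 0.4),        # 3rd hit: over the limit -> blocked for 10 s
    ("10.0.0.5", "/about", 0.5),   # any URI from a blocked client is refused
    ("192.0.2.9", "/", 0.5),       # unrelated client is unaffected
    ("10.0.0.5", "/", 11.0),       # block expired (0.5 + 10 s) -> allowed again
]

if __name__ == "__main__":
    for request, verdict in zip(TRACE, replay(TRACE)):
        print(request, "allowed" if verdict else "403")
```

Because the key is the client IP, requests arriving through a shared proxy or NAT gateway all count against one client and can block a whole office; mod_evasive's DOSWhitelist directive exists for that case. Note also that a module-level block only saves Apache worker time; the packets still reach the server, so it complements rather than replaces the network-level filtering described earlier.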

Install mod_security.

Since DDoS normally targets HTTP, it is always good to have a filtering system for Apache so that each request gets analysed before the web server handles it. Please find the installation steps for mod_security in DSO mode below.

Eg: Installation Steps

wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz

tar -zxvf modsecurity-apache-1.9.2.tar.gz

cd modsecurity-apache-1.9.2

/usr/local/apache/bin/apxs -cia mod_security.c

Create a file named mod_security.conf under the folder /usr/local/apache/conf:

vi /usr/local/apache/conf/mod_security.conf

Create the rules with reference to http://www.modsecurity.org/documentation/quick-examples.html and add them to the mod_security.conf file.

Add the location of mod_security.conf to httpd.conf:

vi /usr/local/apache/conf/httpd.conf

Add the line below:

Include /usr/local/apache/conf/mod_security.conf

/usr/local/apache/bin/apachectl stop

/usr/local/apache/bin/apachectl start

DDoS, prevention, cure! – Part 1

DDoS – Distributed Denial of Service. Wiki: http://en.wikipedia.org/wiki/Denial-of-service_attack

DDoS is an attack on a computer/server or its resources that makes it unavailable to its intended users.

Web hosts must be familiar with this term and will be a victim at least once. The intention of this post is to give a brief description of DDoS, its prevention and the cure if affected. Please note that this will not serve as a perfect guide to the mentioned “subject line”, but as a “tip note”.

Understanding DDoS:

The four programs most commonly used by attackers to launch DDoS attacks are

  1. Trinoo
  2. TFN
  3. TFN2K
  4. Stacheldraht

Symptoms of DDoS:

  1. Unusually slow network performance (opening files or accessing web sites)
  2. Unavailability of a particular web site
  3. Inability to access any web site
  4. Dramatic increase in the number of spam emails received—(this type of DoS attack is considered an e-mail bomb)
  5. Packet loss for pings to IP/Domain

How DDoS is done:

Pictorial representation of Stacheldraht DDoS attack.

In a Stacheldraht DDoS attack, the attacker uses a client program to connect to the handlers, a set of compromised machines that issue commands to the agents, which in turn carry out the DDoS attack. The agents are another set of machines, compromised by the attacker via the handlers. Each handler can control thousands of agents, and all these widely distributed agents flood the target server, thereby increasing the impact of the attack.

DoS and DDoS are not the same:

If the attacker initiates an attack from a single host, it is classified as a DoS  as it is not ‘distributed’. In fact, any attack against availability would be classed as a Denial of Service attack. On the other hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.

Then what is DRDoS? DRDoS is Distributed Reflected Denial of Service. These attacks forge the source address of the IP packets with the victim's IP and send pings/packets to intermediate hosts. When the intermediate hosts send back the replies to these pings, they go to the victim's IP, thereby flooding the victim.

Some other types/methods of DDoS/DRDoS/DoS attacks are:

Reflective ICMP attack: The reflective ICMP attack uses public sites like google.com that respond to ICMP ping requests. The attacker spoofs the victim's IP and sends requests to the public servers, which then reply to the victim's actual IP.

TCP SYN flood attack: The attacker sends a packet with the SYN bit set, the first step of the well-known TCP three-way handshake. The victim responds to the request by sending a reply packet with the SYN and ACK bits set, but the attacker never responds, thereby filling the TCP receive queues and denying new TCP connections. Modern UNIX and Windows systems mitigate this by increasing the queue size and limiting the number of TCP SYN packets allowed.

UDP attacks: UDP is one of the most effective vehicles for DDoS/DoS attacks. UDP is a stateless protocol and does not have any acknowledgement mechanism by design. PROTOS, the SNMP test suite, and other SNMP tools have been used successfully to launch application-level DoS attacks. The Slammer worm was extremely fast because it did not require a response from the compromised computer.

TTL Expiration: The attacker forges the victim's IP and sends packets with a low TTL so that they expire in transit at a high-speed router. When the TTL reaches zero, the router drops the packet and sends an ICMP TTL expired message to the source address, i.e. the victim's IP. This attack can be mitigated by rate limiting ICMP on all routers in the service provider's network.

Permanent DoS attacks (PDoS): PDoS is an attack that damages the system so badly that the hardware needs to be replaced or reinstalled. PDoS is a purely hardware-targeted attack in which the attacker modifies the device firmware by the legitimate method called flashing. The attacker replaces the hardware firmware with his own modified version, which makes the device unstable and renders it useless for the purpose for which it was designed. This is done by exploiting hardware security flaws that allow remote administration of devices such as routers, printers and other networking hardware.

Degradation of Service attacks: The compromised computers are used by the attackers to launch short-lived floods against the victim's website, which slow the website down rather than crashing it. This is degradation of service rather than denial of service, and it is more severe than DoS because it is pretty difficult to detect and resolve.

Unintentional Denial of Service: A sudden spike in a website's popularity is the major cause of this. It happens when an extremely popular website posts a link to a second site as a reference for a news item or article. This leads to a significant increase in traffic to the secondary website, which results in the server/services crashing. An example of this happened when Michael Jackson died in 2009, which took down sites like Google and Twitter. (In this case you can't just blame someone ;) )

Blind Denial of Service: In a denial of service that is not blind, the attacker must be able to receive traffic from the victim, so the attacker must either subvert the routing fabric or use the attacker's own IP address. Either provides an opportunity for the victim to track the attacker and/or filter out his traffic. With a blind attack the attacker uses forged IP addresses, making it extremely difficult for the victim to filter out those packets. The TCP SYN flood attack is an example of a blind attack. Designers should make every attempt possible to prevent blind denial of service attacks.


Blacklisted ? Switch your Mail Server IP

Hello,

I’m pretty sure that many of us are tired of the word ‘Spam’. How about your mails being rejected from your domain when sending to top-level e-mail providers like GMail, Yahoo and MSN Hotmail? It may be a familiar, weird issue to many of you. This post is about how to tackle those situations. If you are an end user, please contact your system admin. But if you are the one by that name, read on!

Case

E-mails to the top-level providers are being rejected because your server IP is blacklisted. You can check whether your server IP is blacklisted at: http://www.mxtoolbox.com/blacklists.aspx (read xxx.xxx.xxx.xx as your server IP)

When the IP is entered and you click ‘Blacklist Check’, the resulting screen shows the listings (assuming your server IP is on a blacklist).

There you go, your server IP is blacklisted; the only thing that varies is the number of blacklists. So, what is the solution? Most will prefer to provide a dedicated IP to the domain that is having the issue. But when the whole server IP is blacklisted, this will not work. But as usual, there is nothing new under the Sun!!

Solution

Switch the Mail server IP of the Server.

Work

Find a free IP and make sure it is allocated to the server, or else add it to the server. That is up to you. After this, there are a few steps, which are just a walk in the park :)

1) Access the WHM of the server as root. Go to Exim Configuration Editor. Find the category Domains and IPs, and enable this option:

Send outgoing mail from the ip that matches the domain name in /etc/mailips (*: IP can be added to the file to change the main outgoing interface)

Save the Changes.

2) Log in to the server through SSH and switch to root

root@server[~]# vi /etc/mailips

Add this line
*: xxx.xxx.xxx.xx (your mail server IP)

So the following should be seen when reading the content of /etc/mailips

root@server[~]# cat /etc/mailips
*: xxx.xxx.xxx.xx

3) Add a reverse DNS entry for the IP; you may need to contact the DC (data centre) for this. When you have finished, do the following steps:

root@server[~]# vi /etc/mail_reverse_dns

Add this line
xxx.xxx.xxx.xx: hostname

4) Change the file attributes of /etc/mailips (mark it immutable so it is not overwritten)

root@server[~]# chattr +i /etc/mailips
root@server[~]# lsattr /etc/mailips
----i-------- /etc/mailips

5) Final steps: build the Exim config file to reflect the changes and restart the Exim service

root@server[~]# /scripts/buildeximconf
root@server[~]# service exim restart

Case resolved! Now you should be able to send e-mails everywhere. Try it.


File Transfer Protocol (FTP)

Hello there. Many of us are familiar with the term FTP, but we hardly know how complex its workings are. Let's take a look at FTP in this post.

In this post, I would rather explain the concepts less in words, but more with the aid of Pictures. A Picture is worth a thousand words, isn’t it ?!

File Transfer Protocol (FTP) is a network protocol used to transfer files from one host to another over a network, such as the Internet. FTP is based on a client-server architecture. It has separate control and data connections between the client and server. FTP is TCP based and works on two ports.

FTP Ports

FTP relies on a pair of TCP ports and hence operates over two connection channels.

Port 20 – FTP Data Channel: This port is used for the data transfer between the client and the server. Any data from the server (such as the directory listing that the command ls requests from the server) goes over this port.

Port 21 – FTP Control Channel: The commands we send and the FTP server's responses go through this port.

But the ports are not always 20 and 21; it depends on the type of FTP connection.

Types of FTP

From a Networking perspective, there are two types of FTP :

(i) Active FTP
(ii) Passive FTP

From a User perspective, FTP can be classified into :

(i) Regular FTP
(ii) Anonymous FTP

Active FTP

a) The client machine initiates an FTP control connection from a high port (usually greater than 1024) to port 21 on the server. For example, when the command ‘ls’ is issued, it is sent over this connection.
b) The server initiates the data connection from port 20 to the port specified by the client. The listing produced by the ls command comes back over this connection.

This is a secure mode for the server, since port 20 is only open for active FTP connections. If the client is protected by a firewall, there is a probability that the connection gets blocked, since the firewall may block the port that has to be opened in order to establish the connection. Active mode FTP operates on the client side: the client doesn't establish the actual data connection with the server; rather, it simply tells the server what port it is listening on and the server connects back to that port on the client. To the client's firewall this appears to be an external system initiating a connection to an internal client, and that is why the connection usually gets blocked.

Passive FTP

a) The client machine initiates an FTP control connection from a high port (usually greater than 1024) to port 21 on the server. The server responds with the port that it has opened for the data connection.
b) The client initiates the data connection from its high port to the high port specified by the server.

This is the most widely used FTP connection mode nowadays. It was developed as an alternative to the server initiating the connection to the client. It is not a secure mode for the server, since the connection is established between high ports of the client and server. The server doesn't know exactly which port should be kept open, so it needs to open a range of ports for establishing the connection. But most FTP daemons allow the administrator to specify which ports should be opened on the server for establishing the connection. Since the client initiates all the required connections, passive FTP works better for clients protected by a firewall.
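The port negotiation the two modes rely on is easy to get wrong in firewalls, so here is an added example for this page (not from the original post) that decodes both sides of it: the client's PORT command in active mode and the server's 227 reply in passive mode, each carrying the address as six comma-separated octets where the port is p1*256+p2. It also reports which side has to accept an inbound connection and flags a passive reply that advertises a host other than the server you are talking to, which is what a NAT'd server does when its FTP daemon is not told its public address. The addresses used are constructed:

```python
# Decode the port negotiation behind active and passive FTP (added example for this page;
# not from the original post; addresses are constructed documentation/private ranges).
import re

PASV_REPLY = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_COMMAND = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % (groups,))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port) the client must connect to."""
    m = PASV_REPLY.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _decode(m.groups())


def parse_port(command):
    """'PORT h1,h2,h3,h4,p1,p2' -> (host, port) the server must connect back to."""
    m = PORT_COMMAND.match(command)
    if not m:
        raise ValueError("not a PORT command: %r" % command)
    return _decode(m.groups())


def build_port(host, port):
    """Encode the client's listening socket as a PORT command (active mode)."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def data_channel(mode, client_ip, server_ip, message):
    """Say who opens the data connection and to where.

    mode is 'active' (message is the client's PORT command) or 'passive'
    (message is the server's 227 reply).  A 227 reply whose host differs from
    the control connection's peer is flagged: a server behind NAT often
    advertises its private address, and a client that trusts it connects to
    the wrong host, so many clients fall back to the control peer's address.
    """
    if mode == "active":
        host, port = parse_port(message)
        return {"initiator": "server", "from": (server_ip, 20),
                "to": (host, port), "warning": None}
    host, port = parse_pasv(message)
    warning = None
    if host != server_ip:
        warning = "227 reply advertises %s but control peer is %s" % (host, server_ip)
    return {"initiator": "client", "from": (client_ip, "ephemeral"),
            "to": (host, port), "warning": warning}


if __name__ == "__main__":
    # Constructed exchange: client 198.51.100.7, server 192.0.2.10.
    print(data_channel("active", "198.51.100.7", "192.0.2.10", build_port("198.51.100.7", 50069)))
    print(data_channel("passive", "198.51.100.7", "192.0.2.10",
                       "227 Entering Passive Mode (192,0,2,10,195,149)."))
```

The "initiator" field is what a firewall rule has to be written around: in active mode the client side must accept an inbound connection from the server's port 20 to an ephemeral port, which is exactly what a stateful client-side firewall refuses; in passive mode it is the server that must accept inbound connections on the whole configured passive port range. The warning case matters for the server-side administrator as well, since it usually means the daemon's public address setting was never filled in.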

Anonymous FTP

Anonymous FTP accounts come into play when a group of unknown users needs to interact with a web server or website frequently. Using anonymous FTP, users can exchange files with the website with limited access to the server. The virtue of anonymous FTP is that a user can access public files like documents, music and other material without being an official member of the server or website. Usually anonymous FTP connections land in the directory ‘public_ftp’. Anonymous users do not get access to anywhere else on the server. The username is ‘anonymous’. The password is your e-mail address. Some servers will let you in without providing a password.

Secure FTP

Secure FTP (FTPS) is an extension to FTP that adds support for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols. It should not be confused with SFTP, which performs all operations over an encrypted SSH transport.

A widely implemented security extension to the FTP protocol is the use of SSL (Secure Sockets Layer) version 3.0 or TLS (Transport Layer Security) version 1.0. Since the SSL/TLS protocols sit above the TCP/IP transport layer, it is relatively easy to add a secure mode to protocols such as HTTP and FTP.

Secure extensions provide strong authentication, integrity, and confidentiality on both the control and data channels.

There are two types of Secure FTP :

(i) Explicit Security
(ii) Implicit Security

Explicit Security

In explicit security, to establish the SSL link the FTP client must issue a specific command to the FTP server after establishing the connection. The default FTP server port (port 21) is used.

Implicit Security

In the implicit method, security begins automatically with an SSL connection immediately after the FTP client connects to the FTP server. Here, the FTP server defines a specific port (port 990) for secure connections.

References

http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html

http://slacksite.com/other/ftp.html

http://www.enterprisedt.com/publications/FTP_Overview.html


Plesk Windows Horde This request cannot be completed because the link you followed or the form you submitted was only valid for minutes. Please try again now.

The error when trying to log out is as below, and it won't let you log out either.

“This request cannot be completed because the link you followed or the form you submitted was only valid for minutes. Please try again now.”

Solution

Edit C:\inetpub\vhosts\webmail\horde\lib\horde.php (Drive Letter will depend on where you installed Webmail/Plesk and configured IIS to load virtual hosts from)

and search for the section $_SESSION['horde_form_secrets'] in horde.php; instead of

if ($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['urls']['token_lifetime'] * 60 < time()) {
return PEAR::raiseError(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes"), $GLOBALS['conf']['urls']['token_lifetime']));
}

it should be

if (($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['urls']['token_lifetime']) * 60 < time()) {
return PEAR::raiseError(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %s minutes"), $GLOBALS['conf']['urls']['token_lifetime']));
}

Note the extra pair of parentheses around the sum.


About this blog

This blog acts as a knowledge repository for the world and is unofficial! Anything we find interesting in the cyber world will go here. In most cases, this blog will reflect the happiness of our staff in reaching a successful solution to an issue (s)he worked on. A reference for other fellow SAGEs who come across similar issues later.