Archive

Archives for 12/2022

DDoS Protection Script For iptables

31/12/2022 Comments off

Source: Digital Point

After a few days of being attacked by a 25,000-zombie botnet, believe me, I have tried almost everything possible to make it stop. The best thing that helped was this script; I thought it could help here when it's your turn getting those script-kiddie attackers visiting your servers.

#!/bin/sh
#------------------------------------------------------------------------------
#
# File: SIG-antiDDoS.sh
#
# Compiler: Ruslan Abuzant <ruslan@abuzant.com>
#           PS> Collected From Lots Of Sources
#           PS> Credits: Real Authors (no idea)
#
# URL: http://www.liteforex.org/
#
# License: GNU GPL (version 2, or any later version).
#
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"


# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"


# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 8"
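The RLIMIT string is the only policy the excerpt shows, and what `-m limit --limit 3/s --limit-burst 8` actually does is often misread (it is not "3 packets per second, full stop"). The following added example, which is not part of the script above, simulates the token bucket behind iptables' limit match: the bucket starts with `burst` tokens, refills at `rate` tokens per second up to `burst`, and each matching packet spends one. In the usual layout (`... $RLIMIT -j ACCEPT` followed by `-j DROP`) a packet that finds the bucket empty is dropped. The SYN arrival timeline is constructed, not captured.

```python
"""Simulate the token bucket behind iptables' ``-m limit`` match.

Added example, not part of the SIG-antiDDoS.sh script. It models
``$RLIMIT`` = ``-m limit --limit 3/s --limit-burst 8``: the bucket starts
full with ``burst`` tokens, refills at ``rate`` tokens per second (never
above ``burst``), and each matching packet spends one token. The arrival
timeline in ``__main__`` is constructed for illustration.
"""
from typing import List, Tuple


def limit_match(arrivals: List[float], rate: float = 3.0, burst: int = 8) -> List[bool]:
    """Return, per packet, whether ``-m limit`` would match it.

    ``arrivals`` are packet timestamps in seconds, in arrival order.
    """
    tokens = float(burst)                 # --limit-burst: the bucket starts full
    last = arrivals[0] if arrivals else 0.0
    matched: List[bool] = []
    for t in arrivals:
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(float(burst), tokens + (t - last) * rate)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            matched.append(True)
        else:
            matched.append(False)
    return matched


def syn_flood_outcome(arrivals: List[float], rate: float = 3.0, burst: int = 8) -> Tuple[int, int]:
    """Count (accepted, dropped) for an ``$RLIMIT -j ACCEPT`` / ``-j DROP`` pair."""
    m = limit_match(arrivals, rate, burst)
    return sum(m), len(m) - sum(m)


if __name__ == "__main__":
    # Constructed timeline: 20 SYNs at once, 5 more one second later,
    # then a single SYN after ten quiet seconds (the bucket is full again).
    flood = [0.0] * 20 + [1.0] * 5 + [11.0]
    accepted, dropped = syn_flood_outcome(flood)
    print(f"accepted={accepted} dropped={dropped}")  # accepted=12 dropped=14
```

The takeaway for tuning: `--limit-burst` decides how many packets a short burst gets through before the average rate applies, so a burst of 8 followed by 3/s is generous for SYNs from a single address but far too tight as a global rule on a busy port.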

Read more…

Categories: Network, Security

How to stop Small DDOS attacks

31/12/2022 Comments off

Nowadays it seems that every script kiddie is able to produce a small DDoS attack. Happily they are small and limited, so they can't saturate your DNS unless they really know what they are doing.

This is a more or less step-by-step guide intended for beginners, to help stabilize a Linux server and prevent further attacks.

There are some basic settings you should already have implemented on your Linux server as part of security 101, but this is not always the case, and by itself it is not enough.

Questions and Answers:

  • Limiting the amount of concurrent connections from the same IP address to your server.
  • Identifying the offending IP.
  • Killing the ongoing TCP connections with tcpkill.
  • Or using Cutter to kill the connections on any port/network interface.
  • Dropping it with iptables.
  • Making the DROP persistent after a reboot (iptables-save and iptables-restore).
  • Basic iptables-save troubleshooting.
  • Stopping and starting iptables.

This article assumes you have root access to your Linux box/server; the IP addresses shown in this guide are randomly generated and in no case are offending connections.
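The first three steps of the list (count connections per source, pick out the offender, kill and drop it) can be scripted rather than eyeballed. The following is an added example, not part of the original guide: it parses `ss -tn` output, counts established connections per peer IP, flags the peers above a threshold, and prints the `tcpkill`, `iptables` and `iptables-save` commands for each. The `ss` output is constructed, not a real capture, and uses RFC 5737/RFC 3849 documentation addresses; the threshold of 5, the interface name `eth0` and the `/etc/iptables/rules.v4` path (the one iptables-persistent restores on Debian/Ubuntu) are assumptions.

```python
"""Find peers holding too many concurrent connections and emit the
iptables/tcpkill commands the guide's steps describe.

Added example (not from the original article). SS_OUTPUT is a constructed
sample of ``ss -tn``; addresses are documentation ranges. Threshold,
interface name and the rules.v4/rules.v6 paths are assumptions.
"""
from collections import Counter
from typing import List, Optional

# Constructed sample of `ss -tn` (IPv4 and IPv6 peers, one header line).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB  0      0      192.0.2.10:80      198.51.100.7:51234
ESTAB  0      0      192.0.2.10:80      198.51.100.7:51235
ESTAB  0      0      192.0.2.10:80      198.51.100.7:51236
ESTAB  0      0      192.0.2.10:80      198.51.100.7:51237
ESTAB  0      0      192.0.2.10:80      198.51.100.7:51238
ESTAB  0      0      192.0.2.10:80      198.51.100.7:51239
ESTAB  0      0      192.0.2.10:80      203.0.113.9:40001
ESTAB  0      0      192.0.2.10:443     203.0.113.9:40002
ESTAB  0      0      [2001:db8::a]:80   [2001:db8::1]:50000
"""


def peer_ip(endpoint: str) -> str:
    """Strip the port from 'ip:port' or '[v6addr]:port'."""
    return endpoint.rsplit(":", 1)[0].strip("[]")


def count_peers(ss_text: str, local_port: Optional[int] = None) -> Counter:
    """Count established connections per peer IP, optionally for one local port."""
    counts: Counter = Counter()
    for line in ss_text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if local_port is not None and int(local.rsplit(":", 1)[1]) != local_port:
            continue
        counts[peer_ip(peer)] += 1
    return counts


def find_offenders(counts: Counter, threshold: int) -> List[str]:
    """Peers with more than ``threshold`` concurrent connections, worst first."""
    return [ip for ip, n in counts.most_common() if n > threshold]


def connlimit_rule(port: int, limit: int) -> str:
    """Preventive rule: cap concurrent connections per source IP on ``port``."""
    return (f"iptables -I INPUT -p tcp --dport {port} -m connlimit "
            f"--connlimit-above {limit} --connlimit-mask 32 -j DROP")


def block_commands(ip: str, iface: str = "eth0") -> List[str]:
    """Kill the live TCP sessions of ``ip``, drop it, and persist the rule."""
    v6 = ":" in ip
    ipt = "ip6tables" if v6 else "iptables"
    save = f"{ipt}-save > /etc/iptables/rules.{'v6' if v6 else 'v4'}"
    return [
        f"tcpkill -i {iface} host {ip}",      # dsniff's tcpkill resets the live sessions
        f"{ipt} -I INPUT -s {ip} -j DROP",    # drop every new packet from the peer
        save,                                 # restored at boot by iptables-restore
    ]


if __name__ == "__main__":
    counts = count_peers(SS_OUTPUT)
    for ip in find_offenders(counts, threshold=5):
        print("\n".join(block_commands(ip)))
    print(connlimit_rule(80, 20))
```

Run it as root on the real box by replacing `SS_OUTPUT` with `subprocess.check_output(["ss", "-tn"], text=True)`; the `connlimit` rule is the one to install up front, since it needs no per-incident intervention.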

Read more…

Fragmented IP packet forwarding

30/12/2022 Comments off

About Fragmented IP packet forwarding.

I couldn't really find a suitable title for this post, but I will try to answer the following questions:

  • How can we fragment an IP packet manually in scapy?
  • What does a fragmented packet look like, and where is the transport-layer (TCP/UDP) header located?
  • How do we forward fragmented packets? Do we reassemble them?
  • If we don't reassemble, can we force reassembly?

First of all, a bit of theory. If an incoming IP packet is to be forwarded to the next hop and the MTU of that outgoing link is smaller than the packet, we must find a way to forward it. If the packet has the DF (Don't Fragment) bit set, i.e. the source has instructed us not to fragment it, then we are expected to send back an ICMP Destination Unreachable message with the "fragmentation needed" code (type 3, code 4, carrying the next-hop MTU) and pray that no device on the way back to the source blocks all ICMP traffic; if one does, path MTU discovery fails and the connection stalls. The second scenario is that the source allows us to fragment the packet. Then we need to fragment it, and the story from here on is about that part of the scenario; the topology we will use is the one shown below.

[Figure: fragmented_packets]

Scapy is a fantastic tool for generating your own packets. It is extremely flexible, and in our example we will perform the fragmentation of a packet with our own script.
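Before looking at the scapy version, it helps to see the fragmentation rules with nothing hidden behind a library. The block below is an added example, not the post's own script: plain Python with `struct`, so it runs without scapy. It builds a UDP datagram, splits it for a 576-byte next-hop MTU, honours DF (returning None where a router would emit ICMP type 3 code 4), and decodes each fragment so you can see that only the first fragment carries the UDP header; the other fragments start in the middle of the UDP payload, which is exactly why a firewall that matches on ports cannot classify them. The datagram, MTU and RFC 5737 addresses are constructed for illustration.

```python
"""Fragment an IPv4 datagram by hand and look at the pieces.

Added example, not part of the original post. It does the job the post's
scapy script does, in plain Python with ``struct``. The UDP datagram, the
576-byte next-hop MTU and the addresses are constructed for illustration.
Assumes IPv4 headers without options.
"""
import struct
from typing import Dict, List, Optional

DF = 0x4000   # Don't Fragment
MF = 0x2000   # More Fragments
IP_HDR = 20   # header length without options


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (over a valid header it yields 0)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int, flags: int = 0) -> bytes:
    """Minimal IPv4 header (no options) + payload, with a valid checksum."""
    def a(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(payload), ident,
                      flags, 64, proto, 0, a(src), a(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fields a forwarding or reassembly engine cares about."""
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, fl = struct.unpack("!HHH", pkt[2:8])
    return {"ident": ident, "df": bool(fl & DF), "mf": bool(fl & MF),
            "offset": (fl & 0x1FFF) * 8, "proto": pkt[9], "payload": pkt[ihl:total]}


def fragment(pkt: bytes, mtu: int) -> Optional[List[bytes]]:
    """Split ``pkt`` for a next hop with ``mtu``; None means 'DF set, cannot'.

    A router that gets None sends ICMP type 3 code 4 (fragmentation needed)
    back to the source instead of forwarding. ``pkt`` may itself already be
    a fragment: its offset and MF bit are carried into the new pieces.
    """
    if len(pkt) <= mtu:
        return [pkt]
    ihl = (pkt[0] & 0x0F) * 4
    ident, fl = struct.unpack("!HH", pkt[4:8])
    if fl & DF:
        return None
    hdr, payload = pkt[:ihl], pkt[ihl:]
    chunk = (mtu - ihl) // 8 * 8          # every non-last fragment is a multiple of 8 bytes
    base = (fl & 0x1FFF) * 8              # offset of this payload in the original datagram
    frags: List[bytes] = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        last = pos + chunk >= len(payload)
        flags = ((base + pos) // 8) | (0 if last and not (fl & MF) else MF)
        h = (hdr[:2] + struct.pack("!HHH", ihl + len(piece), ident, flags)
             + hdr[8:10] + b"\x00\x00" + hdr[12:])
        h = h[:10] + struct.pack("!H", checksum(h)) + h[12:]
        frags.append(h + piece)
    return frags


def udp_header(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header; checksum 0 means 'not computed', legal for UDP over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


if __name__ == "__main__":
    dgram = build_ipv4("192.0.2.1", "198.51.100.2", 17,
                       udp_header(5353, 53, b"Q" * 1400), ident=0xBEEF)
    for f in fragment(dgram, 576):
        p = parse_ipv4(f)
        # Only the offset-0 fragment starts with the 8-byte UDP header.
        print(p["offset"], p["mf"], len(p["payload"]), p["payload"][:8].hex())
```

Two details worth checking in the output: the offsets advance by 552 (the largest multiple of 8 that fits in 576 minus the 20-byte header), and re-fragmenting a fragment keeps MF set on its last piece, since the original datagram's end has not been reached.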

Read more…

Categories: Network, Security

IP Fragmentation Attack

30/12/2022 Comments off

IP fragmentation attacks are a common form of denial-of-service attack, in which the perpetrator overwhelms a network by exploiting the datagram fragmentation mechanism.

Understanding the attack starts with understanding the process of IP fragmentation, a communication procedure in which IP datagrams are broken down into smaller packets, transmitted across a network and then reassembled into the original datagram at the destination.

Fragmentation is necessary because every link has its own limit on the size of the packets it can carry, known as the maximum transmission unit (MTU). If a datagram is larger than the MTU of any link on its path (not only the receiving server's link), it has to be fragmented in order to be transmitted at all.

[Figure: ip-fragmentation]
Example of how an IP datagram is fragmented and reassembled

The IP header of every datagram carries flags stating whether fragmentation is allowed. When the "don't fragment" flag is set and the packet does not fit, the router drops it and sends the source an ICMP Destination Unreachable message (type 3, code 4, "fragmentation needed") saying that the datagram is too big to transmit. The fragment offset field tells the recipient where in the original datagram each fragment's data belongs (in units of 8 bytes), so the fragments can be put back in the right place for reassembly whatever order they arrive in.

Attack Types

IP fragmentation attacks can take several forms. While they all exploit the breakdown of datagrams in order to overwhelm the target, there are notable differences in how the different attack vectors are executed.

  • UDP and ICMP fragmentation attacks – The attacker sends bogus UDP or ICMP datagrams larger than the network's MTU (usually ~1500 bytes), or fragments of datagrams that are never completed. Because these fragments can never be reassembled, they sit in the target's reassembly buffers until they time out; the target's memory and CPU are quickly consumed, resulting in server unavailability.
  • TCP fragmentation attacks (a.k.a. Teardrop) – Also known as Teardrop attacks, these assaults target the TCP/IP stack's reassembly code by sending fragments whose offsets overlap, so the pieces cannot be put together consistently. Reassembly code that does not expect overlapping fragments mishandles them, and the victim's hosts crash or hang. Teardrop attacks exploited an OS vulnerability common in older versions of Windows, including 3.1, 95 and NT. While patches were thought to have put a stop to these attacks, a vulnerability resurfaced in Windows 7 and Windows Vista, making Teardrop attacks once again a viable attack vector. The vulnerability was patched again in the latest versions of Windows, but operators should keep an eye out to ensure that it stays patched in all future versions.

Methods of Mitigation

IP fragmentation attacks are mitigated in several different ways, depending on the type and severity of the attack. Most mitigation methods ensure that malicious fragments never reach their target destinations. The most common one involves inspecting incoming packets for violations of fragmentation rules (overlapping fragments, fragments that never complete, data beyond the declared end of the datagram) at a router or a secured proxy, so that malformed fragments are discarded before they reach a host's reassembly buffers.
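What "inspecting for violations of fragmentation rules" means in practice is a reassembly engine that refuses the two attack patterns described above. The block below is an added example, not code from this article or from Incapsula: a small reassembler that rejects overlapping fragments (the Teardrop pattern), expires fragment queues that never complete, and caps the number of open queues per source so a flood of bogus first fragments cannot pin unbounded memory. Fragments are passed in as already-parsed header fields; the addresses, timestamps, the 30-second timeout and the per-source quota are constructed assumptions.

```python
"""Reassembly engine that enforces fragmentation rules.

Added example, not code from the article or from Incapsula. Rejecting
overlapping fragments outright is a policy choice (the one the Linux
kernel adopted in 2018); RFC 791 itself does not forbid overlap.
Timeout, quota, addresses and timestamps are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    src: str
    ident: int        # IP identification field, shared by all pieces of one datagram
    offset: int       # byte offset into the original payload (header field * 8)
    more: bool        # MF flag
    payload: bytes


@dataclass
class _Queue:
    first_seen: float
    chunks: List[Tuple[int, int, bytes]] = field(default_factory=list)
    total: Optional[int] = None       # known once the MF=0 fragment arrives


class Reassembler:
    def __init__(self, timeout: float = 30.0, max_queues_per_src: int = 64,
                 max_datagram: int = 65535):
        self.timeout = timeout
        self.max_queues_per_src = max_queues_per_src
        self.max_datagram = max_datagram
        self.queues: Dict[Tuple[str, int], _Queue] = {}
        self.stats: Counter = Counter()

    def _expire(self, now: float) -> None:
        """Drop queues that never completed within the timeout."""
        for key in [k for k, q in self.queues.items() if now - q.first_seen > self.timeout]:
            del self.queues[key]
            self.stats["expired"] += 1

    def _drop(self, key: Tuple[str, int], reason: str) -> None:
        self.queues.pop(key, None)        # one bad fragment poisons the whole datagram
        self.stats[reason] += 1

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Feed one fragment; return the datagram payload once it is complete."""
        self._expire(now)
        key = (frag.src, frag.ident)
        start, end = frag.offset, frag.offset + len(frag.payload)
        # Rules a fragment must satisfy on its own.
        if not frag.payload or end > self.max_datagram or (frag.more and len(frag.payload) % 8):
            self._drop(key, "dropped_malformed")
            return None
        q = self.queues.get(key)
        if q is None:
            if sum(1 for s, _ in self.queues if s == frag.src) >= self.max_queues_per_src:
                self.stats["dropped_quota"] += 1
                return None
            q = self.queues[key] = _Queue(first_seen=now)
        # Teardrop: a fragment overlapping bytes already held is rejected.
        if any(start < e and s < end for s, e, _ in q.chunks):
            self._drop(key, "dropped_overlap")
            return None
        if not frag.more:
            if q.total is not None and q.total != end:      # two different "last" fragments
                self._drop(key, "dropped_malformed")
                return None
            q.total = end
        elif q.total is not None and end > q.total:          # data beyond the declared end
            self._drop(key, "dropped_malformed")
            return None
        q.chunks.append((start, end, frag.payload))
        if q.total is None:
            return None
        chunks = sorted(q.chunks)
        pos = 0
        for s, e, _ in chunks:
            if s != pos:
                return None                                  # still a gap, keep waiting
            pos = e
        del self.queues[key]
        self.stats["reassembled"] += 1
        return b"".join(p for _, _, p in chunks)


if __name__ == "__main__":
    r = Reassembler(timeout=10.0, max_queues_per_src=4)
    r.add(Fragment("198.51.100.7", 2, 0, True, b"A" * 16), 1.0)
    r.add(Fragment("198.51.100.7", 2, 8, False, b"C" * 16), 1.1)   # overlaps bytes 8..16
    for i in range(100, 110):                                       # flood of orphan first fragments
        r.add(Fragment("203.0.113.9", i, 0, True, b"X" * 8), 2.0)
    print(dict(r.stats))
```

The `stats` counters are the detection signal: a source that keeps tripping `dropped_overlap` or `dropped_quota` is the one to feed into the blacklisting described in the next paragraph.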

At Incapsula, these inspections are augmented by dedicated DDoS protection hardware. On top of leveraging our on-edge position to observe fragmentation rules, Incapsula also employs blacklisting/whitelisting mechanisms that filter traffic based on factors such as IP reputation and rate patterns. Using these methods, our platform provides complete immunity from all types of IP fragmentation attacks.

Source: incapsula

Ubuntu Linux /etc/network/interfaces networking example

29/12/2022 Comments off

Source: nixCraft

Q. Can you explain how to set up network parameters such as IP address, subnet, DHCP etc. using the /etc/network/interfaces file?

A. The /etc/network/interfaces file contains network interface configuration information for both Debian and Ubuntu Linux (it is read by the ifupdown tools; Ubuntu releases since 17.10 use netplan by default and ignore this file unless ifupdown is installed). This is where you configure how your system is connected to the network.

Defining physical interfaces such as eth0

Lines beginning with the word "auto" identify the physical interfaces to be brought up when ifup is run with the -a option (which is what the system boot scripts do). Physical interface names should follow the word "auto" on the same line, and there can be multiple "auto" stanzas; ifup brings the named interfaces up in the order listed. For example, the following sets up eth0 (the first network interface card) with the static IP address 192.168.1.5 and the gateway (router) 192.168.1.254, and marks it to be brought up at boot:

auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
gateway 192.168.1.254

Set up an interface for DHCP

To set up eth0 with DHCP, enter:

auto eth0
iface eth0 inet dhcp
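A typo in a static stanza (a gateway outside the subnet, a missing netmask, an interface that never got an "auto" line) is only discovered after the reboot that leaves the box unreachable. The following is an added example, not part of the nixCraft answer: a small parser for the stanza format shown above with a checker that catches those three mistakes before ifup runs. The sample configuration is constructed from the stanzas above, and `check_config` is an assumed helper name.

```python
"""Parse /etc/network/interfaces stanzas and sanity-check static ones.

Added example (not from the nixCraft answer). SAMPLE is constructed from
the stanzas shown in the article; check_config is an assumed helper name.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
# constructed example
auto lo eth0 eth1
iface lo inet loopback

iface eth0 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    gateway 192.168.1.254

iface eth1 inet dhcp
"""


def parse_interfaces(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (names on 'auto' lines, {iface: {'family', 'method', options...}})."""
    auto: List[str] = []
    ifaces: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            auto.extend(words[1:])
            current = None
        elif words[0] == "iface" and len(words) >= 4:
            current = ifaces.setdefault(words[1], {})
            current["family"], current["method"] = words[2], words[3]
        elif current is not None:                    # indented option inside a stanza
            current[words[0]] = " ".join(words[1:])
    return auto, ifaces


def check_config(text: str) -> List[str]:
    """List human-readable problems; an empty list means the file looks sane."""
    auto, ifaces = parse_interfaces(text)
    problems: List[str] = []
    for name, opts in ifaces.items():
        if name not in auto and name != "lo":
            problems.append(f"{name}: not in an 'auto' line, will not come up at boot")
        if opts.get("method") != "static":
            continue
        if "address" not in opts or "netmask" not in opts:
            problems.append(f"{name}: static stanza needs both address and netmask")
            continue
        try:
            net = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
        except ValueError as e:
            problems.append(f"{name}: bad address/netmask ({e})")
            continue
        gw = opts.get("gateway")
        if gw and ipaddress.ip_address(gw) not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
    return problems


if __name__ == "__main__":
    for p in check_config(SAMPLE) or ["no problems found"]:
        print(p)
```

Point it at the real file with `check_config(open("/etc/network/interfaces").read())` before running `ifup -a`; the parser deliberately ignores `source`/`mapping` directives, so included files are not followed.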

Read more…

Categories: Network, System