Archive

Archives for 08/2023

Fun: The proliferating insects

31/08/2023 2 comments

A small maths problem, published in Le Monde a few years ago:

Ladybird (image)

A population of insects has a frightening growth rate: on 1 January 2004 it numbered 2,004 individuals. On 2 January that number was 4,009 (double, plus one). On 3 January it was 12,028 (three times the previous number, plus one).

Every day in January, the population turns out to be the previous day's population multiplied by the day of the month and increased by 1.

In February the principle is the same, but with an increase of two units instead of one: the population on 1 February is that of 31 January increased by two, the population on 2 February is twice that of 1 February plus two, and so on up to 29 February, where it equals 29 times that of 28 February plus two.

In March, same principle, but 3 is added; in April, 4 is added, and so on. In December, 12 is added.

These insects are in the habit of flying in formations of 13 individuals.

When their number is not a multiple of 13, they arrange themselves so that the number of isolated insects is as small as possible.

How many insects will be isolated on the evening of 31 December 2004?
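A solver for the puzzle, added here as an example and not part of the original post: it follows the rule day by day and, with a modulus set, tracks only the remainder, which is all the question needs (since the count is multiplied by 13 on the 13th of every month, the remainder on 31 December depends only on the last days of December).

```python
FLOCK = 13   # the insects fly in formations of 13

def population_on(month: int, day: int, start: int = 2004, modulus: int = 0) -> int:
    """Population on a 2004 date under the rule in the post: each day the previous
    count is multiplied by the day of the month and increased by the month number.
    With `modulus` > 0 only the remainder is kept, so the numbers stay small."""
    days = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]   # 2004 is a leap year
    pop = start
    for m in range(1, month + 1):
        last_day = day if m == month else days[m - 1]
        for d in range(1, last_day + 1):
            if (m, d) == (1, 1):
                continue                     # 1 January is the given starting count
            pop = pop * d + m                # "times the day of the month, plus the month"
            if modulus:
                pop %= modulus
    return pop

def isolated_on_new_years_eve() -> int:
    """Insects left over after forming as many groups of FLOCK as possible."""
    return population_on(12, 31, modulus=FLOCK)
```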

Categories: News

Homemade DDoS Protection Using IPTables SYNPROXY

31/08/2023 Comments off

First off, if you want the real deal and want your service protected today by security specialists from even the most complex types of DDoS attacks, don't bother reading about SYNPROXY; instead check out our Anti DDoS Hosting and Remote DDoS Protection. If you are an experienced system or network admin and feel confident that you can use SYNPROXY as an addition to your current DDoS mitigation strategy, continue reading.

It's nothing new that DDoS attacks have been increasing constantly in size and quantity over the years, making them more likely to affect you personally with every passing month. Apart from DNS amplification attacks, SYN floods are one of the most common DDoS attack types today. Until recently, Linux systems were very bad at handling SYN floods compared to *BSD, whose default firewall "PF" has had a SYN proxy feature built in for quite a while now, which is a good approach to SYN flood mitigation. The Linux default firewall "IPTables" lacked a similar feature for a long time, and the only way to mitigate SYN floods was the kernel's "syncookie" feature, which is nowhere near as performant as one would wish when under a SYN flood.

Finally, after years of lacking appropriate SYN flood mitigation options under Linux, the new "SYNPROXY" target was introduced with the 3.12 kernel and IPTables version 1.4.21, and it fills that gap quite successfully. It is not a cure for every SYN flood: most ISPs are likely to nullroute your IP before the attack clogs your TCP/IP stack, and your NIC will probably saturate on interrupts before your kernel does. Tests have shown, however, a major increase in performance when under a SYN flood, SYN-ACK flood or ACK flood.

While a Linux kernel with default settings usually starts to cause software interrupts and drop packets at as little as 200,000 packets per second (PPS), it can handle multiple millions of packets per second with the strategy explained in this tutorial. The number of SYN packets it can handle per second increases by a factor of 10, and the number of ACK packets it can handle per second increases by a factor of 20, which is a major advantage when you have to handle large amounts of packets (read: you're under a SYN or ACK flood).

IPTables « SYNPROXY » on Debian Wheezy
In this example we'll use a Debian Wheezy system for our setup. I can imagine this being used on Vyatta boxes in the future to protect whole network segments effectively with very cheap hardware. The first thing we'll have to do is upgrade our kernel and iptables version.

Read more…

DDoS Protection Script For iptables

30/08/2023 Comments off

Source: Digital Point

After a few days of being attacked by a 25,000-zombie botnet, believe me, I have tried almost everything possible to make it stop. The best thing that helped was this script; I thought it could help here when it's your turn to get those script-kiddie attackers visiting your servers.

#!/bin/sh
#------------------------------------------------------------------------------
#
# File: SIG-antiDDoS.sh
#
# Compiler: Ruslan Abuzant <ruslan@abuzant.com>
#           PS> Collected From Lots Of Sources
#           PS> Credits: Real Authors (no idea)
#
# URL: http://www.liteforex.org/
#
# License: GNU GPL (version 2, or any later version).
#
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"


# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"


# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 8"

Read more…

Categories: Network, Security

How to stop Small DDOS attacks

30/08/2023 Comments off

Nowadays it seems that every script kid is able to produce a soft DDoS attack; happily, they are small and limited, so they can't saturate your DNS unless they really know what they are doing.

This is a more or less step-by-step guide, intended for beginners, to help stabilize the Linux server and prevent further attacks.

There are some basic settings you should already have implemented in your Linux server as part of security 101, but this is not always the case, and it is also not enough.

Questions and Answers:

  • Limiting the amount of concurrent connections from the same IP address to your server.
  • Identifying the offending IP.
  • Killing the ongoing TCP connections with TCPKILL.
  • Or using Cutter to kill the connections on any port/network interface.
  • Dropping it with iptables.
  • Making the DROP persistent after a reboot (iptables save and restore).
  • Basic iptables-save troubleshooting.
  • Stopping and starting iptables.

This article assumes you have root access to your Linux box/server; the IP addresses shown in this guide are randomly generated and in no case are offending connections.

Read more…

Fragmented IP packet forwarding

29/08/2023 Comments off

About Fragmented IP packet forwarding.

I couldn’t really find a suitable topic for this post actually but I will try to find answers for the following questions:

  • How can we fragment an IP packet manually in Scapy?
  • What does a fragmented packet look like, and where is the transport-layer (TCP/UDP) header located?
  • How do we forward fragmented packets; do we reassemble them?
  • If we don't reassemble, can we force reassembly?

First of all, a bit of theory. If an incoming IP packet is to be forwarded to another next hop and the MTU of this new path is smaller than the packet to be transmitted, we must find a way to forward the packet. If the packet has the DF (Don't Fragment) bit set, i.e. we are instructed (most probably by the source) not to fragment it, then we are normally expected to send back an ICMP packet of type "Fragmentation needed" and pray that no device on the way back to the source blocks all ICMP traffic. The second scenario is that the source lets us fragment the packet. Then we need to fragment it, and the story from here on is about this part of the scenario; the topology we will use is something like the one below.


Scapy is a fantastic tool for generating your own packets. It is extremely flexible, and in our example we will perform the fragmentation of a packet via our script.

Read more…
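The forwarding decision described above (forward as-is, fragment, or answer "Fragmentation needed" when DF is set), worked through as an added example in plain-stdlib Python rather than Scapy and not taken from the original post; it builds a constructed IPv4/UDP datagram, fragments it on 8-byte boundaries with correct MF/offset fields and header checksums, and shows that only the first fragment carries the UDP header.

```python
import struct
IP_DF, IP_MF, OFF_MASK = 0x4000, 0x2000, 0x1FFF   # bits of the IPv4 flags/offset field
def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload, flags=0, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) plus payload; constructed sample."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags, 64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def describe(packet):
    """(fragment offset in bytes, MF flag set?, payload length) of one datagram."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _, flags_off = struct.unpack("!HHH", packet[2:8])
    return (flags_off & OFF_MASK) * 8, bool(flags_off & IP_MF), total_len - ihl

def forward(packet, next_hop_mtu):
    """Router decision: ('forward', [pkt]), ('fragment', [frags]) or ('icmp_frag_needed', []) if DF is set."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _, flags_off = struct.unpack("!HHH", packet[2:8])
    if total_len <= next_hop_mtu:
        return "forward", [packet]
    if flags_off & IP_DF:
        return "icmp_frag_needed", []        # ICMP type 3 code 4 goes back to the source
    header, data = packet[:ihl], packet[ihl:total_len]
    step = (next_hop_mtu - ihl) // 8 * 8     # fragment offsets count 8-byte units
    frags = []
    for i in range(0, len(data), step):
        chunk = data[i:i + step]
        more = IP_MF if i + step < len(data) else flags_off & IP_MF  # last keeps original MF
        hdr = bytearray(header)              # reuse the header, patch length/flags/checksum
        struct.pack_into("!H", hdr, 2, ihl + len(chunk))
        struct.pack_into("!H", hdr, 6, more | ((flags_off & OFF_MASK) + i // 8))
        hdr[10:12] = b"\x00\x00"
        struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
        frags.append(bytes(hdr) + chunk)
    return "fragment", frags

def reassemble(frags):
    """Join payloads in offset order: only the first fragment carries the UDP/TCP header."""
    parts = sorted(frags, key=lambda f: describe(f)[0])
    return b"".join(f[(f[0] & 0x0F) * 4:] for f in parts)
```

A 1,028-byte datagram sent over a 576-byte MTU path comes out as two fragments (offsets 0 and 552, MF set only on the first); a firewall that inspects UDP/TCP ports therefore sees them only in the first fragment unless it reassembles.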

Categories: Network, Security