Articles tagged ‘attacks’

Use a load-balancer as a first row of defense against DDoS

16/02/2019 No comments


We’ve seen more and more DoS and DDoS attacks recently. Some of them were very big, requiring thousands of computers…
But in most cases these attacks are made by a few computers aiming to make a service or website unavailable, either by sending it too many requests or by consuming all its available resources, preventing regular users from using the service.
Some attacks target known vulnerabilities of widely used applications.

In this article, we’ll explain how to take advantage of an application delivery controller to protect your website and applications against DoS, DDoS and vulnerability scans.

Why use a LB for such protection, when a firewall and a Web Application Firewall (aka WAF) could already do the job?
Well, the firewall is not aware of the application layer, but it is useful to protect against SYN flood attacks. That’s why application layer firewalls appeared recently: Web Application Firewalls, also known as WAF.
Since the load balancer sits in front of the platform, it can be a good partner for the WAF, filtering out 99% of the attacks, which are run by script kiddies. The WAF can then happily clean up the remaining attacks.
Or maybe you don’t need a WAF at all and want to take advantage of your Aloha and save some money ;).

Note that you need an application layer load-balancer, like the Aloha or open source HAProxy, to be efficient.

TCP SYN flood attacks

A SYN flood attack consists in sending as many TCP SYN packets as possible to a single server, trying to saturate it or at least its uplink bandwidth.

If you’re using the Aloha load-balancer, you’re already protected against this kind of attack: the Aloha includes mechanisms to protect you.
The TCP SYN flood attack mitigation capacity may vary depending on your Aloha box.

If you’re running your own LB based on HAProxy or HAPEE, you should have a look at the sysctl settings below (edit /etc/sysctl.conf or use the sysctl command):

# Protection against SYN flood
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 1024

Note: if the attack is very big and saturates your internet bandwidth, the only solution is to ask your internet access provider to null route the attackers’ IPs on its core network.

Read more…

How to Successfully Protect Your Network against DDoS Attacks: 5 Steps

13/02/2019 No comments

Every business needs DDoS protection.

Today it’s important for the success of your business to have an online presence. You always thought that you would never be a victim of DDoS attacks. But what would happen if your website or online application went down because of a DDoS attack?

Here are some facts taken from digitalattackmap:

  • Attacks are cheaper ($150 for a week-long DDoS)
  • Their number is increasing every week (2000/day)
  • The downtime attributed to them is increasing (1/3 of all downtime incidents)

You can even block a 1TB DDoS attack!

With enough preparation, anybody can block a DDoS attack of any size and we will tell you how in 5 steps.

  1. Become invisible
  2. Filter aggressively
  3. Identify attack patterns
  4. Block traffic patterns
  5. Deploy counter-measure solutions

Read more…

Linux Iptables To Block Different Attacks

10/02/2019 No comments


Iptables is a Linux kernel based packet filter firewall. The iptables modules are part of the kernel itself; there is no separate daemon for it. This makes it a very fast and effective firewall. The iptables rules control the incoming and outgoing traffic on a network device. In this article, we will discuss some common network attacks and how we can block them using iptables. Some of the common network attacks are the SYN flood attack, the smurf attack, the land attack, attacks with malformed ICMP packets, and some other forms of DoS attack. Before going into the details of these attacks, let’s have an overview of iptables and how to use this command.


iptables has 3 filtering points for the default table: INPUT, OUTPUT and FORWARD. These are called chains in iptables. As their names suggest, they specify whether a packet is destined for the system (INPUT), originating from it (OUTPUT) or routed to another node in the network (FORWARD).
The rules in iptables are stored in the form of records in a table. To list the rules, run “iptables -L”:

root@local:~# iptables -L
 Chain INPUT (policy ACCEPT)
 target prot opt source destination

 Chain FORWARD (policy ACCEPT)
 target prot opt source destination

 Chain OUTPUT (policy ACCEPT)
 target prot opt source destination

Here, no rules are present for any chain. The rules are read from top to bottom, and if a match occurs, no further rules are checked. So if one rule is meant to overwrite a previous rule, it must be below that rule. That is why we will append the rules below the existing ones. But if your requirement is to insert a rule explicitly at a given position, you can insert it as well.

To insert a rule (above all other rules or at a specified position), the -I option is used, and to append, -A. We need to specify the chain for which we wish to write the rule. The -j option specifies the target, i.e. what we want to do with the packet if the rule is matched. Some of the values are ACCEPT, DROP (or REJECT), RETURN etc. The target can also be another existing or user-defined chain. But for the purpose of this article, we will confine ourselves to the built-in chains only and will not go into further detail.
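Because the chain is read top to bottom and a terminating match ends the traversal, the order of -A and -I matters: a rule appended below a broader terminating rule can never be reached. The following script, an added example that is not part of the original article, parses a constructed subset of iptables syntax (-p, -s, --dport, -j) and reports rules that an earlier ACCEPT/DROP/REJECT rule in the same chain already shadows. The sample chain and its addresses are constructed.

```python
"""Find iptables rules that an earlier rule in the same chain already shadows.

Added example, not code from the article above. It understands only a
constructed subset of iptables syntax (-A/-I chain, -p, -s, --dport, -j) and
treats ACCEPT, DROP and REJECT as terminating targets, LOG as non-terminating.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # a match here stops chain traversal


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]            # -p tcp/udp/icmp, or None for any protocol
    source: ipaddress.IPv4Network   # -s CIDR; 0.0.0.0/0 means any source
    dport: Optional[int]            # --dport; None means any destination port
    target: str                     # -j target


def parse_rule(line: str) -> Rule:
    """Parse one 'iptables -A CHAIN ...' command line into a Rule."""
    tokens = line.split()
    proto, dport, target = None, None, None
    source = ipaddress.ip_network("0.0.0.0/0")
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-p", "--protocol"):
            proto = tokens[i + 1].lower()
            i += 2
        elif tok in ("-s", "--source"):
            source = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tok == "--dport":
            dport = int(tokens[i + 1])
            i += 2
        elif tok in ("-j", "--jump"):
            target = tokens[i + 1]
            i += 2
        else:
            i += 1  # 'iptables', '-A', the chain name and anything else we ignore
    if target is None:
        raise ValueError(f"rule has no -j target: {line!r}")
    return Rule(proto, source, dport, target)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`."""
    proto_ok = earlier.proto is None or earlier.proto == later.proto
    source_ok = later.source.subnet_of(earlier.source)
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return proto_ok and source_ok and port_ok


def shadowed_rules(chain: List[str]) -> List[Tuple[int, int, str]]:
    """Return (shadowing_index, shadowed_index, kind) for every rule that can
    never be reached. kind is 'redundant' when both rules have the same target
    and 'conflict' when the unreachable rule wanted a different verdict."""
    rules = [parse_rule(line) for line in chain]
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier.target in TERMINATING and covers(earlier, later):
                kind = "redundant" if earlier.target == later.target else "conflict"
                findings.append((i, j, kind))
                break  # report the first rule that shadows it
    return findings


# Constructed sample chain, with addresses from documentation ranges.
SAMPLE_CHAIN = [
    "iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j DROP",
    "iptables -A INPUT -p tcp --dport 22 -s 198.51.100.5 -j ACCEPT",  # never reached
    "iptables -A INPUT -p icmp -j LOG",
    "iptables -A INPUT -p icmp -j DROP",
    "iptables -A INPUT -p icmp -s 10.0.0.0/8 -j DROP",                 # never reached
]

if __name__ == "__main__":
    for i, j, kind in shadowed_rules(SAMPLE_CHAIN):
        print(f"rule {j} is {kind}: shadowed by rule {i}")
        print(f"    {SAMPLE_CHAIN[j]}\n    {SAMPLE_CHAIN[i]}")
```

The third rule above is a conflict: the administrator meant to let 198.51.100.5 in, but the broader DROP appended before it wins, so the fix is to insert the allow rule with -I (or append it before the DROP). The LOG rule is not terminating, so the DROP after it is reachable and the ICMP rule from 10.0.0.0/8 is merely redundant.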

Read more…

What Is SYN Flood Attack? Detection & Prevention In Linux

09/02/2019 No comments


A SYN flood attack is a form of denial-of-service attack in which an attacker sends a large number of SYN requests to services on a target system that use the TCP protocol. This consumes server resources and makes the system unresponsive to legitimate traffic. The attack can occur against any service that uses TCP, and mainly against web services. In this article, we will go through the basics of SYN flood attacks and the mitigation steps in detail.

The SYN flood attack exploits an implementation characteristic of the Transmission Control Protocol (TCP) called the 3-way handshake. Following are the steps that happen in a normal 3-way handshake.

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.


A SYN flood attack works by never sending the server the expected ACK. Because of these half-open connections, the target machine’s TCP backlog fills up, and hence all new connections may get ignored, so legitimate users are ignored as well.

Read more…

How to stop small DDoS attacks

06/02/2019 Comments off

Nowadays it seems that every script kiddie is able to produce a soft DDoS attack; happily they are small and limited, so they can’t saturate your DNS unless they really know what they are doing.

This is a more or less step-by-step guide intended for beginners, to help stabilize the Linux server and prevent further attacks.

There are some basic settings you should already have implemented on your Linux server as part of security 101, but this is not always the case, and it is also not enough.

Questions and Answers:

  • Limiting the amount of concurrent connections from the same IP address to your server.
  • Identifying the offending IP.
  • Killing the ongoing TCP connections with tcpkill.
  • Or using Cutter to kill the connections on any port/network interface.
  • Dropping it with iptables.
  • Making the DROP persistent after a reboot (iptables-save and iptables-restore).
  • Basic iptables-save troubleshooting.
  • Stopping and starting iptables.

This article assumes you have root access to your Linux box/server; the IP addresses shown in this guide are randomly generated and in no case are offending connections.
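Both the half-open connections described in the SYN flood article above and the first two items of this list (limiting concurrent connections per IP, identifying the offending IP) come down to reading the kernel's socket table and counting by state and peer. The script below is an added example, not code from either article: it parses the column layout of `ss -tan` (the Linux iproute2 tool), counts SYN-RECV entries and established connections per peer, and flags a suspected flood and any connection hogs. The sample output, its addresses and the thresholds are constructed assumptions.

```python
"""Read a TCP socket table and flag SYN-flood symptoms and per-source hogs.

Added example, not code from the articles above. It parses the column layout
of `ss -tan` (Linux iproute2); the sample output below is constructed, with
addresses from documentation ranges, and the thresholds are assumptions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample shaped like `ss -tan`: State Recv-Q Send-Q Local Peer.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
SYN-RECV   0      0      198.51.100.10:80     203.0.113.5:40001
SYN-RECV   0      0      198.51.100.10:80     203.0.113.5:40002
SYN-RECV   0      0      198.51.100.10:80     203.0.113.5:40003
SYN-RECV   0      0      198.51.100.10:80     203.0.113.77:51000
ESTAB      0      0      198.51.100.10:80     192.0.2.20:33001
ESTAB      0      0      198.51.100.10:80     192.0.2.20:33002
ESTAB      0      0      198.51.100.10:80     192.0.2.20:33003
ESTAB      0      0      198.51.100.10:80     192.0.2.20:33004
ESTAB      0      0      198.51.100.10:80     192.0.2.44:4433
"""


def parse_ss(output: str) -> List[Tuple[str, str, int]]:
    """Return (state, peer_ip, local_port) per socket line, skipping the header."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        peer_ip = peer.rpartition(":")[0]       # rpartition keeps IPv6 '[...]' intact
        local_port = int(local.rpartition(":")[2])
        rows.append((state, peer_ip, local_port))
    return rows


def half_open_by_peer(rows) -> Counter:
    """Half-open connections (SYN received, ACK never came) grouped by peer IP."""
    return Counter(ip for state, ip, _ in rows if state == "SYN-RECV")


def established_by_peer(rows) -> Counter:
    """Fully established connections grouped by peer IP."""
    return Counter(ip for state, ip, _ in rows if state == "ESTAB")


def assess(output: str, syn_recv_total_limit: int = 3,
           per_ip_conn_limit: int = 3) -> Dict[str, object]:
    """Summarise one snapshot. Both limits are assumed values to tune per site:
    a busy server legitimately holds a few SYN-RECV entries at any moment."""
    rows = parse_ss(output)
    half_open = half_open_by_peer(rows)
    estab = established_by_peer(rows)
    total_half_open = sum(half_open.values())
    return {
        "syn_flood_suspected": total_half_open >= syn_recv_total_limit,
        "half_open_total": total_half_open,
        # In a real SYN flood the peer address is usually spoofed, so this is a
        # hint for investigation, not an identification of the attacker.
        "top_half_open_peer": half_open.most_common(1)[0][0] if half_open else None,
        "connection_hogs": sorted(ip for ip, n in estab.items() if n > per_ip_conn_limit),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SS_OUTPUT).items():
        print(f"{key}: {value}")
```

On a live system the same assessment runs over the real `ss -tan` output. The two findings call for different controls: connection hogs are the peers a per-IP connection limit (for example the iptables connlimit match) is meant for, whereas a growing half-open total spread over many peers is the spoofed SYN flood from the earlier article, where SYN cookies (net.ipv4.tcp_syncookies) rather than per-IP blocking are the relevant defence.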

Read more…