La saturation du nombre d’ouverture de session TCP en cours.
2 – Le fonctionnement
2.1 – Schéma
2.2 – Envoi du SYN
Le fonctionnement est de générer une trame TCP de demande de synchronisation à destination de la cible. Cette demande de synchronisation SYN est la première étape d’une ouverture de session TCP. Voici le schéma de l’entête TCP avec ce fameux flag SYN basé sur 1 bit :
Les 5 autres flags doivent être positionnés à 0.
2.3 – Réception par la cible A
La cible recevant la synchronisation TCP mémorise cette demande nécessitant donc de la mémoire et du processeur. Voici l’état des connexions d’un Windows XP avant la réception d’un Synflood :
Et voici après la réception des demandes de SYN :
La cible passe les requêtes reçues en SYN_RECEIVED. Cet état est temporaire, le temps de durée de vie est variable en fonction de la pile IP.
Dans mon exemple, la cible tourne sur une station XP limitée en nombre de sessions simultanée. Ceci ayant pour conséquence l’indisponibilité temporaire du port ciblé.
* testé depuis la machine ayant effectuée le Synflood
Today though, we’re going to spend a little time looking at Layer 7, or what we call an HTTP Flood Attack.
An HTTP flood attack is a type of Layer 7 application attack that utilizes the standard valid GET/POST requests used to fetch information, as in typical URL data retrievals (images, information, etc.) during SSL sessions. An HTTP GET/POST flood is a volumetric attack that does not use malformed packets, spoofing or reflection techniques. – DDoSAttacks.biz
If you’re wondering, yes, we deal with these every day, and we protect our client websites via our Website Firewall.
Today I’m going to share with you some details on a rather large DDoS attack that leveraged the following HTTP request flood attack to wreak havoc on a clients website. I’ll also share the steps we took to mitigate the issue.
Layer 7 DDoS – HTTP Flood Attacks
The first thing to understand about Layer 7 attacks is that they require more understanding about the website and how it operates. The attacker has to do some homework and create a specially crafted attack to achieve their goal. Because of this, these types of DDoS attacks require less bandwidth to take the site down and are harder to detect and block.
Layer 7 DDoS – Part 1: Random URLs
This specific client came to us after his site was down for almost a week. They tried other services to protect their website with not much luck. As soon as he switched his DNS to us, we gained a much deeper appreciation and started to see why.
He was getting thousands of requests like these every second:
To be more exact, he was getting 5,233 HTTP requests every single second. From different IP addresses around the world.
What is important to note here is how this worked against the client’s platform. The client’s website was built on WordPress. The uniqueness of the requests were bypassing the caching system, forcing the system to render and respond to every request. This was bringing about system failures as the server quickly became overwhelmed by the requests.
For illustration purposes, here is a quick geographic distribution of the IP’s hitting the site. This is for 1 second in the attack. Yes, every second these IP’s were changing.
Stopping the DDoS: Once we identified the type of attack, blocking was easy enough. By default, they were not passing our anomaly check, causing the requests to get blocked at the firewall. One of the many anomalies we look for are valid user agents, and if you look carefully you see that the requests didn’t have one. Hopefully, you’ll also noticed that the referrers were dynamic and the packets were the same size, another very interesting signature. Needless to say, this triggered one of our rules, and within minutes his site was back and the attack blocked.
Gave me a list of addresses connected to the site. The number of addresses was way way above the number normally connected to the site. A site which although modestly doing 100,000s of page views per day will normally have only 300-500 port 80 connections at any one instance. This time however we had a 2 or 3 thousand.
A quick copy and paste into the following tool http://software77.net/geo-ip/multi-lookup/(max 2000 ips per lookup) which is very usefully for bulk ip address to location lookups, yielded the following
1.26.199.253 # CN China
1.81.157.62 # CN China
1.83.168.34 # CN China
1.180.57.96 # CN China
1.26.201.167 # CN China
1.62.140.66 # CN China
1.189.82.78 # CN China
1.193.76.146 # CN China
1.26.241.209 # CN China
1.190.209.36 # CN China
1.189.162.213 # CN China
1.31.57.105 # CN China
1.62.17.196 # CN China
1.58.137.111 # CN China
1.83.229.4 # CN China
1.180.10.45 # CN China
1.180.5.200 # CN China
1.26.169.201 # CN China
1.180.187.10 # CN China
1.190.2.102 # CN China
1.25.134.125 # CN China
1.62.161.233 # CN China
1.182.28.181 # CN China
(And on and on)
We clearly had an issue with China, but a quick log in to Google Analytics indicated almost no real-time traffic visiting the site.
Due to the sheer volume of connections for the next 45 mins, I was regularly running this command pasting into excel, then bulk iptabling the the ip address as well as the 65,000 neighbouring addresses.
sudo iptables -A INPUT -s 59.56.0.0/16 -m comment –comment “China IP” -j DROP
sudo iptables -A INPUT -s 1.26.0.0/16 -m comment –comment “China IP” -j DROP
Stopping a DDOS (distributed denial of service attack) or DOS (denial of service attack) is no simple task. Frequently, these attacks become more than just a nuisance, they completely immobilize your server’s services and keep your users from using your website.
We’ve found a few common sense ways to help ease the pain of DDOS and/or DOS attacks. While no method is fool proof, we certainly can minimize the profound effect these attacks have on your users and subsystems.
Identify the Source
Good luck with that one. Many DDOS and DOS attacks are from roaming IP addresses. A distributed denial of service attack can come from many different IP addresses and it quickly becomes impossible for the Linux system administrator to isolate and confine each IP with a firewall rule.
Wikipedia does a great job of describing the various types of attacks here: http://en.wikipedia.org/wiki/Denial-of-service_attack. For the purpose of this tutorial, I’ll leave the research on the types of attacks up to you, and address the most common form that we’ve encountered over the years, the Apache directed DDOS or DOS attack.
Apache Based Attacks
Symptoms of the Apache DDOS or DOS attack:
Website(s) serve slow
You notice hanging processes
Apache Top tells you that the same IP address is requesting a system resource
The system resource continues to multiplex, causing more processes to spawn
Says that you have a few too many connections to feel comfortable with.
The end result:
Apache goes down
System load goes sky high
Server stops responding
You cant ssh to the server node
You’ve lost connectivity completely and a reboot is mandatory in order to restore access to the system
Preventative Measures and Counter Measures:
Enable SYN COOKIES at the kernel level
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Enable and Configure iptables to prevent the attack or at least work to identify the attack
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
/sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
/sbin/iptables -A syn-flood -j DROP
Install the APF firewall to work to identify risky behavior
APF stands for Advanced Policy Firewall. Its a rock solid firewall that normally plays nice with iptables. You can grab a the most recent copy here: http://www.rfxn.com/projects/
Great software, rock solid, and plays nice with either APF or iptables. Install and configure the service in seconds using the commands below. Edit the .conf file to utilize whichever flavor of firewall you’d like to integrate it with. Set a few configuration settings and you’re done.
So a few tools are outlined above. We’ve found that this will stop 90% of the attacks that are out there. Some nice firewall rules above your server (at the router or switch level) also help. Most of the time we can identify suspicious traffic before it even hits your servers, so a shameless plug here is probably in order.
This how to article will go over stopping a DDoS attack when all you have access to is the targeted Linux host using netfilter and iptables. The two methods are either to simply drop packets from the offending IP/range or to only allow the offending IP/range X number of requests per second, if the range exceeds the requests per second rate traffic is dropped from the range.
*NOTE This method is for small attacks on services you are running on your Linux host. For large attacks using your gateway’s (firewall, load balancer, switch, or router) anti DDoS features maybe necessary or even having your ISP mitigating maybe the only option. I do often see attacks on HTTP from a hundred hosts or so and this article works on that scale.
Here is a example of a script for dropping packets from a offending IP/range lets say for our purposes the range is 206.250.230.0/24
#!/bin/bash
/sbin/iptables -I INPUT 1 -s 206.250.230.0/24 -j DROP
/sbin/iptables -I OUTPUT 1 -d 206.250.230.0/24 -j DROP
/sbin/iptables -I FORWARD 1 -s 206.250.230.0/24 -j DROP
/sbin/iptables -I FORWARD 1 -d 206.250.230.0/24 -j DROP
Here is a example of a script for dropping packets from a offending IP/range if it exceeds 30 requests per second lets say for our purposes the range is 206.250.230.0/24
