Created
February 12, 2017 11:46
-
-
Save bom-d-van/6627b721cbad08eb27a01048716a941b to your computer and use it in GitHub Desktop.
Detecting and Mitigating DDOS Attacks
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Detecting and Mitigating DDOS Attacks | |
| #List all Finish (FIN) packets | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 1 != 0' | |
| #List all SYN and SYN-ACK packets | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 2 != 0' | |
| #List all Reset (RST) packets | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 4 != 0' | |
| #List all Push (PSH) packets | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 8 != 0' | |
| #List all acknowledge (ACK) packets | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 16 != 0' | |
| #List all null packets | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 0xff = 0' | |
| OR | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] = 0' | |
| #List all packets for your destination port 80 (assuming you are on destination host) | |
| machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[2:2] = 80' | |
| #List count of TCP connections by IP address | |
| machine1 : netstat -npt | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | |
| 554 X.175.191.23 | |
| 5 Y.49.92.30 | |
| 3 Z.225.121.76 | |
| 2 A.219.69.149 | |
| 2 B.152.24.254 | |
| #List count of TCP connections by IP address on specific service port | |
| machine1 : netstat -npt | grep <port> | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | |
| 554 X.175.191.23 | |
| 5 Y.49.92.30 | |
| 3 Z.225.121.76 | |
| 2 A.219.69.149 | |
| 2 B.152.24.254 | |
| #List count of Established TCP connections by IP address on specific service port and are in ESTABLISHED state | |
| machine1 : netstat -npt | grep <port> | grep ESTABLISHED | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | |
| 413 X.175.191.23 | |
| 2 Y.49.92.30 | |
| 2 Z.225.121.76 | |
| 2 A.219.69.149 | |
| 2 B.152.24.254 | |
| #List count of connections by state | |
| machine1 : netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head | |
| 1749 ESTABLISHED | |
| 118 TIME_WAIT | |
| 6 LAST_ACK | |
| 5 SYN_RECV | |
| 4 FIN_WAIT2 | |
| 1 Foreign | |
| 1 FIN_WAIT1 | |
| 1 CLOSE_WAIT | |
| SYN flood attacks & mitigations | |
| 1)Detect if you are having SYN flood: | |
| SYN_RECV state it means your server has received the initial SYN packet, it has sent it's own SYN+ACK packet and is waiting on the ACK from the external machine to complete the TCP handshake. | |
| machine1 : netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head | |
| 1749 SYN_RECV | |
| 18 ESTABLISHED | |
| 6 LAST_ACK | |
| Command clearly shows you have lot many connections in SYN_RECV state and possible SYN flood attack. | |
| 2)Detect if its from single IP(DOS attack) or multiple IPs(DDOS attack): | |
| Single IP attack: | |
| machine1 : netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | |
| 413 X.175.191.23 | |
| 2 Y.49.92.30 | |
| 2 Z.225.121.76 | |
| 2 A.219.69.149 | |
| 2 B.152.24.254 | |
| Now you know the culprit IP, you could just block the IP. There are various ways you could block the IP. | |
| Common and quick ways are: | |
| a)Drop packets using ip command: | |
| machine1: ip route add blackhole X.175.191.23/32 | |
| b)Drop packets using iptables command: | |
| iptables -A INPUT -s X.175.191.23 -j DROP | |
| Is ip or iptables command better to use? Hard to say since both works at layer 3/4 of OSI model. You need to check how large is your routing table or iptables. The one to traverse fast should be used. | |
| Multiple IP attack (common subnet): | |
| machine1 : netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | |
| 345 X.175.191.13 | |
| 243 X.175.190.27 | |
| 34 X.175.181.33 | |
| 78 X.175.41.24 | |
| 2 Y.42.91.30 | |
| 2 Z.125.121.76 | |
| Common and quick ways are: | |
| a)Drop subnet using ip command: | |
| machine1: ip route add blackhole X.175.0.0/16 | |
| b)Drop subnet using iptables command: | |
| iptables -A INPUT -s X.175.0.0/16 -j DROP | |
| Its pretty common to have SYN flood attacks from multiple IPs by spoofing source IP address in packets. This way its becomes hard to distinguish sometimes which are real IPs and which are fake. | |
| Multiple IP attack (different subnet): | |
| machine1 : netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head | |
| 3 X.175.191.23 | |
| 2 Y.42.91.30 | |
| 2 Z.125.121.76 | |
| 2 A.219.69.149 | |
| 2 B.152.24.254 | |
| 2 C.142.44.254 | |
| 2 D.52.54.214 | |
| 1 E.15.27.250 | |
| SYN cookies dramatically reduces your CPU and memory usage durin SYN flood attack and helps to keep machine a bit happy.When SYN Cookie is enabled on JUNOS software with enhanced services and becomes the TCP-negotiating proxy for the destination server, it replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence Number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, JUNOS software with enhanced services drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.If the initiating host responds with a TCP packet containing the cookie +1 in the TCP ACK field, JUNOS software with enhanced services extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, JUNOS software with enhanced services starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN. When JUNOS software with enhanced services receives a SYN/ACK from the server, it sends ACKs to the server and to the initiation host. At this point the connection is established and the host and server are able to communicate directly. | |
| Syn Cookies | |
| #Check if SYN cookie is enabled or not: | |
| machine1 : sysctl -a | grep tcp_syncookies | |
| net.ipv4.tcp_syncookies = 0 | |
| #Enable it: | |
| machine1 : sysctl -w net.ipv4.tcp_syncookies=1 | |
| IPTABLES | |
| #Custom SYN-ATTACK chain | |
| :SYN-ATTACK - [0:0] | |
| #Rule | |
| -A INPUT -i <your interface> -m -p tcp --syn -j SYN-ATTACK | |
| -A SYN-ATTACK -m limit --limit 100/second --limit-burst 100 -j RETURN | |
| -A SYN-ATTACK -m limit --limit 10/h --limit-burst 10 -j LOG --log-prefix "SYN-ATTACK Attack:" | |
| -A SYN-ATTACK -j DROP |
We can use the following commands to filter tcp flag packets with tcpdump. It is much easier to understand.
tcpdump -i utun1 tcp[tcpflags] == 'tcp-syn'
tcpdump -i utun1 tcp[tcpflags] == 'tcp-syn' or tcp[tcpflags] == 'tcp-ack'
thanks, this is very useful.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Copied from: http://balodeamit.blogspot.com/2013/10/detecting-and-mitigating-ddos-attacks.html