DDOS attacks
  • DDOS attacks

    I've had to contact online chat support quite a lot recently because of web sites loading painfully slowly. It normally turns out to be a DDOS attack and after your op blocks the relevant ips everything goes back to its normal snappy performance.

    Don't think I'm blaming EukHost for this. But it is becoming an increasingly bad problem.

    Would I be better off moving to a hosting package with fewer users per machine so there is less chance of sharing with a site that is being attacked, or is it EukHost in general that is getting targeted?

    Is there anything more that EukHost can do to automatically detect and block these attacks?

    I know it's not an easy problem, but it is a serious one, so I thought I would post here to encourage discussion of potential solutions.

  • #2
    Originally posted by Noel:
    I've had to contact online chat support quite a lot recently because of web sites loading painfully slowly. It normally turns out to be a DDOS attack & after your op blocks the relevant ips everything goes back to its normal snappy performance.

    Don't think I'm blaming EukHost for this. But it is becoming an increasingly bad problem.

    Would I be better off moving to a hosting package with fewer users per machine so there is less chance of sharing with a site that is being attacked, or is it EukHost in general that is getting targeted?

    Is there anything more that EukHost can do to automatically detect & block these attacks?

    I know it's not an easy problem, but it is a serious one, so I thought I would post here to encourage discussion of potential solutions.
    Hi Noel!

    I always had an urge to post a small tutorial on such network attacks, their workings, mitigation, etc.. but time didn't permit me, until now.. thank you for making me finally write :wink:

    The Internet is growing at a very rapid pace. Networks have become interconnected & the intrusion tools have become advanced, which means that the security of your machine depends more on the security of other computers than on your own. It's a fact that vulnerabilities on the Internet can put governments, businesses, & individual users at risk. No one could have imagined that the Internet would grow to become the huge, complex, & dynamic structure of interconnected networks that it is today. The Internet has no clear boundaries & no central command control.

    Security issues are still not well understood & are not given high priority by software developers, network managers, or even end users. Therefore, it is difficult to ensure the integrity, availability, & privacy of information, especially on the Internet. In addition, the Internet is virtual, not physical. This means that it has no geographic status, location, or well-defined boundaries. Conventional rules of physical security are impossible to apply on the Internet. Instead, new technologies & innovative thinking are required to understand the working & the vulnerabilities of the Internet.

    When the Internet was designed, security was not the main concern. The aim of the Internet was to be an open-ended system with distributed control & responsibility. Further, users on the Internet were expected to have mutual trust. But things have not been the same as imagined.

    A DoS attack, short for Denial of Service attack, does exactly what the name suggests: it denies access to a service to the legitimate users of a computer. The general concept of a DoS attack is to flood a server with requests to make it too busy to accept new legitimate requests or to make it respond so slowly as to be rendered effectively unavailable. DoS attacks have become a very dangerous weapon in Internet warfare. A Denial of Service attack can cause a system to deny access to legitimate users without actually invading the victim system or choking its bandwidth. The concept might sound very strange. The explanation lies in the basics of TCP/IP protocols & the way operating systems handle them. Such DoS attacks create many "half-open" connections in the victim server.

    Before coming to the attack, let's first get an overview of how a TCP connection is established between two computers. TCP establishes a connection between two computers using a three-stage mechanism. Suppose that computer X, which has a client program, wants to establish a connection with computer Y, which has a server program.

    The following steps are involved in creating a normal TCP connection:

    1. X ———SYN———> Y
    2. X <———SYN/ACK——— Y
    3. X ———ACK———> Y


    Let me explain each of these steps in detail..

    STEP 1) The client informs the server that it requires a connection by setting the SYN flag to on. The only purpose of the SYN flag is to inform the server about the state of the flag. The client computer also replies to the server that the sequence number field is valid. Therefore, the server must check the SYN & note it. The sequence number field in the TCP header is set to the client's Initial Sequence Number (ISN).

    STEP 2) The server receives this segment & responds back with its own ISN; therefore, the SYN flag is set to on. The server also sends back an acknowledgement (ACK) as a receipt of the client's first segment. The value of this ACK is the client's ISN+1.

    STEP 3) The client receives the acknowledgement (ACK) for its data as well as the server ISN. If these three steps complete successfully, the connection is established & data transfer may begin.

    When a DoS attacker computer initiates Step 1, however, the scenario changes significantly. During Step 2, a space is allocated for the client computer to store the details of the connection. In Step 1, while sending SYN to the server, the attacking computer spoofs its address & sends a request for a connection with a wrong source address. In the second step, the server computer sends the SYN-ACK packet to the wrong address. This wrong address must be a non-existent address; otherwise, the attack will not be effective for reasons I explain later. The server, however, is now in the middle of a nowhere situation. The server is still waiting for the final Step 3 ACK packet, which will never come.

    There is a data structure in the system memory of the server. This data structure describes all those connections that have not yet been approved or disapproved by the server. Each such data structure is of a finite size & occupies space in system memory. Too many half-open connections can fill this space. When this space eventually gets filled, the server will not accept any new connections, resulting in Denial of Service.

    Every server generally has a timeout for each pending connection. This means that after a while, half-open connections will be thrown off the system memory, which also helps the victim computer recover a bit. But a continuously running attack can cause a huge gap in the victim server’s performance. In a multi-server coordinated attack, the victim computer will have more spoofed requests coming in than the ones that are expiring.

    Therefore, the DoS attack results in a server that denies access to legitimate users even without invading the system or choking its bandwidth. The computer might crash or stop responding due to the lack of free space. The force & strength with which a hacker is attacking your computer is not affected by the bandwidth that the hacker is using. The hacker uses the kernel data structures to establish incomplete network connections. As a result, intruders can attack even from a dial-up connection.

    The spoofed address needs to be a non-existent address because if the address exists, the computer that receives the SYN/ACK packet will return an RST packet to the victim computer. We already discussed that in the TCP information fields, the RST field is a flag that carries a connection termination message. When the segment containing the RST field reaches the victim computer, system memory for that address would be freed. If many or all fake addresses are reachable, the effect of the attack will be minimized.

    If the address does not exist, the IP part of the TCP/IP combination will use ICMP to inform TCP that the computer that had generated the initial SYN is unreachable. However, TCP would consider these errors to be momentary & leave their resolution to Internet Protocol. IP will continue to try & reroute the packets until it finally reaches the conclusion that the host actually doesn’t exist. By this time, several more spoofed requests would have reached the server.

    Let's illustrate this: X is the offending computer, Y is the victim server, & Z is a non-existent address that was faked by X. The following sequence of interactions takes place between X, Y, & Z:
    • X sends many connection requests to Y that contain a fake address, Z.
    • Y sends an ACK response to each connection request, but the ACK replies are sent at the Z address. Because Z is a non-existent address, no one actually receives the requests.
    • Y keeps trying to send the packets through alternate routes & finally decides to send the terminate connection request (RST).

    By this time, many more connection requests come from X. Eventually, Y exhausts all available memory to accommodate fake connections. Whenever a connection is timed out & an RST request is sent, more connection requests are sent from X, & Y is paralyzed. The source of the SYN packets is unreachable. Therefore, the location of the system from where the attacks are being originated is unknown. The victim computer has no method to find the true source of the packets because the network forwards packets based on the destination addresses.

    DDOS or Distributed Denial of Service is an advanced version of a DOS (Denial of Service) attack. Like DOS, DDOS also tries to deny important services running on a server by broadcasting packets to the destination server in a way that the destination server cannot handle. The speciality of DDOS is that it launches attacks not from a single network/host like DOS. The DDOS attack will be launched from different dynamic networks which have already been compromised.

    Normally, DDOS consists of 3 parts: the Master, the Slave & at last the Victim. The master is the attack launcher, i.e. the person/machine behind all this. The slave is the network that is being compromised by the Master, & the Victim is the target site/server. The Master informs the compromised machines, so called slaves, to launch an attack on the victim's site/machine. Hence it's also called a coordinated attack.

    A DoS attack can do the following damage:
    • Flood network & block legitimate network traffic.
    • Disrupt communication between two computers & prevent everyone from accessing a service.
    • Prevent an authorized user from accessing a service on the computer.
    • Choke all services on a specific or entire system.

    DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called the Intrusion Phase. It's in the next phase that they install DDOS tools & start attacking the victim's machines/site. This phase is called the Distributed DoS attack phase.

    An attacker tries to choke a service by giving it more tasks than it can handle. For example, if you have a Web server capable of accepting or publishing 5,000 pages per second, a DoS attack might send 50,000 fake requests. This means that many genuine page view requests would be denied permission due to an overloaded server. The server might even stop responding & freeze. Typically, DoS attacks are targeted at easily accessible targets, such as HTTP servers, routers, or network gateways.

    A DoS attack can be used in combination with Trojans to multiply the attack strength. An attacker can arrange a group of Trojan computers to attack the victim. The underlying statement in DoS attacks is that the actual request that is sent to the victim computer by the offender is a common request, but the number of such requests is so high that the server is unable to handle them. Also, the server cannot easily differentiate between attack requests & genuine user requests resulting in Denial of Service.

    A more dangerous aspect of a DoS attack is that the attacker needs to send a very small amount of data. This data gets so amplified by the time it reaches the victim computer that even a high-end bandwidth server cannot handle it. This kind of DoS uses Internet Address spoofing along with other techniques.

    DoS attacks can be precisely targeted at particular services on a network. To make DoS attacks effective, the non-renewable or scarce resources of a computer might be identified & targeted.

    There is no 100% perfect solution for DDoS but we can just prevent it to a certain extent by securing our networks & servers. NO software or measures could handle attacks from multiple servers, say from 500 - 1000 servers all at a time. All that can be done is to take preventive measures.

    How can we prevent or defend ourselves from these attacks?

    Prevention is always better than cure. This is very much true in the case of DDOS too. DDOS happens because of vulnerable software/applications running on machines in a particular network. Attackers use those security holes to compromise the servers in different networks & install the DDOS tools.

    To prevent DDOS in future, follow these steps (for Linux only, I'll post for Windows shortly ):
    1. Setup machine/network keeping security in mind (Implement Good Security policy).
    2. Setup a firewall which does Ingress & Egress Filtering at Gateway(APF/CSF).
    3. Audit network on a regular basis to see if your network is vulnerable to any attacks.
    4. Enforce & Implement Security Measures on all hosts in the network.
    5. Use the Cisco Anomaly Guard Module if you've a data center & can work at router levels.
    6. Go for ProxyShield mitigation system, which is a costly but an effective solution against DDoS.
    7. Implement Sysctl protection against DDOS by enabling IP spoofing protection & turning on Source Address Verification (/etc/sysctl.conf).
    8. Install Mod_security & Mod_dosevasive to work in compliance with the Apache web server.
    9. Install IDS (Intrusion Detection System) on your gateway/hosts to alert you when someone tries to sniff in.
    10. Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications.
    11. Use tools like RKDET, RKHUNTER & CHKROOTKIT to find if any rootkit has already been installed & to locate the affected binaries in the machine, if any.
    12. Use Open Source Tools like NESSUS, NMAP, SAINT, SARA for auditing a network to find its vulnerabilities.

    Here's a simple audit/security checklist:
    • Software Vulnerabilities, use updates, patches.
    • Kernel Upgrades & vulnerabilities.
    • Check for any Trojans.
    • Run chkrootkit.
    • Check ports, both open & active.
    • Check for any hidden processes.
    • Use audit tools to check system.
    • Check logs, especially security ones.
    • Check binaries & RPMS (rkhunter/chkrootkit do this job well).
    • Check for open email relays.
    • Check for malicious cron entries.
    • Check /dev /tmp /var directories.
    • Check whether backups are maintained.
    • Check for unwanted users, groups, etc. on the system.
    • Check for & disable any unneeded services.
    • Locate malicious scripts.
    • Querylog in DNS.
    • Check for the suid scripts & nouser scripts.
    • Check valid scripts in /tmp.
    • Use intrusion detection tools.
    • Check the system performance.
    • Check memory performance (run memtest) & utilisation.

    The best solution to fight DDOS to a certain extent will be to set up load balanced servers for your services. Using these, your services will remain online at any point of time, even during a massive DDoS on the network.

    To conclude this, I'd like to point out a fact that with the development of security services, intruders also are becoming organized, they really are! Intruders discover vulnerabilities within weeks of the release of software. Moreover, intruders prefer to use the open-architecture approach. Highly sophisticated & user-friendly intruder tools are being developed & distributed over the Internet. Even though a user might simply download these tools to experiment with hacking, he or she could inadvertently fall into a trap & become a victim of an attack. Use genuine software/applications purchased from licensed/registered vendors only. Check & ask for patches regularly from such vendors, if they're out in the market, for any known vulnerabilities.

    More importantly, all users should be made security conscious, only then will they understand the importance of security measures. Server owners & users should be made aware of such issues & network attacks which can rise due to bad security measures...

    Be Secure & Be Safe !
    Rock _a.k.a._ Jack Daniel

    Follow eUKhost on Twitter || Join eUKhost Community on Facebook
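The half-open connection table, its timeout, the RST that a reachable forged source sends back, and the SYN-cookie mitigation behind the sysctl step above, as an added tick-by-tick model that is not part of the original post: it counts how many legitimate handshakes complete with and without the mitigation. The backlog size, timeout, per-tick rates and the attacker-first ordering inside a tick are assumptions of the model, not measurements; `net.ipv4.tcp_syncookies` is the real Linux sysctl key.

```python
"""Tick-based model of a TCP listen backlog under a SYN flood (constructed example).

One entry is kept per half-open connection (SYN seen, final ACK missing). Entries
die at their timeout, or earlier when a reachable forged source answers the SYN/ACK
with RST. SYN cookies (net.ipv4.tcp_syncookies=1 in /etc/sysctl.conf on Linux)
answer a full backlog statelessly, so real clients returning the cookie still connect.
"""


class SynBacklog:
    """Half-open (SYN_RECV) table of one listening socket."""

    def __init__(self, capacity, timeout, syn_cookies=False):
        self.capacity = capacity
        self.timeout = timeout        # ticks an entry survives without its ACK
        self.syn_cookies = syn_cookies
        self.pending = {}             # conn_id -> tick at which the entry expires
        self.accepted = self.refused = self.rst_freed = 0

    def expire(self, now):
        """Drop half-open entries whose final ACK never arrived in time."""
        self.pending = {c: exp for c, exp in self.pending.items() if exp > now}

    def syn(self, now, conn_id):
        """Handshake step 1 as seen by the server; returns how it answered."""
        if len(self.pending) < self.capacity:
            self.pending[conn_id] = now + self.timeout   # state held for step 2
            return "stored"
        return "cookie" if self.syn_cookies else "dropped"

    def rst(self, conn_id):
        """A reachable host that never sent the SYN resets the half-open entry."""
        if self.pending.pop(conn_id, None) is not None:
            self.rst_freed += 1

    def ack(self, conn_id, via_cookie):
        """Handshake step 3: the connection completes and leaves the table."""
        if via_cookie or self.pending.pop(conn_id, None) is not None:
            self.accepted += 1


def simulate(ticks, legit_per_tick, spoof_per_tick, spoof_reachable,
             capacity=100, timeout=30, syn_cookies=False):
    """Assumed timing: the attacker's burst lands before the real SYNs in each
    tick (worst case); real clients ACK one tick after their SYN; reachable
    forged sources answer the SYN/ACK with RST one tick later."""
    bl = SynBacklog(capacity, timeout, syn_cookies)
    next_id, peak = 0, 0
    due_rst, due_ack = {}, {}         # tick -> [conn_id] / [(conn_id, via_cookie)]
    for now in range(ticks):
        bl.expire(now)
        for c in due_rst.pop(now, []):
            bl.rst(c)
        for c, via_cookie in due_ack.pop(now, []):
            bl.ack(c, via_cookie)
        for _ in range(spoof_per_tick):       # forged-source SYNs, never ACKed
            next_id += 1
            if bl.syn(now, next_id) == "stored" and spoof_reachable:
                due_rst.setdefault(now + 1, []).append(next_id)
        for _ in range(legit_per_tick):       # real clients
            next_id += 1
            outcome = bl.syn(now, next_id)
            if outcome == "dropped":
                bl.refused += 1
            else:
                due_ack.setdefault(now + 1, []).append((next_id, outcome == "cookie"))
        peak = max(peak, len(bl.pending))
    return {"accepted": bl.accepted, "refused": bl.refused,
            "peak_half_open": peak, "rst_freed": bl.rst_freed}


if __name__ == "__main__":
    for name, kw in [("unreachable sources", {}), ("reachable sources", {"spoof_reachable": True}),
                     ("unreachable + SYN cookies", {"syn_cookies": True})]:
        print(f"{name:26} {simulate(60, 5, 20, **{'spoof_reachable': False, **kw})}")
```

With unreachable forged sources the table fills after a few ticks and every later legitimate SYN is refused; making the forged sources reachable (RST frees the entry) or enabling SYN cookies lets all legitimate clients through.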

    • #3
      Rock,

      Thanks for such a full response. It will take me a while to digest all that - and I've just had a glass or 2 so I'll read in detail tomorrow - but what can I say, just fantastic

      • #4
        Wow, thanks for the info, Rock.

        • #5
          Great post Rock. Thanks.

          Originally posted by Rock:
          More importantly, all users should be made security conscious, only then will they understand the importance of security measures. Server owners & users should be made aware of such issues & network attacks which can rise due to bad security measures...

          Be Secure & Be Safe !
          Should be particularly noted by those who were asking about setting up their own home-based web servers recently.

          Roger

          • #6
            Thanks Jack for an excellent explanation of DoS attacks.
            RsyNc.
            Support Team

            SKYPE: john_rodricks

            • #7
              Originally posted by Noel:
              Rock,

              Thanks for such a full response. It will take me a while to digest all that - and I've just had a glass or 2 so I'll read in detail tomorrow - but what can I say, just fantastic
              Thanks Noel, I'm sure you & others will find it useful :wink:
              Originally posted by HostXNow:
              Wow, thanks for the info, Rock.

              Thanks Chris, I'll post some more this weekend..
              Originally posted by compserv:
              Great post Rock. Thanks.

              Originally posted by Rock:
              More importantly, all users should be made security conscious, only then will they understand the importance of security measures. Server owners & users should be made aware of such issues & network attacks which can rise due to bad security measures...

              Be Secure & Be Safe !
              Should be particularly noted by those who were asking about setting up their own home-based web servers recently.

              Roger
              Rightly said Roger & thanks for your input, I hope this message is passed on to the masses..
              Originally posted by Rsync:
              Thanks Jack for an Excellent explanation on DoS attack.
              You're most welcome John.. You too can post some points, in case I missed any, based on your vast hands on experience in such issues..
              Rock _a.k.a._ Jack Daniel

              • #8
                Originally posted by Noel:
                I've had to contact online chat support quite a lot recently because of web sites loading painfully slowly. It normally turns out to be a DDOS attack and after your op blocks the relevant ips everything goes back to it's normal snappy performance.

                Don't think I'm blaming EukHost for this. But it is becoming an increasingly bad problem.
                Noel, it's certainly not just you. We've lost our site on euKHost for nearly 24 hours now because of a DDOS attack. However, ours has never cleared - it degraded badly yesterday, and eventually disappeared entirely mid-afternoon. Whilst I appreciate by the very nature of such things that you can never 100 percent stop a DDOS attack, I am concerned at how much impact this one has had and the fact that there's yet to be an end in sight to the problem. Don't think we're quite going to hit the 99.95% uptime target this month.

                • #9
                  Originally posted by ytfcbadger:
                  Noel, it's certainly not just you. We've lost our site on euKHost for nearly 24 hours now because of a DDOS attack. However, ours has never cleared - it degraded badly yesterday, and eventually disappeared entirely mid-afternoon. Whilst I appreciate by the very nature of such things that you can never 100 percent stop a DDOS attack, I am concerned at how much impact this one has had and the fact that there's yet to be an end in sight to the problem. Don't think we're quite going to hit the 99.95% uptime target this month.
                  Hi,

                  This has been taken care of & a new IP address has been provided to counter this sort of attack.

                  As I've said earlier, there's very little we can do to counter such threats but we're already doing whatever we can to stop this for now & for the future.

                  Thanks for your understanding..
                  Rock _a.k.a._ Jack Daniel

                  • #10
                    How is everything going? It's been nearly 3 days.

                    • #11
                      Originally posted by fattyspad:
                      How is everything going? It's been nearly 3 days.
                      Hello

                      Kindly provide me your Domain name or the ticket number which you have opened for this issue. I will look into it right away for you.

                      Regards,
                      Ray

                      • #12
                        Originally posted by eUK-Ray:
                        Hello

                        Kindly provide me your Domain name or the ticket number which you have opened for this issue. I will look into it right away for you.

                        Regards,
                        Ray
                        PM sent Thanks eUK-Ray

                        • #13
                          Originally posted by fattyspad:
                          PM sent Thanks eUK-Ray
                          Hello

                          I have replied to your PM with details.

                          Regards
                          Ray

                          • #14
                            So, presumably a server is targeted due to a website hosted on it (not always, but likely), so changing the IP didn't work. Probably because the website leading to the attack motive was also moved to the new IP.
                            Last edited by jhitchcock; 17-10-2010, 12:21.