DDOS

[bcg at struxural.com (Ben Greenfield)]

Before you even jump into iptables, there is a lot of kernel tuning
that you can do to help mitigate DDoS and DoS attacks.

Set timeouts for both connections and translations.

?       /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
should not be more than double tcp_fin_timeout
?       /proc/sys/net/ipv4/netfilter/tcp_fin_timeout should not be greater than 60

This next one is one of my favorites, mostly because of how technical
it is.  It comes straight from Center for Internet Security guidance.

Verify unicast reverse-path forwarding (RPF) is enabled on all
external or high risk interfaces.

?       for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
?             /bin/echo "1" > ${interface}
?       done

What steps have you already taken in iptables?  I'd rather not repeat
anything you've already done.

On Thu, Apr 22, 2010 at 2:29 PM, Karl Bailey
<karlrobertbailey at googlemail.com> wrote:
> We host a UK Government solution that has a VERY strict SLA. A government
> advisory body scheduled the pen test (& defined the scope), the pen test
> company were terrible, doing application specific testing during SLA hours,
> even though they had been told to do it only outside of these hours.
> They were given a 12 hour window on a Sunday to perform (according to the
> scope) destructive testing (which I think is STUPID against LIVE systems),
> the pen test company warned us a few days in advance the exploits they
> planned (all of which were DoS in some way shape or form).
> So yes, they did do DoS ... now I'm no pen tester .. I'm a sys admin with a
> keen interest in the black art of exploitation .. but in all honesty I could
> have done what this company did & produce a report that they did ... it was
> not the best experience in the world & I would not recommend the company to
> anyone .. I dread to think what they charged the UK government .. & I wish I
> could jump on that bandwagon.
> So ... anyone got any clever ideas for iptables to help prevent DDoS rather
> than Just DoS?
> Regards
> Karl
>
> On Thu, Apr 22, 2010 at 4:21 PM, Ben Greenfield <bcg at struxural.com> wrote:
> > Just for clarification, are you saying that on a recent pentest the
> > testers performed DoS attacks? ?Or just that they uncovered potential
> > vulnerabilities that create a greater exposure to DoS attacks?
> >
> > If so, did you know in advance that an active DoS attack would be
> > include as part of the testing scope?
> >
> > It's just not standard operating procedure in my world to perform a
> > DoS on a pentest, and in fact it's extremely taboo.
> >
> > The only time we would ever perform DoS style attacks on a pentest is
> > if the client explicitly asked us to, and those requests are usually
> > just to help do load testing.
> >
> >
> >
> > On Thu, Apr 22, 2010 at 3:37 AM, Karl Bailey
> > <karlrobertbailey at googlemail.com> wrote:
> > > We had a recent pen test that highlighted allot of problems on our
> > > infrastructure with DoS, things like slowaris causing issues, I've been
> > > considering using iptables to limit the number of connections from a
> > > single
> > > IP ... not allot of help with a DDoS, but would have saved us allot of
> > > grief
> > > as the pen testing all came from 3 IP addresses, is there something a
> > > little
> > > cleverererer iptables can do around dropping bad traffic?
> > > Regards
> > > Karl
> > >
> > > On Tue, Apr 20, 2010 at 10:36 PM, Geoff Shukin
> > > <shukin at gsenterprises.biz>
> > > wrote:
> > > > Hi!
> > > >
> > > > I am curious to know what folks are doing to combat the issue of DDOS
> > > > attacks.? I have heard about solutions from Arbor and TopLayer but
> > > > wonder if
> > > > they are effective.? Are there any other suggestions out there in
> > > > PaulDotCom
> > > > land?
> > > >
> > > > We have seen DDOS attacks against one of our websites (using a
> > > > combination
> > > > of ICMP, TCP SYN and UDP flood attacks). Firewall stops the attacks in
> > > > that
> > > > the web servers are ok but the firewall falls over with 100% CPU.
> > > >
> > > > Thanks
> > > >
> > > > Geoff
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > --
> > Benjamin C. Greenfield, CISSP
> >
> > bcg [at] struxural.com
> >
> > Domains and Hosting for Less from Struxural:
> > http://www.struxural.com
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
--
Benjamin C. Greenfield, CISSP

bcg [at] struxural.com

Domains and Hosting for Less from Struxural:
http://www.struxural.com