PaulDotCom mailing list archives
DDOS
From: bcg at struxural.com (Ben Greenfield)
Date: Thu, 22 Apr 2010 17:04:28 -0400
Before you even jump into iptables, there is a lot of kernel tuning that you can do to help mitigate DDoS and DoS attacks.

Set timeouts for both connections and translations.

  - /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established should not be more than double tcp_fin_timeout
  - /proc/sys/net/ipv4/netfilter/tcp_fin_timeout should not be greater than 60

This next one is one of my favorites, mostly because of how technical it is. It comes straight from Center for Internet Security guidance. Verify unicast reverse-path forwarding (RPF) is enabled on all external or high risk interfaces.

    for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
        /bin/echo "1" > ${interface}
    done

What steps have you already taken in iptables? I'd rather not repeat anything you've already done.

On Thu, Apr 22, 2010 at 2:29 PM, Karl Bailey <karlrobertbailey at googlemail.com> wrote:
We host a UK Government solution that has a VERY strict SLA. A government advisory body scheduled the pen test (& defined the scope); the pen test company were terrible, doing application-specific testing during SLA hours, even though they had been told to do it only outside of these hours. They were given a 12 hour window on a Sunday to perform (according to the scope) destructive testing (which I think is STUPID against LIVE systems); the pen test company warned us a few days in advance of the exploits they planned (all of which were DoS in some way, shape or form).

So yes, they did do DoS ... now I'm no pen tester .. I'm a sys admin with a keen interest in the black art of exploitation .. but in all honesty I could have done what this company did & produced the report that they did ... it was not the best experience in the world & I would not recommend the company to anyone .. I dread to think what they charged the UK government .. & I wish I could jump on that bandwagon.

So ... anyone got any clever ideas for iptables to help prevent DDoS rather than just DoS?

Regards
Karl

On Thu, Apr 22, 2010 at 4:21 PM, Ben Greenfield <bcg at struxural.com> wrote:

Just for clarification, are you saying that on a recent pentest the testers performed DoS attacks? Or just that they uncovered potential vulnerabilities that create a greater exposure to DoS attacks? If so, did you know in advance that an active DoS attack would be included as part of the testing scope? It's just not standard operating procedure in my world to perform a DoS on a pentest, and in fact it's extremely taboo. The only time we would ever perform DoS style attacks on a pentest is if the client explicitly asked us to, and those requests are usually just to help do load testing.
On Thu, Apr 22, 2010 at 3:37 AM, Karl Bailey <karlrobertbailey at googlemail.com> wrote:

We had a recent pen test that highlighted a lot of problems on our infrastructure with DoS, things like Slowloris causing issues. I've been considering using iptables to limit the number of connections from a single IP ... not a lot of help with a DDoS, but it would have saved us a lot of grief as the pen testing all came from 3 IP addresses. Is there something a little cleverererer iptables can do around dropping bad traffic?

Regards
Karl

On Tue, Apr 20, 2010 at 10:36 PM, Geoff Shukin <shukin at gsenterprises.biz> wrote:

Hi! I am curious to know what folks are doing to combat the issue of DDOS attacks. I have heard about solutions from Arbor and TopLayer but wonder if they are effective. Are there any other suggestions out there in PaulDotCom land? We have seen DDOS attacks against one of our websites (using a combination of ICMP, TCP SYN and UDP flood attacks). The firewall stops the attacks in that the web servers are ok, but the firewall falls over with 100% CPU.

Thanks
Geoff

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
Benjamin C. Greenfield, CISSP
bcg [at] struxural.com
Domains and Hosting for Less from Struxural: http://www.struxural.com
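The three kernel settings Ben lists at the top of the thread can be audited before anything is written to /proc. The script below is an added example, not code from the thread or from PaulDotCom: it reads the conntrack timeouts and every interface's rp_filter value and reports which of his rules fail. The PROC_ROOT override and the fallback sysctl paths are my additions; the post names only the legacy /proc/sys/net/ipv4/netfilter/ paths.

```shell
#!/bin/sh
# Constructed audit script (not from the thread): read-only checks of the three
# settings Ben names. PROC_ROOT defaults to /proc/sys; point it at a constructed
# directory tree to run the checks offline.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }  # digits only

# check_timeouts ESTABLISHED FIN (seconds): true when both rules from the post
# hold, established <= 2 * fin and fin <= 60
check_timeouts() {
    is_uint "$1" && is_uint "$2" || return 1
    [ "$2" -le 60 ] && [ "$1" -le $((2 * $2)) ]
}

# check_rp_filter CONF_DIR: true when every CONF_DIR/*/rp_filter is 1 (strict
# reverse-path filtering); prints each interface that is not
check_rp_filter() {
    rc=0
    for f in "$1"/*/rp_filter; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" != "1" ]; then
            echo "rp_filter not strict: $f = $v"
            rc=1
        fi
    done
    return $rc
}

# audit: read live values under PROC_ROOT and run both checks. The post's
# conntrack path is the legacy one; current kernels expose it under
# net/netfilter/ and tcp_fin_timeout under net/ipv4/, so both are tried.
audit() {
    est=""; fin=""; status=0
    for p in net/ipv4/netfilter/ip_conntrack_tcp_timeout_established \
             net/netfilter/nf_conntrack_tcp_timeout_established; do
        [ -r "$PROC_ROOT/$p" ] && est=$(cat "$PROC_ROOT/$p") && break
    done
    for p in net/ipv4/netfilter/tcp_fin_timeout net/ipv4/tcp_fin_timeout; do
        [ -r "$PROC_ROOT/$p" ] && fin=$(cat "$PROC_ROOT/$p") && break
    done
    if ! is_uint "$est" || ! is_uint "$fin"; then
        echo "timeouts: conntrack sysctls not readable, check skipped"
    elif ! check_timeouts "$est" "$fin"; then
        echo "timeouts: established=$est fin=$fin break the rule"; status=1
    fi
    check_rp_filter "$PROC_ROOT/net/ipv4/conf" || status=1
    return $status
}
audit || echo "audit: one or more checks failed" >&2
```

Run it on the host (the conntrack sysctls are usually root-readable only) or with PROC_ROOT pointed at a copied tree; it only reports and never writes the values.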