DDoS and its intrusion detection code

Can anybody provide me with a simple lab environment DDoS attack code along with its intrusion detection system code for linux environment.....

Replies

  • slashfear
    Hi ubaid (Guess that's your name),

    DDoS Attack??? Sounds interesting buddy. I can't give you the code for performing the attack, as the admin of this blog will surely kick me out of this place!!! As it is illegal, all I can do is tell you the preventive measures, like how to detect, stop and prevent these types of attack.

    So let me explain everything, because there are people who don't know what a DDoS attack is.

    What Is A DDoS Attack?

    Simply stated, DDoS (Distributed Denial of Service) is an advanced version of the DoS (Denial of Service) attack. Much like DoS, DDoS also tries to block important services running on a server by flooding the destination server with packets. The specialty of DDoS is that the attacks do not come from a single network or host but from a number of different hosts or networks which have been previously compromised.

    DDoS, like many other attack schemes, can be considered to consist of three participants; we can refer to these as the Master, the Slave, and the Victim. The Master is the initial source of the attack - i.e., the person/machine behind all this (sounds COOL, right?) The Slave is the host or network which was previously compromised by the Master, and the Victim is the target site/server under attack. The Master informs the Slave(s) to launch an attack on the victim's site/machine; since the attack comes from multiple sources at once (note that the Master is usually not involved in this phase), it is called a Distributed (or co-ordinated) attack.


    How Do They Do It?

    DDoS occurs in two phases. In the first phase, the owner of the Master host compromises vulnerable machines in different networks around the world and installs DDoS tools (i.e., programs that will perform the attack once they're triggered.) This is called the Intrusion phase. In the next phase, the Master sends out the triggering information to those compromised hosts, which usually includes the IP to be attacked (conversely, that IP could have been pre-programmed into the tools, and the attack could be time-triggered - e.g., the Code Red virus DDoS against the #-Link-Snipped-# servers.) This is called the Attack phase.


    What Should We Do If We Are Under Attack?

    If your host is one of the Slaves in a DDoS, you will most likely never even be aware of it - unless you carefully examine your logs and watch for untoward network activity. If, on the other hand, you're the Victim, the results will be dramatic and obvious.

    Symptoms (Victim):

    1. Programs run very slowly
    2. Services (e.g., HTTP) fail at a high rate
    3. Large number of connection requests from different networks
    4. User complaints about slow (or no) site access
    5. Machine shows a high CPU load

    If you discover that you're under attack, follow these steps:

    Check if your CPU load is high and you have a large number of HTTP processes running.
    Check the load using the 'w' or the 'uptime' commands:
    Blessen@work >w
     12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57

    Count the number of HTTP processes (it helps to know what your normal count is for comparison; the '[h]ttp' pattern stops grep from counting itself):

    [root@blessen root]# ps aux | grep -i '[h]ttp' | wc -l
    23
    
    Determine the attacking network:
    In a heavily-loaded server, the number of connection may be above 100 - but during a DDoS attack, the number will go even higher. That's when we need to find out, as quickly as possible, which networks are launching these attacks. In a DDoS attack, the individual slave machine doesn't have much importance; it is the network which matters the most, since an attacker could be using any or even all of the machines on a compromised network. Consequently, the network address is of crucial importance.

    Executing the following command will show the IPs arranged in order of established connections:

    bash# netstat -tn | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED" {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
    
    For an average host, if you have more than 30 connections from a single IP, chances are that you're under attack. In normal operation, there is very rarely any reason for that many connection requests from a single IP. Identify these networks for later reporting, perhaps by using the 'whois' command.

    If more than 5 such hosts/IPs connect from the same network, that's a very clear sign of DDoS.


    Block the attacking network
    This can be done by using 'iptables' or 'apf':

    iptables -A INPUT -s <attacking-network/CIDR> -j DROP
    
    If you're running 'apf', simply add these IPs to the '/etc/apf/deny_hosts.rules' file. Continue this elimination process until the attack on the machine is reduced (and hopefully, eventually stopped altogether.) As a follow-up measure, contact the datacenter/NOC responsible for that network to inform them of the compromised systems.

    As a longer-term strategy, once the immediate attack is over (or, if you're smart, you can do it right now 😀), install Portsentry (see the software listed below).


    How can we prevent or defend ourselves from these attacks?

    There is no complete or perfect solution to DDoS. The logic is simple: NO software or countermeasures can stand up to attacks from, say, 100 servers at once. All that can be done is to take preventive measures, and respond quickly and effectively when the attack takes place.

    As it is often said, an ounce of prevention is better than a pound of cure - and this is very true in the case of DDoS. In the introduction, I had mentioned that DDoS often happens because of vulnerable software/applications running on a machine in a particular network. Attackers use those security holes to compromise the hosts and the servers and install the DDoS tools such as 'trin00'.

    To prevent or mitigate future DDoS attacks, follow these steps:

    => Create and implement a good security policy
    => Set up a firewall which does ingress and egress filtering at the gateway (e.g., APF from #-Link-Snipped-#)
    => Use host-based intrusion detection on your gateway/hosts to alert you to port scans and break-in attempts (e.g., AIDE from #-Link-Snipped-#)

    To prevent your network from being used as a slave, follow these steps:

    => Conduct regular audits on each host on the network to find installed DDoS tools and vulnerable applications.
    => Use tools like Rkdet, Rootkit Hunter, or chkrootkit to find if a rootkit has been installed on your system.
    => Perform a general security audit on your systems on a regular basis:
    o Keep your systems up to date to minimize software vulnerabilities (kernel and software upgrades)
    o Check for rootkits
    o Check logs for evidence of port sniffing, etc.
    o Check for hidden processes by comparing the output of 'ps' and 'lsof'.
    o Use auditing tools (i.e., Nessus, SAINT, or SARA)
    o Check system binaries with, e.g., Tripwire to see if they've been changed since your last snapshot
    o Check for open email relays
    o Check for malicious cron entries
    o Check /dev /tmp /var directories for odd files (i.e., '...', wrong permissions/ownership on device files, etc.)
    o Check whether backups are maintained
    o Check for unwanted users and groups (examine /etc/passwd)
    o Check for and disable any unneeded services
    o Check for SUID, SGID, and 'nouser' files on your system with the 'find' command
    o Check the system performance (memory and CPU usage); note the average levels
    => Create a DSE (Dedicated Security Expert) team for your company.
    => Enforce and implement security measures on all hosts in the network. The only hosts that should be allowed on your network are ones that have been vetted by your security admin or DSE (Dedicated Security Expert). All hosts on the network should be checked on a regular basis by your DSE team.
    => Collect your network and host data and analyze them to see what kind of attacks are being run against your networks.
    => Implement Sysctl-based protection. Enable the following in your '/etc/sysctl.conf':

    # Enable IP spoofing protection, turn on Source Address Verification 
    net.ipv4.conf.all.rp_filter = 1 
    
    # Enable TCP SYN Cookie Protection 
    net.ipv4.tcp_syncookies = 1 
    
    Conversely, you could add this code to your '/etc/rc.local':

    for f in /proc/sys/net/ipv4/{conf/*/rp_filter,tcp_syncookies}
    do
        echo 1 > $f
    done 
    
    
    => Install PortSentry to block scanning hosts.
    => Add 'Mod_dosevasive' to your Apache installation. This is an Apache module which performs 'evasive' action in the event of an HTTP DDoS attack or brute force attack.
    => Install the 'Mod_security' module. Since DDoS often targets HTTP (port 80), it's a good idea to have a filtering system for Apache; 'Mod_security' will analyze requests before passing them to the web server.
    => Set up load balancing for your services. In some ways, this is the most powerful network-based defense against DDoS.
    => Create awareness of security issues.


    Don't try DDoS attacks, it's illegal!!!!!!!! ;-)

    - Arvind (Slashfear)
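    The two thresholds in the post above (more than 30 established connections from one IP, and more than 5 such IPs from the same network) are easy to turn into a small detection script. The block below is an added example written for this thread; it is not code from the post or from any of the tools it names. It parses `netstat -nt` style output, counts ESTABLISHED connections to port 80 per foreign IP, groups the noisy IPs into /24 networks, and renders the same `iptables ... -j DROP` rule the post suggests for each network that crosses the second threshold. The sample output it runs on is constructed inline using documentation address ranges (203.0.113.0/24, 192.0.2.0/24, 198.51.100.0/24) and is not a real capture; the /64 grouping for IPv6 is my assumption, since the post only discusses IPv4.

```python
"""Flag likely DDoS sources from netstat output, using the thresholds from the
post: more than 30 established HTTP connections from one IP, and more than
5 such IPs inside one network. Added example, not code from the thread."""
import ipaddress
from collections import Counter, defaultdict

IP_THRESHOLD = 30            # connections from a single IP (post: "more than 30")
HOSTS_PER_NET_THRESHOLD = 5  # flagged IPs within one network (post: "more than 5")


def build_sample():
    """Constructed `netstat -nt` style output (documentation address ranges,
    not a real capture): six hosts in 203.0.113.0/24 with 40 connections each,
    one host in 192.0.2.0/24 with 35, one benign client with 3, plus a
    TIME_WAIT entry, an SSH connection and a LISTEN socket that must be ignored."""
    lines = ["Active Internet connections (w/o servers)",
             "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]

    def conn(remote, port, local="10.0.0.5:80", state="ESTABLISHED"):
        return f"tcp        0      0 {local:<23} {remote}:{port:<17} {state}"

    for host in range(10, 16):                                     # 6 hosts x 40
        lines += [conn(f"203.0.113.{host}", 40000 + i) for i in range(40)]
    lines += [conn("192.0.2.44", 50000 + i) for i in range(35)]    # lone noisy IP
    lines += [conn("198.51.100.7", 51000 + i) for i in range(3)]   # benign client
    lines.append(conn("198.51.100.7", 51100, state="TIME_WAIT"))   # not established
    lines.append(conn("198.51.100.9", 52000, local="10.0.0.5:22")) # not port 80
    lines.append("tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN")
    return "\n".join(lines)


def parse_established(netstat_text, local_port=80):
    """Count ESTABLISHED connections to local_port, keyed by foreign IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue  # header lines, udp and unix sockets
        local, foreign, state = parts[3], parts[4], parts[5]
        if state != "ESTABLISHED" or not local.endswith(f":{local_port}"):
            continue
        ip = foreign.rsplit(":", 1)[0]  # strip the remote port; ::ffff: forms survive
        counts[ip] += 1
    return counts


def flag_sources(counts, ip_threshold=IP_THRESHOLD,
                 net_threshold=HOSTS_PER_NET_THRESHOLD):
    """Apply the post's two rules. Returns (noisy_ips, attacking_nets):
    noisy_ips maps IP -> connection count for IPs above ip_threshold;
    attacking_nets maps CIDR string -> sorted noisy IPs, only for networks
    holding more than net_threshold noisy IPs."""
    noisy_ips = {ip: n for ip, n in counts.items() if n > ip_threshold}
    by_net = defaultdict(set)
    for ip in noisy_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version == 6 and addr.ipv4_mapped:   # ::ffff:a.b.c.d -> a.b.c.d
            addr = addr.ipv4_mapped
        prefix = 24 if addr.version == 4 else 64      # /24 as in the post; /64 assumed for IPv6
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        by_net[str(net)].add(ip)
    attacking_nets = {net: sorted(ips) for net, ips in by_net.items()
                      if len(ips) > net_threshold}
    return noisy_ips, attacking_nets


def block_rules(attacking_nets):
    """Render the iptables DROP rule from the post for each flagged network."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in sorted(attacking_nets)]


if __name__ == "__main__":
    counts = parse_established(build_sample())
    noisy_ips, attacking_nets = flag_sources(counts)
    for ip, n in sorted(noisy_ips.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} connections from {ip}")
    for net, ips in attacking_nets.items():
        print(f"network {net}: {len(ips)} noisy hosts (check with whois before blocking)")
    for rule in block_rules(attacking_nets):
        print(rule)
```

    On a live box you would feed it `netstat -nt` (or the equivalent `ss -tn` output with a small change to the column positions) instead of build_sample(). Note that the lone host at 192.0.2.44 is reported as noisy but its network is not flagged, which matches the post: one busy IP is a warning, several in the same network is the DDoS signature, and the whois step still comes before any DROP rule.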
  • shalini_goel14
    Hey slashfear , Good information shared . Is it possible for you to put some more light on DDoS tools used by Master ?
  • slashfear
    Hi Shalini,

    Yes of course buddy ;-)

    Click on the Link below to see the various tools that are used for DDoS attack (It also has a list of all virus on the web even Trojans and its behaviors):

    #-Link-Snipped-#

    Hope this is what you asked for.... 😉


    -Arvind(slashfear)
  • Saandeep Sreerambatla
    Excellent info Aravind.too good.
  • slashfear
    Thanks ES......;-)
  • shalini_goel14
    slashfear wrote:
    Hi Shalini,
    #-Link-Snipped-#

    Hope this is what you asked for.... 😉

    Oh, so this Master uses these programs and calls them tools. Cool. Thanks for the information slashfear, but don't you think the tools which you gave to me are DoS tools, and this topic was for DDoS? 😀 Correct me if anything wrong asked. 😔
  • slashfear
    shalini_goel14 wrote:
    Oh, so this Master uses these programs and calls them tools. Cool. Thanks for the information slashfear, but don't you think the tools which you gave to me are DoS tools, and this topic was for DDoS? 😀 Correct me if anything wrong asked. 😔

    Hi Shalini,

    Denial of Service (DoS) attack is an attack against any system component that attempts to force that system component to limit, or even halt, normal services.

    Distributed Denial of Service (DDoS) attack is a DoS attack that occurs from more than one source, and/or from more than one location, at the same time. Often, the DDoS attackers are not aware that they are engaging in a DoS attack against a site, and are duped (technically or physically) into joining the attack by a third party.


    So the tools used are the same, but the way is different buddy, got it!! Want any further info? Ask buddy!!! 😉


    -Arvind(slashfear)
