Protection against UDP flood. Flooding is the simplest and most common way to carry out DDoS attacks


Your morning begins with reading bug reports and analyzing logs. You update
the software daily and the firewall rules hourly. Snort is your best friend,
and Zabbix is an invisible assistant. You have built a real bastion that
cannot be reached from any side. But! You are completely defenseless against
the most insidious and sneaky attack in the world: DDoS.

It is hard to say when the term DoS attack first appeared. Experts point to
about 1996, while noting that this type of attack only "reached" the general
public in 1999, when the websites of Amazon, Yahoo, CNN and eBay were hit one
after another. Even earlier, the DoS effect was used to test the stability of
systems and communication channels. But if you dig deeper and use the term DoS
for the phenomenon itself, it becomes clear that it has always existed, since
the days of the first mainframes. It just began to be used as a means of
intimidation much later.

In simple terms, a DoS attack is malicious activity aimed at bringing a
computer system into a state in which it can no longer serve legitimate users
or correctly perform the functions assigned to it. The "denial of service"
state usually results from errors in the software or from excessive load on
the network channel or on the system as a whole. As a result, the software, or
the entire operating system of the machine, "falls over" or ends up in a
"looped" state. And this threatens downtime, loss of visitors/customers and
financial losses.

Anatomy of DoS attacks

DoS attacks are divided into local and remote. Local ones include various
exploits, fork bombs and programs that open a million files or run some cyclic
algorithm that eats up memory and CPU resources. We will not dwell on all
this. But let's take a closer look at remote DoS attacks. They are divided
into two types:

  1. Remote exploitation of errors in software in order to render it
    inoperable.
  2. Flood - sending a huge number of meaningless (less commonly, meaningful)
    packets. The target of a flood can be the communication channel or the
    resources of the machine. In the first case, the packet stream occupies
    the entire channel bandwidth and does not give the attacked machine the
    ability to process legitimate requests. In the second, machine resources
    are consumed through repeated and very frequent access to some service
    that performs a complex, resource-intensive operation. This could be, for
    example, a long call to one of the active components (a script) of the
    web server. The server spends all the machine's resources on processing
    the attacker's requests, and users have to wait.

In the traditional version (one attacker - one victim) only the first type of
attack remains effective today. Classic flooding is useless, simply because
with today's server channel widths, levels of computing power and the
widespread use of various anti-DoS techniques in software (for example, a
delay when the same client repeats the same action), the attacker turns into
an annoying mosquito, unable to inflict any damage. But if there are hundreds,
thousands or even hundreds of thousands of these mosquitoes, they will easily
bring the server to its knees. The crowd is a terrible force not only in life,
but also in the computer world. A Distributed Denial of Service (DDoS) attack,
usually carried out using many zombified hosts, can cut off even the most
resilient server from the outside world, and the only effective protection is
a distributed system of servers (but this is far from affordable for everyone;
hello, Google).

Fighting methods

The danger of most DDoS attacks lies in their absolute transparency and
"normality". After all, an error in software can always be corrected, but
complete exhaustion of resources is an almost everyday occurrence. Many
administrators run into it when machine resources (or channel width) become
insufficient, or when a website is hit by the slashdot effect (twitter.com
became unavailable a few minutes after the first news of Michael Jackson's
death). And if you cut traffic and resources for everyone, you will be saved
from DDoS, but you will lose a good half of your clients.

There is virtually no way out of this situation, but the consequences of DDoS
attacks and their effectiveness can be significantly reduced by properly
tuning the router and firewall and by continuously analyzing anomalies in
network traffic. In the next part of the article we will consider, in order:

  • methods for recognizing an incipient DDoS attack;
  • methods to combat specific types of DDoS attacks;
  • universal tips that will help you prepare for a DoS attack and
    reduce its effectiveness.

At the very end, we will answer the question: what to do when a DDoS attack
has begun.

Fighting flood attacks

So, there are two types of DoS/DDoS attacks, and the most common one is based
on the idea of flooding, that is, overwhelming the victim with a huge number
of packets. There are different floods: ICMP flood, SYN flood, UDP flood and
HTTP flood. Modern DoS bots can use all of these types of attacks
simultaneously, so you should take care in advance of adequate protection
against each of them.

1. ICMP flood.

A very primitive method of clogging up bandwidth and loading the network stack
by monotonously sending ICMP ECHO requests (ping). Easily detected by
analyzing traffic flows in both directions: during an ICMP flood, they are
almost identical. An almost painless way to protect yourself is to disable
responses to ICMP ECHO requests:

# sysctl net.ipv4.icmp_echo_ignore_all=1

Or using a firewall:

# iptables -A INPUT -p icmp --icmp-type 8 -j DROP

2. SYN flood.

One of the common ways not only to clog a communication channel, but also to
bring the operating system's network stack to a state where it can no longer
accept new connection requests. It is based on attempting to initiate a large
number of simultaneous TCP connections by sending SYN packets with a
non-existent return address. After several attempts to send the reply
(SYN-ACK) packet to the unreachable address, most operating systems keep the
unconfirmed connection in a queue, and only after the nth attempt is the
connection closed. Because the stream of such packets is very large, the queue
soon fills up, and the kernel refuses attempts to open a new connection. The
smartest DoS bots also analyze the system before launching an attack in order
to send requests only to open, vital ports. It is easy to identify such an
attack: just try connecting to one of the services. Defensive measures
usually include:

Increasing the queue of "half-open" TCP connections:

# sysctl -w net.ipv4.tcp_max_syn_backlog=1024

Reducing the holding time of "half-open" connections:

# sysctl -w net.ipv4.tcp_synack_retries=1

Enabling the TCP syncookies mechanism:

# sysctl -w net.ipv4.tcp_syncookies=1

Limiting the maximum number of "half-open" connections from one IP to a
specific port (the old iplimit match is now called connlimit):

# iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j DROP
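An added example (not from the article) of how the two sysctls above, the backlog size and the SYN-ACK retry count, work together against a stream of spoofed SYNs. It assumes that Linux retransmits an unanswered SYN-ACK after 1 s and doubles the timeout on each retry; the rates and backlog values passed in are illustrative.

```shell
#!/bin/sh
# Added example, not part of the article. Assumption: an unanswered SYN-ACK
# is retransmitted after 1 s with the timeout doubling each time, so one
# half-open entry holds a backlog slot for 1 + 2 + ... + 2^retries seconds,
# i.e. 2^(retries+1) - 1 seconds.

# Seconds a half-open connection stays queued for a given
# net.ipv4.tcp_synack_retries value ($1).
hold_seconds() {
    echo $(( (1 << ($1 + 1)) - 1 ))
}

# Backlog slots a steady stream of $1 spoofed SYN/s keeps occupied when
# each entry lives for hold_seconds($2).
slots_occupied() {
    echo $(( $1 * $(hold_seconds "$2") ))
}

# "full" when a stream of $2 SYN/s at $3 retries exhausts a backlog of
# $1 slots (net.ipv4.tcp_max_syn_backlog); from then on new connections
# are refused unless syncookies take over. "ok" otherwise.
backlog_status() {
    backlog=$1; rate=$2; retries=$3
    if [ "$(slots_occupied "$rate" "$retries")" -gt "$backlog" ]; then
        echo full
    else
        echo ok
    fi
}

# Largest spoofed-SYN rate (packets/s) a backlog of $1 slots absorbs at
# $2 retries: the backlog divided by the hold time.
max_rate() {
    echo $(( $1 / $(hold_seconds "$2") ))
}

# With the article's values: 1024 slots and 1 retry absorb up to 341 SYN/s,
# while the default 5 retries would fall over at only 17 SYN/s.
```

Lowering tcp_synack_retries shrinks the hold time exponentially, which is why it buys far more than a linear increase of the backlog.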

3. UDP flood.

A typical method of swamping bandwidth. It is based on endlessly sending UDP
packets to the ports of various UDP services. Easily dealt with by cutting
such services off from the outside world and setting a limit on the number of
connections per unit of time from one address to the DNS server on the
gateway side:

# iptables -I INPUT -p udp --dport 53 -m connlimit --connlimit-above 1 -j DROP

4. HTTP flood.

One of the most common flooding methods today. It is based on endlessly
sending HTTP GET requests to port 80 in order to load the web server so that
it is unable to process any other requests. Often the target of the flood is
not the root of the web server, but one of the scripts that perform
resource-intensive tasks or work with a database. In any case, an abnormally
rapid growth of the web server logs will serve as an indicator that an attack
has begun.

Methods to combat HTTP flood include tuning the web server and database in
order to reduce the effect of the attack, as well as screening out DoS bots
using various techniques. First, you should increase the maximum number of
simultaneous connections to the database. Secondly, install the light and
efficient nginx in front of the Apache web server: it will cache requests and
serve static data. This solution is from the "must have" list; it will not
only reduce the effect of DoS attacks, but also allow the server to withstand
huge loads. A small example:

# vi /etc/nginx/nginx.conf
# Increase the maximum number of open files per worker process
worker_rlimit_nofile 80000;
events {
    # Increase the maximum number of connections per worker
    worker_connections 65536;
    # Use the efficient epoll method to handle connections
    use epoll;
}
http {
    gzip off;
    # Close keep-alive connections immediately
    keepalive_timeout 0;
    # Do not reveal the nginx version in response headers
    server_tokens off;
    # Reset the connection instead of waiting on timeout
    reset_timedout_connection on;
    # log_format is only valid in the http context
    log_format IP $remote_addr;
    # Standard settings for working as a proxy
    server {
        listen 111.111.111.111 default_server deferred;
        server_name host.com www.host.com;
        location / {
            proxy_pass http://127.0.0.1/;
        }
        location ~* \.(jpeg|jpg|gif|png|css|js|pdf|txt|tar)$ {
            root /home/www/host.com/httpdocs;
        }
    }
}

If necessary, you can use the nginx module ngx_http_limit_req_module, which
limits the number of requests from one address
(http://sysoev.ru/nginx/docs/http/ngx_http_limit_req_module.html).
Resource-intensive scripts can be protected from bots using delays, "Click
me" buttons, setting cookies and other techniques aimed at checking
"humanity".

To avoid ending up in a hopeless situation during a DDoS storm, the systems
must be carefully prepared for it in advance:

  1. All servers with direct access to the external network must be
    prepared for a simple and fast remote reboot (sshd will save the father
    of Russian democracy). Having a second, administrative network interface
    through which you can reach the server if the main channel is clogged
    will be a big plus.
  2. The software used on the server must always be up to date. All holes
    patched, updates installed (advice as simple as it is widely ignored).
    This will protect you from DoS attacks that exploit bugs in services.
  3. All listening network services intended for administrative use must be
    hidden behind a firewall from anyone who should not have access to them.
    Then the attacker will not be able to use them for DoS attacks or brute
    force.
  4. On the approaches to the server (the nearest router), a traffic analysis
    system must be installed (NetFlow to the rescue), which will allow you to
    learn about an incoming attack in time and take timely measures against
    it.

Add the following lines to /etc/sysctl.conf:

# vi /etc/sysctl.conf
# Anti-spoofing protection (reverse path filtering)
net.ipv4.conf.default.rp_filter = 1
# Check an idle TCP connection every minute. If there is a legitimate
# machine on the other side, it will answer immediately. The default is
# 2 hours.
net.ipv4.tcp_keepalive_time = 60
# Retry the probe after ten seconds
net.ipv4.tcp_keepalive_intvl = 10
# Number of failed probes before closing the connection
net.ipv4.tcp_keepalive_probes = 5

It should be noted that all the techniques given in the previous and this
section are aimed at reducing the effectiveness of DDoS attacks that try to
use up the machine's resources. Protecting yourself from floods that clog the
channel with garbage is practically impossible, and the only correct, but not
always feasible, way to fight is to "deprive the attack of meaning". If you
have at your disposal a truly wide channel that will easily pass the traffic
of a small botnet, consider your server protected from 90% of attacks. There
is a more sophisticated method of protection. It is based on a distributed
organization of the computer network, which includes many redundant servers
connected to different main channels. When computing power or channel
capacity runs out, all new clients are redirected to another server (or are
gradually "spread" across servers on the round-robin principle). This is an
incredibly expensive, but very stable structure, which is almost impossible
to fill up.

Another more or less effective solution is to purchase the expensive hardware
systems Cisco Traffic Anomaly Detector and Cisco Guard. Working together,
they can suppress an incoming attack, but, like most other solutions based on
learning and state analysis, they do fail. Therefore, think carefully before
extorting tens of thousands of dollars from your bosses for such protection.

It seems to have begun. What to do?

Right before the start of the attack, the bots "warm up", gradually increasing
the flow of packets to the attacked machine. It is important to seize the
moment and start taking active measures. Constant monitoring of the router
connected to the external network (analysis of NetFlow graphs) will help with
this. On the victim server, you can detect the beginning of an attack with
improvised means.

The presence of SYN flood is easily established - by counting the number of "half-open"
TCP connections:

# netstat -na | grep ":80 " | grep -E 'SYN_RECV|SYN_RCVD'

In a normal situation there should be none at all (or very few: at most 1-3).
If this is not the case, you are under attack; immediately proceed to dropping
the attackers.

HTTP flooding is a bit more complicated. First you need to count the number
of Apache processes and the number of connections on port 80 (HTTP flood):

# ps aux | grep '[h]ttpd' | wc -l
# netstat -na | grep ":80 " | wc -l

Values several times higher than the statistical average give grounds for
concern. Next you should view the list of IP addresses from which connection
requests are coming:

# netstat -na | grep ":80 " | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | less

It is impossible to identify a DoS attack unambiguously; you can only confirm
your suspicions if one address is repeated too many times in the list (and
even then, this may indicate visitors behind NAT). Additional confirmation
would be packet analysis using tcpdump:

# tcpdump -n -i eth0 -s 0 -w output.pcap dst port 80 and host <server IP>

An indicator is a large flow of monotonous packets (containing no useful
information) from different IPs directed to the same port/service (for
example, the root of the web server or a specific CGI script).

Having finally made up your mind, start dropping unwanted visitors by IP
address (it will be much more effective if you do this on a router):

# iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port http -j DROP

Or directly by subnet:

# iptables -A INPUT -s xxx.xxx.0.0/16 -p tcp --destination-port http -j DROP
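The counting and blocking steps above, as an added example that is not part of the original article: it runs the same checks (half-open count, sockets per port, sources sorted by count) over a constructed `netstat -na` sample so it works offline, and only prints the resulting DROP rules instead of applying them. The sample addresses and the per-source threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the Linux netstat column
# layout (Proto Recv-Q Send-Q Local Foreign State) and IPv4 sockets.

# Constructed sample of `netstat -na` output, not a real capture;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51238      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp        0      0 10.0.0.5:22             198.51.100.7:40003      ESTABLISHED
tcp        0      0 10.0.0.5:8080           203.0.113.10:51300      SYN_RECV'

# TCP sockets whose local port is $1, excluding the listener itself.
# On a live system replace `printf ... "$SAMPLE"` with `netstat -na`.
port_sockets() {
    printf '%s\n' "$SAMPLE" | awk -v port="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN"'
}

# Half-open connections on port $1; the article expects 0-3 when calm.
count_half_open() {
    port_sockets "$1" | awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# All non-listening sockets on port $1 (the second HTTP flood check).
count_port() {
    port_sockets "$1" | awk 'END { print NR }'
}

# "count address" per remote address on port $1, busiest first. The
# remote port is stripped so all sockets of one client are counted
# together, which the raw `sort | uniq -c` on whole lines would miss.
sources_by_count() {
    port_sockets "$1" | awk '{ ip = $5; sub(/:[^:]*$/, "", ip); c[ip]++ }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# Remote addresses holding more than $2 sockets on port $1.
offenders() {
    sources_by_count "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Print (do not apply) the article's DROP rule for each offender. Pipe the
# output into sh only after ruling out a NAT gateway behind the address.
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        echo "iptables -A INPUT -s $ip -p tcp --destination-port $1 -j DROP"
    done
}

# On the sample: count_half_open 80 -> 3, offenders 80 3 -> 203.0.113.10
```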

This will give you some head start (a very small one; often the source IP
address is spoofed), which you must use to contact your provider/hoster (with
the logs of the web server, kernel and firewall and the list of IP addresses
you have identified). Most of them, of course, will ignore this message (and
hosting companies that charge for traffic will even be happy: a DoS attack
brings them profit) or will simply shut down your server. But in any case
this must be done, because effective DDoS protection is possible only on the
main channels. Alone you can handle small attacks aimed at depleting server
resources, but you will find yourself defenseless against a more or less
serious DDoS.

Fighting DDoS in FreeBSD

Reduce the time the kernel waits for the reply to a SYN-ACK (protection from
SYN flood):

# sysctl net.inet.tcp.msl=7500

Turn the server into a black hole. This way the kernel will not send response
packets to connection attempts on unused ports (reduces the load on the
machine during a DDoS on random ports):

# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1

We limit the number of responses to ICMP messages to 50 per second (protection from
ICMP flood):

# sysctl net.inet.icmp.icmplim=50

We increase the maximum number of connections to the server (protection from all
types of DDoS):

# sysctl kern.ipc.somaxconn=32768

Enable DEVICE_POLLING - the kernel polls the network driver itself under high
load (significantly reduces the load on the system during a DDoS):

  1. We rebuild the kernel with the option "options DEVICE_POLLING";
  2. Activate the polling mechanism: "sysctl kern.polling.enable=1";
  3. Add the entry "kern.polling.enable=1" to /etc/sysctl.conf.

Naive Internet

In their heyday, DoS attacks were a real disaster for servers and ordinary
workstations. A website could easily be taken down by a single host carrying
out a Smurf-type attack. Workstations running Windows fell like dominoes
under attacks such as Ping of Death, Land and WinNuke. Today there is no need
to fear any of this.

Largest botnets

  • - 400 thousand computers.
  • - 315 thousand computers.
  • Bobax - 185 thousand computers.
  • Rustock - 150 thousand computers.
  • Storm - 100 thousand computers.
  • Psybot - 100 thousand ADSL routers based on Linux.
  • BBC botnet - 22 thousand computers, created by the BBC.

Mark on history

1997 - DDoS attack on the Microsoft website. One day of silence.
1999 - the websites of Yahoo, CNN, eBay and others were "out of range".
October 2002 - attack on the Internet's root DNS servers. For a while, 7 of
the 13 servers were disabled.
February 21, 2003 - DDoS attack on LiveJournal.com. For two days the service
was paralyzed, only occasionally showing signs of life.

INFO

Round-robin - a load-balancing algorithm for a distributed computing system
that cycles through its elements in a circular order.

The fundamental concepts of cyber security are availability, integrity and confidentiality. Denial of Service (DoS) attacks affect the availability of information resources. A denial of service is considered successful if it leads to the unavailability of an information resource. The difference between the success of an attack and its impact on the target resources is that the impact causes damage to the victim. For example, if an online store is attacked, a prolonged denial of service can cause financial losses to the company. In each specific case, DoS activity can either directly cause harm or create a threat and a potential risk of loss.

The first D in DDoS means distributed: a distributed denial of service attack. In this case, we are talking about a huge mass of malicious requests arriving at the victim's server from many different places. Typically, such attacks are organized through botnets.

In this article, we will take a closer look at what types of DDoS traffic and what types of DDoS attacks exist. For each type of attack, brief recommendations for prevention and recovery will be given.

Types of DDoS traffic

The simplest type of traffic is HTTP requests. With the help of such requests, for example, any visitor communicates with your site through a browser. The basis of the request is the HTTP header.

HTTP header. HTTP headers are fields that describe what kind of resource is being requested, such as a URL, a form or a JPEG. HTTP headers also inform the web server what type of browser is being used. The most common HTTP headers are Accept, Accept-Language and User-Agent.

The requester can use as many headers as they like, giving them the desired properties. DDoS attackers can modify these and many other HTTP headers, making them difficult to detect. In addition, HTTP headers can be written in such a way as to control caching and proxy services. For example, you can instruct the proxy server not to cache information.

HTTP GET

  • HTTP(S) GET request is a method that requests information from the server. This request may ask the server to pass some file, image, page or script in order to display it in the browser.
  • HTTP(S) GET flood is a DDoS attack method at the application layer (7) of the OSI model, in which the attacker sends a powerful stream of requests to the server in order to overwhelm its resources. As a result, the server cannot respond not only to the attacker's requests, but also to requests from real clients.

HTTP POST

  • HTTP(S) POST request is a method in which data is placed in the body of the request for subsequent processing on the server. An HTTP POST request encodes the transmitted information, places it in a form and then sends this content to the server. This method is used when it is necessary to transfer large amounts of information or files.
  • HTTP(S) POST flood is a type of DDoS attack in which the number of POST requests overwhelms the server to the point that it is unable to respond to all requests. This can lead to exceptionally high system resource usage, which in turn can lead to a server crash.

Each of the HTTP requests described above can be transmitted over the secure protocol HTTPS. In this case, all data sent between the client (attacker) and the server is encrypted. It turns out that "security" here plays into the hands of attackers: in order to identify a malicious request, the server must first decrypt it. That is, it has to decrypt the entire stream of requests, of which there are a great many during a DDoS attack. This creates additional load on the victim server.

A SYN flood (TCP/SYN) establishes half-open connections with the host. When the victim receives a SYN packet on an open port, it must respond with a SYN-ACK packet and establish a connection. After this, the initiator sends a response with an ACK packet to the recipient. This process is conventionally called a handshake. However, during a SYN flood attack, the handshake cannot be completed because the attacker does not respond to the SYN-ACK of the victim server. Such connections remain half-open until the timeout expires, the connection queue becomes full, and new clients are unable to connect to the server.

UDP floods are most often used for bandwidth-saturating DDoS attacks because of their sessionless nature, as well as the ease of creating protocol 17 (UDP) messages in various programming languages.

ICMP flood. The Internet Control Message Protocol (ICMP) is used primarily for error messages and is not used for data transmission. ICMP packets can accompany TCP packets when connecting to a server. ICMP flood is a DDoS attack method at layer 3 of the OSI model, using ICMP messages to overload the network channel of the target.

MAC flood - a rare type of attack in which the attacker sends multiple empty Ethernet frames with different MAC addresses. Network switches consider each MAC address separately and, as a result, reserve resources for each of them. When all the memory on the switch is used up, it either stops responding or shuts down. On some types of routers, a MAC flood attack can cause entire routing tables to be deleted, thereby disrupting the entire network.

Classification and goals of DDoS attacks by OSI levels

The Internet uses the OSI model. In total there are 7 layers in the model, covering all communication media: from the physical medium (layer 1) to the application layer (layer 7), at which programs "communicate" with each other.

DDoS attacks are possible at each of the seven layers. Let's take a closer look at them.

OSI Layer 7: Application

What to do: Application monitoring - systematic monitoring of the software that uses a specific set of algorithms, technologies and approaches (depending on the platform the software runs on) to identify 0-day application vulnerabilities (layer 7 attacks). Once such attacks are identified, they can be stopped once and for all and their source traced. This is done most simply at this layer.

OSI Layer 6: Presentation

What to do: To mitigate the damage, consider measures such as distributing the SSL encryption infrastructure (i.e., hosting SSL on a separate server, if possible) and inspecting application traffic for attacks or policy violations on the application platform. A good platform will ensure that traffic is encrypted and sent back to the originating infrastructure, with the decrypted content residing in the secure memory of a hardened bastion node.

OSI Layer 5: Session

What to do: Keep your hardware firmware up to date to reduce the risk of a threat.

OSI Layer 4: Transport

What to do: Filtering DDoS traffic, known as blackholing, is a method often used by providers to protect customers (we use this method ourselves). However, this approach makes the client's site inaccessible to both malicious and legitimate user traffic. Nevertheless, providers use access blocking to combat DDoS attacks in order to protect customers from threats such as network equipment slowdowns and service failures.

OSI Layer 3: Network

What to do: Limit the number of ICMP requests processed and reduce the possible impact of this traffic on the speed of the firewall and on Internet bandwidth.

OSI Layer 2: Data link

What to do: Many modern switches can be configured so that the number of MAC addresses is limited to trusted ones that pass authentication, authorization and accounting checks on the server (AAA protocol), with the rest filtered out.

OSI Layer 1: Physical

What to do: Use a systematic approach to monitoring the performance of physical network equipment.

Mitigation of large-scale DoS/DDoS attacks

Although an attack is possible at any layer, attacks at layers 3-4 and 7 of the OSI model are especially popular.

  • DDoS attacks at layers 3 and 4 - infrastructure attacks - are attacks that use a large volume of data (a flood) at the network and transport layers in order to slow down the web server and "fill" the channel, and ultimately prevent other users from accessing the resource. These attacks typically include ICMP, SYN and UDP floods.
  • A DDoS attack at layer 7 is an attack that overloads specific elements of the application server infrastructure. Layer 7 attacks are particularly sophisticated, hidden and difficult to detect due to their similarity to legitimate web traffic. Even the simplest layer 7 attacks, such as attempting to log in with an arbitrary username and password or repeating arbitrary searches on dynamic web pages, can critically load the CPU and databases. DDoS attackers can also repeatedly change the signatures of layer 7 attacks, making them even more difficult to recognize and eliminate.

Some actions and equipment to mitigate attacks:

  • Firewalls with dynamic packet inspection
  • Dynamic SYN proxy mechanisms
  • Limiting the number of SYNs per second for each IP address
  • Limiting the number of SYNs per second for each remote IP address
  • Installing ICMP flood screens on a firewall
  • Installing UDP flood screens on a firewall
  • Limiting the speed of routers adjacent to firewalls and networks

11.11.2012

A flood means a huge flow of data in the form of messages sent for posting on various forums and chats. From a technical point of view, a flood is one of the most common types of computer attack, and its purpose is to send such a number of requests that the server hardware is forced into a denial of service for its users. If the attack on computer equipment is carried out from a large number of computers, then you are dealing with .

There are several types of DDoS flood attacks, the main ones are listed below:

  • SYN-ACK flood
  • HTTP flood
  • ICMP flood
  • UDP flood

SYN-ACK flood

SYN-ACK flood - one of the types of network attacks, based on sending a huge number of SYN requests per unit of time. The result is the disabling of a service whose operation is based on the TCP protocol. First, the client sends the server a packet containing a SYN flag, the presence of which indicates the client's desire to establish a connection. The server, in turn, sends a response packet. In addition to the SYN flag, it also contains an ACK flag, which tells the client that the request has been accepted and that confirmation of the connection establishment is expected from the client. The client responds with a packet carrying an ACK flag, indicating a successful connection. The server stores all "connection" requests from clients in a queue of a certain size. Requests are kept in the queue until the ACK flag is returned from the client. A SYN attack is based on sending the server packets from a non-existent source in numbers exceeding the queue size. The server simply cannot get a response to the packet sent to the fictitious address. The queue does not shrink and the service ceases to function.

HTTP flood

HTTP flood - applies when the service works with a database. The attack is aimed either at the web server or at a script working with the database. A huge number of GET requests are sent to port 80 so that the web server cannot pay due attention to requests of other types. Log files grow in size, and working with the database becomes impossible.

ICMP flood

ICMP flood - a simple way of reducing throughput and increasing the load on the stack by sending identical ICMP PING requests. It is dangerous if little attention is paid to firewalls, since a server that responds to endless ECHO requests is doomed. So if incoming and outgoing traffic are about equal, just write the rules in iptables.

UDP flood

UDP flood - another way to clog bandwidth, based on a protocol that does not require synchronization before sending data. The attack comes down to simply sending a packet to the server's UDP port. After receiving the packet, the server begins to process it intensively. The client then sends UDP packets with incorrect content one after another. As a result, the ports stop functioning and the system crashes.

Basically, determining the type of DDoS attack often does not take much time. It is enough to know a few signs. If the size of the log files has increased significantly, you are dealing with an HTTP flood. If access to the service is limited as a result of exceeding the permissible number of connections, this is a SYN-ACK flood. If outgoing and incoming traffic are approximately equal, you are dealing with an ICMP flood. The main thing is not to forget about maintaining the security of your server against DDoS and to pay due attention to it. The best thing is to take care of






