Protecting your server from attacks

OK, I think this is going to be the new series.  I have just spent my past 7 days, blocking from attacks, and dropping notes here.

What are server attacks, aka denial of service (DOS)?

It’s basically, creating lots of server request from forged IP and making servers busy with these fake traffics then cause real traffics to jam. And here are how.

How to prevent it?

There are few ways to prevent it, but if you are working with large scale service and getting heavy hits, then I recommend investing some $ in hardware appliances and optimize.

  1. Application front end hardware.

You can check vendors like below;

https://www.arbornetworks.com/
http://www-03.ibm.com/security/xforce/resources.html
https://www.lancope.com/
they provide network system where they monitor and study incoming traffic and block before getting to the firewall.
Application level Key Completion Indicators
In order to meet the case of application level DDoS attacks against Cloud based applications, approaches may be based on an application layer analysis, to indicate whether an incoming traffic bulk is legitimate or not and thus enable the triggering of elasticity decisions without the economical implications of a DDoS attack. These approaches mainly rely on an identified path of value inside the application and monitor the macroscopic progress of the requests in this path, towards the final generation of profit, through markers denoted as Key Completion Indicators
checking into this now…
Blackholing and sinkholing
With blackholing, all the traffic to the attacked DNS or IP address is sent to a “black hole” (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP.
Sinkholing routes traffic to a valid IP address which analyzes traffic and rejects bad packets. Sinkholing is not efficient for most severe attacks.
 checking into this now…
DDS based defense
More focused on the problem than IPS, a DoS Defense System (DDS) can block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods).
Firewalls
At firewall level, you can choose which port is open and closed.  I suggest close all unused ports to avoid all unwanted access. But this isn’t perfect, most of attacks probably come from open ports…
IPS based prevention
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.
An ASIC based IPS may detect and block denial-of-service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.
A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has optional features that can reduce the impact of flooding.
Switche
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN Link failover and balancing.
These schemes will work as long as the DoS attacks can be prevented by using them. For example, SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using bogon filtering. Automatic rate filtering can work as long as set rate-thresholds have been set correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.
Upstream filtering
All traffic is passed through a “cleaning center” or a “scrubbing center” via various methods such as proxies, tunnels or even direct circuits, which separates “bad” traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service unless they happen to be located within the same facility as the “cleaning center” or “scrubbing center”.
MS Azure also provide Azure Security Center which helps you to detect attack and prevent it. This is definitely 7 minutes worthy video to watch.

How to find who did it?

Well, unless the attacker is very amateur.. it is not easy to find who is doing it, as the attacker is hidden behind all nodes.

You can see many of current DDOS at http://map.norsecorp.com/#/

Looks like west coast gets lot of attacks..

スクリーンショット_042816_034347_PM


For people who is doing it.  It is illegal to attack in many countries.  If you are doing it for fun, you shouldn’t, you will be in big pain when you get caught.  If you are doing it for revenge of some kinds, you are better off talking to that person or company direct, or just find some other legal ways to do it.  If you are doing it for money, that’s definitely not cool and you should stop.

 

Leave a Reply