Nazaretyan's blog, a blog about everything …

30 Nov 2009

AntiDDOS or magic shield :)

DDoS: what it means and how to prevent it, read here :)

A botnet is a group of machines infected with a virus (bot) that fetch commands from an admin tool hosted somewhere and do the dirty work.

The most common attack types are SYN flood, HTTP flood and ICMP flood. Here we will try to understand what each attack means and how to prevent it.

1. SYN flood

Most people know how problematic protection against SYN denial of service attacks can be. Several methods, more or less effective, are usually used. In almost every case proper filtering of packets is a viable solution. In addition to creating packet filters, the modification of the TCP/IP stack of a given operating system can be performed by an administrator. This method, the tuning of the TCP/IP stack in various operating systems, will be described in depth in this article. While SYN attacks may not be entirely preventable, tuning the TCP/IP stack will help reduce the impact of SYN attacks while still allowing legitimate client traffic through. It should be noted that some SYN attacks do not always attempt to upset servers, but instead try to consume all of the bandwidth of your Internet connection. This kind of flood is outside the scope of this article, as is the filtering of packets, which has been discussed elsewhere.

What can an administrator do when his servers are under a classic, non-bandwidth flooding SYN attack? One of the most important steps is to enable the operating system's built-in protection mechanisms like SYN cookies or SynAttackProtect. Additionally, in some cases it is worth tuning parameters of the TCP/IP stack. Changing the default values of stack variables can be another layer of protection and help better secure your hosts. In this paper I will concentrate on:

  • Increasing the queue of half-open connections (in the SYN RECEIVED state).
  • Decreasing the time period of keeping a pending connection in the SYN RECEIVED state in the queue. This method is accomplished by decreasing the time of the first packet retransmission and by either decreasing the number of packet retransmissions or by turning off packet retransmissions entirely. The process of packet retransmissions is performed by a server when it doesn't receive an ACK packet from a client. A packet with the ACK flag finalizes the process of the three-way handshake.

Note that an attacker can simply send more packets with the SYN flag set and then the above tasks will not solve the problem. However, we can still increase the likelihood of creating a full connection with legitimate clients by performing the above operations.
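To see why the two knobs above (a bigger backlog, a shorter hold time for half-open entries) matter, here is a small model of the SYN_RECEIVED queue. It is an added example, not code from the original post: the hold time is the sum of the SYN-ACK retransmission waits (doubling after each retransmission, which is how the Linux knob net.ipv4.tcp_synack_retries behaves), and the average number of slots a flood occupies follows from Little's law (entries = arrival rate × time each entry stays). The initial wait of 1 s, the backlog sizes 256 and 2048 and the retry counts are constructed for the illustration; check your own kernel's defaults.

```python
"""Simplified model of the half-open (SYN_RECEIVED) queue under a SYN flood.

Added example, not from the original post. Parameter values below are
constructed for illustration.
"""


def half_open_hold_time(initial_rto: float, retries: int) -> float:
    """Seconds a half-open entry stays queued when the client's ACK never arrives.

    The server sends its SYN-ACK, waits initial_rto, retransmits, and doubles
    the wait after every retransmission. With `retries` retransmissions the
    entry is held for initial_rto * (1 + 2 + 4 + ... + 2**retries).
    """
    return sum(initial_rto * 2 ** i for i in range(retries + 1))


def half_open_occupancy(syn_rate: float, hold_time: float) -> float:
    """Average queue slots held by a stream of SYNs that never complete.

    Little's law: entries in the queue = arrival rate * time each one stays.
    """
    return syn_rate * hold_time


def legit_capacity(backlog: int, syn_rate: float, hold_time: float) -> int:
    """Queue slots left for legitimate clients under a flood of `syn_rate` SYN/s.

    Returns 0 when the flood alone fills (or overfills) the backlog.
    """
    used = half_open_occupancy(syn_rate, hold_time)
    return max(0, int(backlog - used))


def compare_settings(syn_rate: float) -> dict:
    """Compare a stock and a tuned configuration under the same flood rate.

    Both configurations are constructed for the example:
      stock = backlog 256, five SYN-ACK retransmissions, 1 s initial wait (63 s hold)
      tuned = backlog 2048, three SYN-ACK retransmissions, 1 s initial wait (15 s hold)
    """
    stock_hold = half_open_hold_time(initial_rto=1.0, retries=5)
    tuned_hold = half_open_hold_time(initial_rto=1.0, retries=3)
    return {
        "stock": legit_capacity(256, syn_rate, stock_hold),
        "tuned": legit_capacity(2048, syn_rate, tuned_hold),
    }


if __name__ == "__main__":
    # constructed flood rates: a trickle, a modest flood, a heavier one
    for rate in (2, 5, 50):
        print(f"{rate:>3} SYN/s -> slots left for real clients: {compare_settings(rate)}")
```

With these constructed numbers a mere 5 SYN/s keeps more than 256 entries alive in the stock configuration, so the queue is full and real clients are refused, while the tuned configuration still has about 1970 free slots. The model ignores SYN cookies (which remove the queue limit altogether once the backlog fills) and, as the post says, it does nothing against an attacker who simply sends more SYNs.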

What to do in case of an attack?

The tcp_max_syn_backlog variable defines how many half-open connections the backlog queue can hold. For instance, 256 is the total number of half-open connections handled in memory by Red Hat Linux 7.3. The TCP/IP stack variables can be configured with sysctl or standard Unix commands. The following example shows how to change the default size of the backlog queue with the sysctl command:

# sysctl -w net.ipv4.tcp_max_syn_backlog="2048" 

And one more step at the system level, with iptables:

IPTABLES=/sbin/iptables
SYN_OPTIONS="-m limit --limit 12/second --limit-burst 24"
# LOG_FLOOD: log a sample of the excess SYNs, then drop them
$IPTABLES -N LOG_FLOOD
$IPTABLES -A LOG_FLOOD -m limit --limit 6/minute -j LOG --log-prefix "SYN flood: "
$IPTABLES -A LOG_FLOOD -j DROP
# FLOOD: SYNs within 12/s (burst 24) RETURN to the caller, the rest go to LOG_FLOOD
$IPTABLES -N FLOOD
$IPTABLES -A FLOOD $SYN_OPTIONS -j RETURN
$IPTABLES -A FLOOD -j LOG_FLOOD
# call it from another chain like this (here IN_TCP, hooked into INPUT)
$IPTABLES -N IN_TCP
$IPTABLES -A IN_TCP -p tcp --syn -j FLOOD
$IPTABLES -A INPUT -p tcp -j IN_TCP

2. HTTP GET flood

The most common attack used to overload a server.

There are a few methods, depending on what you are using on the server side.

1. The antiddos script provided by Russian programmers: http://klavasoft.com/antiddos. The site is completely in Russian, that's why I will try to translate.

a. It works on a LAMP (Linux, Apache, MySQL, PHP) system and will not work on WAMP (Windows, Apache, MySQL, PHP).

b. Download http://klavasoft.com/codefiles/ksantiddos30.zip and extract it in the root of the DDoSed virtual host.

c. Add some configuration to your index.php (and to all other PHP files that run the site), or just make an empty index.php containing the configuration and include it from every other file that runs. (This script is running now on nazaretyan.com; to try it, refresh any of the blog pages 4 times within 10 seconds and you will be banned for 30 seconds :)

2. Check your Apache logs and find out exactly which URL of your domain is under DDoS. You can then put an HTML file (with a JavaScript redirect) at that URL. It will not stop the DDoS, but most bots do not follow JavaScript redirects, which means they will just fetch a blank page, reducing the load on your web server.
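The two ideas in this section, finding the flooded URL in the Apache logs and the "4 requests in 10 seconds, banned for 30 seconds" rule of the antiddos script, can both be tried offline on a log file. The example below is added here and is not the klavasoft script nor any code from the original post: it parses Apache combined-format lines, lists the most requested paths, and replays the log through a sliding-window limiter that bans an IP on its 4th request within 10 s for 30 s (the limit, window and ban length are parameters, so the same code checks other settings). The log lines are constructed; the path /index.php?p=12 and the addresses are made up for the demonstration.

```python
"""Find the URL under HTTP GET flood and the source IPs that trip a
"4 requests in 10 seconds -> 30 second ban" rule, from Apache access logs.

Added example, not part of the original post and not the klavasoft script;
it re-implements the ban behaviour the post describes on top of a log
parser. The log lines below are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


class Entry(NamedTuple):
    ip: str
    ts: datetime
    path: str


def parse_log(lines):
    """Parse combined-format lines into Entry records; unparsable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append(Entry(m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["path"]))
    return entries


def top_paths(entries, n=3):
    """Most requested paths first: the flooded URL normally sits at the top."""
    return Counter(e.path for e in entries).most_common(n)


def simulate_bans(entries, limit=4, window=10.0, ban_seconds=30.0):
    """Replay the log through the ban rule.

    The `limit`-th request from one IP inside `window` seconds bans that IP for
    `ban_seconds`. Returns (bans, blocked): bans is a list of (ip, iso_time) in
    the order the bans were issued, blocked counts requests refused while banned.
    """
    recent = defaultdict(deque)   # ip -> times of served requests inside the window
    banned_until = {}
    bans, blocked = [], Counter()
    for e in sorted(entries, key=lambda e: e.ts):
        if e.ip in banned_until:
            if e.ts < banned_until[e.ip]:
                blocked[e.ip] += 1
                continue
            del banned_until[e.ip]               # ban expired, start counting again
        q = recent[e.ip]
        q.append(e.ts)
        while (e.ts - q[0]).total_seconds() > window:
            q.popleft()                          # slide the window forward
        if len(q) >= limit:
            banned_until[e.ip] = e.ts + timedelta(seconds=ban_seconds)
            bans.append((e.ip, e.ts.isoformat()))
            q.clear()
    return bans, dict(blocked)


def _line(ip, hms, path):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [30/Nov/2009:{hms} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [  # constructed: one real visitor and two bots hammering one URL
    _line("203.0.113.5", "12:00:01", "/index.php"),
    _line("203.0.113.5", "12:00:20", "/about.html"),
    _line("203.0.113.5", "12:00:45", "/index.php"),
] + [
    _line("198.51.100.7", f"12:00:{s:02d}", "/index.php?p=12")
    for s in (2, 3, 4, 5, 6, 10, 40, 41, 42, 43)
] + [
    _line("198.51.100.8", f"12:00:{s:02d}", "/index.php?p=12")
    for s in (2, 3, 4, 30)
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("top paths:", top_paths(entries))
    bans, blocked = simulate_bans(entries)
    print("bans:", bans)
    print("requests refused while banned:", blocked)
```

On the constructed log, 198.51.100.7 is banned at 12:00:05 (4th hit in 10 s), has two requests refused during the ban, and is banned again at 12:00:43 once the ban has expired; 198.51.100.8 stops at three hits and is never banned, and the real visitor is untouched. With real logs, run top_paths first to pick the URL to serve the blank redirect page from, and use simulate_bans to check that a proposed limit and window would not have banned your normal visitors before enabling it.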

3. ICMP flood

The first thing you need to do is DROP ICMP packets on the firewall (ask your DC if you do not have access to your hardware firewall), or drop them at the Linux level via iptables, ipfw or another firewall.

Afterwards you can just grep all incoming dropped ICMP via tcpdump and add null routes for them on your AC :) .. boring but helpful.
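The "grep the dropped ICMP in tcpdump and null-route the sources" step can be scripted. The example below is added here and is not code from the original post: it assumes the capture was taken with `tcpdump -n icmp` (numeric addresses), so every ICMP line has the shape "<time> IP <src> > <dst>: ICMP echo request, id ..., seq ..., length ...", counts echo requests per source, keeps the sources above a threshold and returns the matching Linux `ip route add blackhole` commands as strings for review rather than running them. The capture lines and addresses are constructed.

```python
"""Pick out the heaviest ICMP echo-request sources from tcpdump output and
produce the null-route commands for them.

Added example, not from the original post. Assumes `tcpdump -n icmp` style
lines; the capture below is constructed.
"""
import re
from collections import Counter

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP (?P<kind>[^,]+),"
)


def echo_request_sources(lines):
    """Count ICMP echo requests per source address; replies and non-ICMP lines are ignored."""
    counts = Counter()
    for line in lines:
        m = ICMP_RE.match(line)
        if m and m["kind"] == "echo request":
            counts[m["src"]] += 1
    return counts


def flood_sources(lines, threshold):
    """Sources that sent at least `threshold` echo requests in the capture, heaviest first."""
    return [(src, n) for src, n in echo_request_sources(lines).most_common() if n >= threshold]


def blackhole_commands(sources):
    """Linux null-route commands for the given (src, count) pairs; returned, not executed."""
    return [f"ip route add blackhole {src}/32" for src, _ in sources]


SAMPLE_CAPTURE = [  # constructed `tcpdump -n icmp` output
    "12:00:01.000101 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 1472",
    "12:00:01.000203 IP 198.51.100.8 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 1472",
    "12:00:01.000310 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 2, length 1472",
    "12:00:01.000412 IP 203.0.113.99 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000500 IP 203.0.113.10 > 203.0.113.99: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:01.000521 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 3, length 1472",
    "12:00:01.000600 IP 203.0.113.44.51514 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000633 IP 198.51.100.8 > 203.0.113.10: ICMP echo request, id 1, seq 2, length 1472",
    "12:00:01.000741 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 4, length 1472",
    "12:00:01.000852 IP 198.51.100.8 > 203.0.113.10: ICMP echo request, id 1, seq 3, length 1472",
    "12:00:01.000963 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 5, length 1472",
]

if __name__ == "__main__":
    for cmd in blackhole_commands(flood_sources(SAMPLE_CAPTURE, threshold=3)):
        print(cmd)
```

Two caveats when using this for real: a null route on the victim host only stops replies, the flood still arrives on the wire, so the drop has to happen upstream (at the DC, as the post says) to save bandwidth; and ICMP sources are trivially spoofed, so review the list rather than feeding it blindly into the routing table.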

For more information regarding DDoS and how to prevent it, you can ask here or go directly to my Skype: mnazaretyan

regards

Moushegh

Comments (2) Trackbacks (0)
  1. Hello, I found this "AntiDDOS or magic shield :) | Nazaretyan's blog" entry very interesting and so we have included a reference to it in my blog site. Continue the great work :) All the best, Rob Rasner Magic Show

  2. How to prevent an ICMPv6 flood using a script?

