Real story: A DoS attack on a website

Source: Internet
Author: User
Tags: echo 7, time 0, ossim

I. Event background

Long holidays are a short period of rest for IT staff, but IT systems cannot stop. The longer the holiday, the more likely a big problem appears; the following is a case of a DoS attack.

Just after the Spring Festival holiday, the web server at Xiao Li's company failed. At 1 o'clock in the afternoon, after returning from lunch, Xiao Li habitually checked the web server. The web server's traffic monitoring system showed a red curve heading downward, and at the same time an alarm e-mail arrived, so he inferred that something was wrong with the server.

Given this, Xiao Li immediately began checking the web server log, trying to find clues about what had caused the interruption.

While he was looking for clues, the department manager told Xiao Li that he had received a telephone complaint from a customer who could not access their site.

Nothing suspicious was found in the web server log, so Xiao Li next went carefully through the firewall logs and router logs. He printed the records from the period when the server had problems, filtered out normal traffic, and kept the suspicious records.

Table 1 shows the printed results.

Table 1  Firewall log statistics

Source IP        Destination IP   Source Port  Destination Port  Protocol
172.16.45.2      192.168.0.175    7843         7                 17
10.18.18.18      192.168.0.175    +            7                 17
10.168.45.3      192.168.0.175    34511        7                 17
10.18.18.18      192.168.0.175    19           7                 17
192.168.89.111   192.168.0.175    1783         7                 17
10.18.18.18      192.168.0.175    19           7                 17
10.231.76.8      192.168.0.175    29589        7                 17
192.168.15.12    192.168.0.175    17330        7                 17
10.18.18.18      192.168.0.175    19           7                 17
172.16.43.131    192.168.0.175    8935         7                 17
10.23.67.9       192.168.0.175    22387        7                 17
10.18.18.18      192.168.0.175    19           7                 17
192.168.57.2     192.168.0.175    6588         7                 17
172.16.87.11     192.168.0.175    21453        7                 17
10.18.18.18      192.168.0.175    19           7                 17
10.34.67.89      192.168.0.175    45987        7                 17
10.65.34.54      192.168.0.175    65212        7                 17
192.168.25.6     192.168.0.175    52967        7                 17
172.16.56.15     192.168.0.175    8745         7                 17
10.18.18.18      192.168.0.175    19           7                 17

(Protocol number 17 is UDP.)

He did the same with the router log and printed the records that looked unusual. Table 5-1 shows the router log records, after normalization, from the time the site was under attack.

To get more information, Xiao Li then looked at the NetFlow summary statistics on the router.

To have a reference, he also printed the cached data he had saved in the weeks before the web server failure (this data shows the normal state).

In the normal router statistics, the two lines under the heading "IP packet size distribution" show the percentage of packets falling into each size range. There, only 2% of packets are between 33 and 64 bytes in size.

Note that the number of visits to the site plummeted; the drop was very obvious. During this time nobody could visit his web server. Xiao Li started to study what had happened and how to fix the fault as soon as possible.

II. Questions

1. What happened to Xiao Li's web server? What are the possible types of attack?

2. Assuming the source addresses are not spoofed, how can Xiao Li track down the attacker?

3. Assuming the source addresses are spoofed, how does he track the attacker?

III. Event inference

What kind of attack did Xiao Li's web server suffer? The attack was carried out by continuously sending UDP packets to the echo port (port 7). It appears to have originated from two locations, possibly two attackers using different tools at the same time.

In any case, overload traffic can drag down the web server. However, the source of the attack is not certain: it is not known whether the attack source itself is distributed, or whether a single real address is spoofing many different fake IP addresses. This makes the problem harder to reason about.

If the source IP addresses are not spoofed, Xiao Li can consult ARIN (the American Registry for Internet Numbers) and find out from its "Whois" database which network the intruding IP address belongs to. He could then simply contact that network's administrator for further information; a DoS attack, however, is unlikely to be that simple.

If the source address is spoofed, tracing the attacker is much more troublesome. On a Cisco router, you also need to query the NetFlow cache.

To trace a spoofed address, you must query the NetFlow cache on each router to determine which interface the traffic enters, and then trace back hop by hop through these router interfaces until the source of the IP address is found.

However, this is very difficult to do. There may be many routers between the web server and the attacker's originating PC, belonging to different organizations. Moreover, the analysis must be done while the attack is in progress.

Without the involvement of the judicial authorities, finding the source is very difficult.

After analysis, linking the firewall logs with the information in the router log revealed some interesting similarities, marked in bold in Table 5-1. The target of the attack is obviously the web server (192.168.0.175, UDP port 7). This looks very much like a denial-of-service attack (though not yet certain, because the attack's source IP addresses are randomly distributed). The addresses appear random, with only one source address fixed, and its source port number never changes. This is very interesting. He then focused on the router log.

He found that at the time of the attack there were a large number of 64-byte packets in the router log, while the web server logs showed no problem. He also found a large number of "udp-other" packets in the router log when the incident occurred, while the web server logs were all normal. This behavior is consistent with a UDP-based denial-of-service attack.
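The reasoning above (many random sources, one fixed source and source port, all aimed at UDP port 7) can be automated over the firewall log. The following is an added example, not code from the original article; the log sample is constructed in the column order of Table 1, and the function and field names are my own.

```python
# Added example (not from the original article): classify the firewall log
# from Table 1 to show why it points to a UDP flood against the echo port.
from collections import Counter

# Constructed sample in the same column order as Table 1:
# src_ip dst_ip src_port dst_port protocol (17 = UDP, 6 = TCP).
FIREWALL_LOG = """\
172.16.45.2 192.168.0.175 7843 7 17
10.18.18.18 192.168.0.175 19 7 17
10.168.45.3 192.168.0.175 34511 7 17
10.18.18.18 192.168.0.175 19 7 17
192.168.89.111 192.168.0.175 1783 7 17
10.231.76.8 192.168.0.175 29589 7 17
10.18.18.18 192.168.0.175 19 7 17
192.168.15.12 192.168.0.175 80 80 6
"""

def parse_log(text):
    """Return one dict per record; skips blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        src, dst, sport, dport, proto = fields
        records.append({"src": src, "dst": dst, "sport": int(sport),
                        "dport": int(dport), "proto": int(proto)})
    return records

def echo_flood_report(records, victim, min_sources=3):
    """Summarise UDP traffic to victim:7 the way the article reasons about it.

    - distinct_sources: many different source addresses suggests spoofing or
      a distributed attack;
    - fixed_sources: (src, sport) pairs seen repeatedly with the same source
      port, like 10.18.18.18:19 in Table 1 (port 19 is the chargen service;
      the article itself only notes that the port never changes).
    """
    udp_echo = [r for r in records
                if r["dst"] == victim and r["proto"] == 17 and r["dport"] == 7]
    sources = Counter(r["src"] for r in udp_echo)
    pairs = Counter((r["src"], r["sport"]) for r in udp_echo)
    fixed = {f"{s}:{p}": n for (s, p), n in pairs.items() if n > 1}
    return {
        "udp_echo_packets": len(udp_echo),
        "distinct_sources": len(sources),
        "fixed_sources": fixed,
        "likely_udp_echo_flood": len(udp_echo) > 0 and len(sources) >= min_sources,
    }

if __name__ == "__main__":
    report = echo_flood_report(parse_log(FIREWALL_LOG), "192.168.0.175")
    for key, value in report.items():
        print(f"{key}: {value}")
```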

At this point, if the attacker is flooding the web server's echo port (port 7) with a large number of small UDP packets, Xiao Li's next task is to stop the attack. First, Xiao Li blocked the attack at the router by quickly setting a filtering rule there. Because the source addresses are random, it is very difficult to block the attack by restricting one address or a range of addresses. Therefore, it was decided to drop all UDP packets sent to 192.168.0.175.

This costs the server some functionality, such as DNS, but at least allows the web server to work properly.

A temporary access control list (ACL) against the DoS attack was first applied on the router, as follows:

access-list 121 remark Temporary block DoS attack on Web server 192.168.0.175
access-list 121 deny udp any host 192.168.0.175
access-list 121 permit ip any any

This reduces the burden on the web server, but the attack traffic still reaches the network, so network performance is reduced to some extent.

The next step is to contact the upstream bandwidth provider and ask them to temporarily block all inbound UDP traffic to port 7 at Xiao Li's site; this significantly reduces the traffic from the network to the server.

IV. Countermeasures

There is no panacea for preventing and mitigating such bandwidth-based DoS attacks. Essentially, this is a "thick pipe defeats thin pipe" attack: attackers can command a great deal of other bandwidth, and sometimes a huge amount of bandwidth can overwhelm a network whose own bandwidth is insufficient. In such a case, prevention and mitigation should complement each other.

There are many ways to make an attack harder to carry out, or to reduce its impact when it occurs, such as the following:

Ingress filtering at the network edge. The network service provider should set up ingress filtering on its downstream networks to prevent spoofed packets from entering the network.

This prevents the attacker from spoofing IP addresses, which makes tracking easier. Filtering out traffic the network does not need is never wrong. This also prevents DoS attacks, but to be effective these filters should be placed as far upstream as possible.

Network traffic rate limiting. Some routers can enforce a maximum traffic rate. These limits strengthen the bandwidth policy by allowing a given type of network traffic only a limited share of bandwidth. This measure can also blunt an attack that is already in progress.

Intrusion detection systems and host monitoring tools. An IDS can alert the network administrator to the timing of an attack and the attack tools used, which helps to stop the attack. A host monitoring tool can warn the administrator if a DoS tool appears on the system.

Unicast RPF (Reverse Path Forwarding), a feature that relies on CEF (Cisco Express Forwarding), checks packets received on an interface. If the CEF table has no route to the source IP address that is consistent with the interface on which the packet was received, the router drops the packet. The beauty of uRPF is that it blocks all attacks that spoof the source IP address.

1) Detecting DoS attacks

Combined analysis with a host monitoring system and an IDS can find problems very quickly, for example with the EtherApe tool (an open-source connectivity monitoring tool); Sniffer Pro and web analytics tools give the same results. A sniffer displays the network connection situation in real time; under a DoS attack, the dense wiring in its display and the IP addresses involved let you determine the type of attack initially. Then flow monitoring software in the OSSIM system, such as ntop, and the IDS can be used for careful inference. The latter two are explained in detail in the book "Unix/Linux Network Log Analysis and Traffic Monitoring". The quickest way is the command line; enter the following command:

# netstat -an | grep SYN_RECV | wc -l

The result shows that there are a large number of TCP synchronization packets on the network while very few TCP connections are successfully established. According to the TCP three-way handshake, this is certainly not a normal phenomenon, and the network certainly has a problem. Further verification is needed: if the value is very high, such as reaching the thousands, it is very likely an attack, as shown in Figure 1.

Figure 1: OSSIM detecting a DoS attack

In Figure 1, Snort in the OSSIM system detects a DoS attack and graphically displays a large amount of alarm information. For example, when a site is under a DoS attack, we count the number of connections in the "SYN_RECV" state with the following command:

# netstat -na | grep SYN_RECV | wc -l

1989

Such a large number, together with the graph above, lets us infer that the site is under a DoS attack.

Tip: the following shell command shows which IP has the most connections.

# netstat -nta | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

1 192.168.150.10

2 192.168.150.20

...

1987 192.168.150.200

The information given by this command is more specific: column 5 of the netstat output is the foreign address, so the list shows how many connections each remote IP holds.

The value reaches 1989, nearly 2000, which clearly indicates a DoS attack. Decoding the packets with Wireshark reveals more: all current communication uses TCP, and looking at the TCP flags, all packets sent have SYN set to 1, i.e. they are TCP synchronization requests, and they tend to point at the same IP address. This verifies the inference above: the host is under a DoS attack, and the attack mode is a SYN flood.
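The netstat/grep/wc check above can be scripted so that the total SYN_RECV count and the per-source breakdown come from one pass over the output. This is an added example, not code from the original article; the netstat output is constructed, and the thresholds and function names are my own assumptions.

```python
# Added example (not from the original article): count SYN_RECV half-open
# connections per remote address from `netstat -an` output, as the article's
# netstat|grep|wc pipeline does, but also handling IPv6 addresses, which the
# `cut -d: -f1` step would truncate.
from collections import Counter

# Constructed sample of `netstat -an` output (Linux column layout).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.175:80        192.168.150.200:40001   SYN_RECV
tcp        0      0 192.168.0.175:80        192.168.150.200:40002   SYN_RECV
tcp        0      0 192.168.0.175:80        192.168.150.200:40003   SYN_RECV
tcp        0      0 192.168.0.175:80        192.168.150.10:51000    SYN_RECV
tcp        0      0 192.168.0.175:80        192.168.150.20:52000    ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::175:80        2001:db8::bad:1:6000    SYN_RECV
"""

def remote_ip(addr):
    """Strip the port from 'ip:port'; rsplit keeps IPv6 colons intact."""
    return addr.rsplit(":", 1)[0]

def syn_recv_by_source(netstat_text):
    """Return (total SYN_RECV entries, Counter of SYN_RECV per remote IP)."""
    per_ip = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows: proto recv-q send-q local foreign state
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "SYN_RECV":
            per_ip[remote_ip(fields[4])] += 1
    return sum(per_ip.values()), per_ip

def flag_syn_flood(netstat_text, total_threshold=1000, per_ip_threshold=5):
    """Mirror the article's rule of thumb: thousands of SYN_RECV entries in
    total, or one remote address holding many, indicate a SYN flood.
    Thresholds are assumed values; tune them to the host's normal load."""
    total, per_ip = syn_recv_by_source(netstat_text)
    suspects = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    return {"total_syn_recv": total,
            "flood_suspected": total >= total_threshold or bool(suspects),
            "suspects": suspects}

if __name__ == "__main__":
    total, per_ip = syn_recv_by_source(NETSTAT_OUTPUT)
    print(f"SYN_RECV total: {total}")
    for ip, n in per_ip.most_common():
        print(f"{n:6d} {ip}")
    print(flag_syn_flood(NETSTAT_OUTPUT, per_ip_threshold=3))
```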

V. Troubleshooting

1. Xiao Li's server was under a DoS attack, carried out by continuously sending small UDP packets to port 7.

The attack appears to originate from two locations, and it is likely that two attackers used different tools.

A large data flow can quickly drag down the web server. The difficulty is that the attack source is not certain: whether the attack sources themselves are distributed, or one address is masquerading as many different IP addresses, cannot be determined.

2. If the address is not spoofed, Xiao Li queries ARIN and finds out from its whois database which network the intruding IP address belongs to.

3. If the IP address is spoofed, tracking is more troublesome: you need to query the NetFlow data on each router to determine which interfaces the traffic enters and leaves, and then query hop by hop back through these router interfaces until the originating IP address is found. However, this involves multiple ASes (autonomous systems). Even finding the attack source domestically often involves a great many operators as well as the judicial authorities, so the work and the time it takes are extended. If cross-border tracing is involved, it is more complicated still. The hardest part is being able to do accurate analysis during the attack; once the attack is over, all that remains is to query the log system.

Looking at the actual case above, we also learn that many DoS attacks are very difficult to deal with: the requests made by the compromised hosts are entirely legal and standard-conforming, just too numerous. We were able to first block ICMP echo requests on the router with the appropriate ACLs, and enable TCP intercept:

Router(config)# ip tcp intercept list 101
Router(config)# ip tcp intercept max-incomplete high 3500
Router(config)# ip tcp intercept max-incomplete low 3000
Router(config)# ip tcp intercept one-minute high 2500
Router(config)# ip tcp intercept one-minute low 2000
Router(config)# access-list 101 permit tcp any any

If context-based access control (CBAC) is available, its timeout and threshold settings can be used to handle SYN floods and UDP garbage floods.

For example:

Router(config)# ip inspect tcp synwait-time 20
Router(config)# ip inspect tcp idle-time 60
Router(config)# ip inspect udp idle-time 20
Router(config)# ip inspect max-incomplete high 400
Router(config)# ip inspect max-incomplete low 300
Router(config)# ip inspect one-minute high 600
Router(config)# ip inspect one-minute low 500
Router(config)# ip inspect tcp max-incomplete host <number> block-time 0

Warning: it is not recommended to use the TCP intercept and CBAC defenses at the same time, as this may overload the router.

Turning on Cisco Express Forwarding (CEF) helps the router defend against floods of packets with random source addresses. The scheduler can also be set so that the router's CPU is not fully overloaded under a flood:

Router(config)# scheduler allocate 3000 1000

After this configuration, IOS spends 3 seconds processing network interface interrupt requests and then 1 second running other tasks. On older systems you may have to use the command scheduler interval <milliseconds>.

Another way is to use iptables to block the DoS sources with a script:

#!/bin/bash
# Count SYN_RECV connections per remote IP (netstat column 5 is the foreign
# address, "ip:port") and record every IP with 5 or more in /tmp/dropip.
netstat -an | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | awk '{if ($1 >= 5) print $2}' > /tmp/dropip
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -s "$i" -j DROP
    echo "$i kill at $(date)" >> /var/log/ddos
done

The script counts the IPs in the SYN_RECV state, and for any whose count reaches 5, writes a DROP rule into the iptables INPUT chain.

VI. Case summary

DoS/DDoS attacks must be taken seriously regardless of whether they are launched as a larger-scale attack or for some other purpose. The main way to prevent such attacks is to apply the vendor's patches in time.

At the same time, close vulnerable services or restrict access with access control lists.

Regular DoS attacks, and DDoS attacks in particular, are harder to guard against. If the entire bandwidth is exhausted by a ping flood, there is very little we can do.

For a DoS attack, first analyze its mode: is it a traffic attack such as an ICMP flood, UDP flood or SYN flood, or something like a TCP flood or CC attack? Then look for a relatively effective response strategy. Several approaches are available:

1) Use "honeynet" protection to improve the first-hand analysis of, and response to, attack tools and malicious samples.

Deploy honeynet devices at scale to track botnet activity and capture malicious code.

Deploy website execution monitoring equipment; strengthen the monitoring of web page trojans, redirect mechanisms and domain name resolution to cut off the main infection paths of malicious code.

Use sandbox technology and various unpacking technologies in automated malicious-code analysis equipment to strengthen research on new malicious code and improve its timeliness.

2) The Apache DoS protection strategy provided by the OSSIM system can be used for monitoring.

3) Leverage new technology platforms such as cloud computing and virtualization to improve the efficiency of detecting and defending against new attacks, especially application-layer attacks and low-rate attacks. Foreign scholars have begun to research HTTP GET flood detection algorithms on the Hadoop platform.

4) Use an IP reputation mechanism.

Introduce a reputation mechanism into all aspects of information security protection to improve the efficiency and accuracy of protection: for example, give applications and documents a security credibility rating to guide users' download behavior, and publish authoritative IP reputation information to guide security equipment to proactively generate protection policies; see section 2.1 of "Unix/Linux Network Log Analysis and Traffic Monitoring".

5) The passive strategy of purchasing large bandwidth can also effectively mitigate the threat of DDoS attacks.

6) Build a distributed system and deploy your business across multiple data centers. Spread visitors across the appropriate data centers, consider deploying a CDN, and deploy firewalls (such as Cisco or Juniper firewalls) in the important IDC nodes, so that even if an attacker launches a DoS attack, the damage may be limited to one data center rather than affecting the entire business.

7) If the scale is small and the data center conditions are ordinary, consider using some anti-DDoS utilities on the system, such as DDoS Deflate. Its official website is http://deflate.medialayer.com. It is a free script for defending against and mitigating DDoS attacks using the system's built-in netstat command: it monitors and tracks IP addresses that create a large number of network connections, and when a detected address exceeds a preset limit, the program blocks those IPs through APF or iptables.

Of course, this tool only mitigates; it does not prevent all attacks.

Finally, having more than one connection to the Internet, with different vendors and different AS paths, and supporting load balancing helps, but there is still a gap between this and what a conventional DoS/DDoS flood consuming high bandwidth demands. We can always use CAR (Committed Access Rate) or NBAR (Network-Based Application Recognition) to drop or rate-limit the network flows carrying the attack, reducing the burden on the routing device's CPU and the load on the buffers of the hosts behind the router.

Copyright notice: This article blog original article. Blogs, without consent, may not be reproduced.
