Anti-DDoS on Linux

Hard and soft ware discusion.

Moderator: Moderators

Anti-DDoS on Linux

Postby afonic » Wed Dec 05, 2007 12:26 am

I've been terribly busy in the last couple of days as one of my servers seems to be under constant DDoS attack by multiple IPs from Russia.

I managed to keep the server alive for about two days but today when I went to work it got overloaded (according to my host that monitors the servers and autoreboots the RAM filled) and rebooted twice. (its a Dual Opteron, 4GB, CentOS 4.5 box)

I am using APF (Advanced policy firewall) with a custom set of rules and DoS protection turned on. It does work but still stresses the server.

The questions are:
1) What other setup of tools you use for protection in Linux?
2) Any tips that could improve stability even under heavy load?

I am asking here since solutions from the admins in managed support of my host suggest either a hardware Cisco firewall or moving to better hardware (Dual Quad Core Xeon) both of which are pretty costly.
User avatar
afonic
Forum Admin
Forum Admin
 
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby afonic » Wed Dec 05, 2007 12:27 am

Please note:
I did try
Code: Select all
yum update && yum install chuck_norris
but it didn't work. :D
User avatar
afonic
Forum Admin
Forum Admin
 
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece

Postby zoli » Wed Dec 05, 2007 11:10 am

This is a quite complicate situation.
In general you need to determine what is you bottleneck.
If the bandwidth, than just the ISP can help you to move the traffic away.
If the box itself, than you may use ipconfig rules to control the access. But this is very difficult - because you need to filter out what request is a real one and with comes with the attack.

First of all close/deny all ports that does not have service.

Second, counting request from the source in certain time period helps. For example block requests from a source if there are more than 10 in a second - you may tune this according the application you run.
This is rather effective. It filters well, the box is up and it does not require resources.

That your dual CPU box with lot of RAM died under the attack - this is clear sign of not doing such filtering, but letting through all request to the application, that probably does not have any process limits.

Read more at http://iptables-tutorial.frozentux.net/ ... orial.html

In fact, the expensive Cisco hardware does the same, just in front of your box - saving your time if you have rich sponsors :)

Third method is to apply limits to the application. How many processes to start, how long to run, how many memory to use.

Please, let me know if you need concrete help.
Regards,
Z
---
Zoltan Arpadffy
zoli
Forum Admin
Forum Admin
 
Posts: 784
Joined: Mon Sep 30, 2002 1:27 am
Location: Stockholm, Sweden

Postby afonic » Thu Dec 06, 2007 10:11 am

Well actually things seems to have stabilized as most attacking IPs have been blocked.

Apache did have processing and memory limits but for some reason the memory filled up. My guess by reading the logs is that the attacker decided to reload my homepage over and over again killing MySQL first and Apache later. So I guess it is time to apply some limits to MySQL too. Unfortunately under normal circumstances this reduces the performance a bit.

I had already done most of the standard protection procedures, installing Advanced policy firewall and blocking all unused ports, and I even enabled the antiDos tools APF has.

Seems like I need to stop relying on "automated" firewall acting like an iptables frontend and dive more into advanced iptables settings in order to set a limit in the requests as you describe.
User avatar
afonic
Forum Admin
Forum Admin
 
Posts: 686
Joined: Tue Oct 14, 2003 11:11 pm
Location: Salonica, Greece


Return to Computers

Who is online

Users browsing this forum: No registered users and 10 guests

cron