
Wednesday, 3 September 2014

DoS Deflate: free DDoS defence and mitigation <defence and stress-test attacks>

Recently the site has been hit by a DDoS (distributed denial-of-service) attack: the server's disk light stayed on constantly and the site kept going down and becoming unreachable. After installing (D)DoS Deflate things improved a lot.
I originally wanted to outsource this to Chunghwa Telecom ("種花"), but a small shop like ours can't bear that cost, so I gave it up. The three screenshots below are only a partial capture of the attack; under the full load there was no time to capture everything... I have also added front-end protection at the router, and on the back end I'm still looking for a suitable firewall to see whether it will work. If there are fellow "victims" out there, please don't hesitate to share your advice, thank you!!! We have now been under attack for about a month... XXX, Mr. Missile-launcher, please let us off; we need to stay in business and earn an income, and our staff have families to feed... thanks for your understanding!



Defence section:
Version: N/A
Operating system: Linux
Licence: free
Interface language: English
Official site: http://deflate.medialayer.com/
To check whether the site is under a DDoS attack, run the following command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n



Each IP is listed with its connection count; more than 100 connections from a single IP is not normal...
Installing (D)DoS Deflate
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
Removing (D)DoS Deflate
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
(D)DoS Deflate whitelist file location
/usr/local/ddos/ignore.ip.list
The default entry is 127.0.0.1
If you use Bing Webmaster Tools,
remember to add 131.253.38.67 to the whitelist, otherwise you will get the "Site ownership not yet verified. Verify now" screen.
(D)DoS Deflate configuration file location
/usr/local/ddos/ddos.conf
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1  (check interval; the default is 1 minute)
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150  (maximum connections per IP; my site falls over once two IPs each reach 30 or more connections, so I set this to 25)
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1  (if your Linux firewall is iptables, change this to 0)
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1  (when an IP exceeds the connection limit it is blocked; the default is to block)
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"  (a notification is mailed when an IP is blocked; the default recipient is root)
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600  (how long an IP stays blocked; the default is 600 seconds, i.e. 10 minutes; I recommend changing it to 18000)
Add the scheduled job with crontab -e:
* * * * * /usr/local/ddos/ddos.sh
Because it does not run on Debian 6 (Squeeze), edit /usr/local/ddos/ddos.sh and change
#!/bin/sh
to
#!/bin/bash
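As an added example (not DoS Deflate's own code), the following Python re-implements the check that the netstat one-liner above and ddos.sh perform: count connections per remote address, drop addresses listed in ignore.ip.list, and report the ones that reach NO_OF_CONNECTIONS together with the ban command an APF_BAN=1 or APF_BAN=0 setup would issue. The netstat lines, the ignore list, the threshold and the exact ban command strings are constructed assumptions; it also splits on the last ':' so that IPv6 addresses survive, which the page's `cut -d: -f1` does not.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output: two header lines, then one
# socket per line with the remote endpoint in column 5.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address    Foreign Address      State
tcp        0      0 10.0.0.5:80      203.0.113.7:51022    ESTABLISHED
tcp        0      0 10.0.0.5:80      203.0.113.7:51023    SYN_RECV
tcp        0      0 10.0.0.5:80      203.0.113.7:51024    ESTABLISHED
tcp        0      0 10.0.0.5:22      198.51.100.9:40001   ESTABLISHED
tcp        0      0 10.0.0.5:80      127.0.0.1:33001      ESTABLISHED
tcp        0      0 10.0.0.5:80      127.0.0.1:33002      ESTABLISHED
tcp        0      0 10.0.0.5:80      127.0.0.1:33003      ESTABLISHED
udp        0      0 10.0.0.5:53      192.0.2.44:5353      ESTABLISHED
"""
# Constructed ignore.ip.list: one address per line, '#' starts a comment.
SAMPLE_IGNORE_LIST = "127.0.0.1\n# Bing webmaster verification\n131.253.38.67\n"

def parse_ignore_list(text):
    """Whitelist file -> set of addresses (blank lines and comments skipped)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def count_connections(netstat_output):
    """Connections per remote address, like `awk '{print $5}' | cut -d: -f1`.
    Splitting on the last ':' rather than the first keeps IPv6 addresses whole."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything that is not a socket row
        counts[fields[4].rsplit(":", 1)[0]] += 1
    return counts

def find_bad_ips(counts, threshold, ignore):
    """Addresses that reach NO_OF_CONNECTIONS and are not whitelisted, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items()
                   if n >= threshold and ip not in ignore),
                  key=lambda item: (-item[1], item[0]))

def ban_command(ip, apf_ban):
    """Command form assumed here for APF_BAN=1 versus APF_BAN=0 (returned, not run)."""
    return f"apf -d {ip}" if apf_ban else f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    ignore = parse_ignore_list(SAMPLE_IGNORE_LIST)
    for ip, n in find_bad_ips(count_connections(SAMPLE_NETSTAT), 3, ignore):
        print(f"{ip}: {n} connections -> {ban_command(ip, apf_ban=False)}")
```

With the sample data and a threshold of 3, only 203.0.113.7 is reported; 127.0.0.1 has the same count but is whitelisted.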

How to install APF Firewall:

wget http://www.r-fx.ca/downloads/apf-current.tar.gz
gzip -d apf-current.tar.gz
tar -xf apf-current.tar
cd apf-9.7-2

./install.sh


Installing APF 9.7.2: Completed.
    Installation Details:
    Install path: /etc/apf/
    Config path: /etc/apf/conf.apf
    Executable path: /usr/local/sbin/apf
    AntiDos install path: /etc/apf/ad/
    AntiDos config path: /etc/apf/ad/conf.antidos
    DShield Client Parser: /etc/apf/extras/dshield/
    Other Details:
    Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306
    Listening UDP ports: 53
    Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

/etc/apf/conf.apf

There would be a default configuration already set, you will need to go over it at least once and carefully open the ports that you need your server to have.


# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,587,783,993,995,2812,9876,10024,12525,60000"
# Common inbound (ingress) UDP ports

IG_UDP_CPORTS="20,21,53"

Restart APF to test the configuration:

/etc/apf/apf -r

If everything is alright, open the configuration file once more and change the setting below

DEVEL_MODE="1"

to

DEVEL_MODE="0"

And run the restart command once again.

Useful commands:



tail -10 /var/log/apf_log # last 10 lines from log
apf -d 1.2.3.4 REASON # blocking the IP 1.2.3.4
apf -u 1.2.3.4 # unblocking the IP 1.2.3.4
/etc/apf/apf -r # restarting the firewall







Testing the defences above under attack:


  1. HOIC (High Orbit Ion Canon)
  2. LOIC ( Low Orbit Ion Canon)
  3. XOIC
  4. R-U-DEAD-Yet
  5. Pyloris
  6. OWASP DOS HTTP Post
  7. GoldenEye HTTP Denial of Service Tool
  8. Slowloris HTTP Dos
Here, we are testing DOS Deflate against HOIC. It is one of the most popular DOS attacking tools freely available on the Internet. This tool is really easy to use even for a beginner. We can download this tool from the URL mentioned below.
https://mega.co.nz/#!IMw0iCJY!Hg5oQHdQu9FLZcbCJ_HTi1X0F98djiXDLLjWs2N6SIk
After downloading the tool, we need to extract it into the folder and open it by clicking the hoic.exe file. We will get the following HOIC interface.

Now, we need to add the IP Address or the URL of the server in which we have configured the DOS Deflate.
After adding the target URL, we will see this URL in the target section.

Then, click on the “FIRE THE LAZER” icon and it will start the DOS attack on the server. After 2 minutes we will receive an email at the email address which was mentioned in the server configuration, stating that the IP address has been banned on the server.

We can also check the banned IP address by logging in to the server and checking the IP tables. We can check the IP tables status by the following command.
iptables -L -n

It can be seen in the above screen shot that DOS Deflate has banned the IP address through the IP tables in which we had started the HOIC DOS tool.
Another commonly used DOS attacking tool is Slowloris HTTP DOS. It was developed in Python. It has some of the very good features in it. This tool is available in both Windows and Linux platforms, but we will use the Linux flavour of this tool. We can download this Python script based tool by running the mentioned command below.

After downloading the tool, we will make it executable,

  1. == How to install Slowloris on Linux ==
  2. Install perl from your packages, you should find it easily. Note that you need ithreads to be enabled (it should be enabled in most the distributions by default; on gentoo you should add the ithreads USE-flag before (re)installing perl).
  3. Then, you need IO/Socket/SSL, that you should find in your packages or searching on the web. In ubuntu, the package is libio-socket-ssl-perl; on gentoo, it's dev-perl/IO-Socket-SSL.
  4. Then, open a terminal/console and type (or copy-paste):
  5. wget http://ha.ckers.org/slowloris/slowloris.pl
  6. chmod +x slowloris (no sudo is needed before chmod)
  7. ./slowloris.pl -dns xxxxx.com -port 80 -timeout 2000 -num 500 -tcpto 5
  8. (e.g. ./slowloris.pl -dns xxx.xx.xx.xxx) remember the . before the slash
  9. You can replace gerbad.ir with the host you want to attack. You can also replace values for timeout and number of sockets (just by changing the last line), but these options should do it. If you want to run Slowloris again, once it has been installed, just run the last line.
  10. Have fun!

then give the following command which will launch it on the URL.
./slowloris.py –dns <URL of the Server>

After starting the attack, we could check the email or IP table status for verifying whether it is blocked by DOS Deflate or not.

We have successfully tested DOS Deflate against all the tools which were given above in the article. Readers can try by themselves so that they can understand it better.

Source (text and images): http://resources.infosecinstitute.com/dos-deflate-layer-7-dos-protection-tool/
