DDoS trough a VerliHub bug, apache is dead

live_dont_exist · 03-05-2007, 03:37 AM

I'm not sure. I believe that the packets should ideally get dropped even before they are processed by the kernel itself. Even if you dont drop the packets..the kernel will eventually drop it due to too many timeouts/re-transmissions..only it wont be quick enough to stop the DOS. SO ideally I'd say whatever filtering device you use - should drop it before the Kernel processes the packet.

I'm not certain though ; if someone who knows more about this can back up what I said I'd feel more comfortable.

Cheers
Arvind

nx5000 · 03-05-2007, 03:49 AM

You should begin by the easier solutions.
I would first try to tweak some kernel options, as said by Capt_Caveman
Also he mentionned modevasive, did you try it?

Do you also have burst limit on SYN packets in iptables?

Snort is supposed to be an intrusion detection system, not a firewall. It can be very resource intensive. Running it on the same machine as apache could make things worse IMO.

ipv6waiting · 03-05-2007, 04:06 AM

Yes, we have mod_evasive
We also have SYNWatch on that interface.
Don't have syn burst limit (iptables), but we tried it days ago and was not working.
Will try the kernel mods.

Any other ideea will be great, and about snort ... yeah ... at our traffic rating
it will be a great resource consumer.

Regards,

prozac · 03-05-2007, 05:08 AM

That thread is closed and I think this is why?

Quote:

I see that you are interested in the DDOS tools. I propose you a test on this site. I ll make a port scan too,ddos start in 2 minutes !btw i m fro ro and don`t chek my ip,its a proxy.

feels like i am watching a movie.
<sorry for contributing nothing>

ipv6waiting · 03-05-2007, 11:42 AM

PHP Code:



 
03/05-19:38:39.631165 86.107.182.74:2651 -> 194.126.185.100:80 
TCP TTL:122 TOS:0x0 ID:19385 IpLen:20 DgmLen:48 DF 
******S* Seq: 0x3F19031F  Ack: 0x0  Win: 0xFFFF  TcpLen: 28 
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
 
03/05-19:38:39.631200 86.107.182.74:2652 -> 194.126.185.100:80 
TCP TTL:122 TOS:0x0 ID:19386 IpLen:20 DgmLen:48 DF 
******S* Seq: 0xFF8113B6  Ack: 0x0  Win: 0xFFFF  TcpLen: 28 
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
 
03/05-19:38:39.631235 89.33.100.137:14935 -> 194.126.185.100:80 
TCP TTL:248 TOS:0x0 ID:65259 IpLen:20 DgmLen:40 
*****R** Seq: 0x3AE5A77D  Ack: 0x55  Win: 0xFFFF  TcpLen: 20 
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
 
03/05-19:38:39.631248 85.204.121.236:4920 -> 194.126.185.100:80 
TCP TTL:120 TOS:0x0 ID:34 IpLen:20 DgmLen:40 DF 
***A**** Seq: 0x9AB4BC11  Ack: 0xDE8E3589  Win: 0xFFFF  TcpLen: 20 
 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
 
03/05-19:38:39.631259 85.204.121.236:4920 -> 194.126.185.100:80 
TCP TTL:120 TOS:0x0 ID:36 IpLen:20 DgmLen:130 DF 
***AP*** Seq: 0x9AB4BC11  Ack: 0xDE8E3589  Win: 0xFFFF  TcpLen: 20 
24 4D 79 4E 69 63 6B 20 5B 52 4F 5D 43 4C 5D 63  $MyNick [RO]CL]c 
72 69 73 74 69 6E 61 7C 24 4C 6F 63 6B 20 45 58  ristina|$Lock EX 
54 45 4E 44 45 44 50 52 4F 54 4F 43 4F 4C 41 42  TENDEDPROTOCOLAB 
43 41 42 43 41 42 43 41 42 43 41 42 43 41 42 43  CABCABCABCABCABC 
20 50 6B 3D 44 43 50 4C 55 53 50 4C 55 53 30 2E   Pk=DCPLUSPLUS0. 
36 37 34 41 42 43 41 42 43 7C                    674ABCABC|

this is the output from snort .. please give us a rule to drop $MyNick .....

Capt_Caveman · 03-05-2007, 02:59 PM

If you have Snort-Inline working then you can simply use the 'drop' action. Once you are comfortable that everything is working properly you can switch to sdrop if you like (probably using a threshold limit would be better).

Code:

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
     (msg: "DCC dDoS detected"; content: "$MyNick";)

Though the string "Pk=DCPLUSPLUS" might be useful triggering as well. Also make sure to edit the config file properly so that $HTTP_SERVERS and $HTTP_PORTS variables are accurate.

If you are still working on getting Snort-Inline working you may find this helpful.

If you are concerned about the resources consumed by Snort, you can also use iptables string match. I believe it's still not part of the basic iptables installation, so you'd need to do the whole patch-o-matic and kernel recompile to use it.

ipv6waiting · 03-05-2007, 03:45 PM

a little questions .. all that $EXTERNAL_NET and so over must be replaced with my ip / port etc?

ty for help ...

Capt_Caveman · 03-05-2007, 04:26 PM

Quote:

Originally Posted by ipv6waiting

a little questions .. all that $EXTERNAL_NET and so over must be replaced with my ip / port etc?

ty for help ...

I usually define $HOME_NET with whatever IPs or IP ranges are on my network and then just set $EXTERNAL_NET as !$HOME_NET. $HTTP_SERVERS and $HTTP_PORTS are what they sound like. You can use actual IP addresses or ranges of IPs (in CIDR notation) in place of any of those variables if you like.

The Snort docs are excellent resources:
http://www.snort.org/docs/faq/1Q05/node34.html

ipv6waiting · 03-05-2007, 05:44 PM

now ... what should i say to iptables:

iptables -A INPUT -p tcp --dport 80 -j QUEUE

or

iptables -A OUTPUT -p tcp --dport 80 -j QUEUE

?

and the final rule for me is:

PHP Code:



var EXTERNAL_NET any
var HTTP_SERVERS x.x.x.x
var HTTP_PORTS 80
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DCC dDoS detected"; content:"$MyNick"; sid:100000135;)

snort loggs a lot of data in log folder but the site is still unreachable ... any updates pls/.

Capt_Caveman · 03-05-2007, 06:23 PM

You'll want to send packets coming into the box from the internet to the QUEUE, so this will either be INPUT or FORWARD. If Apache is running on that machine then you'll send packets in INPUT to the QUEUE, if the webserver is on another machine inside the network and DNATed then you'll want to use FORWARD. You use OUTPUT for analyzing packets going outbound from the system/network to the internet (which you don't need and adds overhead).

ipv6waiting · 03-05-2007, 06:33 PM

i've done all the above but still the site can't be reached .. and in console i still see Possible SYN Flood on port 80 messages.

any other ideea or a better rule.

c00kie · 03-06-2007, 02:15 AM

Yup, me and ipv6waiting are gettin' crazy over here xD

/var/log/snort is like this:

PHP Code:



[**] [1:100000135:0] DCC dDoS detected [**]
[Priority: 0]
03/06-10:13:12.792459 86.55.93.158:2044 -> X:80
TCP TTL:121 TOS:0x0 ID:41527 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x54C21422  Ack: 0x7170AAE  Win: 0x8000  TcpLen: 20

[**] [1:100000135:0] DCC dDoS detected [**]
[Priority: 0]
03/06-10:13:12.792564 86.55.93.158:2045 -> X:80
TCP TTL:121 TOS:0x0 ID:41528 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xC541DEDC  Ack: 0x730EBFD  Win: 0x8000  TcpLen: 20

[**] [1:100000135:0] DCC dDoS detected [**]
[Priority: 0]
03/06-10:13:12.792617 86.55.93.158:2046 -> X:80
TCP TTL:121 TOS:0x0 ID:41529 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xBE7FF72  Ack: 0x717453D  Win: 0x8000  TcpLen: 20

[**] [1:100000135:0] DCC dDoS detected [**]
[Priority: 0]
03/06-10:13:12.792664 86.55.93.158:2047 -> X:80
TCP TTL:121 TOS:0x0 ID:41530 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xB69DB56D  Ack: 0x756C0BA  Win: 0x8000  TcpLen: 20

[**] [1:100000135:0] DCC dDoS detected [**]
[Priority: 0]
03/06-10:13:12.792732 86.55.93.158:2048 -> X:80
TCP TTL:121 TOS:0x0 ID:41531 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xA1AD28E3  Ack: 0x70349C5  Win: 0x8000  TcpLen: 20

But, no good

!

Capt_Caveman · 03-06-2007, 04:27 AM

You may want to change the 'drop' action to 'reject' to eliminate retries. Also, take a look in /var/log/snort and see how many unique IPs are you seeing? How many alerts per IP? What I'm getting at is that if these are coming from a limited number of IP addresses, you can block them out-right with IPtables.

If you've legitimately tried all of the above recommendations (TCP/Netfilter/Apache tuning) then you're really at the limits of what you can do by yourself to mitigate it. The next option would to be to throw several load-balancing proxy servers in front of the webserver and let them split the connection load and then only the valid HTTP requests would be proxied to the internal webserver.

I think you're also at the point where you should contact your ISP and see if they can help you mitigate the attack on their end. These are real connection attempts, not spoofed packets, so they should be able to null route much of it. So I would definitely contact them and let them know what's going on. Make sure to explain in detail the type of traffic that you are seeing (DC++ connection attempts on port 80) and why (malicious redirection of DC++ clients using the ForceMove command). Send relevant logs as well.

c00kie · 03-07-2007, 08:35 AM

All this time.. we still h ave'nt fixed this issue, if you look here :

Snort received 118092 packets
Analyzed: 13297(11.260%)
Dropped: 104585(88.562%)
Outstanding: 210(0.178%)
===============================================================================
Breakdown by protocol:
TCP: 13244 (99.601%)
UDP: 42 (0.316%)
ICMP: 6 (0.045%)
ARP: 5 (0.038%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 13297
PASSED: 0
===============================================================================
Snort exiting

I think that... we have a bunch of packets, don't we? lol. Oh.. that happened in only 5 SECONDS.

live_dont_exist · 03-07-2007, 08:44 AM

You might want to disable all your rules except the DC++ one. That will drastically reduce the number of alerts Snort is triggering and setting off.

Yeah its normal ..the number of packets you're receiving

.

Cheers
Arvind