Saturday, September 3, 2011

How to prevent from DDOS

How to prevent from DDoS Attacks:-
Implement security features in your server like:
1) DDOS protection using CSF through “SYNFLOOD”.
2) Install apache modules like mod_dosevasive and mod_security in your server.
3) The best,free & open sources solution to protect from DDOs :-
4) Configure APF and IPTABLES to reduce the DDOS.
Description here :-
1.) DDOS protection using CSF through “SYNFLOOD”. & Connection tracking :- Please modify these option through CSF

# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct –limit rate syntax
SYNFLOOD = Default: 0
# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
# Care should be taken with this option. It’s entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be arround 300.
# To disable this feature, set this to 0
CT_LIMIT = Default: 50 (means 50 connections per ip address)
# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans
CT_INTERVAL = Default: 30
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = Default: 1
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = Default: 0
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = Default: 1800
# If you don’t want to count the TIME_WAIT state against the connection count
# then set the following to “1″
CT_SKIP_TIME_WAIT = Default: 0
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. “SYN_RECV,TIME_WAIT”
# Leave this option empty to count all states against CT_LIMIT
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. “80,443″
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = 80,443
2) Install apache modules like mod_dosevasive and mod_security in your server= :-
mod_evasive and mod_security modules are used to secure Apache Web Server from DDoS and brute force attacks by implementing web application firewall.
The mod_evasive authoring site ( states that mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera..
*Note: mod_evasive module has been known to cause problems with frontpage server extensions. If you use frontpage server extension, you should thoroughly test your mod_evasive installation before deploying a production server.
# wget
#tar -xvzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -cia mod_evasive.c
# mv mod_evasive.loT mod_evasive.lo
# /usr/local/apache/bin/apxs -cia mod_evasive.c
# httpd -M|grep evasiv
# vi /etc/httpd/conf/httpd.conf (edit httpd.conf with the following details)

DOSHashTableSize   3097
DOSPageCount   2
DOSSiteCount   50
DOSPageInterval   1
DOSSiteInterval   1
DOSBlockingPeriod   600

# cd /usr/local/apache/modules/
Then download through web and place it in modules directory and change the permission with 755.
# /etc/init.d/httpd restart
3) The best,free & open sources solution to protect from DDOs :- :-
(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
IP addresses with over a pre-configured number of connections are automatically blocked in the server’s firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)
Notable Features :-
* It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
* Simple configuration file: /usr/local/ddos/ddos.conf
* IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
* The script can run at a chosen frequency via the configuration file (default: 1 minute)
* You can receive email alerts when IP addresses are blocked.
Installation :-
chmod 0700
Uninstallation :-
chmod 0700 uninstall.ddos
4) Configure APF and IPTABLES to reduce the DDOS. :-
Ans :- Please install APF/CSF or iptables to reduce the DDOS ,also an hardware firewall (cisco guard ) also help to mitigate DDOS attacks.