Monday, December 21, 2009

Dealing with a simple DOS attack

It's been an interesting past few days. Sometimes I feel like I'm living in a Rube Goldberg contraption! One of our servers got hit with a DOS attack last Friday night. It wasn't too bad and I was able to use several commands to figure out what was happening and deal with it. I thought I'd share them with you:

  • I first used `netstat -lan | grep -c :80` to check the number of connections to port 80. It was about three times normal.
  • I then used `netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n` to identify which IP addresses had the most connections open. I found a large number of connections from three unique IP addresses.
  • I then created static blackhole routes for those three IP addresses to block the source of the attack, and my server was back up. Here's the command: `ip route add blackhole w.x.y.z/32` (where w.x.y.z is the address I wanted to block and /32 is the mask).

I'm not including explanations of all the options here. Use man, info, or Google to look 'em up.
This is not a permanent solution and it won't work for a Distributed DOS attack, but it did allow my server to begin answering HTTP requests again. A more permanent solution (perhaps it would be better described as a "less temporary" solution, since there probably is no permanent solution other than disconnecting from the Internet) will be to create a set of firewall rules to identify an attack (say, an accelerated number of connection requests within a set time frame) and drop the packets from that source. There is a fair amount of complexity involved in getting it right, but I'll blog on it and let you know what I find.
