Thursday, May 11, 2006

The Art Of Defensive

Firewalling used to be a versatile and effective way of defending and guarding your network. However, it is only useful where it can block most of the malicious traffic based on the packet header.

One of the weakest points of a firewall is its inability to throttle connections that have already been initiated and established. Attackers take advantage of this, especially when they are performing DDoS.

A single host connecting to a web service with multiple threads can consume enough HTTP resources to reach the max client limit and bring the web service down, especially when the malicious host completes a valid TCP three-way handshake, so we can't simply block it by packet header. In OpenBSD PF you can add the malicious host's IP to a table to drop its connections, but that is not enough against massive DDoSing, since you first have to identify the malicious hosts and add them to the table. Furthermore, you can't drop connections that are already established, and this causes havoc: the service can hardly offer its resources to legitimate connections from your web clients. This problem is not limited to web services; it affects any service that uses TCP, such as DNS and SMTP.

However, I will concentrate on web services here. HTTP is stateless; although it is carried over TCP, the connection itself shouldn't be sticky. Thus, if the same IP appears multiple times in the netstat output connecting to port 80, something is not right.

We therefore need a way to throttle or kill the connections from this particular IP, which is likely malicious, before adding it to either an iptables chain or a PF table. With that we can kill the already established connections from the malicious IP and block its further connections.

There are four tools that allow you to kill TCP connections easily:

Flowgrep - http://monkey.org/~jose/software/flowgrep/

Cutter - http://www.lowth.com/cutter/

TCPkill - http://monkey.org/~dugsong/dsniff/

TCPdrop - OpenBSD native tool

I have mentioned flowgrep a couple of times already, so I will save my words for the other tools here. To kill connections, you specify the IP whose connections you want to kill, or you can be more specific and kill only the connections that host has opened to a certain port.

Cutter is useful if you install it on the firewall device; it can't do much when you try to kill connections to the host cutter itself is installed on, but it is good at killing connections that pass through the firewall device where cutter is installed. Cutter installation is straightforward: gcc -o cutter cutter.c will do. The cutter syntax is also straightforward: cutter DST IP DST PORT SRC IP SRC PORT. For example, to kill the connections from 1.2.3.4,

shell>cutter 1.2.3.4

Or, if you want to kill all HTTP connections from 1.2.3.4,

shell>cutter 1.2.3.4 80

That's pretty self-explanatory. The other useful tool is TCPkill, which comes with the dsniff suite. TCPkill kills connections as well, but it is more powerful than cutter since you can use it to kill any TCP connection to your host instead of relying on a border router ACL or firewall. For example, to kill the connections from 3.4.5.6, just run

shell>tcpkill -i eth0 host 3.4.5.6

TCPkill is powerful because it supports BPF filters. You can kill the connections of multiple hosts at once with

shell>tcpkill -i eth0 host 3.4.5.6 or host 4.5.6.7 or host 5.6.7.8

The last one I would like to mention is TCPdrop, which is installed by default in the OpenBSD base system. Not many people know about it, and it can be used to throttle malicious network traffic without relying on third-party tools. To drop the connections from 6.7.8.9, just run

shell>tcpdrop 6.7.8.9

The syntax is similar to cutter, and you can kill by specifying a port as well.

Now that we have these alternative tools, how do we make use of them in a DDoS situation? We should drop the connections already initiated and established by the malicious host and add its IP to either iptables or PF. In PF, you can use source tracking to stop a single IP from exceeding a state limit; on Linux, you can count connections per IP in the netstat output and, if a single IP exceeds the threshold, add it to iptables with -I on the fly. This inserts the rule at the top of the chain and blocks further connections from that particular IP. I won't show the full script here that does everything, killing the non-legitimate connections and adding them to iptables or PF, but here's a simple tip to check on it; I have tried this on CentOS with very good results defending against DDoS. To make a counter per IP, just run:

shell>netstat -plan | awk '$4 ~ /:80$/ {print $5}' | \
cut -d: -f1 | sort | uniq -c | sort -nk1 | \
awk '{if ($1 > 10 && $2 != "0.0.0.0") print $2}'

With the command above, you should be able to get all the hosts with more than 10 connections to the same port (80) in the netstat output. Once you have those IPs, you can throttle them with the tools mentioned above and add them to the firewall rules on the fly. Legitimate clients such as browsers using keep-alive, or many users behind one NAT gateway, also open several connections each, so choose the threshold with that in mind. To automate it, you will need to write your own script to do it all for you, but that's not too hard, right! And if you don't want to block the IPs forever, make use of expiretable, which I have mentioned here.
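As an added example (not from the original post), here is a small POSIX shell script that does the per-IP counting more robustly than the one-liner: it matches the local-address column so :80 does not also catch :8080, counts only ESTABLISHED connections, and prints the tcpkill and iptables commands for each offender instead of running them. The netstat output, the interface name eth0 and the RFC 5737 addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example: count established connections per remote IP from netstat
# output, list the IPs above a threshold, and print (not run) the actions.
# SAMPLE_NETSTAT is constructed "netstat -plan" style output; the addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:80         0.0.0.0:*            LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80        192.0.2.10:40001     ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80        192.0.2.10:40002     ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80        192.0.2.10:40003     ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80        192.0.2.10:40004     ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80        198.51.100.7:51000   ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:8080      192.0.2.10:40005     ESTABLISHED 1235/proxy
tcp        0      0 10.0.0.5:22        203.0.113.9:60000    ESTABLISHED 999/sshd
tcp6       0      0 :::80              :::*                 LISTEN      1234/httpd
EOF
)

# count_offenders PORT LIMIT: read netstat output on stdin and print "IP COUNT"
# for every remote IP with more than LIMIT ESTABLISHED connections to local PORT.
# Matching the local-address column ($4) avoids ":80" also matching ":8080" or a
# remote port, and the ESTABLISHED check drops the 0.0.0.0:* and :::* LISTEN rows.
count_offenders() {
    awk -v port="$1" -v limit="$2" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "ESTABLISHED" {
            ip = $5
            sub(/:[^:]*$/, "", ip)    # strip the remote port; keeps IPv6 intact
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }
    ' | sort -k2,2nr
}

# throttle_plan IFACE: for each "IP COUNT" line on stdin, print the tcpkill and
# iptables commands an operator would run (printed only, never executed here).
throttle_plan() {
    while read -r ip count; do
        echo "# $ip has $count connections"
        echo "tcpkill -i $1 host $ip"
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Demo on the constructed sample; on a live host feed "netstat -plan" instead.
printf '%s\n' "$SAMPLE_NETSTAT" | count_offenders 80 3 | throttle_plan eth0
```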

Have fun, cheers (:])
