How to block DDoS attacks on Ubuntu

I will show you how to install PSAD on an Ubuntu 8.04 LTS server to block DDoS (distributed denial of service) attacks and port scans.

PSAD scans the iptables log file to decide which sources to block. The problem is that when you log ALL packets, as shown in other PSAD tutorials, it will slow your server down considerably if it is busy and generate huge log files (growing at a rate of 1 MB per second or more). With simple iptables rules we will only log traffic that looks suspicious (5 new connections in 5 seconds, for example).
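The following script is an added example, not the howto's own script: it builds the kind of "log only suspicious traffic" rules described above using the iptables recent module, so that a source only reaches syslog once it has opened more than HIT_COUNT new TCP connections inside a SECONDS_WINDOW window (the 5-in-5 values come from the post). The chain name PSAD_LOG, the log prefix, the ADMIN_IP whitelist (so you do not log and then block your own workstation) and the PSAD_APPLY switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original howto): iptables rules that log only
# bursts of NEW connections, so psad gets a small, relevant log instead of
# every packet.
IPTABLES="${IPTABLES:-iptables}"   # assumed path to the iptables binary
SECONDS_WINDOW=5                    # window from the post: 5 new connections ...
HIT_COUNT=5                         # ... in 5 seconds triggers a log entry
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"  # assumed admin host, never logged (documentation address)

# build_log_rules: print the iptables commands, one per line, without running them.
# The "recent" list records every NEW SYN per source; --update --hitcount fires
# only when the source already has HIT_COUNT entries inside SECONDS_WINDOW.
build_log_rules() {
    cat <<EOF
$IPTABLES -N PSAD_LOG
$IPTABLES -A PSAD_LOG -s $ADMIN_IP -j RETURN
$IPTABLES -A PSAD_LOG -m recent --name psad_new --set --rsource
$IPTABLES -A PSAD_LOG -m recent --name psad_new --update --seconds $SECONDS_WINDOW --hitcount $HIT_COUNT --rsource -j LOG --log-prefix "psad-burst: " --log-level warning
$IPTABLES -A INPUT -p tcp --syn -m state --state NEW -j PSAD_LOG
EOF
}

# apply_rules: run the generated commands (needs root). Only called on demand.
apply_rules() {
    build_log_rules | sh -e
}

# Run with PSAD_APPLY=1 to actually install the rules; otherwise just show them.
if [ "${PSAD_APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_log_rules
fi
```

Run it once as root with PSAD_APPLY=1 after psad is installed; psad then only sees the "psad-burst:" lines in syslog. Note that the rule is keyed on NEW connections, so a client that keeps one connection open and reuses it never increments the counter.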

Updated version here http://blogama.org/node/137

Comments


re : DDoS and nothing detected

Hi Chris, I've seen problems with PSAD (or iptables log) over time.

It works for some time (24h) and then stops.

When I have a few hours I will look for the problem.

Marc

Hi Marc, thanks for your

Hi Marc,
thanks for your quick answer. I've had some time to look into the problem and found this post on the psad mailing lists:
http://sourceforge.net/mailarchive/forum.php?thread_name=306345.65711.qm...

It indicates that there is a problem with psad version 2.1, which is the stable one on Ubuntu 8.04 LTS (which I am using).

A post in this message:
http://sourceforge.net/mailarchive/forum.php?thread_name=4126b3450811021...
describes how to get and compile the latest version of psad for Ubuntu.

Since I did not want to dig that deep into the matter I did not try that but chose to combine mod_evasive with fail2ban which works in a way I find much more intuitive.

The actual problem I've posted might have more to do with a wrong iptables rule since the syslog did not even contain entries of the IPs that did the DoS attack. My guess would be that they did not create "NEW" connections but used only one to request all those pages... I don't actually want to set MaxRequestsPerClient to 1 in my Apache config...

Anyway, I hope the mod_evasive - fail2ban combo does the trick for us.

Still, I'd be interested if you get psad working in a stable manner.

Cheers,
Christopher

Re : Problems

Hi, it seems that with the latest PSAD (2.1.5) it works perfectly now; it doesn't stop working after some time.

I updated the howto

Marc

DDoS and nothing detected

Hi, and thanks for the nice howto.

I have a problem though... We've set up psad using your shell script with this iptables LOG rule:
state NEW recent: UPDATE seconds: 5 hit_count: 15 name: DEFAULT side: source LOG level warning

When we had a DDoS attack this morning, however, not one of the IP addresses was detected. And, in fact, none of them even showed up in the syslog...

I've checked that the system basically works by issuing many requests from another server, which was successfully detected and banned quite fast, but this actual attack slipped through the logging rules.

The Apache access log is full of requests like this:

xxx.47.51.85 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
xxx.47.51.85 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
xxx.47.51.85 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
xxx.47.51.85 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
xxx.47.51.85 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
xxx.47.51.85 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"

(The Apache response code 403 was generated by mod_evasive, which detects many subsequent loads from the same IP and returns an Apache error instead of generating the correct page. The result is that the server does not get overloaded and collapse; only the max connections of Apache fill up...)

This particular machine in the log issued more than 120 requests a second and more than 33,000 requests in total. How can it be that it did not even appear in the syslog?

Any hints are highly appreciated.

Regards,
Christopher
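Christopher's access log above shows a flood that the NEW-connection rule never sees: the requests arrive on connections that are already open, so nothing reaches syslog, while the application log records every request. As an added example (not the post's or the howto's own code), the awk-based function below counts Apache combined-log requests per source IP per second and reports the pairs above a threshold, which is the kind of check fail2ban runs against the access log. The sample lines are constructed with documentation addresses and the threshold value is an assumption.

```shell
#!/bin/sh
# Added example: find sources exceeding N requests per second in an Apache
# combined access log. Not code from the original page.

# Constructed sample (not the poster's real log): one host sends 5 requests
# in one second and 2 in the next, another host sends a single request.
SAMPLE_LOG='203.0.113.9 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
203.0.113.9 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
203.0.113.9 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
203.0.113.9 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
203.0.113.9 - - [24/Apr/2009:10:27:49 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
203.0.113.9 - - [24/Apr/2009:10:27:50 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
203.0.113.9 - - [24/Apr/2009:10:27:50 +0200] "GET / HTTP/1.1" 403 18 "-" "-"
198.51.100.4 - - [24/Apr/2009:10:27:49 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# flood_ips LIMIT: read combined-log lines on stdin and print
# "<ip> <timestamp-to-the-second> <count>" for every (ip, second) pair
# with more than LIMIT requests. Field 1 is the client IP; field 4 is the
# timestamp "[dd/Mon/yyyy:HH:MM:SS" (timezone is a separate field).
flood_ips() {
    awk -v limit="$1" '
        {
            ip = $1
            ts = substr($4, 2)            # drop the leading "["
            count[ip SUBSEP ts]++
        }
        END {
            for (k in count) {
                if (count[k] > limit) {
                    split(k, parts, SUBSEP)
                    print parts[1], parts[2], count[k]
                }
            }
        }' | sort
}

# Run on the constructed sample when executed directly; on a real server
# you would use: flood_ips 100 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flood_ips 3
```

Because the check is per second, a host that holds one keep-alive connection open and fires hundreds of requests through it shows up here even though an iptables rule counting NEW connections stays silent; feeding the offending IPs to a firewall ban (as fail2ban does) is the natural next step.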

What happened?

I got this in my email:
You may just need to add a default logging rule to the INPUT chain on
"mydomain.com". For more information, see the file "FW_HELP" in
the psad sources directory or visit:
http://www.cipherdyne.org/psad/docs/fwconfig.html

What did I do wrong?

default logging rule

Hi, I've seen that email before. I think it's because you don't have the "standard" iptables log rules, but it will work anyway. Try to send multiple requests to your server and see if PSAD blocks the IP (careful not to block yourself!). To test you can use a port scanner or Apache ab (e.g.: ab -c 5 -n 2000 http://www.yourdomain.com/)

Marc

thanks, does this work in

thanks, does this work in ubuntu 8.10?

Ubuntu 8.10

The PSAD package is available on 8.10, it should work no problem.

Marc