Monday, June 14, 2010

Istqb Foundation Level Material

Prevent DOS attacks by limiting the PING response

Do you ever use the PING command? When your server stops responding or appears dead and you want to check its condition, the ping command is a very simple way to find out whether your server is alive or dead.

If this ping command is sent in bulk to a specific IP, a flood condition results (the same kind that SYN cookies exist to counter) and your server will be at a loss to respond to this ping attack. So while ping is useful on one side, on the other side it can be used to undermine the ping service on your server.

How do you handle it? Not too hard and not too easy. Read this, then look at Uncle Google, and you will find the answer.

On this occasion I want to give you a little trick for dealing with DOS attacks carried out via PING. The software needed is iptables. Suppose you have a script like the following that you run on your server to complete its security.

#!/bin/sh
trusthost='192.168.10.100'
myhost='192.168.20.200'
any='0.0.0.0/0'   # defined but not used by the rules below
##############
# Flush & Reset
##############
iptables -F
iptables -X
##############
# Default Rule
##############
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#########
# loopback
#########
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#######################
# ICMP trusthost->myhost
#######################
iptables -A INPUT -p icmp --icmp-type echo-request -s $trusthost -d $myhost -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -s $myhost -d $trusthost -j ACCEPT
#######################
# ICMP myhost->trusthost
#######################
iptables -A OUTPUT -p icmp --icmp-type echo-request -s $myhost -d $trusthost -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -s $trusthost -d $myhost -j ACCEPT
#######################
# ssh trusthost->myhost
#######################
iptables -A INPUT -p tcp -s $trusthost -d $myhost --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $myhost --sport 22 -d $trusthost -j ACCEPT
#########
# logging
#########
iptables -N LOGGING
# -m limit without arguments uses the module defaults (3/hour, burst 5) so the log is not flooded
iptables -A LOGGING -m limit -j LOG --log-level warning --log-prefix "DROP:"
iptables -A LOGGING -j DROP
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING

To reject a DOS attack via PING, add the following rule to iptables:
# iptables -A INPUT -p icmp --icmp-type echo-request -s $trusthost -d $myhost -m limit --limit 1/m --limit-burst 10 -j ACCEPT

With the settings above, ping responses are allowed only 10 times within 1 minute.
Is this enough? The answer is no.
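As an added illustration (not part of the original post), the following Python models the token-bucket behaviour of `-m limit --limit 1/m --limit-burst 10` from the rule above, so you can see which echo requests in a constructed flood would be accepted and which would fall through to the DROP policy. The model approximates the kernel's limit match; it is not its exact jiffies-based arithmetic, and the arrival times are constructed.

```python
"""Token-bucket model of the iptables rule '-m limit --limit 1/m --limit-burst 10'.

Added example, not from the original post. Approximation of the kernel limit
match: a bucket that starts full with `burst` tokens, refills continuously at
`rate`, and spends one token per matched packet. Packets that find no token do
not match the ACCEPT rule and therefore hit the chain's DROP policy.
"""
from fractions import Fraction

_UNIT_SECONDS = {"s": 1, "second": 1, "m": 60, "minute": 60,
                 "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_limit(rate: str) -> Fraction:
    """Convert an iptables rate string such as '1/m' or '5/s' into tokens per second."""
    count, unit = rate.split("/")
    return Fraction(int(count), _UNIT_SECONDS[unit])


def simulate_limit(arrivals, rate="1/m", burst=10):
    """Return [(t, 'ACCEPT'|'DROP'), ...] for echo requests arriving at the given
    non-decreasing times in seconds. Exact rational arithmetic avoids float drift."""
    refill = parse_limit(rate)
    cap = Fraction(burst)
    tokens = cap                      # bucket starts full: the initial burst is free
    last = Fraction(arrivals[0]) if arrivals else Fraction(0)
    verdicts = []
    for t in arrivals:
        t = Fraction(t)
        tokens = min(cap, tokens + (t - last) * refill)   # refill for elapsed time
        last = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append((t, "ACCEPT"))
        else:
            verdicts.append((t, "DROP"))
    return verdicts


def accepted_count(verdicts):
    return sum(1 for _, v in verdicts if v == "ACCEPT")


if __name__ == "__main__":
    # Constructed flood: one ping per second for 15 s, then two more about a minute later.
    flood = list(range(15)) + [70, 71]
    for t, verdict in simulate_limit(flood):
        print(f"t={int(t):3d}s  {verdict}")
    print("accepted:", accepted_count(simulate_limit(flood)))
```

Note that in the script above the unconditional echo-request ACCEPT for $trusthost already sits in the INPUT chain, so a rate-limited rule appended after it never matches; it only takes effect if it is inserted before that rule or replaces it, because iptables applies the first matching rule.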

We must also tune the kernel. Apply these settings so that SYN cookies are active on your server.
# echo '1' > /proc/sys/net/ipv4/tcp_syncookies

or do it with a command like the following,
# sysctl -w net.ipv4.tcp_syncookies=1

Check the file /etc/sysctl.conf to see whether the value net.ipv4.tcp_syncookies = 1 is there.

There is also a DOS named Smurf that is carried out via ICMP ping.
To counter it, set up your server like the following,
# echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

or with the sysctl command like the following,
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Check whether the file /etc/sysctl.conf has a setting like this:
net.ipv4.icmp_echo_ignore_broadcasts = 1

If it does, you now have a server secured against DOS attacks via PING.
