Posts Tagged ‘NAT’

Comparison of DDoS defense functions in mainstream hardware firewalls

January 13th, 2010

In recent years, as Trojans and viruses have spread, the frequency and traffic volume of denial-of-service attacks on the Internet have risen rapidly. While attack resources and attack techniques have matured, hardware and software products for defending against denial of service have also developed considerably. Today's IDC (Internet data centre) market has reached the point where an operator with no effective defense against denial-of-service attacks cannot run a stable hosting business.

Denial-of-service defense products, however, come in a wide range, and their prices differ enormously: from software firewalls costing a few hundred dollars that are installed on a single target server, through 100 Mbps and Gigabit hardware firewalls costing tens of thousands and more, to newer hardware-firewall programmes and DIY hardware firewalls that are offered to customers as a cost-effective alternative. Customers are often at a loss when choosing, especially because the technology behind a DIY hardware firewall and its defensive capability are poorly understood.

This article presents the mainstream denial-of-service attacks, the corresponding means of defense, and an analysis of the strengths and weaknesses of the current defense strategies against each. Denial-of-service attacks have raised the invisible barrier to entry in the IDC industry considerably: anyone who understands the IDC market and invests in a data centre now has to plan a denial-of-service defense strategy. The current choices of DDoS solution fall roughly into three categories:

1. Software firewall

2. Hardware firewall

3. DIY hardware firewall

Section I: Cost comparison

For IDC operations, judged on cost and defensive characteristics, the advantages and disadvantages of each solution are as follows:

1. Software firewall. Because it is installed on the protected server itself, its defensive capability and coverage are limited; under a large-volume attack it consumes significant hardware resources on the target server, and if the facility has many servers the overall cost is also high. On the other hand, a software firewall is easy to install, requires no hardware changes, and can be deployed very flexibly.

2. Hardware firewall. This is the solution IDCs use widely and the one that delivers real defensive effect. The drawback is that the investment is too high for small and medium IDCs to accept: purchase cost is typically 2-4 million for 100 Mbps (Fast Ethernet) products and 6-8 million for Gigabit products, and high-bandwidth defense requires a cluster, which multiplies the cost.

3. DIY hardware firewall, an emerging approach. Unlike a software firewall, a DIY hardware firewall is kernel-level firewall software installed on a hardware platform the customer prepares; in general its defensive capability matches that of a commercial hardware firewall. Because the customer already has the hardware, existing equipment can be reused and total cost of ownership is kept to a minimum. Typically, 100 Mbps defense costs about 1,000 yuan per facility per month and Gigabit defense about 1,500 yuan per month.

On defensive capability, a software firewall's mode of operation means it cannot protect an entire cabinet or facility, and filtering attack packets consumes system resources that the target's normal applications need, so it is not rated here.

Hardware firewalls are all x86 architecture: a popular hardware firewall is essentially a computer, without a network processing chip dedicated to the task. A DIY hardware firewall uses the same defensive model; both protect a whole cabinet or facility and can be clustered to defend against high-volume attacks. We therefore focus on the hardware firewall and the DIY hardware firewall.

Defensive capability and total cost of ownership compared:

Seen from the cost-of-ownership table, the hardware firewall, as the mainstream means of defense, also has the highest total cost of ownership. The DIY hardware firewall is a compromise: its monthly service charge is a good way to resolve the financial pressure and investment risk that IDC operators face.

Section II: Defense function comparison (attacks)

To discuss defensive function we must first analyse the major denial-of-service attack tools in domestic use. The main attack methods used on the Internet today are:

SYN flood: the veteran DDoS attack. It exploits the TCP three-way handshake; its characteristic is that the attack packets carry forged source addresses, so the attack source is hard to trace. The more TCP SYN packets the attacker can construct per unit time, the more effective the attack.

Single-source SYN attack: targets the port aggregation and load-balancing algorithms of the layer-3 switching equipment (for example a Cisco layer-3 switch) in front of a defense cluster. It exploits a weakness of the balancing algorithm by sending the attack from a single real or forged source address with a single source port. On most layer-3 switching equipment such traffic is all switched onto one link, which weakens the defensive effect of the cluster.
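The single-source attack above works because link aggregation hashes each packet's addresses and ports to choose a member link, so every packet of one unchanging flow lands on the same link. As an added illustration that is not part of the original article, the following Python simulates that selection over a four-link bundle for a classic spoofed-source SYN flood and for a single-source flood; the hash (a truncated SHA-256), the addresses and the ports are assumptions standing in for whatever algorithm a real switch uses.

```python
import hashlib
import random
from collections import Counter


def pick_link(src, sport, dst, dport, proto, links):
    """Choose one of `links` member links for a flow.

    Real switches use vendor-specific XOR/CRC hashes of these same header
    fields; a truncated SHA-256 stands in for that here (an assumption, not
    any vendor's algorithm). What matters is that equal inputs give equal links.
    """
    key = f"{src}:{sport}->{dst}:{dport}/{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % links


def spoofed_syn_flood(n, seed=1):
    """Classic SYN flood: every packet carries a random forged source address and port."""
    rng = random.Random(seed)
    return [
        (
            f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}",
            rng.randrange(1024, 65536),
        )
        for _ in range(n)
    ]


def single_source_syn_flood(n, src="198.51.100.7", sport=40000):
    """Single-source variant: one fixed (real or forged) source address and source port."""
    return [(src, sport)] * n


def link_distribution(packets, links, dst="192.0.2.10", dport=80):
    """Packets per member link after hashing each (src, sport, dst, dport, TCP)."""
    counts = Counter(pick_link(src, sport, dst, dport, 6, links) for src, sport in packets)
    return [counts[i] for i in range(links)]


def busiest_link_share(dist):
    """Fraction of all packets that the most loaded member link carries."""
    return max(dist) / sum(dist)


if __name__ == "__main__":
    # Spoofed sources spread over all four links; a single source pins everything to one.
    print("spoofed :", link_distribution(spoofed_syn_flood(4000), 4))
    print("single  :", link_distribution(single_source_syn_flood(4000), 4))
```

The defensive consequence is that a cluster's capacity only counts if the balancer spreads packets independently of the attacker's chosen headers, for example by spraying per packet rather than per flow, or by forcing the attack through several upstream links before the hash is applied.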

Real-source SYN attack: launched specifically against the defensive theory of certain software and hardware firewalls, namely reverse (source-verification) defense. With the zombie-machine value chain that has grown up on the network over the past two years, real-source SYN attacks have become increasingly common: the attacker controls a large number of zombie machines and has each of them send attack packets from its own real address.

SYN large-packet attack: unlike a normal SYN attack, this constructs very large TCP packets so that the attack takes effect by congesting the network path to the target. Compared with a normal SYN attack at the same traffic rate, sending large packets consumes fewer system resources on the sender.

UDP large-packet attack: a UDP packet costs the attacker fewer system resources to build than a TCP packet, which makes it easy to send UDP at a high rate; UDP attacks generally work by clogging network bandwidth with large packets.

Proxy CC attack: first triggered when a Chinese attack tool was released on the Internet, after which proxy-based CC attacks appeared in large numbers. The attacker collects a large number of free, open proxy servers on the Internet and submits a large number of access requests for the target's address through them, so the proxy servers relay the attack. The client launching a CC attack needs only an ordinary broadband line, and the attack arrives from real addresses (those of the proxy servers); a number of network operators have suffered from it.

SYN-ACK, PSH-ACK and similar: attacks exploiting various weaknesses in TCP connection setup.

Legend DB attack: an attack specific to the database servers of the online game Legend, also first implemented as an exploit in the same Chinese attack tool; it simulates the client's account-creation action in volume, bringing the Legend server to its knees.

Legend character-spawning ("brush") attack: simulates logging in and then dropping offline without pause, crashing the Legend server.

squid+apache = good cache, protection from ddos

December 10th, 2009

I just reconfigured my webserver running on localhost. Why?
Read on...
1. What is the best practice for good performance? CACHE! Which means: if your webserver knows where a file (image, song, swf, etc.) is located on the hard drive and has already opened it once for another visitor, why must it be opened a second time by the webserver? It gives a good kick to performance if you're running a heavy site with a lot of pictures.
2. What is the best program for handling many simple GET/POST/CONNECT requests? Squid, a caching proxy server running under Linux that uses all the power of the Linux filesystem to build a fast cache.
I just made a hybrid combination of my squid (running on port 80) and apache (running on 127.0.0.1:80).
Here is the simple config of my squid:
# Squid listens on the public address; Apache is moved to 127.0.0.1:80
http_port 62.75.250.93:80 transparent
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# low/high water marks are percentages of the cache_dir size; the original 64/128
# is not meaningful (128% can never be reached), so use Squid's defaults of 90/95
cache_swap_low 90
cache_swap_high 95
maximum_object_size 2048 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
fqdncache_size 2048
cache_dir ufs /tmp/squid 2000 11 11
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /dev/null
# the site's own hostname must resolve to 127.0.0.1 here so the "site" acl below matches
hosts_file /etc/hosts
dns_nameservers 127.0.0.1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
peer_connect_timeout 30 seconds
acl all src 0.0.0.0/0.0.0.0
# only requests whose destination resolves to the local Apache are served;
# this is what stops the box from being an open proxy
acl site dst 127.0.0.1/32
# at most 20 concurrent (already accepted) connections per client IP
acl max_con maxconn 20
http_access deny max_con all
forwarded_for off
http_access deny all !site
# explicit allow: without it Squid falls back to "opposite of the last rule",
# which happens to be allow but should not be relied on
http_access allow site
http_reply_access deny all !site
icp_access deny all !site
miss_access deny all !site
cache_effective_user proxy
cache_effective_group proxy
visible_hostname Wishmaster
cache_mgr moushegh@nazaretyan.com
always_direct allow all
never_direct deny all
On apache you just need to change the VirtualHost and Listen directives to 127.0.0.1 (remember to add your hostname to the localhost line in /etc/hosts).
max_con is an ACL that will not allow more than 20 concurrent connections from one IP, a good method of protecting the backend from an HTTP GET flood coming from a single source. Two caveats: maxconn only counts connections Squid has already accepted, so it does nothing against a SYN flood, which exhausts the kernel's listen backlog before Squid ever sees a connection (that is the kernel's job, via SYN cookies), and it does not stop a distributed GET flood in which every source stays under 20 connections. Also, with forwarded_for off, Apache sees every request as coming from 127.0.0.1, so Apache's logs and any per-IP controls configured there no longer know the real client address; per-client analysis has to happen on Squid's access.log.
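To check whether the maxconn limit is actually biting, Squid's own access.log is the place to look, since Apache only ever sees 127.0.0.1. The following Python, added here and not part of the original post, parses native-format access.log lines, reconstructs each request's start time from the logged completion time and elapsed milliseconds, and reports per client IP the peak number of overlapping requests attempted, the peak Squid admitted, how many were TCP_DENIED, and whether the admitted peak stayed within the limit. The log lines are constructed samples and the client addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client code/status bytes method URL ident hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample (not from the original post): one normal browser, one client hammering the site.
SAMPLE_LOG = "\n".join(
    [
        "1260443270.500    120 203.0.113.5 TCP_MISS/200 5120 GET http://example.com/index.html - DIRECT/127.0.0.1 text/html",
        "1260443270.600    200 203.0.113.5 TCP_HIT/200 30210 GET http://example.com/logo.png - NONE/- image/png",
        "1260443270.650    100 203.0.113.5 TCP_HIT/200 1820 GET http://example.com/style.css - NONE/- text/css",
    ]
    + [f"1260443280.000   2000 198.51.100.9 TCP_MISS/200 512 GET http://example.com/?q={i} - DIRECT/127.0.0.1 text/html"
       for i in range(20)]
    + [f"1260443278.001      1 198.51.100.9 TCP_DENIED/403 1580 GET http://example.com/?q={i} - NONE/- text/html"
       for i in range(20, 25)]
)


def parse_line(line):
    """Return a record for one native-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    end = float(m.group("ts"))                       # Squid logs the completion time
    start = end - int(m.group("elapsed")) / 1000.0   # elapsed is in milliseconds
    return {"client": m.group("client"), "start": start, "end": end,
            "denied": m.group("code").startswith("TCP_DENIED"),
            "status": int(m.group("status")), "url": m.group("url")}


def peak_concurrency(records):
    """Highest number of overlapping requests per client IP (start/end sweep)."""
    events = defaultdict(list)
    for r in records:
        events[r["client"]].append((r["start"], 1))
        events[r["client"]].append((r["end"], -1))
    peaks = {}
    for ip, ev in events.items():
        ev.sort()                                    # at equal times -1 sorts before +1
        cur = peak = 0
        for _, delta in ev:
            cur += delta
            peak = max(peak, cur)
        peaks[ip] = peak
    return peaks


def analyse(log_text, limit=20):
    """Per client IP: attempted peak, peak Squid let through, denials, and whether `limit` held."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    attempted = peak_concurrency(records)
    admitted = peak_concurrency([r for r in records if not r["denied"]])
    denied = defaultdict(int)
    for r in records:
        if r["denied"]:
            denied[r["client"]] += 1
    return {ip: {"attempted_peak": attempted[ip],
                 "admitted_peak": admitted.get(ip, 0),
                 "denied": denied.get(ip, 0),
                 "limit_held": admitted.get(ip, 0) <= limit}
            for ip in attempted}


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

A client whose admitted peak equals the limit while it racks up TCP_DENIED lines is exactly what maxconn is supposed to produce; a client whose admitted peak exceeds the limit means the ACL is not being evaluated where you think it is. Because start times are derived from completion times, only finished requests appear, so run it over a log window that ends after the burst.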
Any questions? Ready to answer in the comments or via skype.

Email Delivery Server 5.8

November 29th, 2009

If you have been trying to deliver many email messages or support your own email domain, you know how hard and costly it can become.

Sending emails in large quantities is not easy. In addition to managing your subscriber lists correctly, you need to make sure that most of your emails reach their destination.

If you are working with a shared email server, you can easily be banned for somebody else's mistake, because an entire IP or IP range gets banned, taking everybody who uses it with it.

If you have your own email server to send your email, it is private to you and nobody else. Our SMTP server has tons of built in features to deliver email and protect you from spammers.

We support multiple RBL servers to filter out those spammers, and we can whitelist or blacklist entire IP ranges with sophisticated checking, so that only those who are authorized to relay messages will be able to do so.

Email Delivery Server is an easy-to-use yet powerful utility that integrates everything you need for mass mailing. It features parametrized mailing lists: you can import a very large list of subscribers, even with all their additional fields such as name, address and so on, and then write one email message with parameters.

Our server substitutes all parameters with the correct values on the fly. That is not all: our server is a complete sending and receiving solution, so in addition to being able to relay messages, it can also receive them for any number of domains and any number of users that you manage.

We have built in POP3 protocol and allow all our users to get their email from our server directly. Each user’s settings are configurable and you can even set each user’s mailbox size and other parameters individually.

Here are some key features of “Email Delivery Server”:

independence from email service providers (ESP);
support of SMTP and POP3 protocols;
message queue and mailbox encryption;
incoming SPAM filtering and sender blocking;
SSL/TLS encryption for SMTP and POP3;
DDoS attack prevention and firewall features;
email message box limiting on a per-user basis;
e-campaign testing mode and final message preview;
large volume handling by using scalability features;
parametrized distribution and mailing list support.

What’s New in This Release:

Activation bug is now fixed.

More security experts needed

November 26th, 2009

CYBERJAYA: The International Multilateral Partnership Against Cyber Threats (Impact) believes that what the world needs now is more cybersecurity experts.

Although it may sound less whimsical than the famous song, in reality, Impact said cyberspace is ever changing and the number of threats is growing everyday.

Threats are also getting more sophisticated and targeted compared to 10 years ago, said Philip Victor, head of communications and outreach at Impact's centre for policy and international cooperation.

Aside from attackers being driven by financial gains from attacking global systems, Philip said that terrorists are also turning to the Internet to launch their attacks or execute their plans.

One of the more popular examples of the realities of a cyberattack is the 2007 cyberwar in Estonia, where attackers launched distributed denial of service (DDoS) attacks on Estonian websites, including those of the Estonian parliament, banks, ministries and newspapers, he said.

Although the attacks may seem low-tech, a DDoS attack can disrupt everyday activities that require Internet connectivity.

“Unfortunately, there’s a lack of global cooperation to fight this due to the shortage of information security professionals,” Philip said.

In Malaysia, he said the information security professional to population ratio is 1:20,000.

“We believe the number of security professionals is growing but as the Internet population increases, we will need more,” he said.

Working towards this effort, Impact has aligned with information security certification company ISC2 to provide information security training to Impact partner countries.

“This is in line with our mandate of operationalising the Global Cybersecurity Agenda (GCA) in escalating cybersecurity capabilities to better defend against cyberthreats,” said Datuk Mohd Noor Amin, chairman of the Impact management board.

The GCA is the United Nations' International Telecommunication Union's framework to enhance confidence and cybersecurity in the information society.

Through this agreement, ISC2's certification courses such as the Certified Information Systems Security Professional, Systems Security Certified Practitioner and the Certified Secure Software Lifecycle Professional will be offered in Impact's partner countries to enhance the organisation's position in providing a holistic approach to public sector cybersecurity.

Impact will kick off the first course, the Systems Security Certified Practitioner course, in Africa in the first quarter of next year.

“Africa is a continent with growing Internet users so it's logical to train security professionals there to ensure its cyberspace is safe,” Philip said.

Impact and ISC2 are expecting 100,000 security professionals to be trained through this partnership.

“We will be working with governments to realise this goal in order to provide enough security professionals for the world,” Philip said.

W. Hord Tipton, executive director of ISC2, said the organisation is happy to work with Impact.

“We jointly believe that only by professional development can we enable the community to protect against cyberthreats and we look forward to educating more individuals,” he said.

Being Ignorant About DDoS and Why Firewalls Suck

November 25th, 2009

I’ve just attended a one day “seminar” with folks at Arbor Networks and it has been insightful.

It seems people are still pretty ignorant about DDoS attacks. Unlike the 1999 CIH virus, which was programmed to take out a computer by corrupting its BIOS EEPROM, most of the viruses, worms and malware on the Internet today are around for one simple reason: money. Obviously, if you're good enough to write worms, you'd think "why write a worm for fun when I can make money?" These worms infect computers to build botnets, and botnets are sold for real money on the black market to take down sites (via DDoS), send spam, and do all sorts of other things.

There was one point in particular that caught my attention: firewalls (or in fact any inline device, such as a load balancer) are themselves potential targets of a DDoS attack. To make matters worse, the higher up the OSI stack the firewall inspects, the worse it gets in terms of performance and reliability under load.

Believe it or not, firewalls are vulnerable to serious security issues like buffer overflows, just like any other server or appliance with an IP address. So it turns out that firewalls are the biggest marketing scam in the history of IT security, because companies have spent millions and millions of dollars on this stuff that doesn't offer much more protection than, say, iptables.

Just about a month ago, I spoke to one of our customers who experienced a DDoS attack launched towards their co-location in the USA. The DDoS traffic was approximately 500Mbps and it completely took out the firewall. This site provided online payment services to customers and was up and down for days. Their firewall was tiny in comparison to the DDoS they got: on paper, the spec states performance capabilities of 90Mbps or 30Kpps at 2.8K sessions/sec with a max of 8K sessions at any time. Of course, these are lab specifications, and real world traffic wouldn't be as forgiving.

A flood of tiny packets is the more direct way to break it. A 1-byte UDP or ICMP payload pads out to a 64-byte Ethernet frame, which with preamble and inter-frame gap costs 84 bytes on the wire, so 10Mbps of such packets is roughly 14,900 packets per second, 20Mbps is already at the firewall's 30Kpps rating, and the 500Mbps flood this customer received would be around 740Kpps, roughly 25 times what the firewall was rated for. Taking down such a firewall would be a breeze. In fact, a single modern day computer on a broadband connection could probably do the job.

If it was a TCP SYN flood, it would have been way easier. Sending 2K TCP SYN packets per second is child's play, so filling the firewall's 8K-entry state table takes about four seconds, and the table stays full for as long as the SYN rate multiplied by the half-open timeout exceeds its size, which at 2K per second is any timeout over four seconds.
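The sizing arithmetic behind the last two paragraphs, as an added worked example that is not part of the original post: it computes the frame rate a given bandwidth carries at a given frame size and checks that, and a SYN flood, against the firewall figures quoted above. The 84-byte on-wire cost of a minimum frame and the 30-second half-open timeout are assumptions, not values from the post.

```python
WIRE_OVERHEAD_BYTES = 20   # 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap (assumed Ethernet)
MIN_FRAME_BYTES = 64       # what a 1-byte UDP or ICMP payload pads out to on Ethernet
MAX_FRAME_BYTES = 1518

# Figures the post quotes for the customer's firewall
POST_FIREWALL = {"mbps": 90, "pps": 30_000, "sessions_per_s": 2_800, "max_sessions": 8_000}


def packets_per_second(mbps, frame_bytes=MIN_FRAME_BYTES):
    """Maximum frame rate a link of `mbps` carries when every frame is `frame_bytes` long."""
    return mbps * 1_000_000 / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def seconds_to_fill(max_sessions, syn_rate):
    """Time until a fresh state table of `max_sessions` entries is full at `syn_rate` SYN/s."""
    return max_sessions / syn_rate


def steady_state_half_open(syn_rate, half_open_timeout_s):
    """Entries held at equilibrium: each SYN occupies a slot until the half-open timeout expires."""
    return syn_rate * half_open_timeout_s


def assess(spec, attack_mbps, frame_bytes=MIN_FRAME_BYTES, syn_rate=0, half_open_timeout_s=30):
    """Which of the firewall's rated limits a volumetric flood (and optionally a SYN flood) exceeds."""
    pps = packets_per_second(attack_mbps, frame_bytes)
    result = {
        "pps": round(pps),
        "bps_exceeded": attack_mbps > spec["mbps"],
        "pps_exceeded": pps > spec["pps"],
    }
    if syn_rate:
        held = steady_state_half_open(syn_rate, half_open_timeout_s)
        result.update({
            "setup_rate_exceeded": syn_rate > spec["sessions_per_s"],
            "seconds_to_fill": seconds_to_fill(spec["max_sessions"], syn_rate),
            # the table stays full once the equilibrium count reaches its capacity
            "state_table_exhausted": held >= spec["max_sessions"],
        })
    return result


if __name__ == "__main__":
    print("10 Mbps, minimum frames :", assess(POST_FIREWALL, 10))
    print("500 Mbps, minimum frames:", assess(POST_FIREWALL, 500))
    print("2K SYN/s                :", assess(POST_FIREWALL, 1, syn_rate=2000))
```

The point the numbers make is that the bandwidth rating is the least interesting one: a flood far below 90Mbps already exceeds the packet rate, and a SYN rate below the 2.8K sessions/sec setup rating still pins the state table at capacity because entries outlive the SYNs that created them.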

I had a chat with my wife, who audits financial institutions (FIs) against the PCI-DSS standard. Most FIs providing payment card services have to conform to this standard, and the standard mandates a firewall. Unfortunately, most FIs have a pretty average Internet pipe, somewhere in the range of 20Mbps to 100Mbps, and they size their firewalls to their connectivity, so what they have closely resembles the one I described earlier.

So why were firewalls invented?

Early operating systems didn't provide packet filtering capabilities, so the early firewalls were really just stateless packet filters that routed (not NAT'ed) traffic and dropped unwanted requests to services that weren't supposed to be public, based on simple IP address, protocol and port numbers. Then the idea of NAT came about (remember the days of WinRoute) to allow multiple computers on a LAN to share a single IP address on a WAN link. Some smart guy then figured, "oh well, let's put servers on a private subnet and use NAT to map public and private address spaces. This way, we're safer!" Admittedly, that was the dumbest idea ever and is a PITA to manage, but millions of servers are configured this way today. Over time, these features were slowly incorporated into the all-in-one junkbox we now call the Firewall. Sweet.

Personally, I don’t have a firewall sitting in front of my servers. All my servers are individually configured to run iptables (or ipfilter on Solaris, etc.). I am going to test the Linux TCP stack with Apache from a default CentOS install to see how much SYN flood it can hold up before giving up and maybe post some results here, including what I tweaked in the kernel.