Skip to content

Instantly share code, notes, and snippets.

@bom-d-van
Created February 12, 2017 11:46
Show Gist options
  • Star 43 You must be signed in to star a gist
  • Fork 17 You must be signed in to fork a gist
  • Save bom-d-van/6627b721cbad08eb27a01048716a941b to your computer and use it in GitHub Desktop.
Save bom-d-van/6627b721cbad08eb27a01048716a941b to your computer and use it in GitHub Desktop.
Detecting and Mitigating DDOS Attacks
Detecting and Mitigating DDOS Attacks
#List all Finish (FIN) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 1 != 0'
#List all SYN and SYN-ACK packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 2 != 0'
#List all Reset (RST) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 4 != 0'
#List all Push (PSH) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 8 != 0'
#List all acknowledge (ACK) packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 16 != 0'
#List all null packets
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] & 0xff = 0'
OR
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[13] = 0'
#List all packets for your destination port 80 (assuming you are on destination host)
machine1 : sudo /usr/sbin/tcpdump -Nnn -i any -s0 'tcp[2:2] = 80'
#List count of TCP connections by IP address
machine1 : netstat -npt | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
554 X.175.191.23
5 Y.49.92.30
3 Z.225.121.76
2 A.219.69.149
2 B.152.24.254
#List count of TCP connections by IP address on specific service port
machine1 : netstat -npt | grep <port> | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
554 X.175.191.23
5 Y.49.92.30
3 Z.225.121.76
2 A.219.69.149
2 B.152.24.254
#List count of Established TCP connections by IP address on specific service port and are in ESTABLISHED state
machine1 : netstat -npt | grep <port> | grep ESTABLISHED | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
413 X.175.191.23
2 Y.49.92.30
2 Z.225.121.76
2 A.219.69.149
2 B.152.24.254
#List count of connections by state
machine1 : netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
1749 ESTABLISHED
118 TIME_WAIT
6 LAST_ACK
5 SYN_RECV
4 FIN_WAIT2
1 Foreign
1 FIN_WAIT1
1 CLOSE_WAIT
SYN flood attacks & mitigations
1)Detect if you are having SYN flood:
SYN_RECV state it means your server has received the initial SYN packet, it has sent it's own SYN+ACK packet and is waiting on the ACK from the external machine to complete the TCP handshake.
machine1 : netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr | head
1749 SYN_RECV
18 ESTABLISHED
6 LAST_ACK
Command clearly shows you have lot many connections in SYN_RECV state and possible SYN flood attack.
2)Detect if its from single IP(DOS attack) or multiple IPs(DDOS attack):
Single IP attack:
machine1 : netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
413 X.175.191.23
2 Y.49.92.30
2 Z.225.121.76
2 A.219.69.149
2 B.152.24.254
Now you know the culprit IP, you could just block the IP. There are various ways you could block the IP.
Common and quick ways are:
a)Drop packets using ip command:
machine1: ip route add blackhole X.175.191.23/32
b)Drop packets using iptables command:
iptables -A INPUT -s X.175.191.23 -j DROP
Is ip or iptables command better to use? Hard to say since both works at layer 3/4 of OSI model. You need to check how large is your routing table or iptables. The one to traverse fast should be used.
Multiple IP attack (common subnet):
machine1 : netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
345 X.175.191.13
243 X.175.190.27
34 X.175.181.33
78 X.175.41.24
2 Y.42.91.30
2 Z.125.121.76
Common and quick ways are:
a)Drop subnet using ip command:
machine1: ip route add blackhole X.175.0.0/16
b)Drop subnet using iptables command:
iptables -A INPUT -s X.175.0.0/16 -j DROP
Its pretty common to have SYN flood attacks from multiple IPs by spoofing source IP address in packets. This way its becomes hard to distinguish sometimes which are real IPs and which are fake.
Multiple IP attack (different subnet):
machine1 : netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
3 X.175.191.23
2 Y.42.91.30
2 Z.125.121.76
2 A.219.69.149
2 B.152.24.254
2 C.142.44.254
2 D.52.54.214
1 E.15.27.250
SYN cookies dramatically reduces your CPU and memory usage durin SYN flood attack and helps to keep machine a bit happy.When SYN Cookie is enabled on JUNOS software with enhanced services and becomes the TCP-negotiating proxy for the destination server, it replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence Number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, JUNOS software with enhanced services drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.If the initiating host responds with a TCP packet containing the cookie +1 in the TCP ACK field, JUNOS software with enhanced services extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK. If it is legitimate, JUNOS software with enhanced services starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN. When JUNOS software with enhanced services receives a SYN/ACK from the server, it sends ACKs to the server and to the initiation host. At this point the connection is established and the host and server are able to communicate directly.
Syn Cookies
#Check if SYN cookie is enabled or not:
machine1 : sysctl -a | grep tcp_syncookies
net.ipv4.tcp_syncookies = 0
#Enable it:
machine1 : sysctl -w net.ipv4.tcp_syncookies=1
IPTABLES
#Custom SYN-ATTACK chain
:SYN-ATTACK - [0:0]
#Rule
-A INPUT -i <your interface> -m -p tcp --syn -j SYN-ATTACK
-A SYN-ATTACK -m limit --limit 100/second --limit-burst 100 -j RETURN
-A SYN-ATTACK -m limit --limit 10/h --limit-burst 10 -j LOG --log-prefix "SYN-ATTACK Attack:"
-A SYN-ATTACK -j DROP
@bom-d-van
Copy link
Author

@tcpdump-examples
Copy link

tcpdump-examples commented Mar 2, 2021

We can use the following commands to filter tcp flag packets with tcpdump. It is much easier to understand.
tcpdump -i utun1 tcp[tcpflags] == 'tcp-syn'
tcpdump -i utun1 tcp[tcpflags] == 'tcp-syn' or tcp[tcpflags] == 'tcp-ack'

@bloodberrys
Copy link

thanks, this is very useful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment