[Wolves] DDoS Protection Software Review

roundyz at hotmail.ru roundyz at hotmail.ru
Thu Jan 21 12:00:25 UTC 2010


Andy Jewell wrote:

>> Several months ago, I asked for opinions on DDoS protection software... and got none. :-(
>> 
>> However, someone (I forget who) said they'd be interested in a run-down after the fact.
>> 
>> So here it is.
>> 
>> I chose "DDos-Deflate", mainly because it looked easier to install and manage. I can't comment on that, as I didn't end up trying anything else. It wasn't "Love at first sight" or anything, but it does what it says on the tin.
>> 
>> It's easy to install, but there are a few gotchas.
>> 
>> It's basically a cron-job shell script wrapped round the following command:
>> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
>> 
>> Visit http://deflate.medialayer.com/ for full instructions for a (nearly) distro-agnostic install.
>> 
>> The default parameters are about right: The cron job runs every minute, and then anything with more than 149 active (simultaneous) connections to your box at the time, gets blocked with IPTables (ok, actually IPChains, but the command is still "iptables"). 10 minutes later, it gets automatically unblocked. 
>> 
>> You need to edit the script config file /usr/local/ddos/ddos.conf to change the alert e-mail address, if you want alerts to go out to other than root at localhost.
>> 
>> PERFORMANCE
>> 
>> 1. Tested by doing the following:
>> Setup: On the host, run in separate terminals:
>>     watch 'iptables-save; netstat -apntu|sed -e "s/^tcp[\t ]*[0-9]*[\t ]*[0-9]*[\t ]*[0-9\.\:]*[\t ]*//"|head -n50'
>>     top # to see how much load it causes
>> 1.1 Browse to a page on the server, hold down F5 key for 30+ seconds.
>> 1.2 Use netcat (nc) in a loop: 
>>     hostip=192.168.123.45 # change to address of test host
>>     for (( p=20; p<160; p=p+1 )); do echo $p; echo "GET " |nc $hostip 80 & done
>> 1.3 CPU load was minimal, but machine is quite beefy (2x quad core Xeon @ 2.8GHz)
>> 
>> 2. Real-life performance
>> 2.2 We seem to get a few "attacks" a day... mostly just people being stupid, opening up 50 tabs to various pages on the site in firefox or just sniffers looking for "valuable" info. Most of them don't come back after their 10 minute ban.
>> 
>> 
>> GOTCHAS
>> 
>> 1. The installer starts the script immediately, and there's no whitelist defined. If your machine makes a lot (150 or more) of outgoing connections to, say, a database server... IT GETS BLOCKED. 
>> 
>> Solution: Stop iptables service immediately after installing, edit the whitelist file (/usr/local/ddos/ignore.ip.list) and add the IP addresses of all local and remote machines the current host talks to, plus probably your management subnet too, so you can still ssh into the box without fear of getting firewalled out.
>> 
>> 2. Not compatible with CentOS/RedHat 5 (and possibly other distros too) because for some reason, netstat outputs addresses with IPv6 ::ffff: prefixes, even though IPv6 support is OFF. This chokes the script.
>> 
>> Solution: Edit the awk statement in the netstat ... sort -n pipe to deal with the issue. I'm not familiar with awk, so I switched it to use sed:
>> 
>> Original line: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
>> Replacement: netstat -ntu |  sed -e 's/::ffff://g;s/   */ /g;s/  +/ /g;s/:/ /g;/tcp/p;/udp/p;d'|cut -d" " -f6| sort |  uniq -c| sort -nr > $BAD_IP_LIST
>> 
>> The sed command removes all ::ffff: strings from the input, and generally cleans it up. 
>> 
>> 3. Doesn't detect mass "slow talker" type attacks - i.e. lots of connections from different addresses, where the requests are sent in one character every second or so, thus locking up the web-server.
>> 
>> Solution: Use another program.
>> 
>> CUSTOMISATIONS
>> 
>> Because it's a shell script, I was able to mod it to do things to better suit our environment. I modified the alert message, and how many hits before it sends out alerts, plus putting in a curfew so it doesn't e-mail me at 3am in the morning. I also beefed up the logging. THIS IS WHY I LOVE FREE SOFTWARE! I'm considering submitting my changes back to the author, if he wants them.
>> 
>> It's now been running on 2 live servers, for over a month,  and is doing well. I'd recommend it - it does what it sets out to do, and is easily configurable and tweakable.
>> 
>> Andy D'Arcy Jewell
>> SysMicro Linux Support
>> 
>> T:  +44 (0) 844 991 8804
>> M: +44 (0) 7961 605631
>> F:  +44 (0) 844 357 7020
>> E:  andy.jewell at sysmicro.co.uk
>> W: www.sysmicro.co.uk
>> 
>> CRN THE CHANNEL AWARDS 2009 WINNER
>> SysMicro named CRN's Editor's Choice for Emerging Business of the Year 2009, recognising SysMicro for our considerable growth, specifically in Enterprise Solutions.
>> ________________________________________
>> 
>> _______________________________________________
>> Wolves LUG mailing list
>> Homepage: http://www.wolveslug.org.uk/
>> Mailing list: Wolves at mailman.lug.org.uk
>> Mailing list home: https://mailman.lug.org.uk/mailman/listinfo/wolves
>> 
I thought the first D in DDOS was for distributed, as in multiple
machines, making these types of attack seem like high volume hits from
multiple locations.

What is needed is something that does not block on the count of connections
from a source, but that checks the period of intervals that arise between
connections of that source; that would determine whether machine behaviour
was happening or human. However, this assumes that the connections within
the connecting software are not randomly timed.

-- 
Regards,
Roundyz
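Added example, not part of the thread and not DDoS-Deflate's own script or Andy's patched line. The first half reproduces the per-source connection count the original post describes, with the ::ffff: prefix stripped before the port is split off (gotcha 2) and a whitelist file consulted before anything is reported (gotcha 1). The second half sketches the inter-arrival check proposed in the reply, which needs timestamped requests (e.g. from a web server log) rather than a netstat snapshot. The threshold of 150, the whitelist file argument and all netstat/request lines are constructed for this example; nothing here blocks anything, it only reports.

```bash
#!/bin/bash
# Added example, not DDoS-Deflate's own script and not Andy's patched line.
# Part 1 reproduces the per-source connection count from the post, with the
# ::ffff: normalisation (gotcha 2) and the whitelist (gotcha 1) built in.
# Part 2 sketches the inter-arrival check from the reply. All data is constructed.

NO_OF_CONNECTIONS=150   # assumed threshold: "more than 149" in the post

# --- Part 1: count simultaneous connections per remote address -----------

# Read netstat -ntu output on stdin and print one remote IP per tcp/udp line.
# The IPv4-mapped "::ffff:" prefix is removed before the port is split off,
# which is the step the original "cut -d: -f1" gets wrong on CentOS/RedHat 5.
remote_ips() {
    awk '/^(tcp|udp)/ {
        addr = $5                     # Foreign Address column
        sub(/^::ffff:/, "", addr)     # drop the IPv4-mapped prefix
        sub(/:[^:]*$/, "", addr)      # drop ":port" (or ":*" on a UDP socket)
        print addr
    }'
}

# "count ip" per remote address, busiest first (same shape as the original pipe).
count_conns() {
    remote_ips | sort | uniq -c | sort -rn
}

# Print "count ip" for addresses above the limit ($1) that are not listed,
# one per line, in the whitelist file ($2; stands in for ignore.ip.list).
offenders() {
    local limit="$1" whitelist="$2" count ip
    count_conns | while read -r count ip; do
        [ "$count" -gt "$limit" ] || continue
        grep -qxF -- "$ip" "$whitelist" 2>/dev/null && continue
        echo "$count $ip"
    done
}

# Constructed netstat -ntu output from a box that prints ::ffff: addresses:
# a browser with 3 connections, our own database traffic (200 connections to
# 10.0.0.99, the gotcha-1 case) and one remote host holding 151 connections.
sample_netstat() {
    local i
    echo 'Active Internet connections (w/o servers)'
    echo 'Proto Recv-Q Send-Q Local Address               Foreign Address             State'
    for i in $(seq 1 3);   do echo "tcp 0 0 ::ffff:192.168.123.45:80 ::ffff:10.0.0.7:5000$i ESTABLISHED"; done
    for i in $(seq 1 200); do echo "tcp 0 0 ::ffff:192.168.123.45:$((40000+i)) ::ffff:10.0.0.99:3306 ESTABLISHED"; done
    for i in $(seq 1 151); do echo "tcp 0 0 ::ffff:192.168.123.45:80 ::ffff:203.0.113.5:$((50000+i)) ESTABLISHED"; done
    echo 'udp 0 0 0.0.0.0:123 0.0.0.0:*'
}

# --- Part 2: inter-arrival regularity per source (the reply's idea) --------

# stdin: "<epoch_seconds> <ip>" request records, chronological per IP.
# Prints "ip mean_interval spread" for IPs with at least $1 intervals, where
# spread = longest interval - shortest. A spread near zero means evenly timed
# requests, which the reply takes as a machine signature. As the reply notes,
# a client that randomises its timing will not show up here.
interval_regularity() {
    awk -v min="$1" '
    {
        t = $1; ip = $2
        if (ip in last) {
            d = t - last[ip]; n[ip]++; sum[ip] += d
            if (!(ip in lo) || d < lo[ip]) lo[ip] = d
            if (!(ip in hi) || d > hi[ip]) hi[ip] = d
        }
        last[ip] = t
    }
    END { for (ip in n) if (n[ip] >= min + 0) printf "%s %.2f %.2f\n", ip, sum[ip]/n[ip], hi[ip]-lo[ip] }'
}

# IPs whose spread is at most $2 seconds over at least $1 intervals.
machine_like() {
    interval_regularity "$1" | awk -v tol="$2" '$3 + 0 <= tol + 0 { print $1 }' | sort
}

# Constructed hits: 203.0.113.9 requests exactly once a second; 198.51.100.4
# looks like a person clicking around.
sample_hits() {
    local t
    for t in $(seq 100 110); do echo "$t 203.0.113.9"; done
    printf '%s 198.51.100.4\n' 100 103 104 110 111 120
}

# Usage (the whitelist file holds one IP per line, e.g. 10.0.0.99):
#   sample_netstat | offenders "$NO_OF_CONNECTIONS" /path/to/ignore.ip.list
#   sample_hits | machine_like 5 1
```

Feeding real `netstat -ntu` output into `offenders` in place of `sample_netstat` gives the same list the cron job would act on, minus the whitelisted hosts, so it is a cheap way to check a whitelist before letting the script start blocking. The regularity check is only a sketch of the reply's idea: it needs a time series of requests, and a single snapshot of open sockets cannot provide one.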
