Mailinglist Archive: opensuse-security (274 mails)

[keith@xxxxxxxxxxxxxxxxxxxxxxxx]

Hi Philippe and list!


On Mon, 25 Aug 2003, Philippe Vogel wrote:

> More simple:
>
> This is a rule for input chain of your server's firewall.
>
> Analog to synflodd protection insert this in your firewallscript before you
> allow conncetion to port 80:
>
> # Set your number of max. connections here!
> CONNECTION_LIMIT="100"
>
> iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit
> $CONNECTION_LIMIT/h \
>    -j LOG --log-prefix 'limit of $CONNECTION_LIMIT connections reaced'
>
> Reguards
>
> Philippe
>

Thanks for the suggestion. I understand what your saying,
and I have this in my firewall already.

What I'm looking for is a way to identify spoofed IP Syn
flood attacks. I thought this could be done by keeping a
count of each packet that is making an excessive amount of
un-ACKnowleged TCP connections to the server.


DrDOS attacks are made by sending packets with spoofed IP
source address, for the machine the attacker wishes to
target. The server will keep responding to these packets by
sending out SYN/ACK packets, and wait for an ACK reply.

So, if the source IP address is faked, the server is sending
packets to a machine that has not asked for the connection.
And the server will keep on sending out SYN/ACK packets till
it times out, which could be quite a while.

My idea was to keep a count of ALL packets coming to the
server, and if there is an excessive amount of packets that
are coming from one source IP, in a very short period of
time, then this would probably indicate a SYN flood attack.

With this information, it would then be possible to tell the
server to block ALL future packets from the identified SYN
flood source IP address, for an hour or more.

(Even though the source IP is faked, this will stop Apache
 responding with SYN/ACK packets, which could in turn foil a
 SYN flood attack on someone elses machine).

After the pre-configured time-out, connections from the
blocked IP address would be allowed again.

So you are right, this would work like the limit module in
IPTables, but will also give alot more information, which
Apache could then act upon.

The idea is to build Syn flood attack prevention into
Apache, so that the server will identify such attacks, and
automatically block them, for a certain period of time,
depending on the cofiguration directives allowed by the
modifications done to the server.

I don't mind working on this with someone else that has
experience with Apache development, and is able to make the
required modifications to the source code, etc.


I have not had a chance to check out the other suggestions
yet, but thanks to those that have made comments.

Kind Regards - Keith Roberts


PS Would anyone like a copy of httpd.conf that I have
   reworked, and divided into 4 main include files?
   If so, I will email it to you off this list.

snip->.............
# The configuration directives have been regrouped into four basic sections:
#  1. Directives that deal with dynamic loading of different Apache modules,
#     for extending the functionality of Apache web server.
#
#  2. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#
#  3. Directives that define the parameters of the 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all following virtual hosts.
#
#  4. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
snip->.............

   (a reworked copy of php.ini and chapter 3 configuring PHP is available as well, if
    anyone would like a copy)