Finding and blocking the IP address of a DDoS attacker

Submitted by Gast (not verified) on Sat, 07/13/2013 - 11:22

Our game server is getting DDoS attacks from Argentina and sometimes from other countries as well. We have iptables, APF etc., but it does not help. When our administrators happen to be online, they handle it over SSH with netstat + apf/iptables, using the following steps:


netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

This shows the attackers' IPs.

And then you block them with:

apf -d 123.456.789.112
iptables -I INPUT -s 123.456.789.123 -j DROP

But nobody can be online 24 hours a day and monitor everything around the clock. For that you should have an automated solution.
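One way to automate the netstat step described above, written as an added example (it is not the original poster's code). It parses `netstat -n` output by whitespace-separated fields rather than a fixed character offset (`cut -c 45-` shifts with address width and breaks on IPv6), counts connections per remote address on the watched port, and emits the corresponding iptables/ip6tables DROP rules as strings for review instead of applying them. The netstat lines, the addresses and the threshold of 2 connections are constructed for the demonstration.

```python
"""Count client connections per remote IP from `netstat -n` output and propose
firewall rules for the heaviest sources. Added example, not from the original
post; sample output and threshold are constructed."""
from collections import Counter

# Constructed sample of `netstat -n` output (documentation-range addresses).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.23:40001     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55555         ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::77:41000    ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::77:41001    ESTABLISHED
"""


def connections_per_ip(netstat_text, local_port=80):
    """Return a Counter {remote_ip: connections} for TCP sockets on local_port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner, the header row and non-TCP protocols.
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        local, remote = fields[3], fields[4]
        # Split on the LAST ':' so IPv6 addresses (which contain ':') still work.
        lport = local.rpartition(":")[2]
        remote_ip = remote.rpartition(":")[0]
        if lport == str(local_port):
            counts[remote_ip] += 1
    return counts


def suspicious_ips(counts, threshold):
    """Remote IPs whose connection count reaches the threshold, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def block_rules(ips):
    """Build DROP rules as strings (dry run: nothing is executed here)."""
    rules = []
    for ip in ips:
        tool = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    counts = connections_per_ip(SAMPLE_NETSTAT, local_port=80)
    for ip, n in counts.most_common():
        print(f"{n:6d} {ip}")
    # Threshold of 2 is an assumed value for the demo; tune it to the service.
    for rule in block_rules(suspicious_ips(counts, threshold=2)):
        print(rule)
```

For a live run, replace SAMPLE_NETSTAT with the output of `subprocess.check_output(["netstat", "-n"], text=True)` (or `ss -tn`, whose columns differ), and keep the rule output as a review step: a threshold that fires on a NAT gateway or a search-engine crawler will block legitimate users just as readily as an attacker.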

Comments

Posted by shadowmage (not verified) on Mon, 07/15/2013 - 23:41

It is advisable to look at the packets more closely in order to write your own filters. Some sequences are typical of particular DDoS tools. Some have a specific string as the HTTP User-Agent.

It is best to record the network traffic with a tool like tcpdump and analyse it later with tcpdump or Wireshark.

Record the network traffic and save it as "ddos.pcap":

sudo tcpdump -w ddos.pcap

You can also save only the traffic of a specific IP address:

sudo tcpdump host 192.168.1.1 -w ddos.pcap

Posted by shadowmage (not verified) on Mon, 07/15/2013 - 23:42

If the Apache server is being attacked, you can display the requests to the server with the program apachetop.

Installation:

apt-get install apachetop

apachetop takes as its parameter the access_log of the website you want to monitor.

apachetop -f /var/log/virtualmin/WEBSEITE_access_log

This is what the tool's output looks like (IP addresses have been censored):

last hit: 19:02:48 atop runtime: 0 days, 00:05:13 19:02:48
All: 303 reqs ( 1.0/sec) 699.4K ( 2303.0B/sec) 2363.8B/req
2xx: 162 (53.5%) 3xx: 108 (35.6%) 4xx: 33 (10.9%) 5xx: 0 ( 0.0%)
R ( 29s): 28 reqs ( 1.0/sec) 60.1K ( 2122.4B/sec) 2198.2B/req
2xx: 17 (60.7%) 3xx: 8 (28.6%) 4xx: 3 (10.7%) 5xx: 0 ( 0.0%)

REQS REQ/S KB KB/S HOST
9 0.31 2.9 0.1*76...
4 0.15 18.9 0.7 178...
3 0.10 13.6 0.5 66...
3 0.21 10.0 0.7 95...
2 0.13 9.2 0.6 66...
2 0.08 0.5 0.0 50...
2 0.13 1.8 0.1 91...
2 0.08 2.9 0.1 93...
1 0.10 0.2 0.0 38...

While the statistics are displayed, the 'd' key switches between IP addresses and referrers.
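The two comments above suggest ranking clients by request rate (what apachetop does) and looking for User-Agent strings characteristic of flood tools. The following added example (not the poster's code, and not part of apachetop) does both offline from an Apache combined-format access log: it counts requests per client IP within a window ending at the newest log line, like apachetop's "R (29s)" row, and attaches each client's most common User-Agent so an odd agent string stands out next to a high count. The log lines, addresses, User-Agent values, the 30-second window and the threshold of 3 requests are all constructed for the demonstration.

```python
"""Rank access-log clients by request rate and User-Agent within a time window.
Added example with constructed log lines; not from the original comments."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering "/" with an unusual agent string,
# one ordinary browser, one old line outside the window, one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2013:19:01:00 +0200] "GET / HTTP/1.1" 200 2363 "-" "constructed-flood-tool/1.0"
203.0.113.7 - - [15/Jul/2013:19:02:40 +0200] "GET / HTTP/1.1" 200 2363 "-" "constructed-flood-tool/1.0"
198.51.100.23 - - [15/Jul/2013:19:02:41 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/22.0"
203.0.113.7 - - [15/Jul/2013:19:02:42 +0200] "GET / HTTP/1.1" 200 2363 "-" "constructed-flood-tool/1.0"
203.0.113.7 - - [15/Jul/2013:19:02:44 +0200] "GET / HTTP/1.1" 200 2363 "-" "constructed-flood-tool/1.0"
203.0.113.7 - - [15/Jul/2013:19:02:46 +0200] "GET / HTTP/1.1" 200 2363 "-" "constructed-flood-tool/1.0"
203.0.113.7 - - [15/Jul/2013:19:02:48 +0200] "GET / HTTP/1.1" 200 2363 "-" "constructed-flood-tool/1.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    """Parse all lines, silently dropping malformed ones."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def requests_per_ip(records, window_seconds):
    """Requests per client IP in the last window_seconds before the newest record."""
    if not records:
        return Counter()
    newest = max(r["ts"] for r in records)
    cutoff = newest - timedelta(seconds=window_seconds)
    return Counter(r["ip"] for r in records if r["ts"] >= cutoff)


def user_agents_per_ip(records):
    """{ip: Counter of User-Agent strings} over all records."""
    agents = defaultdict(Counter)
    for r in records:
        agents[r["ip"]][r["ua"]] += 1
    return agents


def flag_clients(records, window_seconds, threshold):
    """[(ip, requests_in_window, most_common_user_agent)] for IPs at/over threshold."""
    counts = requests_per_ip(records, window_seconds)
    agents = user_agents_per_ip(records)
    return [(ip, n, agents[ip].most_common(1)[0][0])
            for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n, ua in flag_clients(recs, window_seconds=30, threshold=3):
        print(f"{n:5d} req/30s  {ip:16s} {ua}")
```

A real log is read with `parse_log(open(path).read())`; the threshold should be set from the site's normal per-client rate, and a client that sends a browser-like User-Agent at flood rate is caught by the count alone, so the agent column is a hint for writing filters, not the trigger.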

Posted by Gast (not verified) on Sat, 09/14/2013 - 21:02

The MySQL database is often brought to its knees by DDoS. So it makes sense to monitor the database as well. You can use the MySQL console for that.

mysql -u root -p

Show MySQL status:
mysql> show status;
+-----------------------------------+------------+
| Variable_name                     | Value      |
+-----------------------------------+------------+
| Aborted_clients                   | 1007       |
| Aborted_connects                  | 0          |
| Binlog_cache_disk_use             | 0          |
| Binlog_cache_use                  | 0          |
| Bytes_received                    | 502        |
| Bytes_sent                        | 3318       |
| Com_admin_commands                | 0          |
| Com_assign_to_keycache            | 0          |
| Com_alter_db                      | 0          |
| Com_alter_db_upgrade              | 0          |
| Com_alter_event                   | 0          |
| Com_alter_function                | 0          |
| Com_alter_procedure               | 0          |
| Com_alter_server                  | 0          |
| Com_alter_table                   | 0          |
| Com_alter_tablespace              | 0          |
| Com_analyze                       | 0          |
| Com_backup_table                  | 0          |
| Com_begin                         | 0          |
| Com_binlog                        | 0          |
| Com_call_procedure                | 0          |
| Com_change_db                     | 0          |
| Com_change_master                 | 0          |
| Com_check                         | 0          |
| Com_checksum                      | 0          |
| Com_commit                        | 0          |
| Com_create_db                     | 0          |
| Com_create_event                  | 0          |
| Com_create_function               | 0          |
| Com_create_index                  | 0          |
| Com_create_procedure              | 0          |
| Com_create_server                 | 0          |
| Com_create_table                  | 0          |
| Com_create_trigger                | 0          |
| Com_create_udf                    | 0          |
| Com_create_user                   | 0          |
| Com_create_view                   | 0          |
| Com_dealloc_sql                   | 0          |
| Com_delete                        | 0          |
| Com_delete_multi                  | 0          |
| Com_do                            | 0          |
| Com_drop_db                       | 0          |
| Com_drop_event                    | 0          |
| Com_drop_function                 | 0          |
| Com_drop_index                    | 0          |
| Com_drop_procedure                | 0          |
| Com_drop_server                   | 0          |
| Com_drop_table                    | 0          |
| Com_drop_trigger                  | 0          |
| Com_drop_user                     | 0          |
| Com_drop_view                     | 0          |
| Com_empty_query                   | 0          |
| Com_execute_sql                   | 0          |
| Com_flush                         | 0          |
| Com_grant                         | 0          |
| Com_ha_close                      | 0          |
| Com_ha_open                       | 0          |
| Com_ha_read                       | 0          |
| Com_help                          | 0          |
| Com_insert                        | 0          |
| Com_insert_select                 | 0          |
| Com_install_plugin                | 0          |
| Com_kill                          | 0          |
| Com_load                          | 0          |
| Com_load_master_data              | 0          |
| Com_load_master_table             | 0          |
| Com_lock_tables                   | 0          |
| Com_optimize                      | 0          |
| Com_preload_keys                  | 0          |
| Com_prepare_sql                   | 0          |
| Com_purge                         | 0          |
| Com_purge_before_date             | 0          |
| Com_release_savepoint             | 0          |
| Com_rename_table                  | 0          |
| Com_rename_user                   | 0          |
| Com_repair                        | 0          |
| Com_replace                       | 0          |
| Com_replace_select                | 0          |
| Com_reset                         | 0          |
| Com_restore_table                 | 0          |
| Com_revoke                        | 0          |
| Com_revoke_all                    | 0          |
| Com_rollback                      | 0          |
| Com_rollback_to_savepoint         | 0          |
| Com_savepoint                     | 0          |
| Com_select                        | 1          |
| Com_set_option                    | 0          |
| Com_show_authors                  | 0          |
| Com_show_binlog_events            | 0          |
| Com_show_binlogs                  | 0          |
| Com_show_charsets                 | 0          |
| Com_show_collations               | 0          |
| Com_show_column_types             | 0          |
| Com_show_contributors             | 0          |
| Com_show_create_db                | 0          |
| Com_show_create_event             | 0          |
| Com_show_create_func              | 0          |
| Com_show_create_proc              | 0          |
| Com_show_create_table             | 0          |
| Com_show_create_trigger           | 0          |
| Com_show_databases                | 0          |
| Com_show_engine_logs              | 0          |
| Com_show_engine_mutex             | 0          |
| Com_show_engine_status            | 0          |
| Com_show_events                   | 0          |
| Com_show_errors                   | 0          |
| Com_show_fields                   | 0          |
| Com_show_function_status          | 0          |
| Com_show_grants                   | 0          |
| Com_show_keys                     | 0          |
| Com_show_master_status            | 0          |
| Com_show_new_master               | 0          |
| Com_show_open_tables              | 0          |
| Com_show_plugins                  | 0          |
| Com_show_privileges               | 0          |
| Com_show_procedure_status         | 0          |
| Com_show_processlist              | 0          |
| Com_show_profile                  | 0          |
| Com_show_profiles                 | 0          |
| Com_show_slave_hosts              | 0          |
| Com_show_slave_status             | 0          |
| Com_show_status                   | 12         |
| Com_show_storage_engines          | 0          |
| Com_show_table_status             | 0          |
| Com_show_tables                   | 0          |
| Com_show_triggers                 | 0          |
| Com_show_variables                | 0          |
| Com_show_warnings                 | 0          |
| Com_slave_start                   | 0          |
| Com_slave_stop                    | 0          |
| Com_stmt_close                    | 0          |
| Com_stmt_execute                  | 0          |
| Com_stmt_fetch                    | 0          |
| Com_stmt_prepare                  | 0          |
| Com_stmt_reprepare                | 0          |
| Com_stmt_reset                    | 0          |
| Com_stmt_send_long_data           | 0          |
| Com_truncate                      | 0          |
| Com_uninstall_plugin              | 0          |
| Com_unlock_tables                 | 0          |
| Com_update                        | 0          |
| Com_update_multi                  | 0          |
| Com_xa_commit                     | 0          |
| Com_xa_end                        | 0          |
| Com_xa_prepare                    | 0          |
| Com_xa_recover                    | 0          |
| Com_xa_rollback                   | 0          |
| Com_xa_start                      | 0          |
| Compression                       | OFF        |
| Connections                       | 2303       |
| Created_tmp_disk_tables           | 0          |
| Created_tmp_files                 | 7          |
| Created_tmp_tables                | 0          |
| Delayed_errors                    | 0          |
| Delayed_insert_threads            | 0          |
| Delayed_writes                    | 0          |
| Flush_commands                    | 1          |
| Handler_commit                    | 0          |
| Handler_delete                    | 0          |
| Handler_discover                  | 0          |
| Handler_prepare                   | 0          |
| Handler_read_first                | 0          |
| Handler_read_key                  | 0          |
| Handler_read_next                 | 0          |
| Handler_read_prev                 | 0          |
| Handler_read_rnd                  | 0          |
| Handler_read_rnd_next             | 0          |
| Handler_rollback                  | 0          |
| Handler_savepoint                 | 0          |
| Handler_savepoint_rollback        | 0          |
| Handler_update                    | 0          |
| Handler_write                     | 0          |
| Innodb_buffer_pool_pages_data     | 125        |
| Innodb_buffer_pool_pages_dirty    | 21         |
| Innodb_buffer_pool_pages_flushed  | 11669      |
| Innodb_buffer_pool_pages_free     | 0          |
| Innodb_buffer_pool_pages_misc     | 3          |
| Innodb_buffer_pool_pages_total    | 128        |
| Innodb_buffer_pool_read_ahead_rnd | 0          |
| Innodb_buffer_pool_read_ahead_seq | 4519       |
| Innodb_buffer_pool_read_requests  | 55646996   |
| Innodb_buffer_pool_reads          | 50998      |
| Innodb_buffer_pool_wait_free      | 0          |
| Innodb_buffer_pool_write_requests | 203155     |
| Innodb_data_fsyncs                | 9419       |
| Innodb_data_pending_fsyncs        | 1          |
| Innodb_data_pending_reads         | 0          |
| Innodb_data_pending_writes        | 0          |
| Innodb_data_read                  | 1050267648 |
| Innodb_data_reads                 | 55487      |
| Innodb_data_writes                | 18346      |
| Innodb_data_written               | 396803072  |
| Innodb_dblwr_pages_written        | 11669      |
| Innodb_dblwr_writes               | 574        |
| Innodb_log_waits                  | 0          |
| Innodb_log_write_requests         | 24906      |
| Innodb_log_writes                 | 8184       |
| Innodb_os_log_fsyncs              | 8338       |
| Innodb_os_log_pending_fsyncs      | 1          |
| Innodb_os_log_pending_writes      | 0          |
| Innodb_os_log_written             | 14384128   |
| Innodb_page_size                  | 16384      |
| Innodb_pages_created              | 314        |
| Innodb_pages_read                 | 63970      |
| Innodb_pages_written              | 11669      |
| Innodb_row_lock_current_waits     | 0          |
| Innodb_row_lock_time              | 31978      |
| Innodb_row_lock_time_avg          | 1142       |
| Innodb_row_lock_time_max          | 11384      |
| Innodb_row_lock_waits             | 28         |
| Innodb_rows_deleted               | 11700      |
| Innodb_rows_inserted              | 7319       |
| Innodb_rows_read                  | 18748874   |
| Innodb_rows_updated               | 1373       |
| Key_blocks_not_flushed            | 0          |
| Key_blocks_unused                 | 13297      |
| Key_blocks_used                   | 424        |
| Key_read_requests                 | 288892     |
| Key_reads                         | 8237       |
| Key_write_requests                | 304        |
| Key_writes                        | 267        |
| Last_query_cost                   | 0.000000   |
| Max_used_connections              | 72         |
| Not_flushed_delayed_rows          | 0          |
| Open_files                        | 5          |
| Open_streams                      | 0          |
| Open_table_definitions            | 256        |
| Open_tables                       | 64         |
| Opened_files                      | 3610       |
| Opened_table_definitions          | 0          |
| Opened_tables                     | 0          |
| Prepared_stmt_count               | 0          |
| Qcache_free_blocks                | 1047       |
| Qcache_free_memory                | 2913656    |
| Qcache_hits                       | 369905     |
| Qcache_inserts                    | 14382      |
| Qcache_lowmem_prunes              | 8214       |
| Qcache_not_cached                 | 2250       |
| Qcache_queries_in_cache           | 3372       |
| Qcache_total_blocks               | 8372       |
| Queries                           | 402608     |
| Questions                         | 14         |
| Rpl_status                        | NULL       |
| Select_full_join                  | 0          |
| Select_full_range_join            | 0          |
| Select_range                      | 0          |
| Select_range_check                | 0          |
| Select_scan                       | 0          |
| Slave_open_temp_tables            | 0          |
| Slave_retried_transactions        | 0          |
| Slave_running                     | OFF        |
| Slow_launch_threads               | 0          |
| Slow_queries                      | 0          |
| Sort_merge_passes                 | 0          |
| Sort_range                        | 0          |
| Sort_rows                         | 0          |
| Sort_scan                         | 0          |
| Ssl_accept_renegotiates           | 0          |
| Ssl_accepts                       | 0          |
| Ssl_callback_cache_hits           | 0          |
| Ssl_cipher                        |            |
| Ssl_cipher_list                   |            |
| Ssl_client_connects               | 0          |
| Ssl_connect_renegotiates          | 0          |
| Ssl_ctx_verify_depth              | 0          |
| Ssl_ctx_verify_mode               | 0          |
| Ssl_default_timeout               | 0          |
| Ssl_finished_accepts              | 0          |
| Ssl_finished_connects             | 0          |
| Ssl_session_cache_hits            | 0          |
| Ssl_session_cache_misses          | 0          |
| Ssl_session_cache_mode            | NONE       |
| Ssl_session_cache_overflows       | 0          |
| Ssl_session_cache_size            | 0          |
| Ssl_session_cache_timeouts        | 0          |
| Ssl_sessions_reused               | 0          |
| Ssl_used_session_cache_entries    | 0          |
| Ssl_verify_depth                  | 0          |
| Ssl_verify_mode                   | 0          |
| Ssl_version                       |            |
| Table_locks_immediate             | 33363      |
| Table_locks_waited                | 0          |
| Tc_log_max_pages_used             | 0          |
| Tc_log_page_size                  | 0          |
| Tc_log_page_waits                 | 0          |
| Threads_cached                    | 5          |
| Threads_connected                 | 21         |
| Threads_created                   | 279        |
| Threads_running                   | 21         |
| Uptime                            | 4818       |
| Uptime_since_flush_status         | 4818       |
+-----------------------------------+------------+
291 rows in set (0.00 sec)

mysql> show status like '%threads%';#
+------------------------+-------+
| Variable_name          | Value |
+------------------------+-------+
| Delayed_insert_threads | 0     |
| Slow_launch_threads    | 0     |
| Threads_cached         | 3     |
| Threads_connected      | 29    |
| Threads_created        | 227   |
| Threads_running        | 29    |
+------------------------+-------+
6 rows in set (0.00 sec)

Show running MySQL processes:
mysql> show processlist;
+------+-------+-----------+----------+---------+------+----------------------+------------------------------------------------------------------------------------------------------+
| Id   | User  | Host      | db       | Command | Time | State                | Info                                                                                                 |
+------+-------+-----------+----------+---------+------+----------------------+------------------------------------------------------------------------------------------------------+
|  196 | kpost | localhost | NULL     | Query   |    0 | NULL                 | show processlist                                                                                     |
| 2329 | kpost | localhost | mysite | Query   |    2 | freeing items        | INSERT INTO captcha_sessions (uid, sid, ip_address, timestamp, form_id, solution, status, attempts)  |
| 2332 | kpost | localhost | mysite | Query   |    2 | update               | INSERT INTO watchdog (uid, type, message, variables, severity, link, location, referer, hostname, ti |
| 2333 | kpost | localhost | mysite | Query   |    2 | NULL                 | commit                                                                                               |
| 2334 | kpost | localhost | mysite | Query   |    2 | statistics           | SELECT status FROM captcha_sessions WHERE csid = '3544143'                                           |
| 2337 | kpost | localhost | mysite | Query   |   10 | Sending data         | SELECT source, alias FROM url_alias WHERE source IN ('node/3618', 'taxonomy/term/58', 'taxonomy/term |
| 2338 | kpost | localhost | mysite | Query   |    2 | statistics           | SELECT cid, data, created, expire, serialized FROM cache_menu WHERE cid IN ('links:user-menu:page:ta |
| 2339 | kpost | localhost | mysite | Query   |    2 | statistics           | SELECT cid, data, created, expire, serialized FROM cache_field WHERE cid IN ('field:node:2842')      |
| 2340 | kpost | localhost | mysite | Query   |    2 | Copying to tmp table | SELECT node.title AS node_title, node.nid AS nid, node.language AS node_language, node_counter.total |
| 2341 | kpost | localhost | mysite | Query   |    2 | Copying to tmp table | SELECT node.title AS node_title, node.nid AS nid, node.language AS node_language, node_counter.total |
| 2342 | kpost | localhost | mysite | Query   |    2 | freeing items        | INSERT INTO captcha_sessions (uid, sid, ip_address, timestamp, form_id, solution, status, attempts)  |
| 2343 | kpost | localhost | mysite | Query   |    2 | Sending data         | SELECT ml.*, m.*, ml.weight AS link_weight
FROM
menu_links ml
LEFT OUTER JOIN menu_router m ON m.pa |
| 2344 | kpost | localhost | mysite | Query   |    2 | Sorting result       | SELECT source FROM url_alias WHERE alias = 'comment/11745' AND language IN ('de', 'und') ORDER BY la |
| 2345 | kpost | localhost | mysite | Query   |    2 | statistics           | SELECT cid, data, created, expire, serialized FROM cache_path WHERE cid IN ('node/3654')             |
+------+-------+-----------+----------+---------+------+----------------------+------------------------------------------------------------------------------------------------------+

Posted by Gast (not verified) on Sat, 09/14/2013 - 21:06

With tcpdump you can also analyse the packets.

Capture:
tcpdump -v -n -w angreifer.pcap dst port 80 -c 2500

Evaluate:

:~# tcpdump -nr angreifer.pcap | awk '{print $3}' |grep -oE '[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}\.[0-9]{1,}' |sort | uniq -c |sort -rn
reading from file angreifer.pcap, link-type LINUX_SLL (Linux cooked)
    724 x.105.77.138
    539 x.161.43.197
    174 x.227.140.114
    135 x.97.154.31
    116 x.55.32.57
    114 x.161.51.149
    104 x.131.184.85
     96 x.183.161.20
     48 x.55.32.142

Posted by Gast (not verified) on Mon, 09/16/2013 - 17:07

Recently my website was very, very slow and a single request took up to 10 seconds. After hours of research I found the error. Maybe someone else has had this problem too.
[Mon Sep 16 13:12:46 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting

The problem was that the MaxClients count had been exceeded, so no further connections could be created.
I doubled the number in /etc/apache2/apache2.conf and loaded the current configuration with /etc/init.d/apache2 reload.

Posted by Gast (not verified) on Tue, 10/08/2013 - 21:47

You can also prevent SYN floods with iptables:

iptables -N syn-flood
iptables -A syn-flood -m limit --limit 12/second --limit-burst 60 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP
# Not shown in the post: the chain is only consulted once a rule jumps into it, e.g.
iptables -A INPUT -p tcp --syn -j syn-flood

Only 12 connections per second may be established; as soon as they exceed 60, the IP address is blocked.

Posted by Gast (not verified) on Tue, 10/08/2013 - 22:02

This command is supposed to limit parallel HTTP connections. Does anyone have experience with it? Can I also use it to block Google bots?

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

After 200 established connections, only 50 parallel connections may exist, otherwise the IP address is blocked. Have I understood that correctly?

Networking is not my speciality. Does it even make sense to block individual IPs to prevent a DDoS attack?

As far as I know, hackers use a great many PCs with different IPs for DDoS attacks, and the IPs change within seconds. What is the point of blocking individual IPs then?
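Both of the last two posts rely on the iptables `limit` match (`--limit 12/second --limit-burst 60` in the syn-flood chain, `--limit 50/minute --limit-burst 200` in the question above it). The following added example, not taken from either post, models that match as the token bucket it is: the bucket starts full with `burst` tokens, refills at `rate` tokens per second up to `burst`, and a packet matches the rule only while a token is available. Two points the model makes visible: the `limit` match keeps one bucket per rule, shared by every source address, so it does not block "the IP address" but throttles the rule as a whole (the per-source variant is `hashlimit` with `--hashlimit-mode srcip`, modelled here as one bucket per source); and a packet that fails the match simply falls through to the next rule, which is LOG/DROP in the syn-flood chain but whatever follows the ACCEPT rule in the question. Arrival times and source addresses are constructed; `fractions.Fraction` is used so the token arithmetic is exact.

```python
"""Token-bucket model of the iptables `limit` match and of a per-source
(hashlimit-style) variant. Added example with constructed traffic; not from
the original posts and not netfilter's own code."""
from collections import defaultdict
from fractions import Fraction


def simulate_limit(arrivals, rate, burst):
    """arrivals: non-decreasing packet times in seconds (ints or Fractions).
    rate: tokens refilled per second; burst: bucket size and initial fill.
    Returns a list with True where the packet matched (consumed a token)."""
    cap = Fraction(burst)
    tokens = cap
    last = Fraction(arrivals[0]) if arrivals else Fraction(0)
    matched = []
    for t in arrivals:
        t = Fraction(t)
        # Refill for the time elapsed since the previous packet, capped at burst.
        tokens = min(cap, tokens + (t - last) * Fraction(rate))
        last = t
        if tokens >= 1:
            tokens -= 1
            matched.append(True)   # rule matches (RETURN / ACCEPT in the posts)
        else:
            matched.append(False)  # no token: falls through to the next rule
    return matched


def simulate_per_source(packets, rate, burst):
    """packets: list of (time, source_ip). One bucket per source, as with
    `-m hashlimit --hashlimit-mode srcip`. Returns {source_ip: matched count}."""
    by_src = defaultdict(list)
    for t, src in packets:
        by_src[src].append(t)
    return {src: sum(simulate_limit(ts, rate, burst)) for src, ts in by_src.items()}


def evenly_spaced(count, per_second, start=0):
    """count packet times at per_second packets/s, as exact Fractions."""
    return [Fraction(start) + Fraction(i, per_second) for i in range(count)]


if __name__ == "__main__":
    # syn-flood chain: --limit 12/second --limit-burst 60, hit by 100 SYN/s for 5 s
    flood = evenly_spaced(500, 100)
    m = simulate_limit(flood, rate=12, burst=60)
    print(f"shared bucket: {sum(m)} of {len(m)} SYNs matched, the rest hit LOG/DROP")

    # Same rule with a well-behaved client (2 req/s) sharing the bucket with the flood
    mixed = sorted([(t, "203.0.113.7") for t in flood] +
                   [(t, "198.51.100.23") for t in evenly_spaced(20, 2)])
    shared = simulate_limit([t for t, _ in mixed], 12, 60)
    ok = sum(1 for (_, src), hit in zip(mixed, shared) if src == "198.51.100.23" and hit)
    print(f"shared bucket: legitimate client got {ok} of 20 packets through")
    print("per-source buckets:", simulate_per_source(mixed, 12, 60))

    # The question's rule: --limit 50/minute --limit-burst 200 is rate=Fraction(50, 60)
    q = simulate_limit(evenly_spaced(300, 10), Fraction(50, 60), 200)
    print(f"50/minute burst 200 under 10 req/s: {sum(q)} of {len(q)} matched")
```

Running it shows the shared bucket passing its 60-token burst and then roughly 12 SYNs per second regardless of who sent them, so the legitimate client loses most of its packets to the flood, while the per-source variant lets it through untouched; that difference is what a reader needs in order to answer the question of whether rate limiting by itself "blocks the IP address".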