2014 in DDoS Attacks: Part 2, Mitigating Attacks

Behind-the-scenes networking witchcraft that keeps your systems safe from massive floods is all well and good, but when those measures aren’t successful and an attack reaches your servers, what’s a vigilant sysadmin to do? Fortunately, we’ve put together some tips and tricks you can employ to keep your systems protected from certain types of attacks.

Preventing NTP Attacks

The latest NTP vulnerability exploits the default configuration of the service: the attacker sends a small request for specific information that produces a large reply (quite a large amount of data) and spoofs the return address, so your server unwittingly becomes an accomplice in a large attack. Systems administrators can prevent their servers from being exploited by ensuring the following four lines are uncommented (have no # sign in front) in /etc/ntp.conf (or by adding them if they don’t already exist), and then restarting the ntpd service (service ntpd restart on CentOS). These configuration options also help prevent other types of attacks against an NTP server:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

As the internet more widely adopts virtualization, however, we realize that many of our clients host their own customers on virtual machines. QuadraNet has developed a command specifically for this situation – since you may not have access to your clients’ machines to help them prevent these attacks, you can put the following rules in place on your host/router’s firewall, which will block the attacks before they reach your virtual machines:

iptables -t mangle -I PREROUTING -p udp -m udp --dport 123 -m string --hex-string '|14|' --algo bm --from 31 --to 32 -j DROP
iptables -t mangle -I PREROUTING -p udp -m udp --dport 123 -m string --hex-string '|2a|' --algo bm --from 31 --to 32 -j DROP

These two rules block both variants of the exploitable request packet from entering or leaving your clients’ virtual machines. It is still highly advisable to upgrade to the latest version of ntpd as soon as possible, but these rules will ensure that your uplinks don’t suddenly get saturated by a large inbound and outbound NTP attack.
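To see exactly which byte the two iptables rules inspect, here is an added example (not from the QuadraNet post) that emulates the rules offline against constructed IPv4/UDP datagrams. It assumes what the rules assume: a 20-byte IPv4 header with no options, so that xt_string’s offset 31 (counted from the first byte of the IP header) lands on the fourth byte of the NTP payload, which in an NTP mode 7 packet is the request code. The two packets and the addresses are constructed test data; nothing is sent on the network.

```python
# Added example (not from the QuadraNet post): emulate, offline, the two
# iptables string-match rules so their byte offset can be checked against
# constructed NTP datagrams. This builds bytes in memory; it sends nothing.
import struct

NTP_PORT = 123
IPV4_HDR_LEN = 20          # the rules assume an IPv4 header without options
UDP_HDR_LEN = 8
# In an NTP mode 7 ("private") request, payload byte 3 is the request code.
# 0x14 and 0x2a are the two codes the article's rules drop.
MATCHED_CODES = {0x14, 0x2a}
# --from 31 --to 32 makes xt_string examine exactly one byte: 20 + 8 + 3 = 31.
MATCH_OFFSET = IPV4_HDR_LEN + UDP_HDR_LEN + 3


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP datagram (checksums left zero; test data only)."""
    udp_len = UDP_HDR_LEN + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,                    # version 4, IHL 5 (20 bytes)
                         0,                       # DSCP/ECN
                         IPV4_HDR_LEN + udp_len,  # total length
                         0, 0x4000,               # id, DF flag + fragment offset
                         64, 17, 0,               # TTL, protocol UDP, checksum
                         src, dst)
    return ip_hdr + udp_hdr + payload


def rule_would_drop(datagram):
    """Emulate: -p udp --dport 123 -m string --hex-string '|14|' (or '|2a|')
    --algo bm --from 31 --to 32 -j DROP.  Offsets count from byte 0 of the
    IP header, so an IP header carrying options would shift the payload and
    the rule would no longer see the request code."""
    if len(datagram) < IPV4_HDR_LEN + UDP_HDR_LEN or datagram[9] != 17:
        return False                     # too short, or not UDP
    ihl = (datagram[0] & 0x0F) * 4
    dport = struct.unpack("!H", datagram[ihl + 2:ihl + 4])[0]
    if dport != NTP_PORT:
        return False
    # xt_string searches [from, to) for the pattern: only byte 31 is examined.
    return len(datagram) > MATCH_OFFSET and datagram[MATCH_OFFSET] in MATCHED_CODES


# Constructed addresses from the RFC 5737 documentation ranges.
SRC = bytes([198, 51, 100, 7])
DST = bytes([203, 0, 113, 10])
# Constructed mode 7 request: first byte 0x17 (version 2, mode 7), sequence 0,
# implementation 3, request code 0x2a, then four zero bytes.
MODE7_PAYLOAD = bytes([0x17, 0x00, 0x03, 0x2a, 0, 0, 0, 0])
# Constructed ordinary client poll: 0x23 (version 4, mode 3), stratum 0,
# poll 6, precision -20 (0xEC), then the remaining 44 bytes of the header zero.
CLIENT_PAYLOAD = bytes([0x23, 0x00, 0x06, 0xEC]) + bytes(44)

MODE7_REQUEST = build_ipv4_udp(SRC, DST, 50000, NTP_PORT, MODE7_PAYLOAD)
CLIENT_REQUEST = build_ipv4_udp(SRC, DST, NTP_PORT, NTP_PORT, CLIENT_PAYLOAD)
OFF_PORT_REQUEST = build_ipv4_udp(SRC, DST, 50000, 1123, MODE7_PAYLOAD)

if __name__ == "__main__":
    for name, pkt in (("mode 7 request", MODE7_REQUEST),
                      ("client time sync", CLIENT_REQUEST),
                      ("mode 7 to port 1123", OFF_PORT_REQUEST)):
        print(f"{name:>20}: {'DROP' if rule_would_drop(pkt) else 'pass'}")
```

The ordinary client poll passes because byte 31 of that datagram is the NTP precision field, not a request code, which is why the rules do not disturb normal time synchronisation. Two caveats follow from the emulation: the rules are IPv4 only (ip6tables would need its own rule with a different offset), and any IPv4 header with options shifts the payload past the single byte the rule inspects.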

Preventing DNS Attacks

The DNS amplification attack is caused by a server leaving recursion open to the public. Often, as we mentioned in Part 1, recursion is left open intentionally as a public service. However, if this configuration wasn’t intentional and the systems administrator isn’t prepared to deal with the implications of running an open resolver, this can result in their server unwittingly being involved in massive DDoS attacks. The easiest way to prevent this vulnerability is by adding the following line to named.conf (usually in /etc/ or /etc/namedb/):

allow-recursion { localhost; };

This line restricts recursion to only the local machine, so the public is no longer able to perform look-ups on the server.
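Both fixes on this page are single configuration lines, and the check a practitioner wants is whether those lines are actually in effect on a host. The following is an added example (not the article’s or QuadraNet’s code) that audits ntp.conf text for the four restrict lines from the NTP section and named.conf text for the allow-recursion setting from this section. The sample configurations are constructed for the demonstration. Two assumptions are made deliberately conservative and are noted in the comments: a named.conf with no allow-recursion statement is reported as open, and references to named ACLs are not resolved and also count as open.

```python
# Added example (not from the QuadraNet post): audit ntp.conf and named.conf
# text for the hardening settings the article describes. The sample configs
# at the bottom are constructed for the demonstration, not taken from a host.
import re

# Required ntp.conf restrict entries, keyed by (address family, target), with
# the flags that must be present. Extra flags are accepted; order is ignored.
RESTRICT_FLAGS = frozenset({"kod", "nomodify", "notrap", "nopeer", "noquery"})
REQUIRED_NTP_RESTRICT = {
    ("-4", "default"): RESTRICT_FLAGS,
    ("-6", "default"): RESTRICT_FLAGS,
    ("-4", "127.0.0.1"): frozenset(),
    ("-6", "::1"): frozenset(),
}


def _active_ntp_lines(text):
    """Yield non-empty ntp.conf lines with '#' comments removed, so a line
    that is commented out does not count as present."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def _parse_restrict(line):
    """Return (family, target, flags) for a 'restrict' line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    family = "-4"
    if tokens[1] in ("-4", "-6"):
        family = tokens[1]
        tokens = tokens[1:]
        if len(tokens) < 2:
            return None
    return family, tokens[1], frozenset(tokens[2:])


def ntp_conf_missing(text):
    """Return the (family, target) entries that are absent, commented out,
    or missing one of the required flags. An empty list means hardened."""
    present = {}
    for line in _active_ntp_lines(text):
        parsed = _parse_restrict(line)
        if parsed:
            family, target, flags = parsed
            key = (family, target)
            present[key] = present.get(key, frozenset()) | flags
    return [key for key, flags in REQUIRED_NTP_RESTRICT.items()
            if key not in present or not flags <= present[key]]


# ACL elements that keep recursion on the local machine / local networks.
LOCAL_ACL_ELEMENTS = {"localhost", "localnets", "none", "127.0.0.1", "::1"}


def _strip_bind_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, //, #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"//|#", line, 1)[0] for line in text.splitlines())


def bind_recursion_open(text):
    """True if this named.conf text would answer recursive queries from the
    public. Conservative by design: no allow-recursion statement is reported
    as open (the effective default depends on the BIND version and on
    allow-query-cache / allow-query), and named ACL references are not
    resolved, so they count as open too."""
    text = _strip_bind_comments(text)
    if re.search(r"(?<![-\w])recursion\s+no\s*;", text):
        return False                          # recursion disabled outright
    match = re.search(r"\ballow-recursion\s*\{([^}]*)\}\s*;", text)
    if not match:
        return True
    elements = [e.strip() for e in match.group(1).split(";") if e.strip()]
    return any(e not in LOCAL_ACL_ELEMENTS for e in elements)


# Constructed samples: a stock-looking ntp.conf with the two default lines
# commented out, and the same file after uncommenting them.
NTP_CONF_BEFORE = """\
# Constructed sample ntp.conf
driftfile /var/lib/ntp/drift
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.centos.pool.ntp.org iburst
"""
NTP_CONF_AFTER = NTP_CONF_BEFORE.replace("#restrict", "restrict")

# Constructed samples: an open resolver and the fix from the article.
NAMED_CONF_OPEN = """\
options {
    directory "/var/named";
    allow-query { any; };
    allow-recursion { any; };   // constructed: recursion open to everyone
};
"""
NAMED_CONF_FIXED = NAMED_CONF_OPEN.replace("{ any; };   //", "{ localhost; };   //")
```

Running ntp_conf_missing on the first sample reports the two commented-out default lines and nothing on the second; bind_recursion_open is true for the open sample and false once allow-recursion is limited to localhost. The checks read configuration text rather than the live daemons, so pair them with a restart of ntpd or named after editing, as the article says.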

Firewalls

Firewalls, despite their usefulness in strengthening an infrastructure’s security, are not designed to deal with DDoS attacks in the same “purpose-built” way that actual DDoS mitigation devices are. Depending on an infrastructure’s size and activity, firewalls can be useful for filtering out or blocking specific types of low-level attacks before they reach critical infrastructure gear (for instance, a firewall may stop a brute-force SSH attack before it reaches a webserver). Firewalls such as the Cisco ASA are also often used to modify or redirect packets (NAT, or “network address translation”), but they aren’t, in general, designed to filter large-scale DDoS attacks. Many security analysts and IT specialists agree that DDoS mitigation requires a much more holistic approach to preparing for an attack, in the sense that DDoS prevention should be tailored to each individual network or infrastructure. Firewalls will continue to play important roles in keeping out unwanted intruders on a small scale, but it’s also extremely important to remain vigilant as a systems administrator; small things like keeping your system’s services up to date should not be undervalued for the role they play in keeping not only your server, but the internet at large, safe.

This is part 2 of a 3-part series on DDoS attacks in 2014 and how you can help prevent them.

Part 3: 2014 In DDoS Attacks: Part 3, The Future of Internet Attacks