Because denial-of-service (DoS) attack tools are widely circulated and exploit flooding and protocol-layer weaknesses that cannot be changed in the short term, DoS has become a widespread attack mode that is very hard to defend against. So far there is no absolute way to stop such attacks, but for the different kinds of attack there are some countermeasures. This article uses RedHat Linux 9.0 as an example to describe, by category, how to defend against DoS.
Two modes of Linux network service daemons
Stand-alone mode is the traditional Unix client/server (C/S) access mode. The server listens on a particular port, waiting for clients to connect. When a client makes a connection request, the daemon forks a child server to handle that connection while the main server continues listening, keeping a pool of child servers ready for the next client request. Figure 1 shows how stand-alone mode works.
Network services that run in stand-alone mode include routed and gated, and the ones I am more familiar with, the Apache web server and the Sendmail mail server. On a heavily loaded Apache server, pre-forking child servers improves the speed at which clients are served.
In Linux, services started in stand-alone mode are launched from the symbolic links in the corresponding run-level directory under /etc/rc.d/.
By the very concept of a daemon, every service the system offers needs its own daemon running and listening on a port for connections to arrive, which usually wastes resources. To solve this problem, Linux introduced the concept of a "network service daemon program".
RedHat Linux 9.0 uses xinetd (eXtended InterNET daemon) as its network service daemon. In contrast to stand-alone mode, xinetd mode is also known as the Internet Super-Server. xinetd can listen on several specified ports at once and accept user requests; depending on the port a request arrives on, it starts the process of the corresponding network service to handle it. We can treat xinetd as a management server: it decides which handler a client request goes to and then starts the appropriate daemon. Figure 2 shows how xinetd mode works.
Compared with stand-alone mode, the system no longer needs a separate process listening on each network service port; a single xinetd listens on all service ports at once, reducing overhead and conserving system resources. For services that receive heavy, frequently concurrent access, however, xinetd has to start the corresponding network service process again and again, which degrades system performance.
To see which mode a Linux service uses, run the pstree command at the command line; the two different ways of starting network services are visible in its output. In general, high-load system services such as Sendmail and Apache are started stand-alone, while other kinds of service can be managed by the xinetd super-server. The services the system assigns to xinetd by default fall into the following categories:
Standard Internet services: telnet, ftp
Information services: finger, netstat, systat
RPC services: rquotad, rstatd, rusersd, sprayd, walld
BSD services: comsat, exec, login, ntalk, shell, talk
Internal services: chargen, daytime, echo, servers, services, time
Security services: irc
Other services: name, tftp, uucp
Tip: in principle Apache and Sendmail can also be started in xinetd mode, but that requires very high-grade server hardware.
Preventing DoS in xinetd mode
xinetd provides functionality similar to inetd plus tcp_wrapper, but it is more powerful and safer, and can effectively help prevent DoS:
1. Limit the number of simultaneously running processes
The instances option sets how many process instances of a service may run concurrently. For example:
instances = 20
Description: when the number of server processes for a service reaches 20, xinetd stops accepting further connection requests until the connection count drops below the set value.
2. Limit the maximum number of connections from one IP address
Limiting the maximum number of connections per host prevents one host from monopolising a service. For example:
per_source = 5
Explanation: a single IP address may hold at most 5 connections.
3. Limit log file size to prevent the disk from filling up
Many attackers know that most services must write to a log. An intruder can send a large volume of malformed input; the server's records of these errors can grow into a very large log file, even filling the hard disk. Faced with a huge log, an administrator has difficulty finding the real path of the intrusion. Limiting the log file size is therefore one way to prevent this kind of DoS. For example:
log_type = FILE /var/log/myservice.log 8388608 15728640
Explanation: the log file's soft limit is set here to 8 MB; when the file reaches this value a warning is written to syslog. When it reaches the hard limit of 15 MB, the system stops all services that use this log.
4. Limit load
xinetd can also limit load to prevent DoS. A floating-point number serves as the load factor; when the system load reaches this value, services pause processing subsequent connections. For example:
max_load = 2.8
Description: when the system load reaches 2.8, all services are temporarily suspended until the load drops below the set value.
Of course, to use this option xinetd must have been compiled with --with-loadavg; xinetd then honours the max_load configuration option and shuts down services while the system is heavily loaded, which defeats certain denial-of-service attacks.
5. Limit the connection rate of all servers
xinetd can set the connection rate with the cps option. For example:
cps = 25 60
Description: the first argument is the number of connections per second that can be processed; if more connections than this arrive, the service temporarily stops processing them. The second argument is the number of seconds to wait before resuming the connections that were held. That is, the server may start at most 25 connections per second; if that number is reached, the service is stopped and restarted after 60 seconds, and during that period no requests are accepted.
6. Limit the use of hardware resources
The two options rlimit_as and rlimit_cpu effectively restrict a service's memory and CPU usage. For example:
rlimit_as = 8M
rlimit_cpu = 20
Description: this caps the hardware resources the server may occupy: at most 8M of memory (address space) and 20 seconds of CPU time.
Summary: an important feature of xinetd is its ability to control how many resources the services depending on it may consume. The settings above achieve that goal and help keep one resource-hungry xinetd service from monopolising the system and producing a "denial of service" condition.
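As an added example (not part of the original article), the following Python auditor parses xinetd service stanzas and reports which of the limits discussed above are missing or set to UNLIMITED; the SAMPLE config and the choice of attributes to check are this example's own assumptions.

```python
# Audit xinetd service stanzas for the DoS limits described above. Added
# example, not from the article: the parser follows real xinetd stanza syntax
# (service name { attribute = value }); SAMPLE is a constructed config.
import re

SAMPLE = """
service telnet
{
    server      = /usr/sbin/in.telnetd
    instances   = UNLIMITED
    log_type    = FILE /var/log/telnet.log 8388608 15728640
}
service tftp
{
    instances   = 20
    per_source  = 5
    cps         = 25 60
    max_load    = 2.8
    rlimit_as   = 8M
}
"""
# Limits the article recommends, with why a missing one matters.
REQUIRED = {"instances": "unbounded concurrent server processes",
            "per_source": "one host can take every instance",
            "cps": "no connection-rate limit", "max_load": "accepts under heavy load",
            "rlimit_as": "service memory is unbounded"}

def parse_xinetd(text):
    """Return {service: {attribute: value}} for every stanza in text."""
    services = {}
    for name, body in re.findall(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            m = re.match(r"\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$", line)
            if m:
                attrs[m.group(1)] = m.group(3)
        services[name] = attrs
    return services

def audit(services):
    """Return {service: [finding, ...]}; an empty list means all limits are set."""
    findings = {}
    for name, attrs in services.items():
        issues = [f"{a} missing or UNLIMITED: {why}" for a, why in REQUIRED.items()
                  if attrs.get(a, "UNLIMITED").upper() == "UNLIMITED"]
        log = attrs.get("log_type", "")
        if log.startswith("FILE") and len(log.split()) < 4:  # FILE path soft hard
            issues.append("log_type FILE without soft/hard size limits")
        findings[name] = issues
    return findings
```

Running audit(parse_xinetd(SAMPLE)) reports five findings for telnet and none for tftp.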
Preventing DoS for stand-alone services
Under Linux, the servers running in stand-alone mode are mainly Apache and Sendmail.
1. Measures for the Apache server against DoS
The Apache server defends against denial-of-service attacks mainly through the Apache DoS Evasive Maneuvers Module. It is an alternative to mod_access that can counter DoS attacks: it quickly rejects repeated requests from the same address for the same URL, which it implements internally with a hash-table lookup inside each child process. The software can be downloaded from http://online.securityfocus.com/data/tools/dospatch.tar.gz, and installation and configuration are described on that page.
In addition, some security-related directives in the Apache configuration file can be used (see http://httpd.apache.org/docs/mod/directives.html). The following directives help reduce the threat of DoS:
LimitRequestBody: a numeric parameter controlling the size of an HTTP request body.
LimitRequestFields: a numeric parameter controlling the number of request header fields.
KeepAlive: controls the lifetime of the connection.
KeepAliveTimeout: limits the time spent waiting for the next request.
The following directives help reduce the risk of buffer overflow:
LimitRequestFieldSize: limits the size of each request header field.
LimitRequestLine: limits the size of the request line.
In addition, Apache server administrators should regularly check http://www.apache.org/dist/httpd/ and download patches to keep the web server secure.
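The "repeated requests from the same address for the same URL" check described above, written as an added Python example over constructed access-log lines (this is not the module's own code; the threshold of more than 3 hits to one URI within 2 seconds is this example's assumption, not the module's default):

```python
# Sliding-window detector for repeated requests to one URL from one client,
# the behaviour the article attributes to the Apache DoS Evasive Maneuvers
# Module. Added example, not the module's code: SAMPLE_LOG is constructed and
# the threshold (more than 3 hits to a URI within 2 s) is this example's choice.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
PAGE_HITS, PAGE_WINDOW = 3, 2.0   # allowed hits per (client, URI) / seconds

def parse_line(line):
    """Return (client_ip, unix_time, uri) from a common-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts.timestamp(), m.group(3)

def find_flooders(lines):
    """Return (client_ip, uri, unix_time) for every request at which a client
    exceeds PAGE_HITS requests to the same URI within PAGE_WINDOW seconds."""
    recent = defaultdict(deque)   # (ip, uri) -> timestamps still in window
    flagged = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # unparseable line: skip, don't crash
        ip, ts, uri = parsed
        q = recent[(ip, uri)]
        q.append(ts)
        while ts - q[0] > PAGE_WINDOW:
            q.popleft()           # expire hits older than the window
        if len(q) > PAGE_HITS:
            flagged.append((ip, uri, ts))
    return flagged

# Constructed sample: 10.0.0.5 hammers /index.html; 10.0.0.9 browses normally.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2003:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Mar/2003:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Mar/2003:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Mar/2003:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Mar/2003:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Mar/2003:12:00:03 +0000] "GET /about.html HTTP/1.0" 200 900',
    '10.0.0.5 - - [10/Mar/2003:12:00:10 +0000] "GET /index.html HTTP/1.0" 200 512',
]
```

find_flooders(SAMPLE_LOG) flags only the fourth hit from 10.0.0.5; the later request ten seconds on falls outside the window and is not flagged.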
2. Measures for the Sendmail server against DoS
Because of the nature of e-mail, an attacker can easily flood a mail server with messages, leading to DoS. Setting the following limits in /etc/mail/sendmail.mc greatly restricts the effectiveness of such attacks.
confCONNECTION_RATE_THROTTLE: the number of connections per second the server accepts. By default Sendmail does not limit the connection rate. When the rate reaches the limit, subsequent connections are delayed. Recommended value: 40.
confMAX_DAEMON_CHILDREN: the maximum number of child processes the server forks. By default Sendmail does not limit the number of child processes. If a limit is set, connections arriving after the limit is reached are delayed. The recommended setting depends on memory capacity: for 128M RAM the recommended value is 40.
confMIN_FREE_BLOCKS: the minimum number of free blocks that must remain in the queue file system for the server to accept standard SMTP (Simple Mail Transfer Protocol) mail; the smaller it is, the more vulnerable the server is to a fatal attack. The default is 100; the recommended value is 4000 or greater.
confMAX_HEADERS_LENGTH: the maximum acceptable length of a message header (in bytes). There is no limit by default; the recommended value is 64.
confMAX_MESSAGE_SIZE: the maximum acceptable size of a single message (in bytes). The larger it is, the more likely a fatal attack. There is no limit by default; the recommended value is 5242880.
Also, do not place the mail spool directory /var/spool/mail/ on a shared NFS volume. Because NFS does not control user ID mapping between hosts, several users who share the same UID could receive and read each other's mail.
Limiting overall resource usage
You can also restrict system resources to strengthen the system's capacity to resist DoS.
Edit the /etc/security/limits.conf file and add the following lines:
* hard core 0
* hard rss 10000
* hard nproc 30
Description: "core 0" prevents the creation of core files; "nproc 30" limits the maximum number of processes to 30; "rss 10000" means that users other than root can use at most 10MB of memory. "*" means all users logged in to the system.
The above takes effect for users who log in to the system. With these restrictions we can better control user processes, core files and memory usage. Finally, edit the "/etc/pam.d/login" file and add this line at the end: session required /lib/security/pam_limits.so