General security

DOS Deflate: Layer 7 DOS Protection Tool

Nikhil Kumar
May 27, 2014 by
Nikhil Kumar

DOS/DDOS stands for Denial of Service/Distributed Denial of Service. DOS or DDOS is a type of attack in which a machine or a network resource is unavailable to its intended users. This is one of the most commonly known and frequently encountered attacks these days due to the availability of various tools. Through a simple Google search, anyone can get access to hundreds of DOS tools which are freely available on the Internet. It is very easy to use these tools, even for beginners. These tools perform a DOS attack by sending the UDP, TCP or HTTP requests to the victim server. We only need to know the "URL or IP" of the server, and those tools will do rest of the job. Due to all this, the use of DOS attack has increased extensively in the past few years. Therefore it is highly required to create a safeguard which can at least help to protect the servers from this risk.

According to the Wikipedia, the DOS attack is classified into three types:

  • Application Layer DDOS attack
  • Protocol DOS attack
  • Volume based DOS attack

So, in this article I am going to introduce a little script based tool "DOS Deflate" which helps to fight against Application Layer DOS. Though it does not protect us fully against large DDOS attacks, it is very helpful.

About DOS Deflate

DOS deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It basically tracks and monitors all the IP addresses making connections to the server by using the netstat command. Whenever it detects the number of connections from a single node exceeding certain pretest limits which are defined in the configuration file, the script will automatically block that IP address through the IP tables or APF according to the configuration.

Here are all the steps we need to follow to install and configure DOS Deflate on the machine.

Step 1

First of all,we have to download the installer script file, which is available on the DOS Deflate website through the wgetutility. Open the terminal and then type the following command.

wgethttp://www.inetbase.com/scripts/ddos/install.sh

Now, the Installer script file "Install.sh" has been successfully downloaded. The downloaded filescan be checked through the ls-l command.

Step 2

As can be seen, the downloaded file does not have executable permission. Now, we have to make it executable. This can be done through the following command.

chmod +x install.sh

Step 3

Now, after getting the executable permission, we have to run the install.sh file. It will install DOS Deflate in the system.

Now, DOS Deflate has been successfully installed in the system. We can check the DOS Deflate files in /var/local/ddos/ .

There are three files in the DDOS. First is the ddos. conf file in which all tool configurations will be set as per the requirement. The second file is ddos.sh, which is basically the main script file for the tool, and third is the ignore.ip.list file, which is the IP white listed file in which we can define the IP addresses which need to be excluded through this tool.

Along with the install, a Cron file is automatically created in the /etc/cron.daily folder that will run every minute, as the default configuration is 1 min. But this configuration can be changed from the ddos.conf file. This file will also check all IP connections on the server.

Step 4

First of all, we will change some commands in the main ddos.sh file to make the tool more effective. To do this, we need to open the ddos file with an editor and comment the line 118 by adding the '#' before the line and write the following command:

netstat -ntu | grep ':' | awk '{print $5}' | awk '{sub("::ffff:","");print}' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

We can say that this command is the heart of the DOS Deflate tool. This command counts the total number of connections for every IP address connected to the server.

Step 5

After installation of the DDOS Deflate tool, we have to configure it. In order to do this, we have to open the ddos.conf file in the VI editor as mentioned below.

Vim /var/local/ddos/ddos.conf

In the above figure, I have put numbers to indicate each configuration for better understanding of the users. Each point is defined in below sections.

  1. We will start by configuring the frequency of the script. By default, the frequency is set to 1, which means that the DOS deflate script will run every minute. We can make changes to this configuration according to our requirement.

  1. After setting the frequency, we have to set a limit for the number of connections, in which we have to define the maximum number of connections for an IP address. The default number of connections is set to 150. If an IP address crosses the maximum number of connections limit, then DOS Deflate treats that IP address as a corrupt IP and blocks it.

  1. In this area, we have to define the firewall which we will use to ban the corrupt IP addresses. DOS Deflate supports two firewalls - APF firewall and IP tables. As we know, IP tables is by default installed on the Linux machine. So we will use IP tables to ban the corrupt IPs. By default it is set to 1. The value can be changed from 1 to 0.

  1. DOS Deflate runs in two modes. First is the interactive mode in which DOS Deflate will not ban the currupt IPs, It will only send an email when the maximum number of connections is reached. In the second mode it will ban the IP address according to the above settings and also send the email. So, if we want to test the tool, just run this tool in interactive mode. To set the interactive mode, we have to set the value to 0, otherwise set the value to 1. By default it is set to 1.

  1. In this area, we have to define the email address. When an IP address is banned by DOS deflate, an email will be sent to this email address. By default it is set to root. We can give any email address in place of root.

  1. When the IP Address is banned, we have to define the ban time also. The ban time should be defined in seconds as per the needs. By default it has been set to 600 seconds. It means that the corrupt IPs will be banned only for 5 minutes.

Step 5

After configuring the script. We will have to restart the DOS Deflate script.

Note: After making any changes in the configuration file, we have to restart the script.

We have successfully configured the DOS Deflate on the server machine. Now, we are going to test this tool against the most common DOS attacking tools. Some of the frequently experienced DOS attacking tools which are used to launch the DOS or DDOS attack and are easily available on the Internet are mentioned below.

  1. HOIC (High Orbit Ion Canon)
  2. LOIC ( Low Orbit Ion Canon)
  3. XOIC
  4. R-U-DEAD-Yet
  5. Pyloris
  6. OWASP DOS HTTP Post
  7. GoldenEye HTTP Denial of Service Tool
  8. Slowloris HTTP Dos

Here, we are testing DOS Deflate against HOIC. It is one of the most popular DOS attacking tools freely available on the Internet. This tool is really easy to use even for a beginner. We can download this tool from the URL mentioned below.

https://mega.co.nz/#!IMw0iCJY!Hg5oQHdQu9FLZcbCJ_HTi1X0F98djiXDLLjWs2N6SIk

After downloading the tool, we need to extract it into the folder and open it by clicking the hoic.exe file. We will get the following HOIC interface.

Now, we need to add the IP Address or the URL of the server in which we have configured the DOS Deflate.

After adding the target URL, we will the see this URL in the target section.

Then, click on the "FIRE THE LAZER" icon and it will start the DOS attack on the server. After 2 minutes we will receive an email at the email address which was mentioned in the server configuration, stating that the IP address has been banned on the server.

We can also check the banned IP address by logging in to the server and checking the IP tables. We can check the IP tables status by the following command.

iptables -L -n

It can be seen in the above screen shot that DOS Deflate has banned the IP address through the IP tables in which we had started the HOIC DOS tool.

Another commonly used DOS attacking tool is Slowloris HTTP DOS. It was developed in Python. It has some of the very good features in it. This tool is available in both Windows and Lnux platforms, but we will use the Linux flavur of this tool. We can download this Python script based tool by running the mentioned command below.

wget http://ha.ckers.org/slowloris/slowloris.pl

After downloading the tool, we will make it executable, then give the following command which will launch it on the URL.

./slowloris.py –dns <URL of the Server>

After starting the attack, we could check the email or IP table status for verifying whether it is blocked by DOS Deflate or not.

We have successfully tested DOS Deflate against all the tools which were given above in the article. Readers can try by themselves so that they can understand it better.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

References

Nikhil Kumar
Nikhil Kumar

Nikhil Kumar, a Certified Ethical Hacker, works as a Information Security Consultant. He has experience in web application pen-testing, social engineering, password cracking and android pen-testing. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.