
DOS Deflate: Layer 7 DOS Protection Tool

Nikhil Kumar
May 27, 2014

DOS/DDOS stands for Denial of Service/Distributed Denial of Service: an attack that makes a machine or a network resource unavailable to its intended users. It is one of the most commonly known and frequently encountered attacks today because of the number of tools available for it. A simple Google search turns up hundreds of freely available DOS tools, and they are easy to use even for beginners: they flood the victim server with UDP, TCP or HTTP requests, and all the attacker needs to know is the server's URL or IP address. Because of this, the use of DOS attacks has grown considerably in the past few years, so it is important to put a safeguard in place that at least helps protect servers from this risk.

According to Wikipedia, DOS attacks are classified into three types:

  • Application Layer DDOS attack
  • Protocol DOS attack
  • Volume based DOS attack

So, in this article I am going to introduce a small script-based tool, "DOS Deflate", which helps fight application layer DOS. It does not fully protect against a large DDOS attack (a flood that saturates the link upstream of the host cannot be stopped on the host itself), but against single-source connection floods it is very helpful.

About DOS Deflate

DOS Deflate is a lightweight bash shell script designed to assist in blocking a denial of service attack. It tracks the IP addresses connecting to the server using the netstat command and counts the connections from each of them. Whenever the number of connections from a single address exceeds the preset limit defined in the configuration file, the script automatically blocks that address through iptables or APF, according to the configuration.

Here are all the steps we need to follow to install and configure DOS Deflate on the machine.

Step 1

First of all, we have to download the installer script, which is available on the DOS Deflate website, using the wget utility. Open a terminal and type the following command.

wget http://www.inetbase.com/scripts/ddos/install.sh

The installer script install.sh has now been downloaded. The downloaded file can be checked with the ls -l command.

Step 2

As can be seen, the downloaded file does not have executable permission. Now, we have to make it executable. This can be done through the following command.

chmod +x install.sh

Step 3

Now that the script is executable, we run install.sh, which installs DOS Deflate on the system.

DOS Deflate has now been installed. Its files can be found in /var/local/ddos/.

There are three files in that directory. The first is ddos.conf, where all of the tool's settings are configured as required. The second is ddos.sh, the main script of the tool, and the third is ignore.ip.list, the whitelist file in which we define the IP addresses that the tool must never block (put your own management addresses here before enabling blocking, otherwise a busy admin session can get you locked out of your own server).

Along with the install, a cron job is created that runs the script every minute, since the default frequency in ddos.conf is 1 minute; the interval can be changed there. Each run re-checks all IP connections to the server.

Step 4

First of all, we will change one command in the main ddos.sh file to make the tool more effective. Open the file in an editor, comment out line 118 by adding '#' at the start of the line, and write the following command in its place:

netstat -ntu | grep ':' | awk '{print $5}' | awk '{sub("::ffff:","");print}' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

This command is the heart of DOS Deflate. It lists the current TCP and UDP connections, takes the foreign (remote) address of each one, strips the ::ffff: prefix from IPv4-mapped IPv6 addresses, drops the port, and counts how many connections each remote IP address has, writing the list sorted by count into $BAD_IP_LIST.
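As an added example (not code from the article or from the DOS Deflate project), the following shell script reproduces the counting pipeline above but reads netstat-style lines from standard input, so it can be run offline, and adds the threshold and whitelist decision that the rest of the tool makes on the result. The netstat output is constructed sample data using documentation address ranges, and the function names and the ignore-file argument are my own; only the pipeline itself is the one from line 118.

```shell
#!/bin/sh
# Added example, not part of DOS Deflate: the per-IP connection count from ddos.sh,
# fed from stdin so it runs offline, plus the threshold/whitelist decision.

# Count connections per remote IP. Input: lines in `netstat -ntu` format on stdin.
# Output: "<count> <ip>", highest count first (the shape of $BAD_IP_LIST in ddos.sh).
count_connections() {
    grep ':' \
    | awk '{print $5}' \
    | awk '{sub("::ffff:","");print}' \
    | cut -f1 -d ':' \
    | sort | uniq -c | sort -nr \
    | awk '{print $1, $2}'
}

# Print the IPs whose count exceeds the limit, skipping whitelisted addresses.
# $1 = connection limit (NO_OF_CONNECTIONS in ddos.conf)
# $2 = whitelist file, one IP per line (ignore.ip.list); defaults to an empty list
offending_ips() {
    limit="$1"
    ignore="${2:-/dev/null}"
    count_connections | while read -r count ip; do
        if [ "$count" -gt "$limit" ] && ! grep -qxF "$ip" "$ignore"; then
            echo "$ip"
        fi
    done
}

# Constructed `netstat -ntu` output (hypothetical addresses from documentation ranges):
# 5 connections from 192.0.2.9 (shown IPv4-mapped, as a dual-stack socket reports it),
# 3 from 203.0.113.5, 2 from 198.51.100.7.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:80             203.0.113.5:51234       ESTABLISHED
tcp        0      0 10.0.0.1:80             203.0.113.5:51235       ESTABLISHED
tcp        0      0 10.0.0.1:80             203.0.113.5:51236       ESTABLISHED
tcp        0      0 10.0.0.1:22             198.51.100.7:40022      ESTABLISHED
udp        0      0 10.0.0.1:53             198.51.100.7:5353       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.1:80      ::ffff:192.0.2.9:4000   ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.1:80      ::ffff:192.0.2.9:4001   ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.1:80      ::ffff:192.0.2.9:4002   ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.1:80      ::ffff:192.0.2.9:4003   ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.1:80      ::ffff:192.0.2.9:4004   ESTABLISHED
EOF
}

# Demo: `sh ddos_count.sh --demo` prints the counts and the IPs over a limit of 2.
# On a live host replace sample_netstat with `netstat -ntu` and use the real limit.
if [ "${1:-}" = "--demo" ]; then
    sample_netstat | count_connections
    echo "--- over limit 2 ---"
    sample_netstat | offending_ips 2
fi
```

One caveat the pipeline inherits from the original: `cut -f1 -d ':'` only works for IPv4 and IPv4-mapped addresses. A native IPv6 peer such as 2001:db8::1 is reduced to its first hextet, so on a dual-stack host all IPv6 clients sharing that prefix are counted together and the resulting "address" passed to the firewall is wrong. If the server takes IPv6 traffic, parse the remote address with something that understands brackets or the last-colon rule instead.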

Step 5

After installing DOS Deflate, we have to configure it. To do this, open the ddos.conf file in the vi/vim editor as shown below.

vim /var/local/ddos/ddos.conf

In the figure above, I have numbered each configuration item so that it is easier to follow. Each item is described below.

  1. We start by configuring the frequency of the script. By default the frequency is set to 1, which means the DOS Deflate script runs every minute. We can change this to suit our requirements.

  2. After setting the frequency, we set the connection limit, the maximum number of connections allowed from a single IP address. The default is 150. If an IP address crosses this limit, DOS Deflate treats it as an offending IP and blocks it. Remember that many legitimate users behind one NAT gateway or proxy share a single source address, so set the limit with your real traffic in mind.

  3. Here we define the firewall that will be used to ban offending IP addresses. DOS Deflate supports two firewalls, APF and iptables. Since iptables is installed by default on Linux, we will use it to ban the offending IPs. By default the setting is 1 (APF); change it to 0 to use iptables.

  4. DOS Deflate runs in two modes. The first is interactive mode, in which DOS Deflate does not ban offending IPs but only sends an email when the connection limit is exceeded. In the second mode it bans the IP address according to the settings above and also sends the email. To test the tool safely, run it in interactive mode first. To select interactive mode set the value to 0; otherwise set it to 1. By default it is 1.

  5. Here we define the email address. When an IP address is banned by DOS Deflate, a notification is sent to this address. By default it is root; any other email address can be given in its place.

  6. When an IP address is banned, we also have to define the ban time, in seconds. By default it is 600 seconds, which means the offending IP is banned for 10 minutes.
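The six settings above, together with the ban step they drive, as an added example that is not the tool's own code. The variable names are the ones I recall from the stock ddos.conf (FREQ, NO_OF_CONNECTIONS, APF_BAN, KILL, EMAIL_TO, BAN_PERIOD; check them against your copy), while the check_config, fw_cmd and handle_ip functions, the DRY_RUN switch and the sample address 203.0.113.5 are my own. With DRY_RUN=1 (the default here) the script prints the firewall, at and mail commands instead of running them, so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from DOS Deflate: a ddos.conf-style settings block,
# a sanity check for it, and the ban / scheduled-unban / notify step for one IP.
# Variable names follow the stock ddos.conf as I recall them; the functions are mine.

# --- settings, in the order of the numbered items in the article ---
FREQ=1                  # 1: run interval in minutes (cron cannot go below 1)
NO_OF_CONNECTIONS=150   # 2: connections from one IP before it is treated as offending
APF_BAN=0               # 3: 1 = ban with APF, 0 = ban with iptables
KILL=1                  # 4: 1 = ban and email, 0 = email only ("interactive" test mode)
EMAIL_TO=root           # 5: where ban notifications go
BAN_PERIOD=600          # 6: ban length in seconds (600 s = 10 minutes)

DRY_RUN=${DRY_RUN:-1}   # 1 = print commands instead of executing them (my addition)

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# BAN_PERIOD in whole minutes, rounded up, because at(1) schedules in minutes.
ban_minutes() {
    echo $(( ($1 + 59) / 60 ))
}

# Reject settings that would make the tool ineffective or unsafe. Returns 1 on the first problem.
check_config() {
    [ "$FREQ" -ge 1 ] 2>/dev/null || { echo "FREQ must be a number >= 1"; return 1; }
    [ "$NO_OF_CONNECTIONS" -gt 0 ] 2>/dev/null || { echo "NO_OF_CONNECTIONS must be positive"; return 1; }
    case "$KILL$APF_BAN" in 00|01|10|11) ;; *) echo "KILL and APF_BAN must be 0 or 1"; return 1 ;; esac
    [ "$BAN_PERIOD" -ge $(( FREQ * 60 )) ] 2>/dev/null \
        || { echo "BAN_PERIOD is shorter than one run interval: the ban would lapse before the next check"; return 1; }
    if [ "$APF_BAN" = 1 ] && ! command -v apf >/dev/null 2>&1; then
        echo "APF_BAN=1 but apf is not installed; set APF_BAN=0 to use iptables"; return 1
    fi
    return 0
}

# The firewall command line for IP $1; $2 is "add" (ban) or "del" (unban).
fw_cmd() {
    if [ "$APF_BAN" = 1 ]; then
        if [ "$2" = add ]; then echo "apf -d $1"; else echo "apf -u $1"; fi
    else
        if [ "$2" = add ]; then echo "iptables -I INPUT -s $1 -j DROP"
        else echo "iptables -D INPUT -s $1 -j DROP"; fi
    fi
}

# Handle one offending IP the way the tool does: ban it (unless KILL=0), queue the
# unban for BAN_PERIOD later, and notify EMAIL_TO.
handle_ip() {
    ip="$1"
    if [ "$KILL" = 1 ]; then
        run $(fw_cmd "$ip" add)
        # the unban command is handed to at(1); with DRY_RUN=1 only the at line is shown
        fw_cmd "$ip" del | run at now + "$(ban_minutes "$BAN_PERIOD")" minutes
        echo "Banned $ip for $BAN_PERIOD seconds" | run mail -s "IP $ip banned by ddos.sh" "$EMAIL_TO"
    else
        echo "$ip exceeded $NO_OF_CONNECTIONS connections (KILL=0, not banned)" \
            | run mail -s "IP $ip over limit (interactive mode)" "$EMAIL_TO"
    fi
}

# Demo: `DRY_RUN=1 sh ddos_ban.sh 203.0.113.5` shows what would be run for that address.
if [ "$#" -gt 0 ]; then
    check_config || exit 1
    for ip in "$@"; do handle_ip "$ip"; done
fi
```

Two points the check encodes: a ban period shorter than the run interval is pointless, since the address is unbanned before the script looks again, and selecting APF on a host that only has iptables silently bans nothing, which is why the tutorial switches the firewall setting to 0.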

Step 6

After configuring the script, we have to restart the DOS Deflate script.

Note: after any change to the configuration file, the script must be restarted.

We have now configured DOS Deflate on the server. Next we test it against the most common DOS attack tools. Some frequently used tools for launching DOS or DDOS attacks, all easily available on the Internet, are listed below.

  1. HOIC (High Orbit Ion Canon)
  2. LOIC ( Low Orbit Ion Canon)
  3. XOIC
  4. R-U-DEAD-Yet
  5. Pyloris
  6. OWASP DOS HTTP Post
  7. GoldenEye HTTP Denial of Service Tool
  8. Slowloris HTTP Dos

Here, we are testing DOS Deflate against HOIC. It is one of the most popular DOS attacking tools freely available on the Internet. This tool is really easy to use even for a beginner. We can download this tool from the URL mentioned below.

https://mega.co.nz/#!IMw0iCJY!Hg5oQHdQu9FLZcbCJ_HTi1X0F98djiXDLLjWs2N6SIk

After downloading the tool, we need to extract it into the folder and open it by clicking the hoic.exe file. We will get the following HOIC interface.

Now, we need to add the IP Address or the URL of the server in which we have configured the DOS Deflate.

After adding the target URL, we will see it listed in the target section.

Then, click on the "FIRE THE LAZER" icon and it will start the DOS attack on the server. After 2 minutes we will receive an email at the email address which was mentioned in the server configuration, stating that the IP address has been banned on the server.

We can also check the banned IP address by logging in to the server and checking the IP tables. We can check the IP tables status by the following command.

iptables -L -n

It can be seen in the above screen shot that DOS Deflate has banned the IP address through the IP tables in which we had started the HOIC DOS tool.

Another commonly used DOS attack tool is Slowloris HTTP DOS. It is written in Perl and works differently from HOIC: rather than flooding, it opens many connections to the web server and keeps them alive with partial HTTP requests, which is exactly the per-IP connection pile-up that DOS Deflate counts. The tool is available for both Windows and Linux platforms, but we will use the Linux version. The Perl script can be downloaded with the command below.

wget http://ha.ckers.org/slowloris/slowloris.pl

After downloading the tool, we make it executable and then run the following command to launch it against the target URL.

./slowloris.pl -dns <URL of the Server>

After starting the attack, we can check the email or the iptables status to verify whether the attacking IP address has been blocked by DOS Deflate.

We have successfully tested DOS Deflate against all the tools which were given above in the article. Readers can try by themselves so that they can understand it better.
