DDoS Attack prevention methods

In this article, I would like to share some information about DDoS (Distributed Denial of Service) attacks. A denial of service is a situation where a service (such as a web service or mail service) is not available to its legitimate users. There are different types of DoS attack, but the most destructive one is the DNS-based DDoS attack carried out through an open DNS resolver.

DDoS attack by open DNS resolver:

An open DNS resolver is a DNS name resolver that accepts queries from all IP addresses, so anyone can use your server to resolve hostnames. Attackers mainly target this type of DNS resolver to conduct denial of service attacks. The attacker sends spoofed DNS queries to the open DNS resolver. Because the open resolver does not check the source IP address of the query, it accepts the query and performs a recursive DNS lookup. These recursive lookups consume your server's bandwidth, CPU and memory, and your server becomes slow or unresponsive; the replies are also sent to the spoofed source address, so your server ends up amplifying traffic against whoever that address belongs to.

How to prevent DDoS attacks by open DNS resolver?

First, you need to confirm that your server is not an open DNS resolver. You can check this with the following command:

dig +short test.openresolver.com TXT @22.33.44.44   (replace 22.33.44.44 with your server's IP address)

or you can check it with the http://openresolver.com/ site.
If your server is an open DNS resolver, the above command will return a value like the following:

[~]# dig +short test.openresolver.com TXT @22.33.34.44
"open-resolver-detected"

If you find that your server is an open DNS resolver, you can disable recursion by the following method
[ This method is for the BIND DNS server ]

Open your named.conf file and set recursion to no in the external view:

view "external" {
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
};

Then save the file and restart the named service.

SYN flood attack:

A SYN flood attack is another form of Denial of Service attack. Before explaining the SYN flood attack, I would like to describe the TCP three-way handshake. The TCP three-way handshake is the protocol used to create a TCP socket connection. It works as follows.

  • The client sends a SYN (synchronize) packet over the network to a server. The purpose of this packet is to ask the server for a new connection.
  • The server must have an open port to accept and initiate a new connection. The server acknowledges this request by sending a SYN-ACK back to the client.
  • The client receives the SYN-ACK, replies with an ACK packet, and the connection is established.

Now, coming back to the SYN flood: here the client sends a SYN packet to the server but never responds with the expected ACK packet. The attacker simply does not send the ACK, while the server waits for some time for that ACK to arrive. The attacker keeps repeating this process, which leaves a large number of half-open connections on the server and leads to high resource utilization: bandwidth, CPU and memory.

You can start mitigating a SYN flood by checking the state of the connections on your server:

netstat -n | grep :80 | grep SYN | wc -l

The above command shows the number of connections to port 80 that are currently in a SYN (half-open) state. If you find a suspicious IP address, you can block it at the server level with the help of iptables or csf:

by iptables rule:  iptables -I INPUT 1 -s IPADDRESS -j DROP   (or -j REJECT)
by csf:  csf -d IPADDRESS

After that, kill all the HTTP connections and restart the httpd service.
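The netstat command above only gives a total. As an added example (not code from the original article), the following POSIX shell script, assuming output in netstat -n layout, counts half-open connections per source IP and flags sources above a threshold, so that a single source can be picked out before an iptables or csf rule is applied.

```shell
#!/bin/sh
# Added example, not code from the original article: break the netstat count
# down per source IP so a single offender can be identified before blocking.
# Input is expected in "netstat -n" layout (proto, recv-q, send-q, local,
# remote, state). The lines below are constructed sample data, not a capture.

SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80            203.0.113.10:41001     SYN_RECV
tcp        0      0 10.0.0.5:80            203.0.113.10:41002     SYN_RECV
tcp        0      0 10.0.0.5:80            203.0.113.10:41003     SYN_RECV
tcp        0      0 10.0.0.5:80            198.51.100.7:55020     ESTABLISHED
tcp        0      0 10.0.0.5:22            198.51.100.8:60001     SYN_RECV
tcp        0      0 10.0.0.5:80            192.0.2.44:33333       SYN_RECV'

# syn_recv_by_source PORT  < netstat-output
# Prints "COUNT IP" for every remote IP holding half-open (SYN_RECV)
# connections to local port PORT, highest count first.
syn_recv_by_source() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            lport = $4; sub(/^.*:/, "", lport)      # local port after last colon
            if (lport == port) {
                src = $5; sub(/:[0-9]+$/, "", src)  # strip the remote port
                count[src]++
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# syn_recv_offenders PORT THRESHOLD  < netstat-output
# Prints only the source IPs with more than THRESHOLD half-open connections;
# these are candidates for the iptables/csf rules above, after manual review.
syn_recv_offenders() {
    syn_recv_by_source "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# Demo on the constructed sample. On a live server use:
#   netstat -n | syn_recv_offenders 80 50
echo "$SAMPLE_NETSTAT" | syn_recv_by_source 80
echo "--- sources above threshold 2 ---"
echo "$SAMPLE_NETSTAT" | syn_recv_offenders 80 2
```

A flood that spoofs its source addresses spreads across many IPs, so a high total with no single offender is itself a sign of a SYN flood, and a per-IP block only helps against sources that are not spoofed.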
