DOS Prevention — Step by step guide

DOS is the most common attacks which is used by many attackers. (Denial of Service) attacks which flows the bandwidth (data packets), to interrupt the services of victim IP address or URLs. Ethical Hacking researchers of International Institute of Cyber Security stimulated the DOS attack and demonstrated on how to block IP address if there is any DOS attack is occurring.

Fail2Ban is used to block suspicious IP address which are sending multiple requests on Server IP address. Fail2ban scans the logs file & blocks IP addresses which has make too many login attempts. Fail2ban updates the firewall policy to deny new connection from suspicious IP addresses.

DOS Attack From Ubuntu OS

• Here we will run DOS attack using slowloris. Slowloris is very common tool used in DOS attacks.
• Open terminal on Ubuntu machine (Attacker)
• Type sudo apt-get update
• Type sudo apt-get install python3
• Type sudo apt-get install python3-pip
• Type pip3 -version

root@ubuntu:/home/iicybersecurity#pip3 --version pip 9.0.1 from /usr/lib/python3/dist-packages (python 3.6)
root@ubuntu:/home/iicybersecurity#pip3 install slowloris Collecting slowloris Downloading https://files.pythonhosted.org/packages/a6/37/5ae3d027727122039f52a22d278f1d73f564e03e5fdb93f10e3a2f26aa06/Slowloris-0.2.0.tar.gz Building wheels for collected packages: slowloris Running setup.py bdist_wheel for slowloris ... done Stored in directory: /root/.cache/pip/wheels/bd/a1/f1/35dd5184db4e890b6ff5c992ff1f7a1b8b30e9bcd89aa6f7ba Successfully built slowloris Installing collected packages: slowloris Successfully installed slowloris-0.2.0
root@ubuntu:/home/iicybersecurity#slowloris --help usage: slowloris [-h] [-p PORT] [-s SOCKETS] [-v] [-ua] [-x] [--proxy-host PROXY_HOST] [--proxy-port PROXY_PORT] [--https] [--sleeptime SLEEPTIME] [host] Slowloris, low bandwidth stress test tool for websites positional arguments: host Host to perform stress test on optional arguments: -h, --help show this help message and exit -p PORT, --port PORT Port of webserver, usually 80 -s SOCKETS, --sockets SOCKETS Number of sockets to use in the test -v, --verbose Increases logging -ua, --randuseragents Randomizes user-agents with each request -x, --useproxy Use a SOCKS5 proxy for connecting --proxy-host PROXY_HOST SOCKS5 proxy host --proxy-port PROXY_PORT SOCKS5 proxy port --https Use HTTPS for the requests --sleeptime SLEEPTIME Time to sleep between each header sent.

• Above screenshot of wireshark shows the receiving of TCP packets. As victim is running with apache2 service. By default slowloris send multiple data packets on port 80.
• Above shows very simple scenario that how dos attack is stimulated. For defending such dos attacks. we will use fail2ban.

Victim/ Defender Machine — Kali OS

Fail2Ban Installation

• We will testing on Linux Distros. On attacking we will use Ubuntu 18.04 & on victim-defend we will use Kali Linux on.
• Kali Linux (Victim & Defender) — 192.168.1.9
• Ubuntu (Attacker) — 192.168.1.8
• For Installation on Kali Linux. Open terminal
• Type sudo apt-get update
• Type sudo apt-get install fail2ban
• Type sudo service apache2 start
• Type sudo systemctl status apache2

root@kali:/etc/fail2ban#sudo systemctl status apache2 ● apache2.service - The Apache HTTP Server Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2019-11-05 02:09:37 EST; 2h 47min ago Process: 4749 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS) Main PID: 4753 (/usr/sbin/apach) Tasks: 152 (limit: 4662) Memory: 91.3M CGroup: /system.slice/apache2.service ├─4753 /usr/sbin/apache2 -k start ├─4754 /usr/sbin/apache2 -k start ├─6073 /usr/sbin/apache2 -k start ├─6074 /usr/sbin/apache2 -k start ├─6075 /usr/sbin/apache2 -k start ├─6077 /usr/sbin/apache2 -k start ├─6079 /usr/sbin/apache2 -k start ├─6080 /usr/sbin/apache2 -k start ├─6081 /usr/sbin/apache2 -k start ├─6083 /usr/sbin/apache2 -k start ├─6084 /usr/sbin/apache2 -k start ├─6085 /usr/sbin/apache2 -k start ├─6086 /usr/sbin/apache2 -k start ├─6087 /usr/sbin/apache2 -k start ├─6088 /usr/sbin/apache2 -k start ├─6089 /usr/sbin/apache2 -k start ├─6090 /usr/sbin/apache2 -k start ├─6091 /usr/sbin/apache2 -k start ├─6092 /usr/sbin/apache2 -k start ├─6093 /usr/sbin/apache2 -k start ├─6094 /usr/sbin/apache2 -k start

• Press Ctrl+c
• Before starting fail2ban service. We have to configure it. For that
• Then enter enabled = true after [apache-auth], [apache-badbots], [apache-noscript] & [apache-overflows] as shown below.

ignorecommand = /path/to/command ignorecommand = "bantime" is the number of seconds that a host is banned. bantime =30 A host is banned if it has generated "maxretry" during the last "findtime" seconds. findtime =50 "maxretry" is the number of failures before a host get banned. maxretry =10 HTTP servers # [apache-auth]enabled = true port = http,https logpath = %(apache_error_log)s [apache-badbots] Ban hosts which agent identifies spammer robots crawling the web for email addresses. The mail outputs are buffered.enabled = true port = http,https logpath = %(apache_access_log)s bantime = 48h maxretry = 1 [apache-noscript]enabled = true port = http,https logpath = %(apache_error_log)s [apache-overflows]enabled = true port = http,https logpath = %(apache_error_log)s maxretry = 2
[apache] enabled =true port = http,https filter = apache-auth logpath =/var/log/apache2/*error.log maxretry =2 findtime =50 ignoreip =
root@kali:/etc/fail2ban#sudo /etc/init.d/fail2ban start [ ok ] Starting fail2ban (via systemctl): fail2ban.service. root@kali:/etc/fail2ban#
root@kali:/etc/fail2ban#sudo systemctl status fail2ban.service ● fail2ban.service - Fail2Ban Service Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2019-11-05 05:02:20 EST; 3s ago Docs: man:fail2ban(1) Process: 6475 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS) Main PID: 6476 (fail2ban-server) Tasks: 13 (limit: 4662) Memory: 17.9M CGroup: /system.slice/fail2ban.service └─6476 /usr/bin/python3 /usr/bin/fail2ban-server -xf start Nov 05 05:02:20 kali systemd[1]: Starting Fail2Ban Service... Nov 05 05:02:20 kali systemd[1]: Started Fail2Ban Service. Nov 05 05:02:21 kali fail2ban-server[6476]: Server ready

Attacker Machine — Ubuntu OS

• Type slowloris 192.168.1.9 -p 80 & slowloris will start sending packets to target IP address.
• 192.168.1.9 is the target IP address
• -p to mention port no. Using port 80 it will generate the traffic.

root@ubuntu:/home/iicybersecurity#slowloris 192.168.1.9 -p 80 [05-11-2019 02:08:59] Attacking 192.168.1.9 with 150 sockets. [05-11-2019 02:08:59] Creating sockets... [05-11-2019 02:08:59] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:09:14] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:09:29] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:09:44] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:09:59] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:10:14] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:10:29] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:10:44] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:11:00] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:11:15] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:11:30] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:11:45] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:12:00] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:12:15] Sending keep-alive headers... Socket count: 150 [05-11-2019 02:12:30] Sending keep-alive headers... Socket count: 150

Victim/ Defender Machine

• Now go to victim machine Kali Linux. In the Wireshark, you will notice DOS from attacker machine to target IP address.
• Type sudo fail2ban-client set apache banip 192.168.1.8
• This command will block the target IP address. Below screenshot shows that 192.168.1.8 has blocked.

• Above screenshot shows that none of the packets are receiving from target machine.
• Now if you check fail2ban status. You will notice that attacker IP has been blocked because attacker was sending multiple packets.
• For checking status open another terminal type sudo fail2ban-client status apache

root@kali:/var/log/apache2#sudo fail2ban-client status apache Status for the jail: apache |- Filter | |- Currently failed: 0 | |- Total failed: 1 |- File list: /var/log/apache2/error.log - Actions |- Currently banned: 1 |- Total banned: 1 `- Banned IP list: 192.168.1.8

Originally published at https://www.securitynewspaper.com on November 14, 2019.