Denial of Service

We are continually bombarded with outside attempts to connect to our systems, to break in. It's mostly `ssh` attempts to login to well known userids (e.g. "root") and try common passwords. It sometimes causes serious performance degradation. On Linux based systems, a practical approach to handle a specific attack is to add the offending IP address to /etc/hosts.deny. One catch is that a range of addresses could be attacking. Another catch is that choosing a simple prefix of the address can block much more than is intended.

So, our procedure, when attacked from a range of addresses, is to block at most from the ISP supporting the addresses. The relevant address range can be determined using the `whois` command, applied to various area servers. E.g. given an address like 103.41.124.10 one can try:

% for server in \
>  whois.apnic.net \
>  whois.ripe.net \
>  whois.afrinic.net \
>  whois.arin.net \
>  whois.lacnic.net \
>  whois.nic.or.kr \
>; do
>  whois -h $server 103.41.124.10 | egrep '^(OrgName|descr|CIDR|inetnum):'
>done
inetnum:        103.41.124.0 - 103.41.124.255
descr:          HEETHAI LIMITED
inetnum:        103.0.0.0 - 103.255.255.255
descr:          IPv4 address block not managed by the RIPE NCC
inetnum:        0.0.0.0 - 255.255.255.255
descr:          The whole IPv4 address space
CIDR:           103.0.0.0/8
OrgName:        Asia Pacific Network Information Centre
inetnum:        103.41.124.0 - 103.41.124.255
descr:          HEETHAI LIMITED
inetnum:        103.41.124.0 - 103.41.124.255
descr:          HEETHAI LIMITED
inetnum:        103.41.124.0 - 103.41.124.255
descr:          HEETHAI LIMITED
to discover the answer (103.41.124.0/24). Some whois servers will refer to the right server if they don't know the answer.

Once the address range that contains the offending addresses is discovered, the /etc/hosts.deny file can be updated. We should keep it the same for all machines that allow `ssh` in, i.e. the linux.cs and linux.student.cs systems.

`man hosts.deny` says:

  • An expression of the form `n.n.n.n/m.m.m.m´ is interpreted as a `net/mask´ pair. An IPv4 host address is matched if `net´ is equal to the bitwise AND of the address and the `mask´. For example, the net/mask pattern `131.155.72.0/255.255.254.0´ matches every address in the range `131.155.72.0´ through `131.155.73.255´. `255.255.255.255´ is not a valid mask value, so a single host can be matched just by its IP.

  • An expression of the form `n.n.n.n/mm' is interpreted as a `net/masklength' pair, where `mm' is the number of consecutive `1' bits in the netmask applied to the `n.n.n.n' address.

so a CIDR or netmask ought to make this practical. Although a search finds some claims that only the netmask will work.

Note that a better approach to the problem is Fail2ban. However until we have that, we're stuck with the /etc/deny.hosts approach.

Topic revision: r2 - 2015-06-02 - BillInce
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback