7

I have a DigitalOcean Ubuntu 16.04 machine with Bash as the main shell, Nginx, PHP-FPM, and MySQL as the server environment, Certbot for TLS and WordPress for web applications.

  • I protect from MITMs with TLS.
  • I protect from SSH and application BFAs with SSHGuard and WordFence.
  • I protect from Backdoors and DB injections (like SQL injections) with various policies like minimal usage of modules, simple and unified forms (and captchas and honeypots if needed), and automatic upgrades via unattended-upgrades and WP-CLI for WordPress.
  • If I'm not wrong, WordFence also protects from one or more types of application layer DoS attacks.

Currently I see no reason why the websites I host should be attacked in a Distributed DoS (for example, I hold no organization targeted by another organization).

And yet, I do fear DoS in general; especially a network-level DoS from a single machine.

My question

What would be the best way to monitor and repel any simple (say, single machine) network-level DoS attack?

I would prefer not to use external tools like CloudFlare as their policies can change and they can suddenly cost money or change pricing.

Ideally I would desire to install a Linux utility that works automatically, "as is", monitoring and repelling attackers from iptables (or nftables in the future), but I get the impression such a tool isn't available with current technology. UPDATE FOR THIS PASSAGE: It seems that such a tool, if it existed, wouldn't be enough anyway because I need a network-level tool outside the operating system (a tool that DigitalOcean or any similar hosting provider should provide, in my opinion, and that would be controllable from their interface/GUI).

user9303970
  • 443
  • 1
  • 4
  • 15
  • 1
    Thanks for editing the question. I don't think that there is some simple tool which you can just use "as is" and forget. But simple DoS attempts done by just rapidly connecting to your site or SYN attacks could be handled by rate limiting new connections which can be done with iptables - see for example https://askubuntu.com/questions/240360/. But you need to fine tune this for the amount of traffic you expect. – Steffen Ullrich May 01 '18 at 05:52
  • @SteffenUllrich `rapidly connecting to your site or SYN attacks` means "Application layer or Network layer", right? – user9303970 May 01 '18 at 12:05
  • SYN attack is network layer. Once the connection is accepted by the application and it tries to serve the page with all the database lookups etc involved you have application layer. The rate limiting is done at the network layer though. – Steffen Ullrich May 01 '18 at 12:10
  • 6
    Installing something on the server to prevent network-level attacks is not the way to go. You need something in front of your server on the network level (like a CDN, load balancer, firewall, etc.). – schroeder May 07 '18 at 20:22
  • 3
    Probably the simplest answer is just cloudflare... however that is an off-the-cuff response, hence the comment and not an answer. I agree with @schroeder though - you need something in front of your server to stop network layer attacks, regardless of whether or not they are DDoS or single machine DoS – Conor Mancone May 07 '18 at 20:24
  • 1
    @user9303970 you are kind of asking how to prevent cuts on your skin by placing something *under* your skin. By the time the protection layer starts to work, the damage has been done. – schroeder May 07 '18 at 20:31
  • @schroeder given I host in DigitalOcean and it's not a dedicated machine, I don't know how I could easily or automatically monitor and repel attackers by the DigitalOcean firewall (DigitalOcean does indeed let me control their firewall for each virtual machine but I don't see any way it would be automatic in any sense or context - IINW, all my actions on that firewall, including monitoring, would have to be totally manual and damage could already be done, so I miss how using their firewall would be efficient). – user9303970 May 07 '18 at 20:34
  • @schroeder I'm sorry, I didn't mean the question to be absurd. Please feel free to edit it or to tip me on how to edit it. – user9303970 May 07 '18 at 20:35
  • What we are all saying is that what you want is not going to work. A CDN *is* the solution and it is why they exist, but you are resisting them. The most you can do is to follow Steffen's suggestion and use `iptables`. – schroeder May 07 '18 at 20:50
  • @schroeder sadly no CDN is gratis and their policies and prices change so it's not good for me. I understand that `iptables` is going to be replaced with a new firewall quite soon; not sure it's worth learning this entire software if it's going to change soon. – user9303970 May 07 '18 at 20:57
  • 1
    Cloudflare is gratis. I use it for all my sites. You only fear the idea that it might change. Learning `iptables` is not that difficult. Where did you hear that `iptables` was going away? – schroeder May 07 '18 at 20:59
  • @schroeder AFAIU the service of blocking network-level attackers particularly is not gratis (or given up until a certain number of attacks). Regarding `iptables` I think it was `nftables` but not sure: https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/ – user9303970 May 07 '18 at 21:04
  • @user9303970 There's always something new under the sun, but that doesn't mean it'll replace what exists. iptables is massively used, well understood, and in place in millions of different sites around the world. It's highly unlikely to be replaced anytime soon, and any replacement would take many many years to diffuse into the linux ecosphere. In other words, if you go anywhere in the security world in your career using Linux, you'll have to learn it anyway. – Steve Sether May 10 '18 at 17:47
  • If you're very afraid of a network-level DoS coming from a single machine, patch your software, or don't expose DoS-vulnerable services to the external network/interface - expose only on the loopback interface. Tell them only that the Lich King is dead and Bolvar Fordragon died with him. – Mark Buffalo May 10 '18 at 21:47
  • @MarkBuffalo `expose only on the loopback interface`? I don't think any comment or answer mentioned it. I hope you'd have spare time to write an answer on it. – user9303970 May 10 '18 at 23:18

3 Answers

5

A DoS is different from the other concerns you mention.

With MiTM, zero is the only acceptable number of successful attacks. Zero is the only acceptable number of successful SQL injections. Zero is the only acceptable number of brute-forced passwords, and why even subject yourself to password brute forcing: disallow passwords altogether and whitelist IPs.

With DoS...if you are infrastructure supporting commercial customers, then, sure, transient request lossage directly costs money. That's a metric that one can care about.

If the service is best effort, there is probably a level of "successful" DoS that you can ignore. There is a gradation of acceptability for the risk.

To have some insurance, you can apply per-IP rate limits at the network level, e.g. https://making.pusher.com/per-ip-rate-limiting-with-iptables/, and you can apply per-IP rate limits at the application level in nginx, e.g. https://www.nginx.com/blog/rate-limiting-nginx/ or with any rate limit plugin for Wordpress.

But because it's amorphous, distill the concern into a metric that accurately expresses the distinction between caring and not caring for you. This measurement may just be a report from a web ping service giving you an availability score.

Jonah Benton
  • 3,359
  • 12
  • 20
5

There is no reason to believe DDoS won't happen & only DoS would. A single attacker, possessing a botnet is enough. Or search engines such as Shodan will help a single infuriated attacker compromise remote machines to launch DDoS.

If you aren't clear about this, Google "DDoS using Memcached servers". You will perhaps get to read about the massive DDoS attacks that happened some weeks ago on websites such as GitHub.

Coming to the solution:

  • As it is already suggested, imposing a per-IP limit is a must. For example, if you perform numerous Google searches in a short period of time, Google will ask you to solve a reCAPTCHA challenge.

  • I am not sure how Cloudflare DDoS protection works. But oftentimes I have seen it redirecting to site after 5 seconds. It might be possible to prevent DDoS by terminating connections which send arbitrarily large amounts of data. [like in the case of Memcached servers].

  • Assessing your protection measures with all available tools. At least with open source tools such as OWASP ZAP, w3af etc., sometimes a non-distributed simple DoS script such as hulk.py (there is also a modified version on Sourceforge) may be able to break comprehensive security measures.

However, I think while setting a per-IP limit is inevitable to avoid script kiddies etc., it alone can't provide sufficient protection since IP address spoofing is not a very big job, and the probability of DDoS can't be neglected.

schroeder
  • 123,438
  • 55
  • 284
  • 319
4

First of all, user9600383 is right: DDoS is cheap and easy to perform, and you are wrong to discount it.

By network-level attack, I assume you mean an attack at Layer 3 or lower rather than something that targets your site/application directly.

If it is from a single IP address that does not saturate your network path, you could set up Fail2Ban and rate limits. Fail2Ban will take care of protocol abuse (like excessive SSL attempts, which can waste bandwidth and CPU), and rate limits will reduce raw IP traffic.

However, you have a much bigger problem if the attacker is capable of saturating your network connection. The only way to provide reliable service is to have your network provider block the packets on their end.

There is no standard solution for this, and you would have to work with your network provider to determine if an automated solution is even possible. The answer is often "No" based on my experience, but perhaps they offer better support these days. It's been a few years since I worked directly with them.

For a competent DoS/DDoS attacker, most sites are easy targets. The inability of a typical web host to respond meaningfully at the network level gives them a very simple and reliable method of attack.

CloudFlare exists because they can automatically detect an attack and execute countermeasures that are not available to the administrator of a single server. Their bread-and-butter is something that you simply cannot duplicate.

I suggest Fail2Ban and/or rate limits as your best standalone solutions, but they will be inadequate against any halfway decent attacker.

DoubleD
  • 3,862
  • 1
  • 6
  • 14
  • From your answer it sounds I must use either CloudFlare, or leave my VPS into a shared server plan that provides defense from these attacks. – user9303970 May 08 '18 at 14:40
  • It is an unfortunate fact of modern netops. Home internet connections are usually fast enough to exhaust a resource that you have no control over. The only solution is to have a third party provide resilience or failover. Most network providers offer very little in practice, so CloudFlare, Incapsula, etc sprouted up. – DoubleD May 08 '18 at 14:48
  • I'm not sure that fail2ban will work on DoS. It would have to find the IPs in the iptables log and then edit iptables to ban the IP. That sounds like a cascading failure to me if the SYN flood is strong from a single IP. – schroeder May 10 '18 at 20:27
  • @schroeder Rate limits would handle that case. As I said at the end, however, even the combination of Fail2Ban and rate limits will be ineffective against a decent attacker. Plus, DDoS rather than single-point DoS is the norm anyway. Still, both Fail2Ban and rate limits are worthwhile on their own merits. I don't really like the goal of the question, and I believe CloudFlare or equivalent is necessary on today's internet unless you're willing to go dark if you piss someone off. – DoubleD May 11 '18 at 14:52
  • @DoubleD `go dark and piss someone off`? I don't understand. – user9303970 May 11 '18 at 17:47
  • If you make someone angry on the internet, that person could DDoS you in retaliation. Your site will be unavailable (dark) unless you can withstand the attack. Some fairly large or respected sites have been knocked offline by DDoS attacks. Due to the ease of DDoS attacks, any business-critical web site should look into protection from companies like Akamai, CloudFlare, or Incapsula. – DoubleD May 11 '18 at 18:04
  • Dear @DoubleD thanks for the help. I also want to add I didn't understand why you hinted at working with my current Internet Service Provider (ISP). My current ISP is an Israeli company that doesn't do anything with either my websites or DigitalOcean, so I swear it is unclear to me why you mentioned the term ISP, or you meant something else; I assume you mean DigitalOcean by that, which I see as a Web Hosting Company (WHC) and not an ISP. Thanks. – user9303970 May 11 '18 at 23:37
  • @DoubleD you might want to answer here as well: https://security.stackexchange.com/questions/185702/how-does-lbaas-dbaas-or-auto-scaling-help-protect-from-dos – user9303970 May 13 '18 at 21:15
  • I mean the internet provider for the asset you are trying to protect, i.e., your web server. In a cloud environment like Digital Ocean, they are the internet provider for your VMs. – DoubleD May 15 '18 at 16:50