Slowloris and You
UPDATE: 20090826 – Corrected typo in “Slowloris and You.” It used to say “Slowlaris and You.” I keep getting slowloris confused with my nickname for “Solaris.” =D
Back in July, http://ha.ckers.org/slowloris/ published an exploit against Apache and other web servers (see the link for details) that takes advantage of multi-threaded applications. It works by tying up web server threads with partial HTTP requests, then sends TCP handshakes to keep the sockets open. In general, multi-threaded web servers such as httpd, apache, and apache2 are vulnerable. IIS and most proxies are not vulnerable.
CERT suggested using iptables to rate limit incoming port 80 requests. In general, this should be fine for many applications, though CERT has warned that some large clients behind NATs may be affected, and thus the hitcount/time ratio should be adjusted to your needs.
http://www.funtoo.org/en/security/slowloris/ offers tips on mitigating this attack by enabling delayed binding on hardware load balancers.
In short, it appears as though the consensus mitigation method involves connection restrictions in the form of iptables rules or Apache modules (most are of limited value, frankly), or shielding the web servers behind load balancers (such as HA-Proxy).
Quick and Dirty Port Check (ch.pl v 0.1)
The core of the following script is based on work first started by my coworker Trent. The gist of the little script is to perform a quick scan of a hostname or IP by simply attempting to open a socket. I use this when I want to run a quick “is it online” scan of a server and determine if ports of interest are available to me. I added the bit that lets me open them directly from the script without having to type in an alternate command.
This is very much a poorly written hack-job script, and I very much expect that some of you will be able to identify some serious n00b mistakes (probably in that I still haven’t figured out how to properly localize variables), but hey, I don’t think this is half bad for my first PERL script. Yes, PERL. I’ve already been lectured about learning Python instead, but while that’s definitely on the to-do list, this script needed finishing, and I was already halfway through. It’s a tool that’s customized for me, so please hack away, and let me know what you do, as I may like it too!
So, I present, for your consideration and for your critique (please do), ‘ch.pl’ v 0.1.
I generally alias ch=/usr/local/bin/ch.pl for this script in Linux and MacOS, as this lets me leave the file extension the same for when I use it in Windows. To use this in Windows, you’ll need to install PERL first. I use ActivePerl. However, please note that I’m still working on making this script Windows friendly.
To install in Linux/MacOS:
- download ch.pl using FTP or wget to /usr/local/bin/
- chmod +x /usr/local/bin/ch.pl
- modify your ~/.bash_aliases file (ubuntu), or your ~/.bashrc (RedHat) to include the following:
- ‘alias ch=/usr/local/bin/ch.pl’
Usage: ch [hostname or IP] [optional: port(s) to check, separated by commas]
Check Your OS’s Installation Date
Linux:
ls -alh /boot/grub #the majority of files in this folder don’t change from the time of install except for menu.lst
ls -alh /restore #BSD
Windows:
Systeminfo #from the command line
- or -
CMD /K WMIC OS GET InstallDate
You’ll see the Operating System installation date (in WMI format). The first eight characters of that output give you the installation date.
*Windows bit stolen from http://windowsxp.mvps.org/getosdate.htm
Make a Fat32 Partition in Linux
This is handy for transferring files between Windows and Linux, as many distros don’t have NTFS read/write support built in. This is, of course, if you do not have access to the NTFS-3G driver, which does allow read/write mounts.
Overview: fdisk w/ a W95 partition table
mkdosfs
If you need the step by step, it’s below:
fdisk /dev/sd(whatever drive you want to repartition, ‘b’ in this case), then follow along:
The number of cylinders for this disk is set to 20023.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition’s system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-20023, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-20023, default 20023):
Using default value 20023
Command (m for help): t
Selected partition 1
Hex code (type L to list codes): c
Changed system type of partition 1 to c (W95 FAT32 (LBA))
Command (m for help): p
Disk /dev/sdb: 164.6 GB, 164696555520 bytes
255 heads, 63 sectors/track, 20023 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x000f0136
Device Boot Start End Blocks Id System
/dev/sdb1 1 20023 160834716 c W95 FAT32 (LBA)
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.
root@sbrescue:/# mkdosfs /dev/sdb1
mkdosfs 3.0.1 (23 Nov 2008)
root@sbrescue:/# mount /dev/sdb1 /mnt
root@sbrescue:/# cd /mnt
root@sbrescue:/mnt# touch asdf
root@sbrescue:/mnt# ls
asdf
root@sbrescue:/mnt#
All done! =D
Dynamic iptables – “Flexible (and fun)”
Have you ever said to yourself that there should be a tool to do x, start building a tool to do it, then about halfway through your little project, somebody glances over your shoulder and says to you “hey, I use a tool like that, it’s called y, you should check it out,” so you do, and that tool is far more comprehensive and well built than the one you were working on?
Well this isn’t one of those times, because this tool hit me from left field while I was researching ways to mitigate a DDoS attack. Though there are many, many ways to do it, if all you have is a Linux box facing the world with nothing to hide its private parts except iptables, then this “flexible (and fun)” toolset is another weapon you can deploy when you get that 2:30AM call saying “our website’s down and I think it’s being DDoS’d.”
The tool is a simple set of scripts that make adding and removing specific IP’s quick and simple. The main site of the author is at http://www.ibm.com/developerworks/library/l-fw/, or is available (hosted locally) here.
Once installed, you can simply ban/unban an IP by typing ipdrop {IP ADDRESS} {on|off}
While perusing this thread at webhostingtalk.com, member dynamicnet mentioned grepping for ridiculous levels of SYN_RECV connections (indicative of a TCP SYN flood attack) and generating ipdrop commands to quickly ban the SYN-flooding IPs. Though you may accidentally drop one or two legitimate IPs (have a rule already in place so you don’t ban yourself out of a remote box), you’ll likely get the bulk of the attacking IPs.
Use netstat -n -p|grep SYN_REC | wc -l to count how many SYN_RECV connections you have.
Use netstat -n -p | grep SYN_REC | awk '{print $5}' | sort -u | awk -F: '{print "ipdrop "$1 " on"}' to generate commands to ban IPs in SYN_RECV status.
Use cat /root/.dynfw-ipdrop |awk -F: '{print "ipdrop "$1" off"}' to generate commands to “undrop” those IPs.
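A stricter version of the SYN_RECV one-liner above, as an added example that is not from the original post, the webhostingtalk thread or the dynfw scripts: it counts SYN_RECV entries per source, emits an ipdrop command only for sources at or above a threshold, and never for an address on an allowlist (so you do not ban yourself out of the box). THRESHOLD, ALLOW and the netstat sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the dynfw scripts. Counts
# SYN_RECV connections per source IP and emits "ipdrop <ip> on" only for
# sources at or above THRESHOLD, skipping anything in ALLOW (put your own
# IP there). THRESHOLD, ALLOW and SAMPLE_NETSTAT are constructed values.
THRESHOLD="${THRESHOLD:-3}"
ALLOW="${ALLOW:-203.0.113.10}"   # space-separated IPs that are never dropped

# Constructed stand-in for `netstat -n -p` output: one flooding source, one
# low-volume source, one normal client, and the admin's own address.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address     State        PID/Program name
tcp        0      0 192.0.2.5:80     198.51.100.7:41001  SYN_RECV     -
tcp        0      0 192.0.2.5:80     198.51.100.7:41002  SYN_RECV     -
tcp        0      0 192.0.2.5:80     198.51.100.7:41003  SYN_RECV     -
tcp        0      0 192.0.2.5:80     198.51.100.7:41004  SYN_RECV     -
tcp        0      0 192.0.2.5:80     198.51.100.8:5001   SYN_RECV     -
tcp        0      0 192.0.2.5:80     198.51.100.8:5002   SYN_RECV     -
tcp        0      0 192.0.2.5:80     198.51.100.9:5100   ESTABLISHED  1234/apache2
tcp        0      0 192.0.2.5:22     203.0.113.10:6001   SYN_RECV     -
tcp        0      0 192.0.2.5:22     203.0.113.10:6002   SYN_RECV     -
tcp        0      0 192.0.2.5:22     203.0.113.10:6003   SYN_RECV     -'

# Read netstat output on stdin; print "ip count" for every SYN_RECV source.
syn_recv_counts() {
    grep 'SYN_RECV' | awk '{print $5}' | awk -F: '{print $1}' \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Read netstat output on stdin; print one ipdrop command per source that is
# at or above THRESHOLD and not listed in ALLOW.
ipdrop_commands() {
    syn_recv_counts | while read -r ip count; do
        if [ "$count" -lt "$THRESHOLD" ]; then
            continue
        fi
        skip=0
        for a in $ALLOW; do
            if [ "$a" = "$ip" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then
            echo "ipdrop $ip on"
        fi
    done
}

# Dry run against the sample; on a real box: netstat -n -p | ipdrop_commands
printf '%s\n' "$SAMPLE_NETSTAT" | ipdrop_commands
```

Review the generated commands before piping them into a shell; the threshold is the knob that separates a flood from a busy legitimate client.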