Welcome to AppFail

Posted on 2010-04-02

Infrastructure Post

Crawling twitter earlier I came across a website that was offline due to a denial of service attack, and the owner was not sure when or if it would be back online. This piqued my interest and made me wonder what type of attack the site was suffering from, as some types can be successfully mitigated by experienced administrators. With this article I'll explain some of the different types of attack and mitigation techniques.

Resource exhaustion is one of the more insidious types of attack: it denies regular visitors the ability to load your site by holding down all of the server's resources with seemingly legitimate requests. Each web server has a limit to the number of requests it can service at once, and once that limit is exhausted, new requests have to be turned away. Slowloris is a specific form of this attack that takes advantage of the keepalive and pipelining features of HTTP to spend the least possible resources on the attacker's side for the greatest possible effect on the target. These features are designed to let a client keep a connection open so that additional requests complete more quickly; Slowloris keeps each connection open and, just before the maximum keepalive time runs out, makes another request to reset the timeout and keep the connection open again. This allows the attacker to run a very low bandwidth attack that nonetheless ties down all of the server's connection slots and prevents any new users from connecting. Mitigating this attack is a matter of adjusting the keepalive timeout, limiting concurrent connections per IP, and using a faster web server daemon, a reverse proxy or a load balancer that can hold the open connections while freeing up the back end web server.

SYN flooding is another popular type of denial of service attack. When you make a TCP/IP connection, a three way handshake takes place between the client and the server. A SYN flood performs only the initial part of this handshake and leaves the server waiting for the last part; once the SYN queue is full, no new connections can be made. FreeBSD and some other more advanced server operating systems support a mitigation method called SYN cookies. This works by strategically picking the sequence number and other flags of the packet the server sends back, and then deleting the SYN request from the queue. If, and only if, the client actually replies and finishes the three way handshake, the operating system can reconstruct the original SYN entry from that reply and complete the connection.
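Both of the conditions described so far, a handful of peers holding every connection slot and a queue of half-open handshakes, are visible in an ordinary socket listing before the site goes dark. The script below is an added example, not code from the original post or from AppFail; it parses a constructed sample of FreeBSD-style `netstat -an` output (FreeBSD prints addresses as `host.port`) and reports peers holding more than a threshold of established connections to the web port, which is the footprint of a Slowloris-style slot exhaustion, plus the number of connections stuck in SYN_RCVD, which is what a filling SYN queue looks like from userland. The sample listing, the IP addresses in it and the threshold of three are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of FreeBSD-style `netstat -an` output (not captured from a
# real host). The web server here listens on 10.0.0.5 port 80; the addresses
# and counts are made up to show one connection hog and a few half-open entries.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.80            203.0.113.7.51234      ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.7.51235      ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.7.51236      ESTABLISHED
tcp4       0      0 10.0.0.5.80            203.0.113.7.51237      ESTABLISHED
tcp4       0      0 10.0.0.5.80            198.51.100.20.40001    ESTABLISHED
tcp4       0      0 10.0.0.5.80            198.51.100.21.40002    TIME_WAIT
tcp4       0      0 10.0.0.5.80            192.0.2.10.1025        SYN_RCVD
tcp4       0      0 10.0.0.5.80            192.0.2.11.1026        SYN_RCVD
tcp4       0      0 10.0.0.5.80            192.0.2.12.1027        SYN_RCVD
tcp4       0      0 10.0.0.5.22            198.51.100.9.55000     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
"""

# One TCP socket line: proto, recv-q, send-q, local, foreign, state.
LINE_RE = re.compile(
    r"^(?P<proto>tcp[46]?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)


def split_host_port(addr):
    """Split FreeBSD's 'host.port' form into (host, port); '*.80' -> ('*', '80').
    Splitting on the last dot also works for IPv6 text such as '2001:db8::1.80'."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return (foreign_host, local_port, state) for every TCP line in the listing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and non-TCP sockets
        foreign_host, _ = split_host_port(m.group("foreign"))
        _, local_port = split_host_port(m.group("local"))
        records.append((foreign_host, local_port, m.group("state")))
    return records


def connection_hogs(records, local_port="80", threshold=3):
    """Return {ip: count} for peers holding more than `threshold` established
    connections to the web port. One peer holding many long-lived connections
    is the signature of a Slowloris-style slot exhaustion; a per-IP connection
    limit on the proxy or server is what caps this."""
    counts = Counter(
        host for host, port, state in records
        if port == local_port and state == "ESTABLISHED" and host != "*"
    )
    return {ip: n for ip, n in counts.items() if n > threshold}


def half_open_count(records, local_port="80"):
    """Count connections in SYN_RCVD on the web port: the server has answered the
    SYN and is waiting for the final ACK. A large or rapidly growing number here
    points at a SYN flood filling the queue, which SYN cookies are meant to absorb."""
    return sum(1 for _, port, state in records
               if port == local_port and state == "SYN_RCVD")


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print("connection hogs on :80:", connection_hogs(recs))
    print("half-open on :80:", half_open_count(recs))
```

Run against live output with `netstat -an | python3 thisfile.py` after swapping the constructed sample for `sys.stdin.read()`; the threshold should be set well above what a browser legitimately opens to one host, so the report names only peers that are plainly hoarding slots.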

The least elegant type of attack is the generic saturation flood. Usually a distributed attack (from multiple sources), it attempts to overwhelm the target's connection so it can't receive or respond to legitimate requests. ICMP and UDP are both popular for this type of attack because they have no flow control and do not require the cooperation of the target. ICMP flooding attacks can be additionally effective because they elicit a response from the target, saturating its connection in both directions. UDP can also evoke a response from the target, in the form of an ICMP message notifying the source that the UDP port it is attempting to reach is not open. To mitigate the outbound part of these attacks, you can limit the number of ICMP response packets your OS will send per second (net.inet.icmp.icmplim on FreeBSD) and suppress the port unreachable errors by adjusting the net.inet.udp.blackhole setting.
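The two FreeBSD knobs named above, together with net.inet.tcp.syncookies (the sysctl that controls the SYN cookie mechanism described in the previous section; the article itself does not name it), are easy to check mechanically. The following is an added example, not code from the original post or from AppFail: it parses a constructed sample of `sysctl` output, flags each knob whose value does not meet the mitigation the article describes, and emits the `/etc/sysctl.conf` lines that would make the change persistent. The sample values are made up; the value 200 for icmplim is only an illustrative cap, since the article prescribes none, and on FreeBSD a value of 0 turns the limit off, so the rule insists only that some positive limit exists.

```python
import re

# Constructed sample of FreeBSD `sysctl` output; the values are made up for the
# example. On a real host, run:
#   sysctl net.inet.tcp.syncookies net.inet.icmp.icmplim net.inet.udp.blackhole
SAMPLE_SYSCTL = """\
kern.ostype: FreeBSD
net.inet.tcp.syncookies: 0
net.inet.icmp.icmplim: 0
net.inet.udp.blackhole: 0
net.inet.tcp.blackhole: 0
"""

# Each rule: (sysctl name, predicate the current value must satisfy,
#             value to set when it does not, why it matters).
# icmplim is a per-second cap on ICMP replies; 0 disables the cap, so any
# positive value passes. 200 below is an illustrative setting, not a recommendation.
RULES = [
    ("net.inet.tcp.syncookies", lambda v: v == 1, 1,
     "SYN cookies let the kernel drop the half-open entry and rebuild it from the client's final ACK"),
    ("net.inet.icmp.icmplim", lambda v: v > 0, 200,
     "a positive value caps ICMP responses per second so a flood cannot saturate the uplink both ways"),
    ("net.inet.udp.blackhole", lambda v: v == 1, 1,
     "drops datagrams to closed UDP ports silently instead of answering with ICMP port unreachable"),
]

SYSCTL_LINE = re.compile(r"^(?P<name>[\w.]+):\s*(?P<value>-?\d+)\s*$")


def parse_sysctl(text):
    """Turn 'name: value' lines into {name: int}; non-integer values (strings,
    structs) and malformed lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        if m:
            values[m.group("name")] = int(m.group("value"))
    return values


def audit(values):
    """Return [(name, current_value_or_None, reason)] for every knob that is
    missing from the listing or fails its rule."""
    failing = []
    for name, ok, _, reason in RULES:
        current = values.get(name)
        if current is None or not ok(current):
            failing.append((name, current, reason))
    return failing


def remediation(findings):
    """Produce the /etc/sysctl.conf lines (applied at boot) for each finding."""
    wanted = {name: value for name, _, value, _ in RULES}
    return ["%s=%d" % (name, wanted[name]) for name, _, _ in findings]


if __name__ == "__main__":
    current = parse_sysctl(SAMPLE_SYSCTL)
    findings = audit(current)
    for name, value, reason in findings:
        print("%s is %s: %s" % (name, value, reason))
    print("\n".join(remediation(findings)))
```

The audit only reads the current values and prints what to change; applying the lines to `/etc/sysctl.conf` (or immediately with `sysctl name=value`) is left as a deliberate, reviewed step, because blackholing UDP and capping ICMP also affect legitimate diagnostics such as traceroute from the outside.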

The final type is the permanent denial of service attack, one that exploits a weakness or flaw in the operating system or software on the target to crash it or otherwise render it inoperable. These attacks include teardrop, ping of death, and buffer overflows. Mitigating them is a matter of making sure you have all of the latest patches applied, and possibly placing a special firewall in front of a vulnerable device to intercept and drop the illegitimate traffic.

Although it is never good to be on the receiving end of a Denial of Service attack, there are some things that can be done to mitigate the effects and allow your site to remain up even in the face of a determined attacker.

Get your site protected today by switching your hosting to ScaleEngine.com. Customized high availability hosting ensures optimal performance and continuous operation.

