Web services are among the most widely used applications in our lives. In this report we focus on the well-known Apache web server and give a brief study of its major vulnerabilities and attacks: the most widely known attacks, how they work to exploit Apache, and how to defend against them. Finally, we try to implement one of those attacks, DoS (denial of service), against an Apache web server, to help us study a practical case of a very common attack.
Part II Introduction
Every web site (the collection of HTML/CSS files, data files, scripts and other files) needs a web server. A web server is a piece of software that is responsible for showing you the documents you ask for when you type web addresses into your browser (examples of web servers are Apache, IIS and Netscape). The web server is used to store the data and to respond to requests over the Internet. The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade and freely available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.
Apache's main role is all about communication over networks, and it uses the TCP/IP protocol (Transmission Control Protocol/Internet Protocol, which allows devices with IP addresses within the same network to communicate with one another). The Apache server offers a number of services that clients might use. These services are offered using various protocols through different ports, and include: Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Domain Name Service (DNS) and File Transfer Protocol (FTP) for uploading and downloading files.
Why choose Apache

Apache is a solid, dependable, reliable Web server, developed by talented, dedicated developers who are deeply concerned about the quality of the product, and the quality of the code that goes into the product. They are all amateurs, in the original sense of that word. That is, they are not doing this development because they are paid to do so (although some lucky guys are actually paid to do this). They do it because they love it and want to see something good come out of it, and see millions of people use the results of their work.
Part III Literature review
In this section, we present principles every security professional should know. These principles have evolved over time and are part of the information security body of knowledge. Then we narrow the focus to Apache.
Common Security Vocabularies
At this point, a short vocabulary of frequently used security terms would be useful. You may know some of these terms, but some are specific to the security industry.
Weakness
A less-than-ideal aspect of a system, which can be used by attackers in some way to bring them closer to achieving their goals. A weakness may be used to gain more information or as a stepping-stone to other system parts.
Vulnerability
Usually a programming error with security consequences.
Exploit
A method (but it can be a tool as well) of exploiting a vulnerability. This can be used to break in or to increase user privileges (known as privilege elevation).
Attack vector
An entry point an adversary could use to attempt to break in. A popular technique for reducing risk is to close the entry point completely for the attacker. Apache running on port 80 is one example of an entry point.
Attack surface
The area within an entry point that can be used for an attack. This term is usually used in discussions related to the reduction of attack surface. For example, moving an e-commerce administration area to another IP address where it cannot be accessed by the public reduces the part of the application accessible by the attacker and reduces the attack surface and the risk.
Attacks (Reasons, Types and Avoidance)
Table 3-1 gives a list of reasons someone may attack you.
Reason: To grab an asset
Description: Attackers often want to acquire something valuable, such as a customer database with credit cards or some other confidential or private information.

Reason: To steal a service
Description: This is a special form of the previous category. The servers you have, with their bandwidth, CPU, and hard disk space, are assets. Some attackers will want to use them to send email, store pirated software, use them as proxies and starting points for attacks on other systems, or use them as zombies in automated distributed denial of service attacks.

Reason: Recognition
Description: Attacks, especially web site defacement attacks, are frequently performed to elevate one's status in the underground.

Reason: Thrill
Description: Some people love the thrill of breaking in. For them, the more secure a system, the bigger the thrill and desire to break in.

Reason: Mistake
Description: Well, this is not really a reason, but attacks happen by chance, too.

Table 3-1
Typical attacks on web systems

Table 3-2 gives a list of typical attacks on web systems and some ways to handle them.

Attack type: Denial of Service
Description: Any of the network, web-server, or application-based attacks that result in denial of service, a condition in which a system is overloaded and can no longer respond normally.
Mitigation: Prepare for attack. Inspect the application to remove application-based attack points.

Attack type: Exploitation of configuration errors
Description: These errors are our own fault. Surprisingly, they happen more often than you might think.
Mitigation: Create a secure initial installation. Plan changes, and assess the impact of changes before you make them. Implement independent assessment of the configuration on a regular basis.

Attack type: Exploitation of Apache vulnerabilities
Description: Unpatched or unknown problems in the Apache web server.
Mitigation: Patch promptly.

Attack type: Exploitation of application vulnerabilities
Description: Unpatched or unknown problems in deployed web applications.
Mitigation: Assess web application security before each application is deployed.

Attack type: Attacks through other services
Description: This is a catch-all category for all other unmitigated problems on the same network as the web server. For example, a vulnerable MySQL database server running on the same machine and open to the public.
Mitigation: Do not expose unneeded services, and compartmentalize.

Table 3-2

Denial of Service

A denial-of-service (DoS) attack is any action (initiated by a human or otherwise) that incapacitates your host's hardware, software, or both, rendering your system unreachable and therefore denying service to legitimate (or even illegitimate) users. In a DoS attack, the attacker's aim is straightforward: to knock your host(s) off the Net. Except when security teams test consenting hosts, DoS attacks are always malicious and unlawful. Denial of service is a persistent problem for two reasons. First, DoS attacks are quick, easy, and generate an immediate, noticeable result. Hence, they're popular among budding crackers, or kids with extra time on their hands. As a Web administrator, you should expect frequent DoS attacks; they're undoubtedly the most common type.
An Apache-Based Denial-of-Service Example

A serious Apache vulnerability surfaced on April 12, 2001, when Auriemma Luigi discovered (and William A. Rowe, Jr. confirmed) that attackers could send a custom URL via a Web browser and thereby hang Apache, or run the target's processor to 100% utilization. Attackers could perform this DoS attack in one of three ways:
* Issue a GET request consisting of 8,184 "/" characters
* Issue a HEAD request consisting of 8,182 "A" characters
* Issue an ACCEPT of 8,182 "/" characters
On both Windows 98 and Windows 2000, if an attacker sent two or more such strings from different connections, the target would crash (and all connections would thereafter fall idle). The problem affected all Apache versions earlier than version 1.3.20 on the following platforms: Microsoft Win32, Microsoft Windows NT, Microsoft Windows 2000 and OS/2. As reported by the Apache team (http://bugs.apache.org/index.cgi/full/7522):
"In the case of an extremely long URI, a deeply embedded parser properly discarded the request, returning the NULL pointer, and the next higher-level parser was not prepared for that contingency. Note further that accessing the NULL pointer created an exception caught by the OS, causing the apache process to be immediately terminated. While this exposes a denial-of-service attack, it does not pose an opportunity for any server exploits or data vulnerability."
Apache patched this problem in version 1.3.20. However, as I related earlier, Apache isn't your only concern. You must be ever diligent to monitor security advisory lists for your operating system and any applications or modules that run on your Web host.
Distributed denial-of-service (DDoS) attacks

In a typical DDoS attack, the attacker's army consists of master zombies and slave zombies. The attacker coordinates and orders the master zombies and they, in turn, coordinate and trigger the slave zombies. More specifically, the attacker sends an attack command to the master zombies, which activates all attack processes on those machines; these processes are in hibernation, waiting for the appropriate command to wake up and start attacking. Then the master zombies duplicate the attack commands to each of their slave zombies, ordering them to mount a DDoS attack against the victim. In this way, the zombie systems begin to send a large volume of packets to the victim, flooding it with useless load and exhausting its resources.
Figure 3-3
In DDoS attacks, spoofed source IP addresses are used in the packets of the attack traffic. Attackers prefer to use such counterfeit source IP addresses for two major reasons: first, to hide the identity of the zombies, so that the victim cannot trace the attack back to them; second, to discourage any attempt by the victim to filter out the malicious traffic.
Things Apache Can't Defend Against

Database issues
Apache may securely interface with this or that database, and that's fine. However, if your preferred database has security issues or vulnerabilities that have nothing to do with Apache, Apache cannot help.

Common Gateway Interface
You will doubtless include at least some CGI functionality on your site. Apache accounts for CGI security issues, at least those that revolve around permissions. This is great news, but by no means the end of the story. Bad CGI is bad CGI, and if you or your developers fail to observe CGI coding security practices, Apache won't save the day.

Environmental issues
Apache's code assumes that you've configured your underlying system properly and securely. If you haven't, Apache's raw power can then turn against you and offer crackers innumerable possibilities.

Inside jobs
More than 60% of all intrusions today stem from insiders, disgruntled employees, or other individuals to whom you entrust administrative privileges. Therefore, observing standard security policies (such as locking out fired developers) is paramount.

Third-party tools
Third-party modules, security related or otherwise, can sometimes harbor hidden or latent holes. Naturally, you'll want to enhance your Apache server's functionality, but in doing so, choose modules wisely. If you compile in, bind, or load a flawed module into Apache, the Apache core and its security facilities won't save the day.

Personal diligence
Crackers are busy folks, and find holes in applications every day. Therefore, you must constantly keep up to date on the security status of your underlying operating system, Apache, and any third-party modules you load. Security lists and advisories are invaluable resources in this regard, provided that you read them.
Network attacks
Apache cannot save your system from attacks that exploit network hardware or infrastructure beyond its control.
Examples of other Apache attacks
The Apache Slapper Worm

Everyone should be familiar with the Slapper worm, which surfaced in September 2002. A lot of people think it's not really about Apache but about OpenSSL; however, since the worm exploits Apache through an issue in OpenSSL, and since it is the most recent serious issue, it is worth covering here. It proceeds to infect other systems and calls back home to become a part of a distributed denial of service (DDoS) network. Some variants install a backdoor, listening on a TCP/IP port. The worm only works on Linux systems running on the Intel architecture. The behavior of this worm serves as an excellent case study and a good example of how some of the techniques used to secure Apache help in real life.
The worm uses a probing request to determine the web server make and version from the Server response header and attacks the servers it knows are vulnerable. A fake server signature would, therefore, protect from this worm. Subsequent worm mutations stopped using the probing request, but the initial version did and this still serves as an important point.
If a vulnerable system is found, the worm source code is uploaded (to /tmp) and compiled. The worm would not spread to a system without a compiler, to a system where the server is running from a jail, or to a system where code execution in the /tmp directory is disabled (for example, by mounting the partition with a noexec flag).
Proper firewall configuration, as discussed in Chapter 9, would stop the worm from spreading and would prevent the attacker from going into the server through the backdoor.
The Alan Ralsky DoS

In November 2002, Alan Ralsky, a well-known bulk-email operator, gave an interview describing what he does and how he makes money sending bulk email. The interview received wide publicity, reaching most technology-oriented web sites and, eventually, the very popular Slashdot technology news site. In the interview, Alan disclosed the purchase of a new home, and soon the address of the home found its way into a Slashdot comment. In an apparent retribution by the readers, Alan Ralsky was subscribed to hundreds of snail-mail mailing lists for ads, catalogues, and magazines. The subscriptions caused huge quantities of mail to arrive on his doorstep every day, effectively preventing Ralsky from using the address to receive the mail he wanted.
Attack toolkits

While there are numerous scripts that are used for scanning, compromising and infecting vulnerable machines, there are only a handful of DDoS attack tools that have been used to carry out the actual attacks.

Trinoo
This tool uses a handler/agent architecture wherein an attacker sends commands to the handler (the first system compromised in the series) via TCP, and handlers and agents communicate via UDP. Both handlers and agents are password-protected to try to prevent them from being taken over by another attacker. Trinoo generates UDP packets of a given size to random ports on one or multiple target addresses, during a specified attack interval.

Tribe Flood Network (TFN)
This tool uses a different type of handler/agent architecture. Commands are sent from the handler to all of the agents, from the command line. The attackers do not log in to the handler as with Trinoo. This tool can perform a UDP flood, a TCP SYN flood and Smurf attacks at specified or random victim ports. The attackers run commands from the handler using any of a number of connection methods (e.g., a remote shell bound to a TCP port, and UDP-based client/server remote shells). All commands sent from the handler to agents through ICMP packets are encoded, which hinders detection.

Tribe Flood Network 2000 (TFN2K)
An improved version of TFN, this includes several features designed specifically to make its traffic difficult to recognize and filter; to remotely execute commands; to obfuscate the true source of the traffic; and to transport TFN2K traffic over multiple transport protocols, including UDP, TCP, and ICMP. TFN2K obfuscates the true traffic source by spoofing source addresses.

LOIC (Low Orbit Ion Cannon)
This is the chosen tool in our experiment. LOIC is one of the first choices of attackers in the current era of DDoS 2.0. It is an open source network-attack application written in C#, which performs DoS/DDoS attacks on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests. An attacker downloads the LOIC client and configures it to connect to an IRC server. The victim server gets flooded with requests from all LOIC clients operating in hive mode. This is a classic Distributed Denial of Service (DDoS) using a botnet, except that in this case, attackers volunteer to join it. If you are using this tool even for testing purposes, be careful, because it does not include code for masking the originator's IP address, which will show up in the target server's logs and can easily be traced back to the user's ISP account, and eventually the local router.

Trinity
This is the first DDoS tool that is controlled via IRC. Upon compromise and infection by Trinity, each zombie joins a specified IRC channel and waits for commands. The use of a legitimate IRC service for communication between attacker and zombie replaces the classic independent handler, and elevates the level of the threat. It is also capable of launching several types of flooding attacks on a victim site, including UDP, IP fragment, TCP SYN, TCP RST, TCP ACK, and other floods. Now, due to regular security checks and patches, and signature-based IDS/IPS (Intrusion Detection/Prevention Systems), many of these tools have become less effective, and are not used by attackers. However, this has led to the next era of DDoS attacks, which is referred to as DDoS 2.0.

HTTP Slowloris
Recently, Slowloris has emerged as a perilous application DDoS attack. It disrupts application services by exhausting Web server connections. In the Slowloris attack, the attackers send an incomplete HTTP header, and then periodically send header lines to keep the connection alive, but they never send the full header. Without requiring much bandwidth, an attacker can open numerous connections and overwhelm the targeted Web server. While multiple patches have been created for Apache to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.

About DDoS 2.0
DDoS attacks are traditionally carried out by computer-based bots. DDoS 2.0 is considered to be a highly amplified class of DDoS attacks. Recently, a new breed of DDoS attacks has been uncovered that uses Web servers as payload-carrying bots. Using a basic software program equipped with a dashboard and control panel, attackers could configure the IP, port, and duration of the attack. Hackers simply need to type the Website URL they wish to attack, and they can instantly disable targeted sites.

Here are some points on why Web servers are used in DDoS 2.0:
* Servers provide a powerful DDoS attack platform, because they usually have greater bandwidth than a simple PC.
* Servers are always online, while a typical PC might go offline. Moreover, they are also rarely formatted.
* A Web server's outgoing traffic is usually less monitored by ISPs, because of a common misconception that a server's outgoing traffic is not as malicious as a PC's.
* By using Web servers as zombies, attackers are even less detectable, because trace-backs typically lead to a lone server at a random hosting company.
Part IV Methodology
In this part, we explain which attacks LOIC can perform and take a deeper look at the tool's functionality and architecture.
Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.
LOIC was initially developed by Praetox Technologies, but was later released into the public domain, and now is hosted on several open source platforms.
The software has inspired the creation of an independent JavaScript version called JS LOIC, as well as LOIC-derived web version called Low Orbit Web Cannon. These enable DoS from a web browser.
Figure 4-1
What does it do?

There are three types of attacks, each using a different packet type: UDP, TCP and HTTP. All attack types are similar; they open several connections to the same target host and continuously send a pre-defined string, set using the message parameter. In the UDP and TCP attacks, this string is simply sent in plain text, while in the HTTP attack the message is included in the contents of an HTTP GET message. When a huge amount of messages is sent, the target host becomes overloaded and can no longer reply to requests from legitimate users. The tool, however, does not attempt to protect the identity of the user, as the IP address of the attacker can be seen in all packets sent during the attacks.

Internet Service Providers can resolve the IP addresses to their client names, and therefore easily identify the attackers. Moreover, Web servers normally keep logs of all served requests, so that target hosts also have information about the attackers.

The following settings are available:
* IP/URL.
* Port.
* HTTP subsite.
* Append random chars to the subsite.
* Number of simultaneous threads.
* Wait for reply: determines for each thread whether to wait for a reply from the target before starting a new connection.
* Timeout: max time to wait for a reply.
* Attack speed.

All attack types provided by this tool are denial-of-service attacks.

Here is a simple scenario: an attacker sends a large number of requests to a Web server, for example, a website that hosts HD image files at a particular URL, say www.example.com/images/HD_images.html. Let's also assume that this page contains about 50-60 images. Now, every time a user reloads this page, it consumes a large portion of the Web server's bandwidth. Here, an attacker could design a separate HTML page, with an iframe embedded in it, like what is shown in figure 4-3.

<html>
<iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe>
</html>

Figure 4-3

Let's suppose that instead of a single iframe, the attacker copies and pastes the above code 1,000 times in the same page, and also adds a meta refresh tag as shown in figure 4-4.

<html>
<head>
<meta http-equiv="refresh" content="2">
</head>
<iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe>
<iframe src="http://www.example.com/images/HD_images.html" width="2" height="2"></iframe>
: (1000 times)
</html>

Figure 4-4

Such a page, when loaded, will send the same request 1,000 times every 2 seconds, and will consume a lot of the Web server's bandwidth. Thus, the target server will not be able to respond to other clients, and eventually, legitimate clients will be denied service from the server.
Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assume that example.com has abundant resources and considerable bandwidth (which is most often the case). It is then difficult for the attackers to generate a sufficient number of messages from a single machine (as in the above scenario) to overload those resources.
However, imagine the consequences if they got 100,000 machines under their control, in order to simultaneously generate requests to example.com. Each of the attacking machines (compromised machines that have been infected by malicious code) may be only moderately provisioned (have a slow processor and be on a mere modem link), but together, they form a formidable attack network which, with proper use, could overwhelm even a well-provisioned victim site. This is a distributed denial-of-service (DDoS) attack, and the machines under the attacker's control are termed zombies/agents.

What happens in each attack mode?
TCP Mode

TCP SYN flooding attacks: DoS attacks often exploit stateful network protocols, because these protocols consume resources to maintain state. TCP SYN flooding is one such attack, and has had a wide impact on many systems. When a client attempts to establish a TCP connection to a server, the client first sends a SYN message to the server. The server acknowledges this by sending a SYN-ACK message to the client. The client completes the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between them.

The abuse occurs in the half-open state, when the server is waiting for the client's ACK message after sending the SYN-ACK message to the client. The server needs to allocate memory to store information about the half-open connection, and this memory will not be released until the server either receives the final ACK message or the half-open connection times out.

Attackers can easily create half-open connections by spoofing source IPs in SYN messages, or by ignoring SYN-ACKs. The consequence is that the final ACK message will never be sent to the victim. Because the victim normally allocates only a limited amount of space in its process table, too many half-open connections will soon fill the space.

Even though the half-open connections will eventually expire due to their timeout, zombies can aggressively send spoofed TCP SYN packets, requesting connections at a much higher rate than the expiration rate. Finally, the victim will be unable to accept any new incoming connections, and thus cannot provide services.
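As an added defender-side illustration (not code from the original report), the following Python parses constructed `ss -tan`-style output from a web host and measures half-open (SYN-RECV) pressure both per source address and against the listen backlog, because spoofed sources spread the load thinly per address; the sample lines, thresholds and the 511 backlog value are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` (not captured from a real host).
# Columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      511    0.0.0.0:80           0.0.0.0:*
ESTAB      0      0      10.0.0.5:80          198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:80          203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:80          203.0.113.11:40002
SYN-RECV   0      0      10.0.0.5:80          203.0.113.12:40003
SYN-RECV   0      0      10.0.0.5:80          203.0.113.13:40004
SYN-RECV   0      0      10.0.0.5:80          192.0.2.9:50001
SYN-RECV   0      0      10.0.0.5:80          192.0.2.9:50002
SYN-RECV   0      0      10.0.0.5:80          192.0.2.9:50003
ESTAB      0      0      10.0.0.5:80          198.51.100.8:51235
"""


def parse_half_open(ss_text):
    """Return (total SYN-RECV count, Counter of SYN-RECV peers by IP, listen backlog)."""
    total = 0
    by_peer = Counter()
    backlog = None
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, send_q, local, peer = fields[0], fields[2], fields[3], fields[4]
        if state == "LISTEN" and local.endswith(":80"):
            # For a listening socket, ss reports the configured backlog in Send-Q.
            backlog = int(send_q)
        elif state == "SYN-RECV":
            total += 1
            by_peer[peer.rsplit(":", 1)[0]] += 1
    return total, by_peer, backlog


def assess_syn_pressure(ss_text, per_ip_threshold=3, backlog_fraction=0.5):
    """Two views of the same data: noisy real sources, and overall backlog fill.

    Thresholds are assumed values for the demonstration.
    """
    total, by_peer, backlog = parse_half_open(ss_text)
    findings = []
    # Case 1: a few unspoofed sources each holding many half-open connections.
    noisy = sorted(ip for ip, n in by_peer.items() if n >= per_ip_threshold)
    for ip in noisy:
        findings.append(f"{ip} holds {by_peer[ip]} half-open connections")
    # Case 2: spoofed sources look like one connection each, but together they
    # fill the listen backlog; only the aggregate count reveals that.
    if backlog and total >= backlog * backlog_fraction:
        findings.append(f"{total} half-open connections against a backlog of {backlog}")
    return total, noisy, findings
```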
UDP Mode

UDP flooding attacks: By patching or redesigning the implementation of the TCP and ICMP protocols, current networks and systems have incorporated new security features to prevent TCP and ICMP attacks. Nevertheless, attackers may simply send a large amount of UDP packets towards a victim. Since an intermediate network can deliver higher volumes of traffic than the victim network can handle, the flooding traffic can exhaust the victim's connection resources. Pure flooding can be done with any type of packets. Attackers can also choose to flood service requests so that the victim cannot handle all requests with its constrained resources (i.e., service memory or CPU cycles). UDP flooding is similar to flash crowds that occur when a large number of users try to access the same server simultaneously.

HTTP Mode

Slowloris: A Slow HTTP Denial of Service (DoS) attack, otherwise referred to as a Slowloris HTTP DoS attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted on a web server. A Slow HTTP DoS attack takes advantage of a vulnerability in thread-based web servers, which wait for entire HTTP headers to be received before releasing the connection. While some thread-based servers such as Apache make use of a timeout to wait for incomplete HTTP requests, the timeout, which is set to 300 seconds by default, is reset as soon as the client sends additional data. This creates a situation where a malicious user could open several connections on a server by initiating an HTTP request but never closing it. By keeping the HTTP request open and feeding the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. Naturally, if an attacker were to occupy all available HTTP connections on a web server, legitimate users would not be able to have their HTTP requests processed by the server, thus experiencing a denial of service. This enables an attacker to restrict access to a specific server with very low bandwidth utilization. This breed of DoS attack is starkly different from other DoS attacks such as SYN flood attacks, which misuse the TCP SYN (synchronization) segment during a TCP three-way handshake.

To make matters worse, Intrusion Detection Systems (IDS) do not commonly detect a Slow HTTP DoS attack, since the attack does not contain any malformed requests. The HTTP request will seem legitimate to the IDS, which will pass it on to the web server.
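The failure mode above is the timeout being reset by every trickle of data. The Python model below, added here and not part of the report, feeds the same two constructed client traces to both a reset-on-data policy with the 300 s default and a fixed-window policy in the style of Apache's mod_reqtimeout (initial window extended per byte received up to a hard cap); the window, cap and minimum rate values are assumptions, as is the event timing.

```python
# Each trace is a list of (seconds since connect, bytes received) events.

# Constructed Slowloris-style trace: a valid request line and Host header,
# then one bogus header line every 100 s, never the blank line that ends a header.
SLOWLORIS_TRACE = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")] + [
    (100.0 * i, b"X-a: b\r\n") for i in range(1, 31)
]

# Constructed legitimate trace: the whole header arrives within a second.
NORMAL_TRACE = [
    (0.0, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    (0.3, b"User-Agent: demo\r\nAccept: */*\r\n\r\n"),
]


def header_complete(buf):
    """An HTTP header ends at the first empty line (CRLF CRLF)."""
    return b"\r\n\r\n" in buf


def read_header_idle_timeout(events, idle_timeout=300.0):
    """Policy described in the text: the clock restarts whenever data arrives.

    Returns ("complete", t) or ("timeout", t) with the time the decision is made.
    """
    buf = b""
    last_activity = 0.0
    for t, chunk in events:
        if t - last_activity > idle_timeout:
            return ("timeout", last_activity + idle_timeout)
        buf += chunk
        last_activity = t
        if header_complete(buf):
            return ("complete", t)
    # The client went quiet; the connection was held until the idle timer fired.
    return ("timeout", last_activity + idle_timeout)


def read_header_deadline(events, initial=20.0, maximum=40.0, min_rate=500.0):
    """mod_reqtimeout-style policy (assumed parameters): the header gets an
    initial window; each received byte earns 1/min_rate seconds more, but the
    deadline can never exceed `maximum` seconds after connect."""
    buf = b""
    deadline = initial
    for t, chunk in events:
        if t > deadline:
            return ("timeout", deadline)
        buf += chunk
        if header_complete(buf):
            return ("complete", t)
        deadline = min(maximum, deadline + len(chunk) / min_rate)
    return ("timeout", deadline)


def compare_policies(events):
    """Convenience: how long each policy keeps the connection open."""
    return {
        "idle_timeout": read_header_idle_timeout(events),
        "deadline": read_header_deadline(events),
    }
```

With the Slowloris trace the reset-on-data policy holds the connection for 3300 s while the deadline policy releases it at about 20 s; the legitimate trace completes at 0.3 s under both.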
Deeper look at LOIC tool functionalities

In LOIC, most of the files are for creating the interface, but three of them are of interest: frmMain.cs, HTTPFlooder.cs and Program.cs. The frmMain.cs file generates the main part of the user interface; where the user specifies the URL or IP address of the target server, the program does a series of checks for valid addresses, port numbers, payload, etc., before running the DDoS code for whichever of the three methods (TCP, UDP or HTTP) is selected. In hive mode, commands are sent to the LOIC client through IRC. The IRC server, channel and port are set initially in the forms and defined in Program.cs, which uses the C# SmartIRC4NET library. In LOIC's default mode, the user has volunteered to join the rest of the LOIC users all over the world, thus forming a botnet, which collectively sends mass requests to the target server. If you face some difficulty in compiling LOIC, you can go for its binary here. However, besides LOIC, attackers also use a variety of other tools.

The goal of a Denial of Service (DoS) attack is to disrupt some legitimate activity, such as browsing Web pages, email functionality or the transfer of money from your bank account. It could even shut down the whole Web server. This denial-of-service effect is achieved by sending messages to the target machine such that the messages interfere with its operation and make it hang, crash, reboot, or do useless work. In a majority of cases, the attacker's aim is to deprive clients of desired server functionality. One way to interfere with legitimate operations is to exploit vulnerabilities on the target machine or application, by sending specially crafted requests targeting the given vulnerability (usually done with tools like Metasploit). Another way is to send a vast number of messages, which consume some key resource of the target machine, such as bandwidth, CPU time, memory, etc.

The target application, machine, or network spends all of its critical resources on handling the attack traffic, and cannot attend to legitimate clients. Of course, to generate such a vast number of requests, the attacker must possess a very powerful machine with a sufficiently fast processor and a lot of available network bandwidth. For the attack to be successful, it has to overload the target's resources. This means that an attacker's machine must be able to generate more traffic than the target, or its network infrastructure, can handle.

Distinct characteristics: As mentioned before, each LOIC HTTP request ends with a triple CRLF. This is very unusual for HTTP requests, although it has been seen in legitimate traffic as well.
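An added detection sketch in Python (not part of the report or the analysis it draws on) that checks constructed raw requests for the triple-CRLF trait and, because the text notes the trait also occurs in legitimate traffic, flags a source only when every one of several requests from it shows the trait; the sample requests, addresses and threshold are assumptions.

```python
from collections import Counter

TRIPLE_CRLF = b"\r\n\r\n\r\n"

# Constructed sample of (source IP, raw request bytes); not captured traffic.
# The first three mimic the trait described in the text: an otherwise ordinary
# GET whose header terminator (CRLF CRLF) is followed by one more CRLF.
SAMPLE_REQUESTS = [
    ("203.0.113.5", b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n\r\n"),
    ("203.0.113.5", b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n\r\n"),
    ("203.0.113.5", b"GET / HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n\r\n"),
    ("198.51.100.2", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"),
    # A single odd request from an otherwise normal client (constructed).
    ("198.51.100.9", b"GET /about HTTP/1.1\r\nHost: www.example.com\r\n\r\n\r\n"),
]


def parse_request_line(raw):
    """Return (method, target, version) from the first line of a raw request."""
    first = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, version = first.split(" ", 2)
    return method, target, version


def ends_with_triple_crlf(raw):
    """True when the request ends with the header terminator plus an extra CRLF."""
    return raw.endswith(TRIPLE_CRLF)


def flag_sources(requests, min_hits=3):
    """Return {source: count} for sources that sent at least `min_hits`
    requests and whose requests *all* carry the trait. A lone occurrence from
    a client whose other traffic is normal is deliberately not flagged."""
    hits, total = Counter(), Counter()
    for src, raw in requests:
        total[src] += 1
        if ends_with_triple_crlf(raw):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits and n == total[src]}
```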
Code analysis

The publicly available source code of the tool was analyzed. It was observed that the tool uses the Socket class supplied by the C# framework. This led to the conclusion that the TCP-layer behavior of the tool must be normal and therefore must follow regular TCP connection operations.

Experiment

We ran the tool in several scenarios where we defined different actions of connection handling and observed different outcomes. This was done for each of the three operating modes. Each time it identified the IP address of the web address, but we didn't complete the whole attack operation to avoid illegal risks. A paper from the Radware Security site that completed an experiment on this tool helped us to go on with our report.
Part V Results & Conclusion
Countermeasures for the LOIC attack tool were highly effective in the modes of operation where TCP is used (TCP or HTTP). Apparently, these are the most widely used operating modes in the wild. The tool's UDP mode was not affected at all by any of the countermeasures attempted. The reaction of the tool to different actions depends on whether the "Wait for reply" option is enabled. If the "Wait for reply" option is enabled, no difference was observed in the tool's reaction to either dropping or resetting the connection.

Sometimes the attack traffic drops in relatively the same way whether the attack traffic is dropped or the connection is reset. However, when the "Wait for reply" option is not enabled, the tool continues to initiate new connections if the attacking traffic is dropped, but it will stop initiating new connections if the connections are reset. If hackers use this tool directly from their own computers, instead of via anonymizing networks such as Tor, the real Internet address of the attacker is included in every Internet message being transmitted, therefore making it easy to trace back. We also found that these tools do not employ sophisticated techniques, such as IP spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third-party systems. The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address on the back of the envelope.
CONCLUSIONS Anonymous attacked large companies such as MasterCard, Visa and PayPal in 2010 and managed to take some of their websites down, which suggests that the tool the group used (LOIC) is powerful. A deeper understanding of the tool and of the available defences is therefore necessary. This research evaluated several defence methods against DDoS attacks executed with LOIC and identified which is the most effective.
After analysing the interface, output and source code of LOIC, we conclude that the tool does not implement any of the most common DDoS attacks but its own rather weak and buggy one, which has only a few similarities with typical bandwidth-exhaustion attacks. In particular, we observed that the tool uses a single thread to send traffic (regardless of the parameters set in the interface), and that it sometimes stops sending traffic to the victim altogether. One of the most widely used network intrusion detection systems already ships rule sets that detect DDoS attacks executed with LOIC.
Securing Apache from DDoS The number of simultaneous requests Apache will serve is bounded by the MaxClients directive (renamed MaxRequestWorkers in Apache 2.4), which is 256 by default. Connection attempts over that limit are queued by the kernel, up to the ListenBacklog value, 511 by default. Raising the backlog gives some headroom under a TCP SYN flood, but a longer queue does not by itself stop one: the effective SYN-flood defence is the kernel's SYN cookies (net.ipv4.tcp_syncookies on Linux), and the backlog is in any case capped by the kernel's own limit (net.core.somaxconn).
Using traffic-shaping modules: Traffic shaping is a technique that establishes control over web server traffic. Many Apache modules perform traffic shaping; their goal is usually to slow down a client IP address, or to control bandwidth consumption per virtual host, and as a side benefit they can also be used to blunt DDoS attacks. Some popular traffic-shaping modules: mod_limitipconn limits the number of simultaneous connections permitted from a single IP address; mod_throttle is intended to reduce the load on your server, and the data transfer generated by popular virtual hosts, directories, locations or users.
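The directives discussed above, as an added httpd.conf fragment written for this section (it is not taken from the report or from the Apache documentation). The numeric values are assumptions chosen for a mid-sized server; directive names are those of Apache 2.4, where MaxClients became MaxRequestWorkers; the mod_evasive thresholds are hypothetical and the whitelisted proxy address is an assumed example.

```apacheconf
# Added illustration: hardened httpd.conf fragment for Apache 2.4 (assumed values).
# Weak: the shipped defaults quoted in the text, left as they are.
#   MaxRequestWorkers 256      (called MaxClients before 2.4)
#   ListenBacklog 511
#   Timeout 60

# Worker capacity for the event MPM: MaxRequestWorkers = ServerLimit x ThreadsPerChild.
<IfModule mpm_event_module>
    ServerLimit        16
    ThreadsPerChild    64
    MaxRequestWorkers  1024
</IfModule>

# Accept queue. The kernel caps it (net.core.somaxconn on Linux), and a longer
# queue only adds headroom. SYN floods are handled by the kernel instead:
#   sysctl -w net.ipv4.tcp_syncookies=1
ListenBacklog 2048

# Give up on idle clients sooner so they do not hold a worker.
Timeout 30
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# mod_evasive (formerly mod_dosevasive): per-IP request thresholds and a
# temporary blacklist. Whitelist the office proxy (assumed address) so that
# its users are not all cut off together.
<IfModule evasive20_module>
    DOSHashTableSize   3097
    DOSPageCount       5
    DOSPageInterval    1
    DOSSiteCount       100
    DOSSiteInterval    1
    DOSBlockingPeriod  60
    DOSWhitelist       127.0.0.1
    DOSWhitelist       198.51.100.2
</IfModule>
```

Apache rejects comments placed on the same line as a directive, so every comment sits on its own line. Check the result with `apachectl -t` before reloading.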
mod_bwshare accepts or rejects HTTP requests from each client IP address based on that address's past downloads. Apart from these, one module designed specifically as a remedy for Apache DoS attacks is mod_dosevasive (now maintained as mod_evasive). It lets you set a maximum number of requests from the same IP address within an interval; once the threshold is reached, the address is blacklisted for the period you specify. The drawback is that users do not, in general, have unique IP addresses: many browse through proxies or sit behind NAT (network address translation), so blacklisting a proxy blacklists every user behind it. Traffic-shaping modules, which slow a client down rather than cut it off, should therefore come higher on your priority list.
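To show what mod_dosevasive's per-IP threshold does, and why the NAT caveat above matters, here is an added example (not the module's code, and not from the report): a Python sliding-window counter that replays constructed Apache combined-format log lines, blacklists an address that exceeds a per-second request count, and releases it once the blocking period has passed. All addresses, user agents and log lines are constructed; the 50-requests-per-second threshold and 10-second block are assumed for the illustration. The replay shows that a flooding host and a busy office proxy look the same to the counter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def log_line(ip, when, path="/", agent="Mozilla/5.0"):
    """Build one constructed combined-log line (sample data, not real traffic)."""
    stamp = when.strftime(TIME_FMT)
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.0" 200 512 "-" "{agent}"'


def parse(line):
    """Return (client_ip, unix_timestamp, user_agent) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ip, stamp, agent = m.groups()
    return ip, datetime.strptime(stamp, TIME_FMT).timestamp(), agent


class PerIpGuard:
    """Sliding-window per-IP request counter with a temporary blacklist.
    Assumed thresholds: more than `site_count` requests from one address
    within `site_interval` seconds blocks it for `block_period` seconds."""

    def __init__(self, site_count=50, site_interval=1.0, block_period=10.0):
        self.site_count = site_count
        self.site_interval = site_interval
        self.block_period = block_period
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}            # ip -> time the block expires

    def check(self, ip, ts):
        """Return "allowed" or "blocked" for a request from `ip` at time `ts`."""
        if self.blocked_until.get(ip, 0) > ts:
            return "blocked"
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.site_interval:
            window.popleft()               # expire requests older than the window
        if len(window) > self.site_count:
            self.blocked_until[ip] = ts + self.block_period
            window.clear()
            return "blocked"
        return "allowed"


def replay(lines, guard=None):
    """Run every log line through the guard; return per-IP verdict counts."""
    guard = guard or PerIpGuard()
    verdicts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in lines:
        ip, ts, _agent = parse(line)
        verdicts[ip][guard.check(ip, ts)] += 1
    return dict(verdicts)


def build_sample():
    """Constructed traffic: one flooder, one NAT proxy, one ordinary visitor."""
    t0 = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Flooder: 200 requests for the same page within one second.
    lines += [log_line("203.0.113.7", t0, agent="flood-client") for _ in range(200)]
    # Flooder returns 5 s later (still blocked) and 15 s later (block expired).
    lines.append(log_line("203.0.113.7", t0 + timedelta(seconds=5)))
    lines.append(log_line("203.0.113.7", t0 + timedelta(seconds=15)))
    # Office NAT: 60 different users, each fetching one distinct page, in one second.
    lines += [log_line("198.51.100.2", t0, path=f"/page{i}", agent=f"Browser-{i}")
              for i in range(60)]
    # Ordinary visitor: one request per second.
    lines += [log_line("192.0.2.10", t0 + timedelta(seconds=i)) for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, counts in replay(build_sample()).items():
        print(ip, counts)
```

The flooder is cut off after its 51st request and readmitted once the 10-second block has lapsed, but the proxy's 60 distinct users are cut off in exactly the same way, which is the caveat in the text. The real module also keeps a stricter per-page count per address; the usual remedies for the proxy problem are whitelisting known proxies or, when a trusted reverse proxy sits in front of Apache, keying on the client address it forwards rather than on the proxy's own.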
References
- Maximum Apache Security, Anonymous
- Apache Security, Ivan Ristic (O'Reilly)
- Apache Cookbook, Rich Bowen and Ken Coar (O'Reilly)
- Web Hacking: Attacks and Defense, Stuart McClure, Saumil Shah and Shreeraj Shah
- Web Security Testing Cookbook, 1st edition, Paco Hope and Ben Walther
- Wikipedia
- Apache.org
Division of Work Mohammed Al Hadi: abstract and introduction; part of the literature review.
Hatim Khalafallah: part of the literature review; methodology and conclusion.