Apache Security and Attacks

  • 8/11/2019 Apache Security and Attacks

    1/36

Fifth year

Networks Security & Disaster Recovery course

Report name: Apache Web Server Security & Attacks

Prepared by:


    Part II

    Introduction

Every web site (the collection of HTML/CSS files, data files, scripts and other files) needs a web server. A web server is a piece of software that is responsible for showing you the documents you ask for when you type web addresses into your browser (examples of web servers are Apache, IIS and Netscape). The web server stores the data and responds to requests over the Internet. The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade and freely available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.


Apache's main role is all about communication over networks, and it uses the TCP/IP protocol (Transmission Control Protocol/Internet Protocol, which allows devices with IP addresses within the same network to communicate with one another).

The Apache server offers a number of services that clients might use. These services are offered using various protocols through different ports, and include: Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Domain Name Service (DNS) and File Transfer Protocol (FTP) for uploading and downloading files.

Why choose Apache

Apache is a solid, dependable, reliable Web server, developed by talented, dedicated developers who are deeply concerned about the quality of the product, and the quality of the code that goes into the product. They are all amateurs, in the original sense of that word. That is, they are not doing this development because they are paid to do so (although some lucky guys are actually paid to do this). They do it because they love it and want to see something good come out of it, and see millions of people use the results of their work.


    Part III

    Literature review

In this section, we will present principles every security professional should know. These principles have evolved over time and are part of the information security body of knowledge. Then we will narrow the focus to Apache.

    Common Security Vocabularies

At this point, a short vocabulary of frequently used security terms would be useful. You may know some of these terms, but some are specific to the security industry.

Weakness

A less-than-ideal aspect of a system, which can be used by attackers in some way to bring them closer to achieving their goals. A weakness may be used to gain more information or as a stepping-stone to other system parts.

Vulnerability

Usually a programming error with security consequences.


Exploit

A method (but it can be a tool as well) of exploiting a vulnerability. This can be used to break in or to increase user privileges (known as privilege elevation).

Attack vector

An entry point an adversary could use to attempt to break in. A popular technique for reducing risk is to close the entry point completely for the attacker. Apache running on port 80 is one example of an entry point.

Attack surface

The area within an entry point that can be used for an attack. This term is usually used in discussions related to the reduction of attack surface. For example, moving an e-commerce administration area to another IP address where it cannot be accessed by the public reduces the part of the application accessible by the attacker and reduces the attack surface and the risk.

Attacks (Reasons, Types & Avoidance)

Table 3-1 gives a list of reasons someone may attack you.

Reason: To grab an asset
Description: Attackers often want to acquire something valuable, such as a customer database with credit cards or some other confidential or private information.

Reason: To steal a service
Description: This is a special form of the previous category. The servers you have, with their bandwidth, CPU, and hard disk space, are assets. Some attackers will want to use them to send email, store pirated software, use them as proxies and starting points for attacks on other systems, or use them as zombies in automated distributed denial of service attacks.

Reason: Recognition
Description: Attacks, especially web site defacement attacks, are frequently performed to elevate one's status in the underground.

Reason: Thrill
Description: Some people love the thrill of breaking in. For them, the more secure a system, the bigger the thrill and desire to break in.

Reason: Mistake
Description: Well, this is not really a reason, but attacks happen by chance, too.

Table 3-1

Typical attacks on web systems

Table 3-2 gives a list of typical attacks on web systems and some ways to handle them.

Attack type: Denial of Service
Description: Any of the network, web-server, or application-based attacks that result in denial of service, a condition in which a system is overloaded and can no longer respond normally.
Mitigation: Prepare for attack. Inspect the application to remove application-based attack points.

Attack type: Exploitation of configuration errors
Description: These errors are our own fault. Surprisingly, they happen more often than you might think.
Mitigation: Create a secure initial installation. Plan changes, and assess the impact of changes before you make them. Implement independent assessment of the configuration on a regular basis.

Attack type: Exploitation of Apache vulnerabilities
Description: Unpatched or unknown problems in the Apache web server.
Mitigation: Patch promptly.

Attack type: Exploitation of application vulnerabilities
Description: Unpatched or unknown problems in deployed web applications.
Mitigation: Assess web application security before each application is deployed.

Attack type: Attacks through other services
Description: This is a catch-all category for all other unmitigated problems on the same network as the web server. For example, a vulnerable MySQL database server running on the same machine and open to the public.
Mitigation: Do not expose unneeded services, and compartmentalize.

Table 3-2

Denial of Service

A denial-of-service (DoS) attack is any action (initiated by a human or otherwise) that incapacitates your host's hardware, software, or both, rendering your system unreachable and therefore denying service to legitimate (or even illegitimate) users.

In a DoS attack, the attacker's aim is straightforward: to knock your host(s) off the Net. Except when security teams test consenting hosts, DoS attacks are always malicious and unlawful.

Denial of service is a persistent problem for two reasons. First, DoS attacks are quick, easy, and generate an immediate, noticeable result. Hence, they're popular among budding crackers, or kids with extra time on their hands. As a Web administrator, you should expect frequent DoS attacks; they're undoubtedly the most common type.

An Apache-Based Denial-of-Service Example

A serious Apache vulnerability surfaced on April 12, 2001, when Auriemma Luigi discovered (and William A. Rowe, Jr. confirmed) that attackers could send a custom URL via Web browser and thereby hang Apache, or run the target's processor to 100% utilization. Attackers could perform this DoS attack in one of three ways:

Issue a GET request consisting of 8,184 / characters

Issue a HEAD request consisting of 8,182 A characters

Issue an ACCEPT of 8,182 / characters


In both Windows 98 and Windows 2000, if an attacker sent two or more strings from different connections, the targets would crash (and all connections would thereafter fall idle).

The problem affected all Apache versions earlier than version 1.3.20 on the following platforms:

Microsoft Win32

Microsoft Windows NT

Microsoft Windows 2000

OS/2

As reported by the Apache team (http://bugs.apache.org/index.cgi/full/7522):

"In the case of an extremely long URI, a deeply embedded parser properly discarded the request, returning the NULL pointer, and the next higher-level parser was not prepared for that contingency. Note further that accessing the NULL pointer created an exception caught by the OS, causing the apache process to be immediately terminated. While this exposes a denial-of-service attack, it does not pose an opportunity for any server exploits or data vulnerability."

Apache patched this problem in version 1.3.20. However, as I related earlier, Apache isn't your only concern. You must be ever diligent to monitor security advisory lists for your operating system and any applications or modules that run on your Web host.

Distributed denial-of-service (DDoS) attacks

In a typical DDoS attack, the attacker's army consists of master zombies and slave zombies. The attacker coordinates and orders master zombies and they, in turn, coordinate and trigger slave zombies. More specifically, the attacker sends an attack command to the master zombies, and activates all attack processes on those machines, which are in hibernation, waiting for the appropriate command to wake up and start attacking.

Then the master zombies duplicate the attack commands to each of their slave zombies, ordering them to mount a DDoS attack against the victim. In this way, the zombie systems begin to send a large volume of packets to the victim, flooding it with useless loads, and exhausting its resources.

    Figure 3-3

In DDoS attacks, spoofed source IP addresses are used in the packets of the attack traffic. Attackers prefer to use such counterfeit source IP addresses for two major reasons: first, to hide the identity of the zombies, so that the victim cannot trace the attack back to them. The second reason is to discourage any attempt by the victim to filter out the malicious traffic.

Things Apache Can't Defend Against

Database issues

Apache may securely interface with this or that database, and that's fine. However, if your preferred database has security issues or vulnerabilities that have nothing to do with Apache, Apache cannot help.

Common Gateway Interface

You will doubtless include at least some CGI functionality on your site. Apache accounts for CGI security issues, at least those that revolve around permissions. This is great news, but by no means the end of the story. Bad CGI is bad CGI, and if you or your developers fail to observe CGI coding security practices, Apache won't save the day.

Environmental issues

Apache's code assumes that you've configured your underlying system properly and securely. If you haven't, Apache's raw power can then turn against you and offer crackers innumerable possibilities.


Inside jobs

More than 60% of all intrusions today stem from insiders, disgruntled employees, or other individuals to whom you entrust administrative privileges. Therefore, observing standard security policies (such as locking out fired developers) is paramount.

Third-party tools

Third-party modules, security related or otherwise, can sometimes harbor hidden or latent holes. Naturally, you'll want to enhance your Apache server's functionality, but in doing so, choose modules wisely. If you compile in, bind, or load a flawed module to Apache, Apache core and security facilities won't save the day.

Personal diligence

Crackers are busy folks, and find holes in applications every day. Therefore, you must constantly keep up to date on the security status of your underlying operating system, Apache, and any third-party modules you load. Security lists and advisories are invaluable resources in this regard, providing that you read them.

Network attacks

Apache cannot save your system from attacks that exploit network hardware or infrastructures beyond its control.


to a system where the server is running from a jail, or to a system where code execution in the /tmp directory is disabled (for example, by mounting the partition with a noexec flag).

Proper firewall configuration, as discussed in Chapter 9, would stop the worm from spreading and would prevent the attacker from going into the server through the backdoor.

The Alan Ralsky DoS

In November 2002, Alan Ralsky, a well-known bulk-email operator, gave an interview describing what he does and how he makes money sending bulk email. The interview received wide publicity reaching most technology-oriented web sites and, eventually, the very popular Slashdot technology news site. In the interview, Alan disclosed the purchase of a new home, and soon the address of the home found its way into a Slashdot comment. In an apparent retribution by the readers, Alan Ralsky was subscribed to hundreds of snail-mail mailing lists for ads, catalogues, and magazines. Subscriptions caused huge quantities of mail to arrive on his doorstep every day, effectively preventing Ralsky from using the address to receive the mail he wanted.


Attack toolkits

While there are numerous scripts that are used for scanning, compromising and infecting vulnerable machines, there are only a handful of DDoS attack tools that have been used to carry out the actual attacks.

Trinoo

This tool uses a handler/agent architecture wherein an attacker sends commands to the handler (the first system compromised in the series) via TCP, and handlers and agents communicate via UDP. Both handlers and agents are password-protected to try to prevent them from being taken over by another attacker. Trinoo generates UDP packets of a given size to random ports on one or multiple target addresses, during a specified attack interval.

Tribe Flood Network (TFN)

This tool uses a different type of handler/agent architecture. Commands are sent from the handler to all of the agents, from the command line. The attackers do not log in to the handler as with Trinoo. This tool can perform a UDP flood, a TCP SYN flood and Smurf attacks at specified or random victim ports. The attackers run commands from the handler using any of a number of connection methods (e.g., a remote shell bound to a TCP port, and UDP-based client/server remote shells). All commands sent from the handler to agents through ICMP packets are encoded, which hinders detection.

Tribe Flood Network 2000 (TFN2K)

An improved version of TFN, this includes several features designed specifically to make its traffic difficult to recognize and filter; to remotely execute commands; to obfuscate the true source of the traffic, and to transport TFN2K traffic over multiple transport protocols, including UDP, TCP, and ICMP. TFN2K obfuscates the true traffic source by spoofing source addresses.

LOIC (Low Orbit Ion Cannon)

This is the chosen tool in our experiment.

LOIC is one of the first choices of attackers in the current era of DDoS 2.0. It is an open source network-attack application written in C#, which performs DoS/DDoS attacks on a target site by flooding the server with TCP packets, UDP packets, or HTTP requests.

An attacker downloads the LOIC client and configures it to connect to an IRC server. The victim server gets flooded with requests from all LOIC clients, operating in hive mode. This is a classic Distributed Denial of Service (DDoS) using a botnet, except that in this case, attackers volunteer to join it.


If you are using this tool even for testing purposes, be careful, because it does not include code for masking the originator's IP address, which will show up in the target server's logs and can easily be traced back to the user's ISP account, and eventually the local router.

Trinity

This is the first DDoS tool that is controlled via IRC. Upon compromise and infection by Trinity, each zombie joins a specified IRC channel and waits for commands. The use of a legitimate IRC service for communication between attacker and zombie replaces the classic independent handler, and elevates the level of the threat. It is also capable of launching several types of flooding attacks on a victim site, including UDP, IP fragment, TCP SYN, TCP RST, TCP ACK, and other floods.

Now, due to regular security checks and patches, and signature-based IDS/IPS (Intrusion Detection/Prevention Systems), many of these tools have become less effective, and are not used by attackers. However, this has led to the next era of DDoS attacks, which is referred to as DDoS 2.0.

HTTP Slowloris

Recently, Slowloris has emerged as a perilous application DDoS attack. It disrupts application services by exhausting Web server connections. In the Slowloris attack, the attackers send an incomplete HTTP header, and then periodically send header lines to keep the connection alive, but they never send the full header. Without requiring much bandwidth, an attacker can open numerous connections, and overwhelm the targeted Web server. While multiple patches have been created for Apache to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.

About DDoS 2.0

DDoS attacks are traditionally carried out by computer-based bots. DDoS 2.0 is considered to be a highly amplified class of DDoS attacks. Recently, a new breed of DDoS attacks has been uncovered that uses Web servers as payload-carrying bots. Using a basic software program equipped with a dashboard and control panel, attackers could configure the IP, port, and duration of the attack. Hackers simply need to type the Website URL they wish to attack, and they can instantly disable targeted sites.

Here are some points on why Web servers are used in DDoS 2.0:

* Servers provide a powerful DDoS attack platform, because they usually have greater bandwidth than a simple PC.

* Servers are always online, while a typical PC might go offline. Moreover, they are also rarely formatted.

* A Web server's outgoing traffic is usually less monitored by ISPs, because of a common misconception that a server's outgoing traffic is not as malicious as a PC's.

* By using Web servers as zombies, attackers are even less detectable, because trace backs typically lead to a lone server at a random hosting company.


Part IV

Methodology

In this part, we will explain what attacks LOIC can perform and take a deeper look at the tool's functionality and architecture.

Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.

LOIC was initially developed by Praetox Technologies, but was later released into the public domain, and is now hosted on several open source platforms.

The software has inspired the creation of an independent JavaScript version called JS LOIC, as well as a LOIC-derived web version called Low Orbit Web Cannon. These enable DoS from a web browser.


    Figure 4-1

What does it do?

There are three types of attacks, each using a different packet type: UDP, TCP and HTTP. All attack types are similar; they open several connections to the same target host and continuously send a pre-defined string, set using the message parameter.

In the UDP and TCP attacks, this string is simply sent in plain text, while in the HTTP attack the message is included in the contents of an HTTP GET message. When a huge number of messages is sent, the target host becomes overloaded and can no longer reply to requests from legitimate users.

The tool, however, does not attempt to protect the identity of the user, as the IP address of the attacker can be seen in all packets sent during the attacks.


Internet Service Providers can resolve the IP addresses to their client names, and therefore easily identify the attackers. Moreover, Web servers normally keep logs of all served requests, so that target hosts also have information about the attackers.
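The logs mentioned above are the defender's main evidence of a LOIC-style HTTP flood: every connection the tool opens arrives from the operator's real address and requests the same target path over and over. The following Python script is an added example, not part of the report and not LOIC's code; it parses constructed Apache combined-format log lines and flags any source that exceeds an assumed request-count threshold within a sliding time window.

```python
"""Per-source request-rate detection over Apache access-log lines.

Added example, not from the report or from LOIC. The log lines, the
window length and the threshold are constructed/assumed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format, e.g.
# 203.0.113.7 - - [08/Nov/2019:10:00:01 +0000] "GET /images/HD_images.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/ts/req/status, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Map each source IP that sent more than max_requests within any
    window_seconds-long sliding window to its peak count in such a window.
    Lines are assumed to be in the order Apache wrote them (chronological)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # timestamps older than the window no longer count
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def _line(ip, second, path):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [08/Nov/2019:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')


# Constructed sample: one ordinary visitor and one source hammering the
# same page 30 times in five seconds, as the LOIC HTTP mode would.
SAMPLE_LOG = (
    [_line("198.51.100.5", 0, "/index.html")]
    + [_line("203.0.113.7", s // 6, "/images/HD_images.html") for s in range(30)]
    + [_line("198.51.100.5", 4, "/images/HD_images.html"),
       _line("198.51.100.5", 9, "/about.html")]
)

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The window and threshold are deliberately simple and would be tuned per site. Note the limit of the check: it catches the single-operator case the report describes (one address, many requests), not a volumetric DDoS from many distinct clients, which a per-source rule will not trip.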

The following settings are available:

* IP/URL.

* Port.

* HTTP subsite.

* Append random chars to the subsite.

* Number of simultaneous threads.

* Wait for reply: determines for each thread whether to wait for a reply from the target before starting a new connection.

* Timeout: maximum time to wait for a reply.

* Attack speed.

All attack types provided by this tool are denial of service attacks.

Here is a simple scenario: an attacker sends a large number of requests to a Web server, for example, a website that hosts HD image files at a particular URL, say www.example.com/images/HD_images.html.


Let's also assume that this page contains about 50-60 images. Now, every time a user reloads this page, it consumes a large portion of the Web server's bandwidth. Now, here, an attacker could design a separate HTML page, with an iframe embedded in it, like what's shown in figure 4-3.

Figure 4-3

Let's suppose that instead of a single iframe, the attacker copies and pastes the above code 1,000 times in the same page, and also adds a meta refresh tag as shown in figure 4-4.


Such a page, when loaded, will send the same request 1,000 times every 2 seconds, and will consume a lot of the Web server's bandwidth. Thus, the target server will not be able to respond to other clients, and eventually, legitimate clients will be denied services from the server.

Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assume that example.com has abundant resources and considerable bandwidth (which is most often the case). It is then difficult for the attackers to generate a sufficient number of messages from a single machine (as in the above scenario) to overload those resources.

However, imagine the consequences if they got 100,000 machines under their control, in order to simultaneously generate requests to example.com. Each of the attacking machines (compromised machines that have been infected by malicious code) may be only moderately provisioned (have a slow processor and be on a mere modem link), but together, they form a formidable attack network which, with proper use, could overwhelm even a well-provisioned victim site. This is a distributed denial-of-service (DDoS) attack, and the machines under the attacker's control are termed zombies/agents.


What happens during each attack mode?

TCP Mode

TCP SYN flooding attacks: DoS attacks often exploit stateful network protocols, because these protocols consume resources to maintain state. TCP SYN flooding is one such attack, and has had a wide impact on many systems. When a client attempts to establish a TCP connection to a server, the client first sends a SYN message to the server. The server acknowledges this by sending a SYN-ACK message to the client. The client completes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between them.

The abuse occurs at the half-open state when the server is waiting for the client's ACK message, after sending the SYN-ACK message to the client. The server needs to allocate memory to store information about the half-open connection, and this memory will not be released until the server either receives the final ACK message, or the half-open connection expires (times out).

Attackers can easily create half-open connections by spoofing source IPs in SYN messages, or ignoring SYN-ACKs. The consequence is that the final ACK message will never be sent to the victim. Because the victim normally only allocates a limited amount of space in its process table, too many half-open connections will soon fill the space.

Even though the half-open connections will eventually expire due to their timeout, zombies can aggressively send spoofed TCP SYN packets, requesting connections at a much higher rate than the expiration rate. Finally, the victim will be unable to accept any new incoming connections, and thus cannot provide services.
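The rate argument in the last paragraph (spoofed SYNs arriving faster than half-open entries expire) can be made concrete with a small model. The Python below is an added example, not from the report; it treats the server's half-open table as a fixed number of slots, each held for the timeout the text mentions, and reports when the table fills and how many later SYNs, legitimate ones included, are refused. Table size, timeout and rates are assumed values.

```python
"""Half-open connection table under a SYN flood.

Added example, not from the report: a discrete-time model of the
"limited space in the process table" the text describes. Every accepted
SYN takes one slot for timeout_seconds (its ACK never arrives), and a
slot is freed only when that timeout expires. All numbers are assumptions.
"""
from collections import deque


def simulate_backlog(syns_per_second, backlog_size, timeout_seconds, duration_seconds):
    """Return (second when the table first filled, or None; total SYNs dropped).

    `pending` holds the expiry time of each half-open entry, oldest first,
    so expiring an entry is a pop from the left.
    """
    pending = deque()
    dropped = 0
    first_full = None
    for t in range(duration_seconds):
        while pending and pending[0] <= t:
            pending.popleft()  # timeout reached: slot released
        for _ in range(syns_per_second):
            if len(pending) < backlog_size:
                pending.append(t + timeout_seconds)
            else:
                dropped += 1  # no slot: this SYN (legitimate or not) is refused
                if first_full is None:
                    first_full = t
    return first_full, dropped


def equilibrium_half_open(syns_per_second, timeout_seconds):
    """Little's law: entries present at steady state = arrival rate x lifetime.
    If this exceeds the backlog size, the table fills no matter how short
    each individual entry lives."""
    return syns_per_second * timeout_seconds


if __name__ == "__main__":
    BACKLOG, TIMEOUT = 1024, 60  # assumed table size and half-open timeout
    for rate in (10, 50):
        full_at, dropped = simulate_backlog(rate, BACKLOG, TIMEOUT, 120)
        print(f"{rate} SYN/s: equilibrium {equilibrium_half_open(rate, TIMEOUT)} entries,"
              f" table full at t={full_at}, {dropped} SYNs dropped in 120 s")
```

The equilibrium function is the sizing rule that follows from the text: the table holds at most backlog_size entries, so any sustained rate above backlog_size / timeout fills it, and shortening the timeout or enlarging the table only raises that bar linearly.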

UDP Mode

UDP flooding attacks: By patching or redesigning the implementation of the TCP and ICMP protocols, current networks and systems have incorporated new security features to prevent TCP and ICMP attacks. Nevertheless, attackers may simply send a large amount of UDP packets towards a victim. Since an intermediate network can deliver higher volumes of traffic than the victim network can handle, the flooding traffic can exhaust the victim's connection resources.

Pure flooding can be done with any type of packets. Attackers can also choose to flood service requests so that the victim cannot handle all requests with its constrained resources (i.e., service memory or CPU cycles). UDP flooding is similar to flash crowds that occur when a large number of users try to access the same server simultaneously.


HTTP Mode

Slowloris: A Slow HTTP Denial of Service (DoS) attack, otherwise referred to as a Slowloris HTTP DoS attack, makes use of HTTP GET requests to occupy all available HTTP connections permitted on a web server.

A Slow HTTP DoS attack takes advantage of a vulnerability in thread-based web servers which wait for entire HTTP headers to be received before releasing the connection. While some thread-based servers such as Apache make use of a timeout to wait for incomplete HTTP requests, the timeout, which is set to 300 seconds by default, is reset as soon as the client sends additional data.

This creates a situation where a malicious user could open several connections on a server by initiating an HTTP request but not closing it. By keeping the HTTP request open and feeding the server bogus data before the timeout is reached, the HTTP connection will remain open until the attacker closes it. Naturally, if an attacker were to occupy all available HTTP connections on a web server, legitimate users would not be able to have their HTTP requests processed by the server, thus experiencing a denial of service.

This enables an attacker to restrict access to a specific server with very low utilization of bandwidth. This breed of DoS attack is starkly different from other DoS attacks such as SYN flood attacks, which misuse the TCP SYN (synchronization) segment during a TCP three-way handshake.

To make matters worse, Intrusion Detection Systems (IDS) do not commonly detect a Slow HTTP DoS attack since the attack does not contain any malformed requests. The HTTP request will seem legitimate to the IDS, which will pass it on to the web server.
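The two passages on Slowloris (the overview in the attack-toolkit section and the HTTP-mode description here) both turn on one detail: the 300-second timeout restarts whenever any byte arrives, so a client that trickles one header line per interval holds its connection indefinitely. The Python below is an added example, not from the report and not Apache's code; it replays a constructed slow-header timeline against that reset-on-data policy and against an absolute deadline that is extended only in proportion to bytes actually received, which is the scheme Apache's mod_reqtimeout (RequestReadTimeout) provides. Timings and thresholds are assumptions.

```python
"""Header read timeout policies against a slow-header (Slowloris) client.

Added example, not from the report or from Apache's source. It replays a
constructed timeline of one connection and asks, for each policy, whether
the connection is still open, was closed, or completed its header. The
timings and thresholds are assumptions chosen for the demo.
"""

HEADER_END = b"\r\n\r\n"


def header_complete(buf):
    """An HTTP request header is finished once the blank line arrives."""
    return HEADER_END in buf


def reset_on_data(events, idle_timeout, observe_until):
    """The behaviour the text describes: the timer restarts on every byte.
    events: [(seconds, bytes), ...] in order. Returns ('completed', t),
    ('closed', t) or ('open', observe_until)."""
    buf, last = b"", 0.0
    for t, data in events:
        if t - last > idle_timeout:
            return ("closed", last + idle_timeout)
        buf += data
        last = t
        if header_complete(buf):
            return ("completed", t)
    if last + idle_timeout < observe_until:
        return ("closed", last + idle_timeout)
    return ("open", observe_until)


def deadline_with_min_rate(events, initial, maximum, min_rate, observe_until):
    """Absolute deadline for the whole header: starts at `initial` seconds,
    earns one extra second per `min_rate` bytes actually received, and never
    exceeds `maximum`. Trickling a few bytes no longer keeps the slot."""
    buf = b""
    for t, data in events:
        deadline = min(initial + len(buf) / min_rate, maximum)
        if t > deadline:
            return ("closed", deadline)
        buf += data
        if header_complete(buf):
            return ("completed", t)
    deadline = min(initial + len(buf) / min_rate, maximum)
    if deadline < observe_until:
        return ("closed", deadline)
    return ("open", observe_until)


def slow_header_events(gap_seconds, until_seconds):
    """Constructed timeline: a real-looking request line, then one short
    bogus header line every gap_seconds, never the terminating blank line."""
    events = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n")]
    t = gap_seconds
    while t <= until_seconds:
        events.append((float(t), b"X-a: b\r\n"))
        t += gap_seconds
    return events


# Constructed timeline of a slow but honest client on a poor link.
LEGIT_EVENTS = [
    (0.0, b"GET / HTTP/1.1\r\n"),
    (4.0, b"Host: www.example.com\r\n"),
    (8.0, b"\r\n"),
]

if __name__ == "__main__":
    attack = slow_header_events(100, 1000)
    print("reset-on-data, 300 s:", reset_on_data(attack, 300, 1000))
    print("deadline 20-40 s, 500 B/s:", deadline_with_min_rate(attack, 20, 40, 500, 1000))
    print("honest slow client:", deadline_with_min_rate(LEGIT_EVENTS, 20, 40, 500, 1000))
```

The honest-but-slow client in LEGIT_EVENTS completes under both policies, which is the check to run before tightening a header deadline: it has to leave room for real clients on poor links while still closing a connection that sends a few bytes every hundred seconds.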

Deeper look at LOIC tool functionality

In LOIC, most of the files are for creating the interface, but three of them are of interest: frmMain.cs, HTTPFlooder.cs and Program.cs.

The frmMain.cs file generates the main part of the user interface, where the user specifies the URL or IP address of the target server; the program does a series of checks for valid addresses, port numbers, payload, etc., before running the DDoS code for whichever of the three methods (TCP, UDP or HTTP) is selected.

In hive mode, commands are sent to the LOIC client through IRC. The IRC server, channel and port are set initially in the forms and defined in Program.cs, which uses the C# SmartIRC4NET library. In LOIC's default mode, the user has volunteered to join the rest of the LOIC users all over the world, thus forming a botnet, which collectively sends mass requests to the target server.


If you face some difficulty in compiling LOIC, you can go for its binary here. However, besides LOIC, attackers also use a variety of other tools.

The goal of a Denial of Service (DoS) attack is to disrupt some legitimate activity, such as browsing Web pages, email functionality or the transfer of money from your bank account. It could even shut down the whole Web server. This denial-of-service effect is achieved by sending messages to the target machine such that the messages interfere with its operation and make it hang, crash, reboot, or do useless work.

In a majority of cases, the attacker's aim is to deprive clients of desired server functionality.

One way to interfere with legitimate operations is to exploit vulnerabilities on the target machine or application, by sending specially crafted requests targeting the given vulnerability (usually done with tools like Metasploit). Another way is to send a vast number of messages, which consume some key resource of the target machine, such as bandwidth, CPU time, memory, etc. The target application, machine, or network spends all of its critical resources on handling the attack traffic, and cannot attend to legitimate clients.

Of course, to generate such a vast number of requests, the attacker must possess a very powerful machine, with a sufficiently fast processor and a lot of available network bandwidth. For the attack to be successful, it has to overload the target's resources. This means that an attacker's machine must be able to generate more traffic than a target, or its network infrastructure, can handle.


    Distinct characteristics:

    As mentioned before, each LOIC HTTP request ends with a triple CRLF. This is very unusual for HTTP requests, although it has been seen in legitimate traffic as well.
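The triple-CRLF ending can be turned into a simple traffic check. The following Python is an added example written for this point of the report, not code from LOIC or from any IDS; the sample requests and addresses are constructed, and the repetition threshold is this example's own choice, reflecting the caveat that one such request is not proof of anything.

```python
from collections import Counter

TRIPLE_CRLF = b"\r\n\r\n\r\n"


def header_terminator(raw):
    """Classify how a raw HTTP request ends: "triple" for the LOIC-style
    CRLF CRLF CRLF, "double" for the normal CRLF CRLF, "other" for anything
    else (truncated data, bare LF line endings, a request carrying a body)."""
    if raw.endswith(TRIPLE_CRLF):
        return "triple"
    if raw.endswith(b"\r\n\r\n"):
        return "double"
    return "other"


def request_summary(raw):
    """Return (method, path) from the request line, or (None, None) if the
    request line is malformed, so the indicator can be logged with context."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return (None, None)
    return (parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"))


def suspicious_sources(observed, threshold=10):
    """observed: iterable of (src_ip, raw_request). Return the source IPs that
    sent at least `threshold` triple-CRLF requests. Because the pattern also
    occurs in legitimate traffic, one hit is ignored; only repetition counts."""
    hits = Counter(src for src, raw in observed if header_terminator(raw) == "triple")
    return {src for src, n in hits.items() if n >= threshold}


# Constructed samples (not captured traffic).
LOIC_STYLE = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n\r\n"
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE = ([("203.0.113.5", LOIC_STYLE)] * 12      # repeat offender
          + [("198.51.100.7", NORMAL)] * 12       # ordinary browser
          + [("198.51.100.9", LOIC_STYLE)])       # single hit: not reported

if __name__ == "__main__":
    for src, raw in SAMPLE[:1] + SAMPLE[-1:]:
        print(src, request_summary(raw), header_terminator(raw))
    print(suspicious_sources(SAMPLE))  # {'203.0.113.5'}
```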

    Code analysis

    The publicly available source code of the tool was analyzed. It was observed that the tool uses the Socket class, which is supplied by the C# framework. This led to the conclusion that the TCP-layer behavior of the tool must be normal, and that it must therefore follow regular TCP connection operations.

    Experiment

    We ran the tool in several scenarios where we defined different actions of connection handling and observed different outcomes. This was done for each of the three operating modes. Each time it identified the IP address of the web address, but we didn't complete the whole attack operation to avoid illegal risks. A paper from the Radware Security site that completed an experiment on this tool helped us to go on with our report.


    Part V

    Results & Conclusion

    Countermeasures for the LOIC attack tool were highly effective in modes of operation where TCP is used (TCP or HTTP). Apparently, these are the most widely used operating modes in the wild. The tool's UDP mode was not affected at all by any countermeasures attempted. The reaction of the tool to different actions depends on whether the "Wait for reply" option is enabled. If the "Wait for reply" option is enabled, no difference was observed in the tool's reaction to either dropping or resetting the connection.

    Sometimes the attack traffic drops in roughly the same way whether the attack traffic is dropped or the connection is reset. However, when the "Wait for reply" option is not enabled, the tool continues to initiate new connections if the attacking traffic is dropped, but it will stop initiating new connections if connections are reset.

    If hackers use this tool directly from their own computers, instead of via anonymizing networks such as Tor, the real Internet address of the attacker is included in every Internet message being transmitted, therefore making it easy to trace back. We also found that these tools do not employ sophisticated techniques, such as IP spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third-party systems. The current attack technique can therefore be compared to overwhelming someone with letters, but putting your real home address on the back of the envelope.

    CONCLUSIONS

    Anonymous attacked big companies like MasterCard, Visa and PayPal in 2010, and was even able to take some of their websites down. This suggests that the tool used by the group (LOIC) is powerful. Therefore, a deeper understanding of the tool and the available defenses is necessary. This research aimed at evaluating some defense methods against DDoS attacks executed using LOIC, pointing out which one is the most effective.

    After analyzing the interface, output and source code of LOIC, we can conclude that the tool does not implement any of the most common DDoS attacks, but its own rather weak and buggy attack, which has only a few similarities with typical bandwidth-exhaustion attacks. In particular, we observed in our experiments that the tool uses a single thread to send traffic (regardless of setup parameters from the interface), and that sometimes it completely stops sending traffic to the victim.

    is currently one of the most used network intrusion detection systems, and already has rule sets available to protect against DDoS attacks executed using LOIC.


    Securing Apache from DDoS

    The limit on the number of simultaneous requests that will be served by Apache is decided by the MaxClients directive, which is set to 256 by default. Any connection attempts over this limit will normally be queued, up to a number based on the ListenBacklog directive, which is 511 by default. However, it is best to increase this, to prevent TCP SYN flood attacks.

    Using traffic-shaping modules: Traffic shaping is a technique that establishes control over Web server traffic. Many Apache modules perform traffic shaping, and their goal is usually to slow down a (client) IP address, or to control the bandwidth consumption at the per-virtual-host level. On the positive side, these can also be used to prevent DDoS attacks. The following are some popular traffic-shaping modules:

    mod_limitipconn limits the number of simultaneous downloads permitted from a single IP address.

    mod_throttle is intended to reduce the load on your server, and the data transfer generated by popular virtual hosts, directories, locations, or users.

    mod_bwshare accepts or rejects HTTP requests from each client IP address, based on past downloads by that client IP address.

    Apart from the above, one module that is designed specifically as a remedy for Apache DoS attacks is mod_dosevasive. This module will allow you to specify a maximum number of requests executed by the same IP address. If the threshold is reached, the IP address is blacklisted for the time period you specify. The only problem with this module is that users, in general, do not have unique IP addresses. Many users browse through proxies, or are hidden behind a NAT (network address translation) system. Blacklisting a proxy will cause all users behind it to be blacklisted. Hence, it is recommended to keep traffic-shaping modules higher in your priority list.
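To make the mechanism and its caveat concrete, here is an added Python illustration (it is not mod_dosevasive's code; the class, its parameter names and the log lines are this example's own constructions): a per-IP request threshold with a timed blacklist, replayed over a constructed log in which a NAT gateway fronting many legitimate users trips the same threshold as a single flooding host.

```python
from collections import defaultdict, deque


class EvasiveLimiter:
    """Block a source IP for block_seconds once it sends more than max_requests
    requests inside any window_seconds interval (names are this example's own)."""

    def __init__(self, max_requests=10, window_seconds=1.0, block_seconds=10.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block_for = block_seconds
        self.recent = defaultdict(deque)  # ip -> request timestamps in the window
        self.blocked_until = {}           # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if the request from ip at time now should be served."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False
            del self.blocked_until[ip]    # block has expired; start counting afresh
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget timestamps outside the window
            q.popleft()
        if len(q) > self.max_requests:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return False
        return True


def replay(log_lines, limiter):
    """Feed constructed 'timestamp ip path' lines through the limiter and return
    {ip: [served, blocked]} so the effect on each source can be compared."""
    outcome = defaultdict(lambda: [0, 0])
    for line in log_lines:
        ts, ip, _path = line.split()
        outcome[ip][0 if limiter.allow(ip, float(ts)) else 1] += 1
    return dict(outcome)


# Constructed log (not captured data): one flooding host, one NAT gateway whose
# 30 legitimate users collectively look just like the flood, and one lone user.
FLOOD = [f"{i * 0.02:.2f} 198.51.100.7 /" for i in range(50)]
NAT_USERS = [f"{i * 0.05:.2f} 203.0.113.1 /page{i % 12}.html" for i in range(30)]
LONE_USER = [f"{i * 0.5:.2f} 192.0.2.4 /index.html" for i in range(4)]
LOG = sorted(FLOOD + NAT_USERS + LONE_USER, key=lambda line: float(line.split()[0]))

if __name__ == "__main__":
    print(replay(LOG, EvasiveLimiter()))
```

With the defaults, both the flooding host and the NAT gateway are served 10 requests and then blocked for the rest of the log, while the lone user is never blocked; this is the collateral damage the paragraph above warns about.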



    Divided Works

    Mohammed Al Hadi: Abstract & Introduction / part of literature review.

    Hatim Khalafallah: Part of literature review / Methodology & Conclusion.
