
amazon web services - AWS DNS DDoS mitigation




I have an AWS server that is currently under DDoS via DNS amplification. I've set up CloudWatch logs for the VPC ACL and it's logging an enormous amount of rejected DNS traffic. Despite that traffic being rejected, my primary server is unreachable.



I have a secondary server on the same VPC and subnet that can be reached without any problem.



Why is it that I can access one but not the other? The ACL should be filtering the traffic at the subnet level. So if one is unreachable then they both should be unreachable, but that's not the case.



And how does one mitigate a DNS amplification attack on AWS? AWS certainly has big enough pipes. Why is the ACL not doing the job?


Answer



I ended up solving the issue.




There were a couple of issues actually. I had only blocked UDP port 53 (DNS) and, as it turns out, there were other ports being attacked. Since my server is just a web server, I was able to block all UDP traffic in the ACL. That solved one side of the attack.



They were also overloading my web server with large POST requests from compromised WordPress installs. I was able to add a few lines to my Nginx configuration that dropped requests from WordPress user agents and also blocked large POST requests.



These were the settings I used in the http section of the Nginx config.



    # Cap request bodies so oversized POSTs are rejected with 413 instead of buffered
    client_max_body_size 10k;
    client_body_buffer_size 10k;
    # Keep header buffers small; requests with bloated headers get 400/414
    client_header_buffer_size 1k;
    large_client_header_buffers 2 1k;
    # Short timeouts so slow or idle clients free their connection slots quickly
    client_body_timeout 6;
    client_header_timeout 6;
    keepalive_timeout 5;
    send_timeout 10;


Then in the server section of the Nginx config I set up a drop for WordPress and wget initiated requests.



    # Case-insensitive match on the User-Agent header; reject WordPress and wget clients
    if ($http_user_agent ~* (wordpress|wget)) {
        return 403;
    }


These settings made the server a lot more difficult to bring down.



I also used iptables to rate limit incoming HTTP connections.



    # Rate limit new connections to port 80
    # Record every new connection's source address in the (default) recent list
    -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
    # Drop a source that has opened 20 or more new connections within the last 20 seconds
    -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 20 --hitcount 20 -j DROP


Then I used iptables to limit the maximum number of simultaneous connections to port 80.



    # Limit concurrent connections for a class B to port 80
    # Match SYN packets only; count established connections per source /16 (mask 16),
    # so legitimate clients sharing that /16 with an attacker are rejected as well
    -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 16 --connlimit-saddr -j REJECT --reject-with tcp-reset
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT



These things together made my servers much more difficult to DDoS. I'm now using multiple front end servers to reverse proxy requests to a backend server. I set up DNS round robin to expose the multiple IP addresses. This last additional step increased the amount of total bandwidth I could handle in an attack that got past all the other defenses.



So far the remaining attacks have not been able to take down my server.
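As an added example (not from the original question or answer), the script below aggregates REJECTed records from AWS VPC Flow Logs in the default version 2 format by protocol and port, which is how one finds the "other ports" a flood is actually hitting. Reflected DNS answers reach the victim with source port 53 and arbitrary destination ports, so grouping rejected UDP bytes by source port shows which reflector type is in play; all log lines, addresses and account/interface IDs are constructed.

```python
from collections import Counter

# Default VPC Flow Log v2 field order (see the AWS flow-log documentation).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (not real traffic): reflected DNS answers arrive
# with *source* port 53 and random destination ports, one NTP reflection
# (source port 123), two accepted web hits, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 53 41234 17 1200 1536000 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.10 53 51211 17 980 1254400 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 123 60001 17 400 192000 1500000000 1500000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 44321 80 6 20 4000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.6 10.0.1.10 44322 443 6 15 3000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per usable record; malformed and NODATA lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec

def rejected_by_port(text):
    """Map (proto, srcport, dstport) -> bytes for every REJECTed flow."""
    totals = Counter()
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            proto = PROTO.get(rec["protocol"], str(rec["protocol"]))
            totals[(proto, rec["srcport"], rec["dstport"])] += rec["bytes"]
    return totals

def reflected_udp_by_source_port(text):
    """Collapse rejected UDP bytes onto the source port; reflection floods show
    as a few well-known source ports (53, 123, ...) hitting many destination ports."""
    by_src = Counter()
    for (proto, sport, _dport), nbytes in rejected_by_port(text).items():
        if proto == "udp":
            by_src[sport] += nbytes
    return by_src
```

`reflected_udp_by_source_port(SAMPLE_LOG).most_common()` ranks the reflector source ports by rejected volume, while `rejected_by_port` keeps the full per-destination-port breakdown for writing ACL rules.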

