What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a coordinated attack, distributed among different computers, that aims to prevent the authorized use of one or more systems.
These web server DDoS attacks have become the weapon of choice for malicious actors to carry out cyber attacks. They are used by different types of attackers, from experienced cybercriminals to bored teens.
One of the assets most often targeted by attackers is a victim’s public web server. While these servers may not (and should not) hold much sensitive or critical information, they are a prime target because of their immediate public visibility and, therefore, the potential financial impact of an attack.
This article lists a number of protection mechanisms to defend against DDoS attacks on web servers, specifically Apache web servers.
Types of DDoS attacks
There are three types of DDoS attacks:
- A volumetric attack, carried out by overwhelming the available bandwidth;
- A traffic attack, carried out by abusing available system resources;
- An application attack, executed while exhausting available system resources.
Sometimes attackers combine different types of attacks into a single campaign.
One of the most observed types of attacks is a volumetric attack, especially an amplification-based attack. In an amplification attack, packets with a spoofed source address are sent to a vulnerable service. This service will then respond with a much larger response to the spoofed address (the victim).
Motivation for the attacks
Why do people carry out DDoS attacks? This can be for a variety of reasons, but essentially anything that bothers the attacker can be enough to trigger an incident.
The motivation can be a political or ideological protest, blackmail, a smokescreen to hide other attacks, a show of technical skills, or maybe just because someone is bored.
Be prepared for web server DDoS attacks
There are a number of preventative steps you can take to prepare for an attack, but you should understand that there isn’t always adequate defense against some large-scale strikes. Sometimes you just have to wait for the attacker to lose interest and move on to the next target.
What can you do to prepare for a DDoS attack? It starts with some good practices:
- Understand your environment and prioritize your assets.
- Apply best practices for configuring network devices, systems, and services.
- Monitor and record your networks, systems and services.
- Have an incident response plan.
- Have a crisis communication and business continuity plan.
When designing your incident response plan, you should also consider how you should interact with your ISP, service providers, CERTs, and law enforcement in the event of an attack. Setting up these communication channels and methods of exchanging information in advance allows you to focus on the heart of the problem during an incident: incident management.
Attackers can launch a volumetric attack against a website, but can also launch an application or traffic attack. When it is a volumetric attack, mitigation is most often done at the network level, while application and traffic types have some mitigation at the web service level.
Service protection for Apache
For one of the more popular web servers, Apache, there are a few mitigation solutions available.
ModSecurity is an open source web application firewall. It enables application security monitoring and access control in real time. Its sets of protection rules allow you to inspect HTTP traffic and reliably block unwanted traffic. It allows you to troubleshoot session management issues and block SQL injection attempts. More importantly, it has an open architecture, so you can enable only the features you feel are necessary.
One of ModSecurity’s greatest strengths is virtual patching: you are protected against vulnerabilities in applications that you are not yet able to fix.
With ModSecurity, you can protect and harden your website against unwanted malicious traffic and reduce the size of the possible attack vector.
Another item you can add to your arsenal of protection is mod_evasive. This is a module for Apache that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack.
The module tracks HTTP connections and checks how many requests for a page are made in a given amount of time. If the number of concurrent requests exceeds a specified threshold, the request is blocked. This blocking is done at the application level. The requester receives a Forbidden response to the request.
The setup and installation (on Ubuntu) is quite easy. The module is available as a package:
sudo apt-get install libapache2-mod-evasive
You must then create the logs directory. (Note: Make sure the directory is owned by the web user; in most cases it is www-data.)
sudo mkdir /var/log/mod_evasive
Then activate the module for the Apache web server.
sudo a2enmod evasive
The default configuration file /etc/apache2/mods-available/evasive.conf will take you very far. You may want to add your management and proxy networks to the DOSWhitelist setting so as not to block your own network. Also be sure to change DOSEmailNotify to a working email address, otherwise you will not receive notifications from mod_evasive.
If you are not sure of the correct configuration options, test your configuration with a Perl script that is part of the installed package. The script executes a number of simultaneous HTTP requests, which should trigger the module.
The third method to protect your web server is Fail2ban. Fail2ban scans log files and bans IP addresses that show malicious signs. It is most often used to block SSH brute-force attempts, but you can also use it to block repeated requests to your web resources.
Fail2ban uses a list of regular expressions and checks these expressions against a set of log files. If there are matches that exceed a certain threshold, then the source IP of the request is blocked. The IP address is blocked at the network level.
Similar to mod_evasive, installing on Ubuntu is easy.
sudo apt-get install fail2ban
After installing the package, you must copy the default configuration file to a working configuration file.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Add your own management and proxy networks to ignoreip and define a working email address for block notifications. I also advise you to set usedns to no.
Fail2ban uses jails to describe the services that need to be protected. By default, Fail2ban enables the SSH jail. If you don’t want it, turn off the SSH jail. You can then add an apache-ddos jail containing custom configuration settings to protect your web server. Note that you can use pattern matching in the log path (for example, /var/log/apache*/*access.log).
This will start a jail with the filter apache-ddos. Filters are defined in /etc/fail2ban/filter.d/. Add the file apache-ddos.conf in this location.
This filter will block IPs that make repeated HEAD requests or repeated POST requests to xmlrpc.php. If you are unsure of the exact configuration or regular expressions, see the examples provided (e.g. apache-badbots, apache-noscript, etc.).
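The matching-and-threshold behaviour described for Fail2ban above, together with the kind of apache-ddos jail and filter this section refers to, as an added Python example that is not the article's own configuration. The jail values, the two failregex lines and the sample log lines are constructed assumptions, and `\S+` stands in for Fail2ban's real `<HOST>` pattern.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime

CONFIG = r"""
# /etc/fail2ban/jail.local (constructed example; thresholds are assumptions)
[apache-ddos]
enabled = true
port = http,https
filter = apache-ddos
logpath = /var/log/apache*/*access.log
maxretry = 5
findtime = 10
bantime = 600
# /etc/fail2ban/filter.d/apache-ddos.conf (constructed; regexes are assumptions)
[Definition]
failregex = ^<HOST> -.*"HEAD .*
            ^<HOST> -.*"POST .*xmlrpc\.php.*
"""
STAMP = re.compile(r"\[([^\]]+)\]")  # first [...] field is the request time

def banned_hosts(lines, config=CONFIG):
    """Return hosts whose filter matches reach maxretry within findtime seconds."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config)
    maxretry, findtime = (cfg.getint("apache-ddos", k) for k in ("maxretry", "findtime"))
    # Fail2ban expands <HOST> to an address pattern; \S+ is a simplification.
    rules = [re.compile(r.strip().replace("<HOST>", r"(?P<host>\S+)"))
             for r in cfg["Definition"]["failregex"].splitlines() if r.strip()]
    hits, banned = defaultdict(list), []
    for line in lines:
        match = next(filter(None, (rx.search(line) for rx in rules)), None)
        stamp = STAMP.search(line)
        if not (match and stamp):
            continue  # not a request the filter cares about
        now = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        host = match.group("host")
        hits[host] = [t for t in hits[host] if now - t <= findtime] + [now]
        if len(hits[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def sample_log():  # constructed lines: a burst, a slow client, normal browsing
    row = '{} - - [10/Oct/2023:13:{:02d}:{:02d} +0000] "{} HTTP/1.1" 200 0 "-" "-"'
    burst = [row.format("203.0.113.7", 0, s, "POST /xmlrpc.php") for s in range(6)]
    slow = [row.format("198.51.100.9", m, 0, "HEAD /") for m in range(6)]
    normal = [row.format("192.0.2.44", 0, s, "GET /") for s in range(10)]
    return burst + slow + normal
```

Widening findtime shows why the window needs tuning: with `findtime = 600` the slow HEAD client in the sample is banned as well.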
The list of blocked IPs can be viewed if you list the active firewall rules (iptables -L -n). You can remove a blocked IP with:
fail2ban-client set apache-ddos unbanip 184.108.40.206
The fail2ban-client command is a command line utility useful for getting the status of current jails, reloading the configuration, adding individual IP addresses to a jail, or stopping and restarting the service.
DDoS attacks are very difficult to fight, especially if you are facing a volumetric attack. There are a few solutions for Apache web servers that can limit the damage caused by excessive traffic and application attacks. Some of them, such as ModSecurity, will filter malicious traffic, while other solutions will block network-level (Fail2ban) or application-level (mod_evasive) traffic.
The key to all of this is having multiple lines of defense and adjusting the configuration of the different solutions to work together and provide an integrated solution.