DOS Prevention – Step by step guide

DOS is the most common attacks which is used by many attackers. DOS (Denial of Service) attacks which flows the bandwidth (data packets), to interrupt the services of victim IP address or URLs. Ethical Hacking researchers of International Institute of Cyber Security stimulated the DOS attack and demonstrated on how to block IP address if there is any DOS attack is occurring.

Fail2Ban is used to block suspicious IP address which are sending multiple requests on Server IP address. Fail2ban scans the logs file & blocks IP addresses which has make too many login attempts. Fail2ban updates the firewall policy to deny new connection from suspicious IP addresses.

Kali Linux – 192.168.1.9
Ubuntu – 192.168.1.8

DOS Attack From Ubuntu OS

  • Here we will run DOS attack using slowloris. Slowloris is very common tool used in DOS attacks.
  • Open terminal on Ubuntu machine (Attacker)
    • Type sudo apt-get update
    • Type sudo apt-get install python3
    • Type sudo apt-get install python3-pip
  • Type pip3 –version
root@ubuntu:/home/iicybersecurity# pip3 --version
 pip 9.0.1 from /usr/lib/python3/dist-packages (python 3.6)
  • Type pip3 install slowloris
root@ubuntu:/home/iicybersecurity# pip3 install slowloris
 Collecting slowloris
   Downloading https://files.pythonhosted.org/packages/a6/37/5ae3d027727122039f52a22d278f1d73f564e03e5fdb93f10e3a2f26aa06/Slowloris-0.2.0.tar.gz
 Building wheels for collected packages: slowloris
   Running setup.py bdist_wheel for slowloris … done
   Stored in directory: /root/.cache/pip/wheels/bd/a1/f1/35dd5184db4e890b6ff5c992ff1f7a1b8b30e9bcd89aa6f7ba
 Successfully built slowloris
 Installing collected packages: slowloris
 Successfully installed slowloris-0.2.0
  • Type slowloris –help
root@ubuntu:/home/iicybersecurity# slowloris --help
 usage: slowloris [-h] [-p PORT] [-s SOCKETS] [-v] [-ua] [-x]
                  [--proxy-host PROXY_HOST] [--proxy-port PROXY_PORT] [--https]
                  [--sleeptime SLEEPTIME]
                  [host]
 Slowloris, low bandwidth stress test tool for websites
 positional arguments:
   host                  Host to perform stress test on
 optional arguments:
   -h, --help            show this help message and exit
   -p PORT, --port PORT  Port of webserver, usually 80
   -s SOCKETS, --sockets SOCKETS
                         Number of sockets to use in the test
   -v, --verbose         Increases logging
   -ua, --randuseragents
                         Randomizes user-agents with each request
   -x, --useproxy        Use a SOCKS5 proxy for connecting
   --proxy-host PROXY_HOST
                         SOCKS5 proxy host
   --proxy-port PROXY_PORT
                         SOCKS5 proxy port
   --https               Use HTTPS for the requests
   --sleeptime SLEEPTIME
                         Time to sleep between each header sent.
  • Type slowloris 192.168.1.9 this command will start normal dos attack to victim machine (Kali machine).
Wireshark Screenshot From Victim Machine – 192.168.1.9
  • Above screenshot of wireshark shows the receiving of TCP packets. As victim is running with apache2 service. By default slowloris send multiple data packets on port 80.
  • Above shows very simple scenario that how dos attack is stimulated. For defending such dos attacks. we will use fail2ban.

Victim/ Defender Machine – Kali OS

Fail2Ban Installation

  • We will testing on Linux Distros. On attacking we will use Ubuntu 18.04 & on victim-defend we will use Kali Linux on.
  • Kali Linux (Victim & Defender) – 192.168.1.9
  • Ubuntu (Attacker) – 192.168.1.8
  • For Installation on Kali Linux. Open terminal
    • Type sudo apt-get update
    • Type sudo apt-get install fail2ban
  • Type sudo service apache2 start
  • Type sudo systemctl status apache2
root@kali:/etc/fail2ban# sudo systemctl status apache2
 ● apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2019-11-05 02:09:37 EST; 2h 47min ago
   Process: 4749 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
  Main PID: 4753 (/usr/sbin/apach)
     Tasks: 152 (limit: 4662)
    Memory: 91.3M
    CGroup: /system.slice/apache2.service
            ├─4753 /usr/sbin/apache2 -k start
            ├─4754 /usr/sbin/apache2 -k start
            ├─6073 /usr/sbin/apache2 -k start
            ├─6074 /usr/sbin/apache2 -k start
            ├─6075 /usr/sbin/apache2 -k start
            ├─6077 /usr/sbin/apache2 -k start
            ├─6079 /usr/sbin/apache2 -k start
            ├─6080 /usr/sbin/apache2 -k start
            ├─6081 /usr/sbin/apache2 -k start
            ├─6083 /usr/sbin/apache2 -k start
            ├─6084 /usr/sbin/apache2 -k start
            ├─6085 /usr/sbin/apache2 -k start
            ├─6086 /usr/sbin/apache2 -k start
            ├─6087 /usr/sbin/apache2 -k start
            ├─6088 /usr/sbin/apache2 -k start
            ├─6089 /usr/sbin/apache2 -k start
            ├─6090 /usr/sbin/apache2 -k start
            ├─6091 /usr/sbin/apache2 -k start
            ├─6092 /usr/sbin/apache2 -k start
            ├─6093 /usr/sbin/apache2 -k start
            ├─6094 /usr/sbin/apache2 -k start
  • Press Ctrl+c
  • Before starting fail2ban service. We have to configure it. For that
    • Type cd /etc/fail2ban.
    • Type nano jail.conf
  • Here change
    • bantime = 30
    • findtime = 50
    • maxretry = 10
  • Then enter enabled = true after [apache-auth], [apache-badbots], [apache-noscript] & [apache-overflows] as shown below.
ignorecommand = /path/to/command 
 ignorecommand =
 "bantime" is the number of seconds that a host is banned.
 bantime  = 30
 A host is banned if it has generated "maxretry" during the last "findtime"
 seconds.
 findtime  = 50
 "maxretry" is the number of failures before a host get banned.
 maxretry = 10

HTTP servers
 #
 [apache-auth]
 enabled  = true
 port     = http,https
 logpath  = %(apache_error_log)s

 [apache-badbots]
 Ban hosts which agent identifies spammer robots crawling the web
 for email addresses. The mail outputs are buffered.
 enabled  = true
 port     = http,https
 logpath  = %(apache_access_log)s
 bantime  = 48h
 maxretry = 1

[apache-noscript]
 enabled  = true
 port     = http,https
 logpath  = %(apache_error_log)s

 [apache-overflows]
 enabled  = true
 port     = http,https
 logpath  = %(apache_error_log)s
 maxretry = 2
  • Type sudo nano /etc/fail2ban/jail.local & copy the below text. You can also change maxretry, findtime under [apache] section.
 [apache]
enabled  = true 
port     = http,https 
filter   = apache-auth 
logpath  = /var/log/apache2/*error.log 
maxretry = 2
findtime = 50
ignoreip =  
  • Type sudo /etc/init.d/fail2ban start
root@kali:/etc/fail2ban# sudo /etc/init.d/fail2ban start
 [ ok ] Starting fail2ban (via systemctl): fail2ban.service.
 root@kali:/etc/fail2ban#
  • Save the file & type sudo systemctl status fail2ban.service
root@kali:/etc/fail2ban# sudo systemctl status fail2ban.service
 ● fail2ban.service - Fail2Ban Service
    Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2019-11-05 05:02:20 EST; 3s ago
      Docs: man:fail2ban(1)
   Process: 6475 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
  Main PID: 6476 (fail2ban-server)
     Tasks: 13 (limit: 4662)
    Memory: 17.9M
    CGroup: /system.slice/fail2ban.service
            └─6476 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
 Nov 05 05:02:20 kali systemd[1]: Starting Fail2Ban Service…
 Nov 05 05:02:20 kali systemd[1]: Started Fail2Ban Service.
 Nov 05 05:02:21 kali fail2ban-server[6476]: Server ready

Attacker Machine – Ubuntu OS

  • Type slowloris 192.168.1.9 -p 80 & slowloris will start sending packets to target IP address.
  • 192.168.1.9 is the target IP address
  • -p to mention port no. Using port 80 it will generate the traffic.
root@ubuntu:/home/iicybersecurity# slowloris 192.168.1.9 -p 80
 [05-11-2019 02:08:59] Attacking 192.168.1.9 with 150 sockets.
 [05-11-2019 02:08:59] Creating sockets…
 [05-11-2019 02:08:59] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:14] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:29] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:44] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:59] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:10:14] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:10:29] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:10:44] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:00] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:15] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:30] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:45] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:12:00] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:12:15] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:12:30] Sending keep-alive headers… Socket count: 150


Victim/ Defender Machine

  • Now go to victim machine Kali Linux. In the Wireshark, you will notice DOS from attacker machine to target IP address.
  • Type sudo fail2ban-client set apache banip 192.168.1.8
  • This command will block the target IP address. Below screenshot shows that 192.168.1.8 has blocked.
Wireshark after attacker IP was blocked using fail2ban
  • Above screenshot shows that none of the packets are receiving from target machine.
  • Now if you check fail2ban status. You will notice that attacker IP has been blocked because attacker was sending multiple packets.
  • For checking status open another terminal type sudo fail2ban-client status apache
root@kali:/var/log/apache2# sudo fail2ban-client status apache
 Status for the jail: apache
 |- Filter
 |  |- Currently failed: 0
 |  |- Total failed:     1
 |  - File list:        /var/log/apache2/error.log - Actions
    |- Currently banned: 1
    |- Total banned:     1
    `- Banned IP list:   192.168.1.8
  • Above status that attacker machine (Ubuntu) 192.168.1.8 is now blocked.