[AusNOG] DDOS mitigation

Tim March march.tim at gmail.com
Sun May 12 23:23:30 EST 2013


I do a lot of work with hosting companies that operate the sort of 
shared environments you're discussing here. They're invariably littered 
with old Joomla and WordPress installs that are regularly compromised. 
The biggest concern you have here is limiting how exposed both the 
server itself and the other sites it hosts are to these attacks.

Firstly, with regards to Joomla and WP there are two pretty reasonable 
scanners under active development that can pick up known-bad plugins and 
detect a number of known-bad configurations...

	http://sourceforge.net/projects/joomscan/

	http://wpscan.org/

... If you're operating these CMSes, they're a really good first place to 
start to get some baseline security info. I use them both regularly on 
pentest and VA jobs.

Secondly, if you're running cPanel (yeah, yeah, everyone screams about it 
being a POS but it's the de facto standard and actually works really 
well...) there are a couple of really useful software packages that 
provide GUI-fied security configuration of the host...


	http://configserver.com/cp/csf.html

	http://configserver.com/cp/cxs.html

The first provides easy access to a bunch of host based security 
configuration like resource limits, more advanced brute-force 
protection, firewall config, active email alerts etc.

It has a 'quick security scan' feature that checks about 130 baseline 
security metrics and provides advice on locking the host down. This is 
not absolute and there's a bunch of other stuff you should be looking at 
to reach a baseline, but it's a great start.

The second is a host based IDS (of sorts...) that uses signatures to 
detect malicious code running in client sites. It's great for 
automagically picking up shells like C99/R57 etc. that are uploaded as 
part of an intrusion. It has really configurable quarantine options and 
will scan for symlinks etc. where open_basedir protection has been broken.

As I said, there is a bunch of other stuff (moving PHP session dirs, 
basedir-patching Apache, disabling potentially malicious PHP functions, 
running Suhosin, yadda yadda yadda...) that should be done here - BUT - 
in 100% of the cases where we implement these packages on hosts they 
pick up loads of compromised accounts/code that wasn't detected 
previously. They're a good start.




T.

On 12/05/13 9:34 PM, James Braunegg wrote:
> Dear All
>
> I find for compromised website servers etc. you can assist by using QoS to rate limit, say, based on matching UDP, ICMP and TCP traffic, along with packet storm control to limit the number of packets coming from a particular server at the switch port level (assuming you have full layer 3 functions on your top-of-rack switch), allowing you to isolate the script without causing a lot of damage to your network.
>
> I fully agree, however, it's always CMS-type websites that are compromised. We see this day in, day out, and then the website owners say "aren't your servers secure?"
>
> Kindest Regards
>
> James Braunegg
> W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
> E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666
>
>
>
> This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Palmer
> Sent: Sunday, May 12, 2013 7:36 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] DDOS mitigation
>
> On Sun, May 12, 2013 at 03:24:20AM +0000, Dobbins, Roland wrote:
>> On May 12, 2013, at 10:13 AM, Zone Networks - Joel wrote:
>>> Its all those damn Joomla/Wordpress websites that have been compromised
>>> and I don't see it stopping either, since they are millions of these
>>> websites that wont get patched/upgraded until its exploited.
>>
>> My hope is to utilize the aforementioned insurance scheme to induce IDC
>> operators to perform ongoing proactive vulnerability scanning of
>> hosted/co-located/virtual servers located on their access networks, and to
>> shut down end-customers who are not fully patched until they remediate
>> their boxen.
>
> It's a nice idea to be sure, but a provider with a bunch of compromised
> wordpress instances is unlikely to be impacted sufficiently to need to claim
> on their insurance scheme.  It's rather a lot like BCP38 -- they're a minor
> annoyance to the source, because there's only a (relatively) few of them per
> misbehaving ISP, but multiply that by the number of misbehaving ISPs, and
> they're a damned nuisance to the destination.
>
> - Matt
>