[AusNOG] DDOS mitigation

James Braunegg james.braunegg at micron21.com
Sun May 12 23:54:33 EST 2013


+1 for both of these!

http://configserver.com/cp/csf.html

http://configserver.com/cp/cxs.html

Kindest Regards

James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666   



This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.


-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Tim March
Sent: Sunday, May 12, 2013 11:24 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation


I do a lot of work with hosting companies that operate the sort of shared environments you're discussing here. They're invariably littered with old Joomla and WordPress installs that are regularly compromised. 
The biggest concern you have here is limiting how exposed both the server itself and the other sites it hosts are to these attacks.

Firstly, with regards to Joomla and WP there are two pretty reasonable scanners under active development that can pick up known-bad plugins and detect a number of known-bad configurations...

	http://sourceforge.net/projects/joomscan/

	http://wpscan.org/

... If you're operating these CMSes they're a really good first place to start to get some baseline security info. I use them both regularly on pentest and VA jobs.

Secondly, if you're running cPanel (yeah, yeah, everyone screams about it being a POS but it's the de facto standard and actually works really well...) there are a couple of really useful software packages that provide GUI-fied security configuration of the host...


	http://configserver.com/cp/csf.html

	http://configserver.com/cp/cxs.html

The first provides easy access to a bunch of host-based security configuration like resource limits, more advanced brute-force protection, firewall config, active email alerts, etc.

It has a 'quick security scan' feature that checks about 130 baseline security metrics and provides advice on locking the host down. This is not absolute and there's a bunch of other stuff you should be looking at to reach a baseline, but it's a great start.


The second is a host-based IDS (of sorts...) that uses signatures to detect malicious code running in client sites. It's great for automagically picking up shells like C99/R57 etc. that are uploaded as part of an intrusion. It has really configurable quarantine options and will scan for symlinks etc. where open_basedir protection has been broken.

As I said, there is a bunch of other stuff (moving PHP session dirs, basedir-patching Apache, disabling potentially malicious PHP functions, running Suhosin, yadda yadda yadda...) that should be done here - BUT - in 100% of the cases where we implement these packages on hosts they pick up loads of compromised accounts/code that weren't detected previously. They're a good start.

T.
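The two checks Tim describes cxs doing, signature matches on uploaded PHP and symlinks that escape the account's document root, as an added illustration for this thread (my own code, not cxs or anything from the list); the indicator patterns, the temporary docroot and the sample files are constructed:

```python
"""Host-side checks of the kind Tim describes cxs doing: webshell-indicator
matches and symlinks escaping the docroot. Added illustration, not cxs code."""
import os
import re
import tempfile

# Constructed indicators: obfuscated eval chains typical of uploaded shells
# and the banner strings the well-known c99/r57 shells print.
INDICATORS = {
    "obfuscated-eval": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "known-shell-banner": re.compile(rb"c99shell|r57shell", re.IGNORECASE),
}

def scan_file(path):
    """Return the indicator names matched by one file (empty list if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, pat in INDICATORS.items() if pat.search(data)]

def scan_docroot(docroot):
    """Walk docroot; return ([suspicious php files], [(symlink, target)])."""
    docroot = os.path.realpath(docroot)
    suspicious, escaping = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):  # does not follow links
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                # A link whose target leaves the docroot is the open_basedir
                # bypass Tim mentions: one tenant reading another's files.
                if os.path.commonpath([docroot, target]) != docroot:
                    escaping.append((full, target))
                continue
            if name.lower().endswith((".php", ".phtml")) and scan_file(full):
                suspicious.append(full)
    return sorted(suspicious), sorted(escaping)

def demo():
    """Constructed docroot: one clean file, one shell-like file, one escaping link."""
    outside = tempfile.mkdtemp()
    open(os.path.join(outside, "secret.txt"), "w").close()
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    with open(os.path.join(root, "cache.php"), "w") as fh:
        fh.write("<?php eval(base64_decode($_POST['c'])); ?>")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "s.txt"))
    bad, links = scan_docroot(root)
    return len(bad), len(links)  # -> (1, 1)
```

In practice the hit list feeds a quarantine step rather than just a report, which is the part cxs automates.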

On 12/05/13 9:34 PM, James Braunegg wrote:
> Dear All
>
> I find for compromised website servers etc. you can assist by using QoS to rate limit, say, based on matching UDP, ICMP and TCP traffic, along with packet storm control to limit the number of packets coming from a particular server at the switch port level (assuming you have full layer 3 functions on your top-of-rack switch), allowing you to isolate the script without causing a lot of damage to your network.
>
> I fully agree, however it's always CMS-type websites which are compromised... we see this day in, day out... then the website owners say "aren't your servers secure?"!
>
> Kindest Regards
>
> James Braunegg
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net 
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Palmer
> Sent: Sunday, May 12, 2013 7:36 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] DDOS mitigation
>
> On Sun, May 12, 2013 at 03:24:20AM +0000, Dobbins, Roland wrote:
>> On May 12, 2013, at 10:13 AM, Zone Networks - Joel wrote:
>>> It's all those damn Joomla/WordPress websites that have been 
>>> compromised and I don't see it stopping either, since there are 
>>> millions of these websites that won't get patched/upgraded until it's exploited.
>>
>> My hope is to utilize the aforementioned insurance scheme to induce 
>> IDC operators to perform ongoing proactive vulnerability scanning of 
>> hosted/co-located/virtual servers located on their access networks, 
>> and to shut down end-customers who are not fully patched until they 
>> remediate their boxen.
>
> It's a nice idea to be sure, but a provider with a bunch of 
> compromised WordPress instances is unlikely to be impacted 
> sufficiently to need to claim on their insurance scheme.  It's rather 
> a lot like BCP38 -- they're a minor annoyance to the source, because 
> there's only a (relatively) few of them per misbehaving ISP, but 
> multiply that by the number of misbehaving ISPs, and they're a damned nuisance to the destination.
>
> - Matt
>
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
