Recipe 3.16 Preventing Denial of Service Attacks

Previous page
Table of content
Next page

3.16.1 Problem

You want to prevent denial of service (DOS) attacks against a network service.

3.16.2 Solution

For xinetd , use the cps, instances, max_load, and per_source keywords.

/etc/xinetd.conf or /etc/xinetd.d/myservice: service myservice {       ...       cps = 10 30     Limit to 10 connections per second.                       If the limit is exceeded, sleep for 30 seconds.       instances = 4   Limit to 4 concurrent instances of myservice.       per_source = 2  Limit  to 2 simultaneous sessions per source IP address.                       Specify UNLIMITED for no limit, the default.       max_load = 3.0  Reject new requests if the one-minute system load average exceeds 3.0. }

For inetd, use the inetd -R option to specify the maximum number of times a service may be invoked per minute. The default is 256.

3.16.3 Discussion

These keywords can be used individually or in combination. The cps keyword limits the number of connections per second that your service will accept. If the limit is exceeded, then xinetd will disable the service temporarily. You determine how long to disable the service via the second argument, in seconds.

The instances keyword limits the number of concurrent instances of the given service. By default there is no limit, though you can state this explicitly with:

instances = UNLIMITED

The per_source keyword is similar: instead of limiting server instances, it limits sessions for each source IP address. For example, to prevent any remote host from having multiple FTP connections to your site:

/etc/xinetd.conf or /etc/xinetd.d/ftp: service ftp {         ...         per_source = 1 }

Finally, the max_load keyword disables a service if the local system load average gets too high, to prevent throttling the CPU.

inetd is less flexible: it has a -R command option that limits the number of invocations for each service per minute. The limit applies to all services, individually. If the limit is exceeded, inetd logs a message of the form:

telnet/tcp server failing (looping), service terminated

Actually, the service isn't terminated, it's just disabled for ten minutes. This time period cannot be adjusted.

Some firewalls have similar features: for example, iptables can limit the total number of incoming connections. On the other hand, iptables does not support the per_source functionality: it cannot limit the total per source address.

3.16.4 See Also

xinetd.conf(5).

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Beginning Cryptography with Java
Software Configuration Management
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
Programming Microsoft ASP.NET 3.5
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
Microsoft Visual Basic .NET Programmers Cookbook (Pro-Developer)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy