Denying the DDoS

With the recent uptick in Distributed Denial of Service (DDoS) attacks, we're often asked what steps can be taken from an OS perspective once traffic gets past the firewall and other filtering devices out on your network's edge.  It's a sad reality of our technological lives today that attacks like these are here to stay.  So what do you do when dozens, or hundreds, or thousands of bots are poking and probing at you?  While there is no magic pill that can defend against every attack, the best defense you can field is a layered one that helps compensate for gaps within any one technology.

Some of the suggestions I'll give are not Red Hat-supported solutions, but they have really proved themselves in the Community, so they are valuable to note.  (Insert lawyer-speak: "Some of the software/modules mentioned here are not officially shipped or supported by Red Hat. According to Red Hat's "production scope of coverage" (defined at https://access.redhat.com/support/offerings/production/soc.html), "Implementation and development of security rules and policies" is not supported. Suggestions given in this case are purely based on knowledge and experience and are given for reference purpose only.")  Before implementing ANY new change to your environment, please ensure you've thoroughly read and understood all instructions/documentation and have tested your new configuration in a non-production environment to measure the impact it will have.

First and foremost, if you don't need a service or a port exposed to the world, turn it off.  Period.  Only turn on what is absolutely necessary to conduct your business; anything else is inviting unneeded risk.  The same thing goes for access controls: if people don't need to read it, remove permissions to it.  Harden your server and give it the smallest possible footprint of exposure.

Now sometimes you absolutely cannot *not* have something exposed.  In those cases, iptables can be your bestest-buddy ever.  iptables can be used quickly and effectively to block traffic by port, protocol, IP address, etc.

More information about iptables can be found in the Red Hat Linux Security Guide:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Firewalls.html

Be sure to test any changes prior to executing.  Another handy thing to do once you've put a solution in place is to review your logs to make sure you've stopped the bad traffic and are still allowing the good.

   How do I setup logging in the iptables firewall?
     https://access.redhat.com/knowledge/solutions/6249
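
One way to do that log review, as an added example that is not part of the original post. It assumes each DROP and ACCEPT rule is paired with a LOG rule using the prefixes "IPT-DROP: " and "IPT-ACCEPT: " (names chosen for this example), and runs over constructed sample lines.

```sh
#!/bin/sh
# Assumed LOG rules (prefixes are this example's choice, set with --log-prefix):
#   iptables -A INPUT -s 203.0.113.0/24 -j LOG --log-prefix "IPT-DROP: "
#   iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "IPT-ACCEPT: "

# Constructed, trimmed kernel log lines using documentation address ranges.
sample_log() {
cat <<'EOF'
Mar  4 10:00:01 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=443 SYN
Mar  4 10:00:01 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=443 SYN
Mar  4 10:00:02 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Mar  4 10:00:03 web1 kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TTL=57 PROTO=TCP SPT=51544 DPT=443 SYN
Mar  4 10:00:04 web1 kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40200 DPT=443 SYN
EOF
}

# summarize <prefix>: print "count source proto/dport", busiest first.
# Protocols without a destination port (ICMP) are shown as proto/-.
summarize() {
  awk -v tag="$1" '
    index($0, tag) == 0 { next }
    {
      src = proto = dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") n[src " " proto "/" (dpt == "" ? "-" : dpt)]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# leaked_sources: addresses logged as dropped that also appear as accepted,
# which usually means an ACCEPT rule sits ahead of the DROP rule in the chain.
leaked_sources() {
  awk '
    { src = ""; for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5) }
    /IPT-DROP: /   { d[src] = 1 }
    /IPT-ACCEPT: / { a[src] = 1 }
    END { for (s in d) if (s in a) print s }
  ' | sort
}

echo "Dropped:";  sample_log | summarize "IPT-DROP: "
echo "Accepted:"; sample_log | summarize "IPT-ACCEPT: "
echo "Blocked sources still getting through:"; sample_log | leaked_sources
```

On a live system, feed the functions the kernel log instead of `sample_log`, for example `grep 'IPT-' /var/log/messages | leaked_sources`.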

For those of you out there that are Apache-enthusiasts, there are two modules that can be leveraged to help manage (and stop) unwanted traffic.

mod_qos is a great lightweight tool that can quickly and easily be integrated with your webserver.  It isn't as feature-rich as others, but it certainly can do the trick.

A more advanced option might be to leverage mod_security.  This is a robust open-source web application firewall.  It's much more involved than mod_qos and will require a higher level of expertise to really get the best protection, but it does a great job.

     http://www.modsecurity.org/
     http://opensource.adnovum.ch/mod_qos/

All of this might not be enough, and you may have to work with your Edge provider and start to blacklist attackers.  That's where tools like Project Artillery or (D)DOS-DEFLATE might come in handy.  Again, your mileage may vary, and changes might need to be made to make non-Red Hat supplied packages work on your RHEL systems.

     https://www.trustedsec.com/downloads/artillery/
     http://deflate.medialayer.com/

So what would you add to help someone faced with a DDoS attack?  Any tips or tools you've found useful in defending your castle?