Striking back at the DDoS botnet on our own



    Good day, dear Habr community. At the request of fellow Habr readers I decided to share some of my achievements in the fight against DDoS, based on personal practical experience of repelling attacks.
    This article will not be yet another way to protect yourself from DDoS on your own; there is plenty of information about that. We will come at it from a slightly different side.
    As they say, the best defense is offense. So we will strike the DDoSers in their most painful spot: the bots. A pleasant bonus for us is that we will do a good deed and free at least some of the infected machines from the captivity of evil botnets.
    It is clear that we cannot kill a botnet outright, but sometimes a very significant blow can be delivered, especially if the bulk of the botnet is made up of rootkitted dedicated servers ("dedics"), which often create the main problem when repelling an attack. And the script kiddie Vasya with his hundreds of bots, farmed with blood and sweat, can be hurt badly too. Bots, especially ones on good channels and in good regions, cost money, sometimes considerable money. If they start dying off under a rain of abuse complaints, it may become unprofitable for the DDoSer to keep harassing you; they may raise the price for the customer or even stop the attack. It is much easier to go after someone who makes no unnecessary noise.


    How to kill a bot?



    So, how do we kill a bot, or at least try to free its soul from the evil forces that have possessed it?

    For this we need to:

    1). Determine the IP addresses of the attacking bots
    2). Determine who those IP addresses belong to (the parent organization: data center, provider, institution ...) and get from whois the list of abuse e-mail contacts to which we will send complaints
    3). Prepare logs confirming the fact of the attack.
    4). Send the logs to the abuse e-mail lists

    If there are not many bots, you can of course do all this by hand, but we will automate the process.

    DDoS comes in different forms


    Remember that DDoS attacks differ and there is no universal method for identifying malicious addresses; each particular case calls for a different algorithm and different data sources.

    In general this is a topic for a separate article, but I will try to settle on a simple method accessible to everyone.
    So, suppose we have a TCP/UDP flood on various ports, some DDoS mitigation is holding it back, we have access to the machine, but we want to reduce the attack's power and prevent it from growing, or simply spoil the DDoSers' day.
    The task is to strike back and deprive the botnet of its most active bots.

    Collecting logs


    There are many options; again, a topic for a separate article. There are many different ways to log traffic, for example tcpdump, iptraf, netflow ...
    Historically most of my logs were collected with iptraf, which was used to monitor the attack, and all the scripts were written to parse them. The solution may not be the most beautiful, but it is quite universal. With minimal modification you can use any logs and do all the manipulations listed below in real time.

    So, the DDoS has started; we start iptraf, enable logging in the settings (Configure -> Logging), and now when we run the IP traffic monitor it will ask which file to save the log to, for example
    /var/log/iptraf/iptraf.log
    From now on iptraf will record basic information about every packet for us (including dropped ones).
    From personal observation the server does not get any worse from this; the logging consumes almost no useful server resources.

    Sending abuse reports


    Once the log is there, we can proceed to processing it and sending "letters of happiness" to the providers of the infected machines, so that they deal with the owners.
    For this I offer several scripts I wrote for the purpose.
    The scripts were written at a very hard time, so there was no question of beauty or optimization; now they have been slightly reworked and seasoned with comments.
    I deliberately split all the work into several modules, each responsible for its own task. This lets you adapt them to your case and control every step.

    Scripts


    All scripts can be downloaded here: github.com/Ajex/AntiDdosAbuse

    Below I describe each of them.

    1). show_ips.sh - displays the list of IP addresses from the log and the number of packets each of them sent during the collection interval.

    Launch parameters:
    ./show_ips.sh iptraf.log "Dec 12" > ddos_ips.txt

    The script takes iptraf.log as the source log, filters it by the "Dec 12" expression, and writes the result to ddos_ips.txt for further analysis by the other scripts.

    * You can apply any filter of your own, selecting data for a specific hour, for example.

    Its output looks like this:

         3 1.1.1.1.
         3 1.1.1.2.
         3 1.1.2.1.
       10 2.3.2.2.
       10 2.3.2.2.
    ....
    7833 x.x.x.x
    19343 y.y.y.y
    58234 z.z.z.z
    


    Given that this log is taken at the time of the attack, there will be a very large gap between the smallest and largest values, sometimes thousands or tens of thousands of times. Again, there is no universal algorithm for deciding what counts as anomalous traffic; you need to look and think with your head.
    But as a rule the bots will be very clearly visible in the file, because a normal user cannot send several tens of thousands of requests in a few minutes.
    From this list we determine the border above which IPs are considered bots. You can additionally check some of the top addresses by hand against the apache/nginx and iptraf logs.
    For example, the bot hammered you over UDP while you only run a web server, or it hit TCP on some random ports that you have firmly closed.
    It is very important to use your head at this step, because, I repeat, there are no universal methods; everything depends on what kind of server is under attack, what services are running, and what the load is.
    You can refine the script to, for example, show the address's region, count the number of closed ports the bot hit, add information from the web server logs ...
    There is a whole field for mental activity here that is beyond the scope of this article.

    2). get_info.sh - extracts the abuse e-mail from the whois information for each IP address obtained by the show_ips.sh script in step 1.
    Launch parameters:
    ./get_info.sh ddos_ips.txt > abuse_email.txt

    where ddos_ips.txt is the file created in step 1.
    After that, abuse_email.txt will contain the list of e-mail addresses to send letters to.

    Its output looks like this:

    x.x.x.x abuse@aaa.com master@aaa.com
    y.y.y.y abuse@bbb.com
    z.z.z.z abuse@ccc.com
    ....
    


    Important: the script has a configuration parameter th_limit, which sets how many connections an IP must have before it is considered a bot; this border is determined in the previous step.
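    As an added example (not the article's get_info.sh), here is the whois-to-abuse-contact step in POSIX shell; fake_whois is a constructed stand-in for calling whois so that it runs offline, its record layouts imitate RIPE and ARIN output, and the addresses are made up.

```shell
# Added example, not the article's get_info.sh: for every IP above TH_LIMIT in a
# show_ips-style list, pull the abuse contacts out of whois and print
# "ip email ..." lines like abuse_email.txt.
# fake_whois is a constructed stand-in for "whois $ip" so the example runs offline;
# its record layouts imitate RIPE (abuse-mailbox:) and ARIN (OrgAbuseEmail:) output.

TH_LIMIT=${TH_LIMIT:-1000}   # the border chosen in step 1

fake_whois() {
    case "$1" in
    1.2.3.4) cat <<'EOF'
inetnum:        1.2.3.0 - 1.2.3.255
abuse-mailbox:  abuse@aaa.example
e-mail:         master@aaa.example
EOF
    ;;
    5.6.7.8) cat <<'EOF'
NetRange:       5.6.7.0 - 5.6.7.255
OrgAbuseEmail:  abuse@bbb.example
OrgTechEmail:   noc@bbb.example
EOF
    ;;
    *) printf 'No match found\n' ;;
    esac
}

# abuse_emails: reads whois text on stdin and prints, on one line, the dedicated
# abuse mailboxes first and then the other contacts, each address only once
abuse_emails() {
    awk '
    function add(e) { if (!(e in seen)) { seen[e] = 1; out = out " " e } }
    tolower($1) ~ /^(abuse-mailbox|orgabuseemail):$/ { add($2) }
    tolower($1) ~ /^(e-mail|orgtechemail):$/ { others[++n] = $2 }
    END { for (i = 1; i <= n; i++) add(others[i]); printf "%s\n", substr(out, 2) }'
}

# get_info IPS_FILE: one "ip contacts" line per bot; "-" when whois gave nothing,
# so a missing contact stays visible instead of the bot silently dropping out
get_info() {
    awk -v lim="$TH_LIMIT" '$1 > lim { print $2 }' "$1" | while read -r ip; do
        emails=$(fake_whois "$ip" | abuse_emails)   # real use: whois "$ip"
        printf '%s %s\n' "$ip" "${emails:--}"
    done
}
```

    Bots whose whois record carries no contact at all come out marked with "-", which is exactly the case worth checking by hand before the mailing.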

    3). get_logs.sh - extracts the records for each IP address from the iptraf log, saves them to a separate file and packs it with Gzip

    Launch parameters:

    ./get_logs.sh ddos_ips.txt iptraf.log "Nov 20" pref

    where pref is a prefix for the created logs, for the convenience of sorting them.

    th_limit must be set in the parameters; this is again the number of connections from the ddos_ips.txt file that separates good IP addresses from bots.
    On output, Gzip files containing the log for each individual IP will be created in the current folder.
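    Steps 1 and 3 as one added shell example (not the show_ips.sh / get_logs.sh from the repository): counting packets per source address for a date filter, applying th_limit, and packing each bot's own log lines into a Gzip file. The iptraf line layout and the sample log are assumptions constructed for the example.

```shell
# Added example, not the show_ips.sh / get_logs.sh from the article's repository.
# Step 1: count packets per source IP in an iptraf log for a date filter.
# Step 3: for every IP above TH_LIMIT, save its own log lines as PREFIX<ip>.txt.gz.
# Assumed line layout (modelled on iptraf's IP traffic monitor log):
#   "Mon Dec 12 10:00:01 2011; UDP; eth0; 1024 bytes; from SRC:PORT to DST:PORT"

TH_LIMIT=${TH_LIMIT:-3}   # packets per IP above which an address counts as a bot

# Constructed sample log: 1.2.3.4 floods UDP on random high ports, 5.6.7.8 keeps
# knocking on closed TCP/135, 9.9.9.9 is a normal visitor, 7.7.7.7 is another day.
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Dec 12 10:00:01 2011; UDP; eth0; 1024 bytes; from 1.2.3.4:53 to 10.0.0.1:8080
Mon Dec 12 10:00:01 2011; UDP; eth0; 1024 bytes; from 1.2.3.4:53 to 10.0.0.1:8081
Mon Dec 12 10:00:02 2011; UDP; eth0; 1024 bytes; from 1.2.3.4:53 to 10.0.0.1:8082
Mon Dec 12 10:00:02 2011; UDP; eth0; 1024 bytes; from 1.2.3.4:53 to 10.0.0.1:8083
Mon Dec 12 10:00:02 2011; UDP; eth0; 1024 bytes; from 1.2.3.4:53 to 10.0.0.1:8084
Mon Dec 12 10:00:02 2011; TCP; eth0; 60 bytes; from 5.6.7.8:4444 to 10.0.0.1:135; first packet (SYN)
Mon Dec 12 10:00:03 2011; TCP; eth0; 60 bytes; from 5.6.7.8:4445 to 10.0.0.1:135; first packet (SYN)
Mon Dec 12 10:00:03 2011; TCP; eth0; 60 bytes; from 5.6.7.8:4446 to 10.0.0.1:135; first packet (SYN)
Mon Dec 12 10:00:03 2011; TCP; eth0; 60 bytes; from 5.6.7.8:4447 to 10.0.0.1:135; first packet (SYN)
Mon Dec 12 10:00:04 2011; TCP; eth0; 60 bytes; from 9.9.9.9:50001 to 10.0.0.1:80; first packet (SYN)
Sun Dec 11 23:59:59 2011; TCP; eth0; 60 bytes; from 7.7.7.7:50002 to 10.0.0.1:80; first packet (SYN)
EOF
}

# show_ips LOG "DATE FILTER": "count ip" per source address, ascending by count
show_ips() {
    grep -F "$2" "$1" | sed -n 's/.*from \([0-9.]*\):[0-9]*.*/\1/p' | sort | uniq -c | sort -n
}

# bot_ips IPS_FILE: addresses whose count in a show_ips listing exceeds TH_LIMIT
bot_ips() {
    awk -v lim="$TH_LIMIT" '$1 > lim { print $2 }' "$1"
}

# get_logs IPS_FILE LOG "DATE FILTER" PREFIX: one gzipped evidence file per bot
get_logs() {
    bot_ips "$1" | while read -r ip; do
        grep -F "$3" "$2" | grep -F "from $ip:" | gzip -c > "$4$ip.txt.gz"
    done
}
```

    A th_limit of 3 suits only this toy log; in a real attack the border is read off the show_ips output as described above, and the per-IP Gzip files are what the abuse letter links to.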

    4). mail_send.sh - sends the abuse reports to the lists obtained in step 2 from the get_info.sh script.

    Launch parameters:

    ./mail_send.sh abuse_email.txt pref


    where abuse_email.txt is the file obtained in step 2

    Inside the script there is a header and a body for the letter, which you rework to fit your needs. You can threaten all sorts of punishments from heaven and promises to contact the police, etc.; with some it even works. (I deliberately do not provide my own text, so that it is not sent out as a template and does not end up in spam filters.) In the sending template the script includes a link to the log file. I tried attaching the files directly to the letter, but, firstly, they are often large, secondly, they are often cut by spam filters and raise suspicion, and thirdly, it is hard to send them from a machine under DDoS, while a link to a corporate website looks more substantial and safer.

    echo "Hi, today our server x.x.x.x was attacked from your or your client's IP $ip
    Here are the logs yourcompany.com/abuse$pref$ip.txt.gz (TZ - Europe/Moscow) ... bla bla bla ... The Company Name Ltd." | mail -s "[Abuse] ddos attack from your $ip" $email_row




    That is why I copied the logs to another machine with a running web server using a simple script and just put a link to the log in the body of the message.

    do_all.sh - this script performs all the actions in sequence, but it was made more for demonstration, because before starting it you need to tune the script parameters, especially th_limit, for your case.

    Here are its parameters:

    parse_date - the logs will be grepped by this expression; use it to select entries for a certain day or hour if needed
    pref - prefix for the created files, for example the same date
    iptraf_raw_file - where to take the iptraf log from

    Obviously it was possible to chain the scripts through pipes, but for the article and for understanding how it works I left it as it is; the scope for imagination is endless. You can refine and automate all the processes, for example by turning logging on automatically when an attack starts, or by making a more accurate analyzer for step 1.

    If you act wisely, you can deliver a fairly significant blow to a botnet, especially if the number of bots is small but they mostly consist of rootkitted dedics. I say this from personal experience.

    And what is the result? Will this really work?


    What will happen to the abuse reports we send? Perhaps, of course, they will be ignored, but then the next day the IP address ends up on the list again, the abuse report goes out again, and so on; maybe someday they will react.
    If it is some VDS/VPS server and the abuse report lands at the data center with detailed logs and is properly written, it will most likely be examined, and if the logs are weighty and agree with the data center's own statistics, the machine may be blocked. It is somewhere around 50/50, which is not bad either.
    If it reaches a provider, they will most likely notify the subscriber (I talked with some acquaintances, and they said that is exactly what they do), and after several well-argued complaints the client may be blocked until they install a proper antivirus.

    After our mailing around the world there will be a whole chain of events that we may never learn about, and perhaps they will have no decisive impact, but in any case it is better than doing nothing and hoping that tomorrow the target will be someone else and not you.
    If most people took such actions and abuse reports rained in from different IPs, providers would be forced to take measures; every such abuse report is a nail in the botnet's coffin.

    Thank you for your attention; this is my first article on Habr, so please do not scold me too much if something is wrong. If the topic is of interest, I will share my practical experience of how, without any serious resources, with three rubles in your pocket, you can hold your own against quite strong attacks. Sometimes cunning and ingenuity can give more than powerful iron or a wide channel.

    UPD: By the way, there are times when the method described in the article can be a real salvation from DDoS. For example, when a relatively small number of bots on wide channels fills up the entire port bandwidth, or the network cannot cope with the flow of requests. In that case the only things that help are a block on the upstream router, which is very often not possible in many DCs, or fighting back with abuse reports. The latter, besides being simple and accessible, lets you hurt the DDoSers badly and disarm them.
