A first-hand account of a DDOS attack mitigation

A few days ago, I lived through a DDOS attack at one of the sites I run. It started with the general unavialability of Apache, although the system was idle and the ssh access functioned perfectly. As I already had some experience with DDOS attacks, I immediately looked at the network connections using netstat and saw over 300 IPs sending SYN_REC packets in mass. The attack was much more powerful than I ever experienced.

~# netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'| sort |uniq |wc -l
310

I immediately started the APF firewall with RAB enabled and a script to block the offending IPs in iptables, as I had these at hand from the previous DDOS attack:

BEGIN {
 pipe = "netstat -n|gawk '{print $5}'|gawk 'BEGIN{FS=\":\"}{print $1}'|sort|uniq -c |sort -n"
 while (( pipe| getline) > 0 )  {
   if ($1 > 29 && $2 != "") {
     command="/sbin/iptables -I INPUT -s " $2 " -j DROP"
     date="date"
     command | getline result
     date | getline dateresult
     print dateresult " - command: " command ", result: " result >>"/var/log/firewall.log"
     }
   }
   close(pipe)
}

After a few hours it became clear that the IPs are rotating too often and the size of the botnet is well over 10.000, so I was left with a choice of either dying under DDOS or dying due to the performance hit of the large pool of IP addresses in iptables. The SYN_REC part was being filtered easily by syncookies, APF activated them on launch. The real problem was the HTTP flood.

Tags: 
sysadmin
ddos

The pitfalls of the part-time business in Belgium

Anyone working at least part-time as an employee in Belgium can opt for his own part-time business. This is even mandatory if you have a constant revenue stream coming from the side projects.

At first sight, this option looks very competitive. You pay lower social charges and retain all the benefits of the employee position while being able to exercise the secondary activity in your spare time.

On the taxation side, things look much dimmer. Let's assume that you are a full-time employee in IT and want to do some consulting on the side. You probably have a rather high salary, that attains already, although barely, the highest 53.50% tax level. This is realistic for many IT professionals.

You do your first project and charge your client 1000 €, including VAT. How much will you have left after the taxes?

Well, that's easy. You pay subsequently 21% of VAT, 22% in social charges, and then 53.50% of the income tax, which amounts to

1000*0.79*0.78*0.4650=286.53 €

286.53 € out of that nifty pay-check of 1000 € that you just thought will go into your pocket.

You were expecting to get more, and you start to look for ways to avoid taxation. Fortunately, this is possible by going to the natural economy instead of the monetary one. That is, you try to increase your expenses and reduce the monetary profits.

Bye-bye, Yahoo!

I am probably the last webmaster in the world to ban Yahoo! Slurp from indexing my sites. Now, I am resolved. Bye-bye, Yahoo! You were just behaving too badly.

iptables -A INPUT -s 66.196.64.0/18 -j DROP
iptables -A INPUT -s 68.142.192.0/18 -j DROP
iptables -A INPUT -s 72.30.0.0/16 -j DROP
iptables -A INPUT -s 74.6.0.0/16 -j DROP
Tags: 
linux
sysadmin
SEO

La diminution des tirages des journaux à l'époque de l'internet: un exemple concret.

Les tirages des quotidiens francophones en Belgique ont diminué de 19% sur la période de dix ans, de 1997 à 2007. C'est la conclusion que je tire des statistiques du CIM, publiée sur leur site et complétés par les chiffres de 1997 venant d'un dossier thématique de la Revue Nouvelle. Malheureusement, je n'ai pas sû trouver les chiffres des tirages des quotidiens flamands en 1997. D'après les statistiques des années 2003-2007 disponibles sur le site de CIM, les quotidiens flamands doivent se porter mieux que les francophones.

Traditionellement, j'inclus ci-dessous les chiffres crus, ainsi que le script gnuplot

données:
"Journal" 1997 2007
"L'Echo" 27449 24696
"Vers l'avenir" 131155 110559
"La Derniere Heure" 101327 110124
"La Libre Belgique" 73103 56808
"Le Soir" 178569 112265
script:
set terminal png enhanced
set output "evaluation.png"
set boxwidth 1 absolute
set style fill  solid 1.00 border -1
set style histogram clustered gap 2 title

set style data histograms
set xtics rotate
set yrange [ 0 : 200000]

plot 'graph.dat' u 2:xtic(1) ti col, '' u 3 ti col
Tags: 
journalism

"Свинья везде грязь найдёт"

Сегодня я зашёл в блог известного в узких кругах автора Struts Framework и Java Server Faces Крэйга Мак-Кланагана.

Своим некачественным кодом этот человек портил жизнь сотням тысячам программистов, а если учесть, что он ещё и автор Catalina, то миллионам.

Недавно он заинтересовался Ruby on Rails. Берегитесь, рубероиды!

Tags: 
software
java
rails
struts

How to expose a web application through Apache

I did this a few times in my life, and every time it was painful to reconstruct the necessary toolset and configuration options. So, here it goes. First, enable the proxy support.

~# a2enmod proxy # utility functions
~# a2enmod proxy_http # http forwarding
~# a2enmod proxy_html # html rewriting
~# a2enmod headers # http headers rewriting

Then, assuming that your web application runs on port 3031 on the same host as Apache, and you want to make it available at the /demo url in Apache, write the following in the Apache config:

<IfModule mod_proxy.c>
  <IfModule mod_proxy_http.c>
    <IfModule mod_proxy_html.c>
      <IfModule mod_headers.c>
        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        ProxyPass  /demo http://localhost:3301
        ProxyPassReverse /demo http://localhost:3301
        <Location "/demo">
            # ask the localhost to return the uncompressed HTML
            RequestHeader   unset   Accept-Encoding
            # Filter Responses through mod_proxy_html
            SetOutputFilter proxy-html
            # convert URLs in CSS and JavaScript as well
            ProxyHTMLExtended On
            # convert URLs in a.hrefs
            ProxyHTMLURLMap ^/ /demo/ R 
            # convert URLs in CSS and JS
            ProxyHTMLURLMap "'/" "'/demo/" 
            # convert URLs in CSS and JS
            ProxyHTMLURLMap "\"/" "\"/demo/" 
        </Location>
      </IfModule>
    </IfModule>
  </IfModule>
</IfModule>
Tags: 
sysadmin
apache
proxy

[Mission Impossible] Contacter le service des équivalences de la Communauté Française de Belgique

Voici un exemple de l'accessibilité de l'état aux citoyens.

Ce matin, j'ai été sur le site web du Service des équivalences pour l'enseignement secondaire de la Communauté française de Belgique. Après avoir lu les informations sur le site il me restaient une question.

J'ai décidé donc d'appeler le Service au numéro indique sur la page web. Après avoir navigué les menus vocaux dans toutes les directions et avoir attendu une bonne heure, voici la conclusion que j'en tire: il est impossible de contacter l'opérateur du service au téléphone. 

Effectivement, les menus vocaux présentent l'hiérarchie suivante (légèrement simplifiée):
  • Vérifier si le dossier a été reçu.
  • Obtenir des informations sur le dossier déjà introduit.
    • introduire le # du dossier
  • Obtenir un rendez-vous.
    • Aucune réponse pendant une demi-heure d'attente
  • Obtenir les informations générales.
    • Un message invitant à visiter le site web du Service.
Ainsi, il n'y a aucun moyen de joindre la permanence téléphonique.

Je suis retourné vers le site web du Service pour rédiger un courriel avec ma question à l'intention de  equi.oblig@cfwb.be . Quelle était ma surprise quand, quelques secondes après l'envoi du courriel, j'ai reçu un message d'erreur signalant que mon courriel ne peut pas être envoyé, avec la raison:

Invalid final delivery userid: catherine.hallin@cfwb.be

Je suis à bout d'idées, il me reste de me rendre au Service en personne, ce que je ferai sûrement un de ces jours.
 
Tags: 
belgium

Pages