Appendix A: Preventing Denial of Service Attacks

This appendix describes a method to prevent Denial of Service (DoS) attacks on the STA server. Follow these procedures only after the initial library configuration is successful. After configuring IPTables, you should ensure that STA is still successfully monitoring your libraries.

This appendix includes the following sections:

  • Overview

  • Configure iptables Rules

  • iptables Sample Script

Note:

The procedures in this appendix are optional, and are provided for informational purposes only. Site security remains the responsibility of the customer.

Overview

To protect the server from DoS attacks, configure the Linux iptables software to establish rules that filter ports and/or IP addresses. Based on the configuration of STA, Oracle recommends you attach rules to UDP port 162 and to the ports the STA managed servers listen on.

Note:

See the STA Installation and Configuration Guide for port information, including the default port values STA uses.

The iptables Sample Script can be used to define an input rule on the server that blocks hosts attempting to connect, based on these criteria:

  • A specific Ethernet interface

  • A specific port

  • A specific protocol

  • The number of requests within a specified time period

If the host connection count is exceeded within that time period, that host is blocked from further connections for the remainder of the time period.

Configure iptables Rules

To configure iptables rules:

  1. Copy the source of the iptables Sample Script into a text editor.

  2. Modify the following variables to suit your environment:

    • INTERFACE—Defines the Ethernet interface to watch for attacks

    • PORT—Defines the port number to watch for attacks

    • PROTO—Defines the protocol (TCP or UDP)

    • HITS and TIME—Choose reasonable values for the number of requests (HITS) within a time period in seconds (TIME) beyond which a host is blocked

  3. Save the script to your system and execute it.

    The new rules are added to iptables and take effect immediately.

iptables Sample Script

The following is an iptables sample script. It must be run as root.

#!/bin/sh
# The name of the iptables chain
CHAIN=INPUT
# The Ethernet interface to watch for attacks
INTERFACE=eth0
# The port number to watch for attacks
PORT=80
# The protocol (tcp or udp)
PROTO=tcp
# A host that sends HITS requests within TIME seconds will be blocked
HITS=8
TIME=60

# Log filtered IPs to file: have syslog write kern.warning messages to /var/log/iptables.log
touch /var/log/iptables.log
if ! grep -q iptables /etc/syslog.conf; then
    # syslog.conf separates the selector from the action with a tab
    printf 'kern.warning\t/var/log/iptables.log\n' >> /etc/syslog.conf
    /etc/init.d/syslog restart
fi

# Undo any previous rules for this combination of chain, proto, hits, and time.
# The loop deletes rule 1 until none is left, so it empties the whole chain;
# re-add any other $CHAIN rules afterwards.
if /sbin/iptables -L $CHAIN | grep $PROTO | grep $HITS | grep $TIME >/dev/null 2>&1; then
    while /sbin/iptables -D $CHAIN 1 >/dev/null 2>&1; do
        :
    done
fi

# Each rule is inserted at the top of the chain, so the last one inserted is
# evaluated first: LOG, then DROP, then the rule that records the connection.

# Interface rule: record every new connection from the source address
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --set

# Blocking rule: drop new connections from a source seen HITS or more times within TIME seconds
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --update --seconds $TIME --hitcount $HITS --jump DROP

# Logging rule: log the connections the blocking rule is about to drop (log level 4 is kern.warning)
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --rcheck --seconds $TIME --hitcount $HITS --jump LOG --log-level 4 --log-prefix "iptables-dos: "
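Once the rules are active, /var/log/iptables.log shows which hosts reached the threshold. The shell example below is added here and is not part of the STA documentation or the sample script: it summarizes kernel LOG-target lines by source address and destination port, and flags any library address among them, because a library that exceeds HITS on UDP 162 has its traps dropped and STA stops monitoring it. It assumes the log lines have the standard kernel LOG format; the host name and addresses in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample of /var/log/iptables.log (kernel LOG target format); the
# host name and the RFC 5737 addresses are made up for this example.
SAMPLE_LOG='Mar  3 10:15:02 sta-host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 sta-host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 sta-host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=201 DF PROTO=UDP SPT=161 DPT=162 LEN=100
Mar  3 10:15:03 sta-host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=103 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 sta-host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=202 DF PROTO=UDP SPT=161 DPT=162 LEN=100
Mar  3 10:15:05 sta-host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.30 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=301 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# blocked_sources MIN < logfile
# Prints "count source dport" for every (SRC, DPT) pair logged at least MIN
# times, most frequent first.
blocked_sources() {
    awk -v min="${1:-1}" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) if (count[k] >= min) print count[k], k }
    ' | sort -rn
}

# flagged_libraries "ip ..." < logfile
# Prints each listed library address that appears in the log at all: such a
# library reached the HITS threshold, so its traps were dropped and STA is no
# longer receiving them.
flagged_libraries() {
    blocked_sources 1 | awk -v libs="$1" '
        BEGIN { n = split(libs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($2 in want) { print $2 }
    ' | sort -u
}

# Demonstration on the constructed sample (replace with: blocked_sources 2 < /var/log/iptables.log)
printf '%s\n' "$SAMPLE_LOG" | blocked_sources 2
printf '%s\n' "$SAMPLE_LOG" | flagged_libraries "192.0.2.20 198.51.100.7"
```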