A Preventing Denial-of-Service Attacks

This appendix provides a sample procedure for limiting the effect of Denial-of-Service (DoS) attacks on STA. It provides instructions for using the sample script in Example A-1 to define input rules for the iptables utility that block a source address once it exceeds a connection-rate threshold. The rules are selected by the combination of the following criteria:

  • Ethernet interface

  • Ethernet protocol

  • Port number

  • Maximum number of requests within a specified time period

Note:

This procedure is optional and is provided as information only. Site security is the customer's responsibility.

Define Rules for Preventing DoS Attacks

Note:

Before using this procedure, configure and verify the library connections on STA. See the STA User's Guide for details.

Use this procedure to configure input rules for the IPTables utility to watch for and prevent attacks on STA.

For STA, Oracle recommends attaching rules to UDP port 162 (the port on which SNMP traps are received) and on the ports you have defined for the STA managed servers. See the STA Installation and Configuration Guide for details about the ports.

  1. Log in to the STA server as the system root user.

  2. Copy the contents of Example A-1 into a text editor.

  3. Modify the following variables as appropriate for your environment.

    • INTERFACE—Ethernet interface to watch for attacks (eth0, for example; interface names are case-sensitive)

    • PROTO—Transport protocol to watch for attacks (tcp or udp, in lowercase, as iptables expects)

    • PORT—Port number to watch for attacks (for example, 162 for SNMP traps)

    • HITS and TIME—Specify reasonable values for the number of new connections (HITS) within a given time period, in seconds (TIME). Once a source address has made HITS new connections within TIME seconds, its further connection attempts are dropped. Dropped attempts are counted as well, so a host that keeps retrying at that rate stays blocked; it is accepted again only once fewer than HITS of its attempts fall within the last TIME seconds. Set HITS well above the number of traps or connections a busy library legitimately sends in TIME seconds, or STA stops receiving from that library.

  4. Save the script and execute it as root. The new rules are added to the running iptables configuration and take effect immediately. They are not kept across a reboot unless you save them (for example, with service iptables save on Oracle Linux).

  5. Verify that STA is still successfully monitoring your libraries. See the STA User's Guide for details. If a library stops reporting, its trap rate has exceeded HITS within TIME seconds; raise HITS or shorten TIME and run the script again.

Example A-1 iptables Sample Script

#!/bin/bash
# The name of the iptables chain
CHAIN=INPUT
# The ethernet interface to watch for attacks
INTERFACE=eth0
# The port number to watch for attacks
PORT=80
# The protocol (tcp or udp, lowercase)
PROTO=tcp
# A source that makes HITS new connections within TIME seconds will be blocked.
# HITS may not exceed the recent module's ip_pkt_list_tot (default 20);
# iptables rejects such a rule.
HITS=8
TIME=60
# Tag used to find this script's rules again; one set of rules per protocol/port,
# so the script can be run once for each port to protect
TAG=STA-DoS-$PROTO-$PORT
# Log blocked packets to a file: route kernel warnings (LOG level 4) to it.
# On rsyslog systems edit /etc/rsyslog.conf and restart rsyslog instead.
touch /var/log/iptables.log
if ! grep -q /var/log/iptables.log /etc/syslog.conf; then
  printf 'kern.warning\t/var/log/iptables.log\n' >> /etc/syslog.conf
  /etc/init.d/syslog restart
fi
# Undo any rules this script previously added for this protocol/port.
# Delete by rule number, highest first, so other rules in the chain are untouched.
for N in $(/sbin/iptables -L $CHAIN -n --line-numbers | grep "$TAG" | awk '{print $1}' | sort -rn); do
  /sbin/iptables -D $CHAIN $N
done
# Match shared by all three rules; each rule carries the tag as a comment
MATCH="--proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW"
COMMENT="--match comment --comment $TAG"
# Tracking rule: record a timestamp for every new connection, per source address
/sbin/iptables --insert $CHAIN $MATCH --match recent --set $COMMENT
# Blocking rule (inserted above the tracking rule): once a source has HITS
# timestamps within the last TIME seconds, drop the connection and keep counting it
/sbin/iptables --insert $CHAIN $MATCH --match recent --update --seconds $TIME --hitcount $HITS $COMMENT --jump DROP
# Logging rule (inserted above the blocking rule): log what the blocking rule will
# drop, rate-limited so the log cannot itself be flooded; --rcheck adds no timestamp
/sbin/iptables --insert $CHAIN $MATCH --match recent --rcheck --seconds $TIME --hitcount $HITS --match limit --limit 5/minute $COMMENT --jump LOG --log-level 4 --log-prefix "$TAG: "
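As an added illustration that is not part of the Oracle documentation or the STA product, the following Python model reproduces the matching logic of the iptables recent module (--set, and --update/--rcheck with --seconds and --hitcount) for the rule order that Example A-1 installs, so you can see which connection from a source is the first to be dropped, and when the source is let through again, before putting a HITS/TIME pair into production. The addresses and timestamps are constructed sample data: a monitored library sending one trap every 15 seconds is left alone, while a host bursting new connections every few seconds is dropped from its ninth connection onward and accepted again only after it has gone quiet.

```python
"""Model of the iptables 'recent' match as the Example A-1 rules use it.

Added example, not part of the Oracle STA documentation or the STA product.
It mirrors the matching logic of the xt_recent kernel module (--set, and
--update / --rcheck with --seconds and --hitcount) for one source address
list, so the effect of a HITS/TIME pair can be checked offline.
All addresses and timestamps below are constructed sample data.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20    # xt_recent default: timestamps remembered per address
ATTACKER = "10.0.0.99"  # constructed: host bursting new connections
LIBRARY = "10.0.0.5"    # constructed: monitored library sending traps normally


class RecentTable:
    """One recent list (the DEFAULT list used when --name is not given)."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        # per source address, the newest pkt_list_tot timestamps (a ring buffer)
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: create the entry if needed and always record a timestamp."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds, hitcount, update):
        """--rcheck (update=False) or --update (update=True) with --seconds
        and --hitcount: match if the source is already listed and at least
        hitcount of its timestamps fall within the last `seconds` seconds.
        With --update a match also records the current time, which is what
        keeps a host blocked while it keeps retrying at the same rate."""
        if src not in self.stamps:
            return False
        window_start = now - seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits < hitcount:
            return False
        if update:
            self.stamps[src].append(now)
        return True


def filter_connections(events, hits, time, table=None):
    """Run (timestamp, source) NEW connections through the chain as Example A-1
    builds it: the DROP rule (--update) sits above the tracking rule (--set),
    so it is evaluated first. Returns a list of (timestamp, source, verdict);
    'PASS' means the packet fell through to the rest of the chain."""
    if hits > IP_PKT_LIST_TOT:
        # iptables refuses such a rule: more hits than the module remembers
        raise ValueError("hitcount %d exceeds ip_pkt_list_tot (%d)" % (hits, IP_PKT_LIST_TOT))
    table = table if table is not None else RecentTable()
    verdicts = []
    for now, src in sorted(events):
        if table.check(src, now, time, hits, update=True):
            verdicts.append((now, src, "DROP"))
        else:
            table.set(src, now)
            verdicts.append((now, src, "PASS"))
    return verdicts


def sample_events():
    """Constructed traffic: the library sends a trap every 15 s for two minutes;
    the attacker connects every 2 s for 16 s, then every 4 s until t=60 s,
    then stays silent until t=130 s."""
    events = [(t, LIBRARY) for t in range(0, 121, 15)]
    events += [(t, ATTACKER) for t in range(0, 17, 2)]
    events += [(t, ATTACKER) for t in range(20, 61, 4)]
    events.append((130, ATTACKER))
    return events


def verdicts_for(verdicts, src):
    """Verdicts for one source, in time order."""
    return [v for _, s, v in verdicts if s == src]


def first_drop(verdicts, src):
    """Timestamp of the first dropped connection from src, or None."""
    return next((t for t, s, v in verdicts if s == src and v == "DROP"), None)


if __name__ == "__main__":
    for t, src, v in filter_connections(sample_events(), hits=8, time=60):
        print("t=%3ds  %-10s %s" % (t, src, v))
```

With HITS=8 and TIME=60 the attacker's first eight connections pass, the ninth (at 16 s) and everything it sends until 60 s is dropped, and its connection at 130 s passes again because no timestamps remain inside the 60-second window. On the live system the corresponding state is visible in /proc/net/xt_recent/DEFAULT (on older kernels /proc/net/ipt_recent/DEFAULT), and writing -ADDRESS to that file removes an address from the list without touching the rules.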