Project 5x: Protecting Apache with iptables (15 pts.)

Requirements

You will need two machines--they can be physical or virtual, but they must be on the same LAN:

Viewing the Apache Server Status

In the Linux machine, open Firefox. Enter this address: http://localhost/server-status

You should see only one letter in the grid, indicating that only one client is being served at the moment, as shown below on this page.

Attacking Apache

On the Windows attacker, run the OWASP HTTP Attack tool as you did in previous projects. Attack the IP address of your Linux Apache server. Start with these parameters, which are sufficient to bring Apache to a total stop:

Click the "Run attack" button. You should see the "HTTP Attack information" box, as shown below on this page.

Viewing the Apache Server Status

In the Linux machine, in Firefox, click the Refresh button. If the page does not load, you may have to stop the attack briefly to get the session started, and then restart the attack, and then refresh the Firefox page.

You should see the grid full of letters, indicating that all possible connections are in use, as shown below on this page. If you see only a few letters, see the "Troubleshooting" section below on this page.

Saving the Screen Image

Make sure you can see the grid filled with letters, as shown in the image above on this page.

Save a screen image with the filename Proj 5xa from Your Name.

Troubleshooting: Disabling mod_security

If modsecurity is still protecting your Apache server from an earlier project, you will need to disable it with these steps:

In the Linux machine, in the Terminal window, execute these commands:

cd /etc/apache2/modsecurity-rules

sudo nano modsecurity_crs_10_config.conf

Move the cursor to the end of this file. Add a # character to the start of the last line, as shown below on this page:

Save the file with Ctrl+X, Y, Enter.

Now, to restart Apache, in the Terminal window, enter this command:

sudo /etc/init.d/apache2 restart

Stopping the Attack

In the Windows machine, in the "HTTP Attack information" box, click the "Cancel attack" button.

Enabling Layer 7 DoS Protection with iptables

Tony Tia pointed out to me that you can protect a server from these layer 7 attacks with iptables, the usual Linux firewall.

In the Linux machine, in the Terminal window, execute these commands:

sudo iptables -A INPUT -p tcp --syn --dport 80 -m state --state NEW -m recent --set

sudo iptables -A INPUT -p tcp --syn --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --rttl -j DROP

These rules drop new connections to port 80 from any host that makes more than 9 new connections within one minute.
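To make the counting behind those two rules visible, here is a small Python model of the recent-match sliding window (an added illustration with constructed traffic, not part of the project and not the kernel's code); it assumes the default 60-second/10-hit values above and does not model --rttl, which additionally requires the packet's TTL to match.

```python
# Model of the xt_recent sliding window that the two iptables rules rely on:
# rule 1 (-m recent --set) records every new SYN to port 80, and rule 2
# (--update --seconds 60 --hitcount 10 -j DROP) drops a SYN once its source
# has 10 hits inside the last 60 seconds. Constructed example; --rttl is
# not modeled.
from collections import defaultdict, deque

SECONDS = 60   # --seconds 60
HITCOUNT = 10  # --hitcount 10


class RecentTable:
    """Per-source SYN timestamps, like an entry in /proc/net/xt_recent/."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)

    def new_syn(self, src, now):
        """Verdict for one new TCP SYN to port 80 from src at time now."""
        stamps = self.hits[src]
        stamps.append(now)              # rule 1: --set records every SYN, even ones dropped below
        while stamps and now - stamps[0] > self.seconds:
            stamps.popleft()            # only hits within the last 60 s count
        # rule 2: --hitcount 10 matches once this SYN is the 10th in the window
        return "DROP" if len(stamps) >= self.hitcount else "ACCEPT"


def simulate(events):
    """events: iterable of (time_s, src_ip); returns verdicts in time order."""
    table = RecentTable()
    return [table.new_syn(src, t) for t, src in sorted(events)]


def demo():
    """Constructed traffic: a flood, a normal browser, and the flood's later retries."""
    flood = [(t, "10.0.0.99") for t in range(15)]            # 15 SYNs in 15 s
    browser = [(5, "10.0.0.5"), (20, "10.0.0.5"), (40, "10.0.0.5")]
    retry_soon = [(30, "10.0.0.99")]                         # still inside the window
    retry_late = [(120 + t, "10.0.0.99") for t in range(3)]  # after > 60 s of silence
    events = flood + browser + retry_soon + retry_late
    by_src = defaultdict(list)
    for (t, src), verdict in zip(sorted(events), simulate(events)):
        by_src[src].append((t, verdict))
    return dict(by_src)


if __name__ == "__main__":
    for src, rows in demo().items():
        print(src, " ".join(f"{t}:{v[0]}" for t, v in rows))
```

The flood gets nine connections through and is then dropped; because rule 1 still records the dropped attempts, the retry at 30 s stays blocked, and only after a full quiet minute do its SYNs pass again, while the browser's three page loads are never touched.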

Attacking Apache Again

On the Windows attacker, in the OWASP HTTP Attack tool, click the "Run attack" button. You should see the "HTTP Attack information" box, as shown below on this page.

Viewing the Apache Server Status

In the Linux machine, in Firefox, click the Refresh button.

You should see only ten letters in the grid. Iptables is stopping the attack!

Saving the Screen Image

Make sure you can see the status grid with only ten letters, as shown in the image above on this page.

Save a screen image with the filename Proj 5xb from Your Name.

Stopping the Attack

In the Windows machine, in the "HTTP Attack information" box, click the "Cancel attack" button.

Turning in Your Project

Email the images to [email protected] with a Subject line of Proj 5x from Your Name.

Last modified: 6 pm 3-12-11