Open Letter to FurNation Regarding Security Posted by: DarkXander at 10-12-2015 10:23 AM, Last Modified 10-12-2015 13:15 PM
This open letter is to discuss a security flaw that exists and assist in the resolution of it.
This letter is not intended to be any form of aggression, and is merely intended to help a site in need.
DDoS is a big issue for websites, and there are few defenses against it that are 100% effective. However, I will detail some facts, as well as some methods that may help.
First off, from all outside appearances, the FurNation server appears to be running on a Windows machine running Microsoft's IIS web application server, now behind CloudFlare.
This was first deduced using the Wappalyzer Chrome extension prior to the addition of CloudFlare at FurNation.
From my perspective there are two ways to solve the DDoS problems FurNation faces, and I will detail them below after discussing the important points, which are:
1. FurNation has been under attack for some time, so unless the server's real IP has been changed since the addition of CloudFlare, CloudFlare fails to fully protect the server from SYN floods and other popular DDoS methods. I would speculate that it's the same attacker, or perhaps the same group of them, and as such they probably have the real IP saved.
2. Anything hosted on the same server, including mail or other programs or sites, must go through CloudFlare, OR it literally exposes the server's real IP to attack. A common low- to mid-skill attacker could assume you host your mail on the same server, or at least send the notifications from it, and use either the mail DNS records or the source IP on a notification email they received to find the server's real IP and attack it.
3. If the attack is a massive bandwidth-type flood and it's going after the server's real IP, you're screwed no matter what firewall you have. PROTECT AND HIDE YOUR REAL IPs AT ALL COSTS.
4. Most web server platforms in their stock or mostly stock configuration easily fall victim to SYN flood DoS attacks, which can be done successfully from a good dialup connection or a mobile 3G cell phone connection. This attack was witnessed being used against FurNation by unknown assailants. On the last serious attack, just before CloudFlare was installed on FurNation, the site became super slow and pages failed to load two thirds of the time, yet when a ping was run against the site the time was only 50ms, indicating there was no bandwidth flood happening. This would then indicate it wasn't the connection that was stuck, it was the server's IIS service. The most common way to hang up IIS without using a mass-bandwidth flood style DoS is a SYN flood.
A SYN flood literally just runs the server out of available connections. Every server has a maximum number of connections it can process at a time. A SYN flood grabs those connection slots and hangs onto them, holding them open and half-finished (still "in progress") much, much longer than normal while constantly opening new ones as well, until there are none left, and suddenly everyone gets "this page cannot be displayed" when they try to open the site, because the server essentially says: I have no connection slots left, sorry. Even while this is happening the CPU usage could be 10%; the RAM usage would tend to spike up a bit, though. And the system op would be left scratching his head as to what was happening.
IIS does not have a permanent or good fix for this scenario. The best way to prevent it is to put a hardware firewall in front of the server and configure it to forward ports 80 and 443 to the server, BUT have it limit the open sessions per external IP address to 4-8, AND, if capable, EXEMPT the CloudFlare IPs from this limitation. A good firewall that can do this is pfSense, which can also be run as a virtual appliance on VMware or Hyper-V, or on its own box separate from the server.
For Microsoft's own information on this, which unfortunately isn't much help, read this article:
http://forums.iis.net/t/1217914.aspx?Tsunami SYN Flood attack
Even if you harden IIS against these attacks, the Windows kernel is still a weakness, since it still handles the sockets, so the attacks will still cause higher load than normal and have an effect, though somewhat lessened.
If a hardware firewall is not possible at your datacenter, I am familiar with a good hosting company where you could set up a much better hosting scenario.
DataShack. FurrTrax does not make use of them because we have our own mainframe, BUT if we didn't have that, it's probably where we would be. AND the game development project I am a partner of does use them for all of their hosting needs, for a roster of almost a million players.
Rent a VMware ESXi 5.5 box: $60 gets a quad-core Intel i7, 16GB of RAM, and either 1TB of rotational disk space or a 120GB SSD, or both for slightly more cost. Then install the pfSense firewall as a VM and force all internet traffic to route through that pfSense appliance, which isn't hard. Now you have full control of your network, and of what traffic is even able to hit the web server. Install your dorky Windows in a VM if you must, but now it's behind a very powerful firewall, and safe as long as it's properly configured. A better option would be to host it on Linux using Apache, but to each their own. IF you got the SSD as an add-on, you could install your SQL on it for very fast page response times. FurrTrax is 100% SSD!
Either way, once it's all set up, configure the firewall so that ports 80 and 443 only allow traffic from CloudFlare's IP ranges and all other traffic is DROPped. This forces all traffic to use CloudFlare and prevents someone from SYN flooding the REAL IP even if they are able to discover it, because the firewall does not allow them to even reach it. I have deployed this same rough setup multiple times for various projects, and it works very well.
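To make the two firewall rules above concrete (the per-external-IP session cap with CloudFlare exempted, and the stricter "ports 80/443 only from CloudFlare ranges, everything else DROP"), and to show what the SYN flood described earlier looks like in the server's own connection table, here is a small Python model. It is an added example, not code from the letter, FurNation or pfSense: the CDN ranges are constructed placeholders standing in for CloudFlare's published list, the `netstat -an` rows are constructed sample data, and the function names (`firewall_decision`, `half_open_by_source`, `flood_suspects`) are this example's own.

```python
import ipaddress
from collections import Counter

# Assumption: these two CIDRs are constructed stand-ins for CloudFlare's published
# IP ranges (RFC 5737 documentation blocks), not CloudFlare's real list.
CDN_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]
WEB_PORTS = {80, 443}
PER_IP_SESSION_LIMIT = 8   # upper end of the 4-8 open sessions per external IP


def is_cdn(ip: str) -> bool:
    """True when the source address falls inside one of the CDN stand-in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def firewall_decision(src_ip: str, dst_port: int, open_sessions: int,
                      cdn_only: bool = True) -> str:
    """Edge-firewall policy for a new inbound connection: returns 'pass' or 'drop'.

    cdn_only=True  : 80/443 accept only CDN sources; everything else is dropped,
                     so the real IP cannot be flooded even if someone finds it.
    cdn_only=False : the per-IP session cap; CDN sources are exempt, any other
                     source is dropped once it already holds PER_IP_SESSION_LIMIT.
    """
    if dst_port not in WEB_PORTS:
        return "drop"                      # only web ports are forwarded at all
    if is_cdn(src_ip):
        return "pass"                      # CDN edge is exempt from the cap
    if cdn_only:
        return "drop"
    return "pass" if open_sessions < PER_IP_SESSION_LIMIT else "drop"


def parse_netstat(lines):
    """Yield (local, remote, state) for TCP rows in Windows 'netstat -an' layout."""
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            _, local, remote, state = parts
            yield local, remote, state


def half_open_by_source(lines) -> Counter:
    """Count SYN_RECEIVED (half-open) connections per remote IP.

    A SYN flood shows up as many half-open slots held by a few sources while
    CPU stays low, which matches the symptoms described in the letter.
    """
    counts = Counter()
    for _local, remote, state in parse_netstat(lines):
        if state == "SYN_RECEIVED":
            ip = remote.rsplit(":", 1)[0].strip("[]")   # also handles [v6]:port
            counts[ip] += 1
    return counts


def flood_suspects(lines, limit: int = PER_IP_SESSION_LIMIT) -> list:
    """Non-CDN sources holding at least `limit` half-open connections."""
    return sorted(ip for ip, n in half_open_by_source(lines).items()
                  if n >= limit and not is_cdn(ip))


# Constructed sample of 'netstat -an' output: one flooding source (192.0.2.66),
# a healthy CDN source, one stray half-open from a CDN address, and noise rows.
SAMPLE_NETSTAT = (
    ["  TCP    10.0.0.5:80     192.0.2.66:%d     SYN_RECEIVED" % (40000 + i) for i in range(9)]
    + ["  TCP    10.0.0.5:443    198.51.100.7:%d   ESTABLISHED" % (51000 + i) for i in range(5)]
    + ["  TCP    10.0.0.5:80     203.0.113.9:52001    SYN_RECEIVED",
       "  TCP    0.0.0.0:80      0.0.0.0:0            LISTENING",
       "  UDP    10.0.0.5:53     *:*"]
)

if __name__ == "__main__":
    print("half-open per source:", dict(half_open_by_source(SAMPLE_NETSTAT)))
    print("flood suspects:", flood_suspects(SAMPLE_NETSTAT))
    for src, port in [("192.0.2.66", 80), ("198.51.100.7", 443), ("198.51.100.7", 25)]:
        print(src, port, "->", firewall_decision(src, port, open_sessions=0))
```

The point of the model is the ordering of the checks: the CDN exemption is tested before the per-IP cap, so legitimate traffic arriving through CloudFlare's shared edge addresses is never throttled, while a single non-CDN source that already holds its 8 slots is refused further ones. On the monitoring side, counting SYN_RECEIVED rows per remote IP is exactly what distinguishes the "slow site, 50ms ping, 10% CPU" symptom from a bandwidth flood.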
This is a low-budget, somewhat simple way to beef up the security over what you currently have while keeping it easy to manage.
My experience comes from being a network engineer for 9 years now, with 15 years of Linux experience, 11 years of Windows Server experience,
7 years of datacenter operations experience, 7 years of VMware ESX/ESXi/Server/vCenter experience,
and having worked with:
11 law enforcement agencies
81 private sector corporations
and holding 15 certifications.
Good luck. And if you have questions, feel free to contact me. Despite the rough patch between us I am willing to help, always was; things just got out of control....
Phone: 1-844-IM-FURRY (Ext: 700)......