DoS Protection via APF, BFD, DDOS and RootKit

by :

Being a web host, your servers are constantly being attacked by hackers by
denial-of-service (DoS) and other brute
force attacks. There is no foolproof
method to stop 100% of all attacks, but there are ways to protect your servers
by applying firewall rules, and detecting and banning attacking IPs.

This article makes use of the
, BFD,
DDoS Deflate and
RootKit to
detect and protect your server from denial-of-service type attacks. To apply
those utilities, please follow the instructions below:

To begin installation, login to your server as a root user.

% ssh -l root [hostname]
root@[hostname]'s password: [password]
Last login: [Date] from [hostname]

APF — Advanced Policy-based Firewall

Get the latest source from the rfxnetworks, and install the software.

# cd /usr/src
# mkdir utils
# cd utils
# wget
# tar xfz apf-current.tar.gz
# cd apf-*
# ./

Read the README.apf and README.antidos for configuration options. Edit the
/etc/apf/conf.apf and modify the following lines to your need.


By default, APF is setup to run in development mode which flushes firewall
rules every 5 minutes. Running in development mode defeats the purpose of
running APF, as it will automatically flush every 5 minutes. Configure
the Ingress (inbound) TCP and UDP ports that need to be opened. Finally,
enable AntiDos by setting USE_AD="1".

Edit the /etc/apf/ad/conf.antidos as you fit necessary, and start the APF

# apf --start

BFD — Brute Force Detection

BFD is a shell script which parses security logs and detects
authentication failures. It is a brute force implementation without
much complexity, and it works in conjunction with a APF (Advanced
Policy-based Firewall).

## Get the latest source and untar.
# cd /usr/src/utils
# wget
# tar xfz bfd-current.tar.gz
# cd bfd-*
# ./

Read the README file, and edit the configuration file located in /usr/local/bfd/conf.bfd.
Find ALERT="0" and replace it with ALERT="1"
Find EMAIL_USR="root" and replace it with EMAIL_USR=""

Edit /usr/local/bfd/ignore.hosts file, and add your own trusted IPs.
BFD uses APF and hence it orverrides allow_hosts.rules, so it is
important that you add trusted IP addresses to prevent yourself from being locked out.

## Start the program.
# /usr/local/sbin/bfd -s

DDoS Deflate

## Get the latest source 
# cd /usr/src/utils
# mkdir ddos
# cd ddos
# wget
# sh

Edit the configuration file, /usr/local/ddos/ddos.conf, and start the ddos.

# /usr/local/ddos/ -c

RootKit — Spyware and Junkware detection and removal tool

Go to Rootkit Hunter homepage, and download the latest release.

## Get the latest source and untar
# cd /usr/src/utils
# wget<version>.tar.gz
# tar xfz rkhunter-*.gz
# cd rkhunter
# ./
## run rkhunter
# rkhunter -c

Setup automatic protection on System Reboot

## Edit /etc/rc.d/rc.local 
## (or similar file depending on Linux version)
## Add the following lines at the bottom of the file

/usr/local/sbin/apf --start
/usr/local/ddos/ -c


The SYN Floods and ICMP DDoS may also be prevented by utilizing the Linux
traffic control utility (tc). To view
setup instructions, please see relevant sections of
Linux Advanced Routing & Traffic Control

Notes from the users:

Some of the users experienced following errors while starting APF.

bash# apf --start

Unable to load iptables module (ip_tables), aborting.

According to Burst and Ryan of, changing the SET_MONOKERN
variable in /etc/apf/conf.apf to "1" will correct the problem.



Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  เปลี่ยนแปลง )

Google+ photo

You are commenting using your Google+ account. Log Out /  เปลี่ยนแปลง )

Twitter picture

You are commenting using your Twitter account. Log Out /  เปลี่ยนแปลง )

Facebook photo

You are commenting using your Facebook account. Log Out /  เปลี่ยนแปลง )


Connecting to %s