RE: DDOS Attack simulator - Some Results

2017-03-25 Thread Randy Engle via 4D_Tech
Tim,

Very helpful.
Many thanks!

Randy Engle
XC2 Software LLC

-Original Message-
From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Timothy Penner 
via 4D_Tech
Sent: Friday, March 24, 2017 7:46 PM
To: 4D iNug Technical <4d_tech@lists.4d.com>
Cc: Timothy Penner <tpen...@4d.com>
Subject: Re: DDOS Attack simulator - Some Results

I think for something like LOIC (or any DDOS) you will need to implement some 
sort of firewall protection. It is very likely the actual request being sent to 
the web server is malformed, which could explain why you are getting 5xx errors 
in the weblog.


From what I see online the best way to mitigate a Low Orbit Ion Cannon DDOS 
attack is with a firewall that is programmed to detect it:

See more here: 
https://www.trustwave.com/Resources/SpiderLabs-Blog/LOIC-DDoS-Analysis-and-Detection/

-Tim


**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**


Re: DDOS Attack simulator - Some Results

2017-03-24 Thread Timothy Penner via 4D_Tech
I think for something like LOIC (or any DDOS) you will need to implement some 
sort of firewall protection. It is very likely the actual request being sent to 
the web server is malformed, which could explain why you are getting 5xx errors 
in the weblog.


From what I see online the best way to mitigate a Low Orbit Ion Cannon DDOS 
attack is with a firewall that is programmed to detect it:

See more here: 
https://www.trustwave.com/Resources/SpiderLabs-Blog/LOIC-DDoS-Analysis-and-Detection/

-Tim



RE: DDOS Attack simulator - Some Results

2017-03-24 Thread Randy Engle via 4D_Tech
Got some "movement" on this, though not a complete solution.

Using a DDOS Simulator (LOIC)
Using 4D v15.4  (Windows)

4D Server crashed, actually the entire machine froze completely after 8-10 
minutes
While it was running, 4D was running at about 90%+ of memory, until kaboom.
Needed to physically turn off machine
No mouse, no keyboard, nada.   Ooooh  very bad!

Changed to 15r5
4D ran at about 50%
Didn't crash after 20 minutes (about 1,000,000 hits)
Quickly went back to normal in a few seconds after stopping flooding.

But I'd like to keep this from happening at all.
Yes, we could put a proxy/firewall in the way.

But I need to make the Cybersecurity guys feel all warm and fuzzy about our 
product.

Any ideas what could be done in 4D alone?

Steve O's idea of stopping the web server was good, except that I'm not seeing 
these attacks go through ON WEB CONNECTION, so there's nothing to trap for.
4D does put them in the logweb.txt file though.

I appreciate all of your previous and future input.

Randy Engle
XC2 Software LLC
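
The message above notes that the flood never reaches ON WEB CONNECTION but is recorded in logweb.txt. As an added example (not code from the thread or from 4D), this Python script scans a web log for clients whose request rate inside a short window crosses a threshold and counts their 5xx responses. It assumes the log is written in Common Log Format; the sample lines, addresses, window and threshold are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed layout (Common Log Format): host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def parse_line(line):
    """Return (client, timestamp, status), or None if the line is not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts, int(m.group(4))

def find_floods(lines, window_s=10, threshold=50):
    """Report clients whose hit count in any sliding window reaches threshold.
    Lines are expected in chronological order, as a server writes them."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = defaultdict(int)       # client -> highest count seen in one window
    errors = defaultdict(int)     # client -> number of 5xx responses
    window = timedelta(seconds=window_s)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip malformed or foreign lines
        client, ts, status = rec
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        peak[client] = max(peak[client], len(q))
        if 500 <= status <= 599:
            errors[client] += 1
    return {c: {"peak": p, "errors_5xx": errors[c]}
            for c, p in peak.items() if p >= threshold}

def sample_log():
    """Constructed sample: one flooding client, one normal client, one bad line."""
    base = datetime(2017, 3, 24, 10, 0, 0, tzinfo=timezone.utc)
    out = []
    for i in range(120):          # 120 hits in about 6 seconds
        ts = base + timedelta(milliseconds=50 * i)
        status = 500 if i % 4 == 0 else 200
        out.append(f'192.0.2.10 - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" {status} 0')
    for i in range(5):            # 5 hits, one per minute
        ts = base + timedelta(minutes=i)
        out.append(f'198.51.100.7 - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET /app HTTP/1.1" 200 512')
    out.append("not a log line")
    return out

if __name__ == "__main__":
    for client, stats in find_floods(sample_log()).items():
        print(client, stats)
```

The same counting can drive a firewall or proxy block list; the log only shows a flood after the web server has already accepted the connections.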




RE: DDOS Attack simulator

2017-03-24 Thread Timothy Penner via 4D_Tech
> I had a problem that needed a resolution (4D Server crashing) and I could 
> care less if anyone thinks it inappropriate, it fixed my problem and was not 
> meant to be a permanent fix.
> Judge all you want...

Steve,

No judgement here - but this "resolution" was really just a patch you put in 
v13. I believe you also found that the issue was no longer reproducible in 
v15R5 without any "patch" so the true "solution" was (or should be) upgrading 
the version of 4D, right?

I just want to make sure this is clear to anyone else reading along - you 
needed to patch v13 by turning off the web server, but in v15R5 it just worked 
without any patch...

-Tim







RE: DDOS Attack simulator

2017-03-24 Thread Stephen J. Orth via 4D_Tech
Lee,

Whatever...

I had a problem that needed a resolution (4D Server crashing) and I could care 
less if anyone thinks it inappropriate, it fixed my problem and was not meant 
to be a permanent fix.

Judge all you want...


Steve


-Original Message-
From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Lee Hinde via 
4D_Tech
Sent: Friday, March 24, 2017 5:36 PM
To: 4D iNug Tech <4d_tech@lists.4d.com>
Cc: Lee Hinde <leehi...@gmail.com>
Subject: Re: DDOS Attack simulator

Totally appropriate, IMHO. The problem is the test. When the problem is the 
problem, look at that. I’m guessing for 98% of websites powered by 4D, a DDOS 
is highly unlikely.


Re: DDOS Attack simulator

2017-03-24 Thread Lee Hinde via 4D_Tech
Totally appropriate, IMHO. The problem is the test. When the problem is the 
problem, look at that. I’m guessing for 98% of websites powered by 4D, a DDOS 
is highly unlikely.


> On Mar 24, 2017, at 3:17 PM, Kirk Brooks via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> Hi Steve,
> Isn't that just patching for the test instead of the problem the test is
> trying to identify? Or am I missing something - which is entirely possible?
> 
> On Fri, Mar 24, 2017 at 9:31 AM, Stephen J. Orth via 4D_Tech <
> 4d_tech@lists.4d.com> wrote:
> 
>> To get around this, we did a rather simple "trick"
>> 
>> Since we know the format of every web request coming into our system, I
>> simply created a new method called "Utility_Web_Intrusion_Shutdown" which
>> looks like this:
>> 
>> $minutes:=5*3600
>> WEB STOP SERVER
>> DELAY PROCESS(Current process;$minutes)
>> WEB START SERVER
>> 
> 
> -- 
> Kirk Brooks
> San Francisco, CA
> ===


Re: DDOS Attack simulator

2017-03-24 Thread Kirk Brooks via 4D_Tech
Hi Steve,
Isn't that just patching for the test instead of the problem the test is
trying to identify? Or am I missing something - which is entirely possible?

On Fri, Mar 24, 2017 at 9:31 AM, Stephen J. Orth via 4D_Tech <
4d_tech@lists.4d.com> wrote:

> To get around this, we did a rather simple "trick"
>
> Since we know the format of every web request coming into our system, I
> simply created a new method called "Utility_Web_Intrusion_Shutdown" which
> looks like this:
>
>  $minutes:=5*3600
>  WEB STOP SERVER
>  DELAY PROCESS(Current process;$minutes)
>  WEB START SERVER
>

-- 
Kirk Brooks
San Francisco, CA
===

RE: DDOS Attack simulator

2017-03-24 Thread Randy Engle via 4D_Tech
Neil,

I can probably operate on the basis that my customer will want to test this 
without a firewall...

I just need to be prepared for everything.

;-O

Randy Engle
XC2 Software LLC


> Any and all information regarding the above will be accepted with much 
> gratitude!

I thought most firewall routers will stop a DDos attack before it hits your 4D 
server. Was this not the case for you or are you testing without a firewall?

Neil




RE: DDOS Attack simulator

2017-03-24 Thread Randy Engle via 4D_Tech
Tim,

Most appreciated!

Randy Engle
XC2 Software LLC


-Original Message-
From: Timothy Penner [mailto:tpen...@4d.com] 
Sent: Friday, March 24, 2017 11:03 AM
To: 4D iNug Technical <4d_tech@lists.4d.com>
Cc: Randy Engle <4d.l...@xc2.us>
Subject: RE: DDOS Attack simulator

> Anybody know a security scanning service that doesn't break the bank?

Nessus used to have a community edition that was able to be gotten and used 
for free in non-commercial environments... it looks like they renamed this 
option to "Nessus Home"
https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code

Here is a large list of vulnerability scanners online: 
http://sectools.org/tag/vuln-scanners/

-Tim


Timothy Penner
Technical Services Engineer

4D Inc
95 S. Market Street, Suite #240
CA 95113 San Jose
United States

Telephone : +1-408-557-4600
Standard :  +1-408-557-4600
Fax :   +1-408-271-5080
Email : tpen...@4d.com
Web :   www.4D.com




RE: DDOS Attack simulator

2017-03-24 Thread Timothy Penner via 4D_Tech
> Anybody know a security scanning service that doesn't break the bank?

Nessus used to have a community edition that was able to be gotten and used 
for free in non-commercial environments... it looks like they renamed this 
option to "Nessus Home"
https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code

Here is a large list of vulnerability scanners online: 
http://sectools.org/tag/vuln-scanners/

-Tim




RE: DDOS Attack simulator

2017-03-24 Thread Randy Engle via 4D_Tech
So... back to my original question:

Anybody know a security scanning service that doesn't break the bank?

Or a tried and true simulator that I can use to test.

I've been using "LOIC"  (Low Orbit Ion Cannon)
However, my app seems to handle this no problem.
Been running from 2 different systems for an hour.
Logweb.txt file is growing... status of all calls are "200"

I need to know how to "break" it, so I can prevent it.

Any more input on this?

Thanks

Randy Engle
XC2 Software LLC





RE: DDOS Attack simulator

2017-03-24 Thread Timothy Penner via 4D_Tech
Hi Randy,

One of the things that the "security scan" is probably finding is that HTTP 
TRACE is enabled.

Starting with v16 this has been disabled by default and there is now an option 
to enable it.
http://livedoc.4d.com/4Dv16/help/Title/en/page8822.html#3101893

I suggest testing with v16 because there have been some improvements in that 
version... at the very least you will no longer be flagged for having HTTP 
TRACE enabled.

-Tim
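
The HTTP TRACE finding mentioned above can be confirmed before and after an upgrade or configuration change. This is an added example, not code from the thread or from 4D: `trace_enabled` sends a single TRACE request and reports whether the server reflects it; the two loopback handlers, the header name and the marker value are constructed so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def trace_enabled(host, port, timeout=5):
    """Send one TRACE request; True if the server echoes the request back."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": "marker-1234"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        # A TRACE-enabled server answers 200 and reflects our header in the body.
        return resp.status == 200 and "marker-1234" in body
    finally:
        conn.close()

class Quiet(BaseHTTPRequestHandler):
    """Constructed test server: no do_TRACE, so TRACE is answered with 501."""
    def log_message(self, *args):
        pass                      # keep the demo output clean

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

class Echoing(Quiet):
    """Constructed test server that reflects TRACE requests."""
    def do_TRACE(self):
        echo = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

def check_local(handler):
    """Start a loopback server with the given handler and probe it once."""
    server = HTTPServer(("127.0.0.1", 0), handler)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace_enabled("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("echoing server flagged:", check_local(Echoing))
    print("quiet server flagged:  ", check_local(Quiet))
```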




RE: DDOS Attack simulator

2017-03-24 Thread Randy Engle via 4D_Tech
Hi Tim,

RE: "Didn’t v15R5 also cure the crashing during those scans?"

Thanks for chiming in.

I'm not finding any reference to crashing during scans in the v15R5 release 
notes/bug fixes.

Did I miss something?

Randy Engle
XC2 Software LLC




RE: DDOS Attack simulator

2017-03-24 Thread Stephen J. Orth via 4D_Tech
Neil,

They will, unless it comes from internally, which was our case.

The Corporate IT team was running software to continually test all their 
servers, even though we explained our web server is behind the firewall and 
there was no pin-hole to the outside.  We argued any attack to our system would 
have to come from inside the company, they simply did not care.

Best,

Steve

*
  Stephen J. Orth
  The Aquila Group, Inc. Office:  (608) 834-9213
  P.O. Box 690   Mobile:  (608) 347-6447
  Sun Prairie, WI 53590

  E-Mail:  s.o...@the-aquila-group.com
*


-Original Message-
From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Dennis, Neil 
via 4D_Tech
Sent: Friday, March 24, 2017 11:48 AM
To: '4D iNug Technical' <4d_tech@lists.4d.com>
Cc: Dennis, Neil <neil.den...@umb.com>
Subject: RE: DDOS Attack simulator

> Any and all information regarding the above will be accepted with much 
> gratitude!

I thought most firewall routers will stop a DDos attack before it hits your 4D 
server. Was this not the case for you or are you testing without a firewall?

Neil





--

Privacy Disclaimer: This message contains confidential information and is 
intended only for the named addressee. If you are not the named addressee you 
should not disseminate, distribute or copy this email. Please delete this email 
from your system and notify the sender immediately by replying to this email.  
If you are not the intended recipient you are notified that disclosing, 
copying, distributing or taking any action in reliance on the contents of this 
information is strictly prohibited.

The Alternative Investments division of UMB Fund Services provides a full range 
of services to hedge funds, funds of funds and private equity funds.  Any tax 
advice in this communication is not intended to be used, and cannot be used, by 
a client or any other person or entity for the purpose of (a) avoiding 
penalties that may be imposed on any taxpayer or (b) promoting, marketing, or 
recommending to another party any matter addressed herein.

RE: DDOS Attack simulator

2017-03-24 Thread Dennis, Neil via 4D_Tech
> Any and all information regarding the above will be accepted with much 
> gratitude!

I thought most firewall routers will stop a DDos attack before it hits your 4D 
server. Was this not the case for you or are you testing without a firewall?

Neil






RE: DDOS Attack simulator

2017-03-24 Thread Stephen J. Orth via 4D_Tech
Tim,

Yes, this is why I stated it was 4D V13.

I was just trying to explain to Randy a Q way we resolved this problem, while 
we took the time to get our V15 release in production release state.


Steve

*
  Stephen J. Orth
  The Aquila Group, Inc. Office:  (608) 834-9213
  P.O. Box 690   Mobile:  (608) 347-6447
  Sun Prairie, WI 53590

  E-Mail:  s.o...@the-aquila-group.com
*


-Original Message-
From: Timothy Penner [mailto:tpen...@4d.com] 
Sent: Friday, March 24, 2017 11:35 AM
To: s.o...@the-aquila-group.com; 4D iNug Technical <4d_tech@lists.4d.com>
Subject: RE: DDOS Attack simulator

Hi Steve,

Didn’t v15R5 also cure the crashing during those scans?

-Tim


Timothy Penner
Technical Services Engineer

4D Inc
95 S. Market Street, Suite #240
CA 95113 San Jose
United States

Telephone : +1-408-557-4600
Standard :  +1-408-557-4600
Fax :   +1-408-271-5080
Email : tpen...@4d.com
Web :   www.4D.com




RE: DDOS Attack simulator

2017-03-24 Thread Timothy Penner via 4D_Tech
Hi Steve,

Didn’t v15R5 also cure the crashing during those scans?

-Tim




RE: DDOS Attack simulator

2017-03-24 Thread Stephen J. Orth via 4D_Tech
Randy,

We have several customers who were using commercial scanning software to test 
web servers and one test was basically of DOS.  When this test was run, 4D 
Server (V13) would crash...not good.

To get around this, we did a rather simple "trick"

Since we know the format of every web request coming into our system, I simply 
created a new method called "Utility_Web_Intrusion_Shutdown" which looks like 
this:

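 // DELAY PROCESS counts in ticks (1/60 second): 5*3600 = 18000 ticks = 5 minutes
 $minutes:=5*3600
 // Stop accepting web requests
 WEB STOP SERVER
 // Pause this process for the delay computed above
 DELAY PROCESS(Current process;$minutes)
 // Resume serving web requests
 WEB START SERVER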

When an unknown request came in, we routed it to the method above.  This 
effectively killed their test and did not crash 4D Server.  In my example 
above, the web server was down for 5 minutes, no magic for that number.  
However, if the test was still running when the time limit was up, it would 
simply jump back into this routine.

Quick & Dirty, but it did work...


Steve

*
  Stephen J. Orth
  The Aquila Group, Inc. Office:  (608) 834-9213
  P.O. Box 690   Mobile:  (608) 347-6447
  Sun Prairie, WI 53590

  E-Mail:  s.o...@the-aquila-group.com
*
-Original Message-
From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Randy Engle 
via 4D_Tech
Sent: Friday, March 24, 2017 11:19 AM
To: '4D iNug Technical' <4d_tech@lists.4d.com>
Cc: Randy Engle <4d.l...@xc2.us>
Subject: DDOS Attack simulator

A customer has "requested" us to do our own security scan of our web 
application.  (Using 4D Web Server v15.4/Windows... currently)

I'm a raw newbie at this stuff, so please be gentle.   ;-)
