Defense

Attack Mitigation

Mitigation 01

Denial-of-Service attack

Implementing firewall rules to block malicious packets is the most effective solution. A common SYN flood pattern is that the Maximum Segment Size (MSS) is set abnormally high or not set at all, which can be used to filter the attack traffic.

Configuring firewall rules

iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP

iptables -t mangle -I PREROUTING: Inserts the rule at the top of the mangle table's PREROUTING chain, so incoming packets are checked before routing.
-p tcp -m tcp --dport 80: Targets TCP packets with destination port 80.
-m state --state NEW: Only matches packets that open a new connection.
-m tcpmss ! --mss 536:65535: Matches packets whose MSS is outside the normal range (a SYN that carries no MSS option at all also matches).
-j DROP: Drops matching packets without further processing.

Configuring system security settings

The sysctl.conf file was edited using sudo nano /etc/sysctl.conf:

sysctl.conf configuration for SYN cookies

net.ipv4.tcp_syncookies = 1 — Enables SYN cookies, keeping server resources free until the full handshake completes.

net.ipv4.tcp_synack_retries = 3 — Reduces SYN/ACK retries from the default of 5, allowing faster packet processing.
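To make the two mitigation steps above concrete, the following added example (not code from the original write-up) models in Python the decision the iptables rule makes for each incoming packet, and checks that a sysctl.conf fragment carries the two settings. The packets and the config text are constructed sample data; the example assumes the kernel's tcpmss match behaviour that a SYN without an MSS option evaluates to the inverted result, and simplifies conntrack's NEW state to "a bare SYN". Nothing here calls iptables or sysctl.

```python
# Added example, not code from the original write-up. It models the decision
# the iptables rule makes for each incoming packet and checks that a
# sysctl.conf fragment carries the two SYN-flood settings. All packets and
# config text below are constructed sample data.
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict

MSS_MIN, MSS_MAX = 536, 65535     # the --mss 536:65535 range from the rule
SYN, ACK = 0x02, 0x10             # TCP flag bits


@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    dport: int            # destination port
    flags: int            # TCP flag bits (0 for non-TCP)
    mss: Optional[int]    # value of the TCP MSS option, None if the option is absent


def tcpmss_match(mss: Optional[int], lo: int, hi: int, invert: bool) -> bool:
    """Mirrors the kernel's xt_tcpmss match: a packet with no MSS option
    evaluates to `invert`, so '! --mss lo:hi' matches SYNs without an MSS
    option as well as SYNs whose MSS lies outside lo..hi."""
    if mss is None:
        return invert
    return (lo <= mss <= hi) != invert


def is_new(pkt: Packet) -> bool:
    """Simplification of conntrack's NEW state: a bare SYN opens a connection."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK)


def rule_drops(pkt: Packet) -> bool:
    """-p tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP"""
    if pkt.proto != "tcp" or pkt.dport != 80:
        return False
    if not is_new(pkt):
        return False
    return tcpmss_match(pkt.mss, MSS_MIN, MSS_MAX, invert=True)


def filter_packets(pkts: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split a packet list into (kept, dropped) according to rule_drops()."""
    kept, dropped = [], []
    for p in pkts:
        (dropped if rule_drops(p) else kept).append(p)
    return kept, dropped


def check_sysctl(conf_text: str) -> Dict[str, bool]:
    """Parse sysctl.conf-style 'key = value' lines (comments allowed) and
    report whether SYN cookies are on and SYN/ACK retries are at most 3."""
    values = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = val
    retries = values.get("net.ipv4.tcp_synack_retries", "5")   # kernel default is 5
    return {
        "syncookies": values.get("net.ipv4.tcp_syncookies") == "1",
        "synack_retries": retries.isdigit() and int(retries) <= 3,
    }


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    Packet("tcp", 80, SYN, 1460),        # ordinary browser SYN: kept
    Packet("tcp", 80, SYN, None),        # flood SYN with no MSS option: dropped
    Packet("tcp", 80, SYN, 100),         # flood SYN with MSS below 536: dropped
    Packet("tcp", 80, SYN | ACK, None),  # not a NEW connection: kept
    Packet("tcp", 22, SYN, None),        # other port, rule does not apply: kept
    Packet("udp", 80, 0, None),          # not TCP: kept
]

# Constructed sample of the two lines added to /etc/sysctl.conf.
SAMPLE_SYSCTL = """
# SYN flood hardening
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
"""

if __name__ == "__main__":
    kept, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    print(check_sysctl(SAMPLE_SYSCTL))
```

Running the block with the constructed samples keeps four packets and drops two: the SYN with no MSS option and the SYN with an MSS of 100. Note that 65535 is the largest value the 16-bit MSS option can hold and lies inside the permitted range, so this rule only catches SYNs whose MSS is below 536 or missing.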

Packet capture during second SYN flood showing mitigation

After applying the rules and settings, a second SYN flood was launched. Fewer malicious packets were processed and the webserver was able to keep up with the requests without denying connections.

Video — website running during the SYN flood:

Mitigation 02

Hydra login cracker

Access Control Lists were configured on the defend router to restrict services to only trusted IP addresses, preventing future brute-force attacks.

ACL configuration

access-list 100 permit tcp 192.168.0.0 0.0.255.255 any eq ftp: Permits FTP from the 192.168.x.x range only.
access-list 100 permit tcp 192.168.0.0 0.0.255.255 any eq 22: Permits SSH from the 192.168.x.x range only.
interface gigabitethernet0/1 → ip access-group 100 in: Applies the ACL to inbound traffic on the interface.
access-list 100 permit tcp any any eq www: Permits all HTTP traffic (required because every ACL ends with an implicit deny of anything not explicitly permitted).
access-list 100 permit ospf any any: Permits OSPF (including hello packets) so routing adjacencies stay up.
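The following added example (not code from the original write-up) is a minimal evaluator for the extended ACL above. It reproduces the three behaviours that explain the results in this section: wildcard-mask matching, first-match ordering, and the implicit deny at the end of every ACL, which is why the extra HTTP and OSPF permits were needed and why a ping from an untrusted address comes back filtered. The four entries are taken from the page in the order entered; the traffic samples and the untrusted source address 10.0.0.5 are constructed, and nothing here talks to a router.

```python
# Added example, not code from the original write-up: a minimal evaluator for
# the Cisco extended ACL above. It reproduces first-match ordering, wildcard
# masks and the implicit deny at the end of every ACL. The traffic samples are
# constructed; nothing here talks to a router.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80}   # IOS keywords used in the ACL
ANY = ("0.0.0.0", "255.255.255.255")               # 'any' as address/wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", "ospf", "ip"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]   # from 'eq <port>', None if no port was given


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    pos = 4

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ANY
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1], "0.0.0.0"
        pos += 2
        return toks[pos - 2], toks[pos - 1]

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    dport = None
    if pos < len(toks) and toks[pos] == "eq":
        port = toks[pos + 1]
        dport = PORT_NAMES.get(port) or int(port)
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry decides; a flow matching nothing hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not wildcard_match(flow.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(flow.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny (implicit)"


# The four entries of access-list 100 from the write-up, in the order entered.
ACL_100 = [parse_ace(line) for line in (
    "access-list 100 permit tcp 192.168.0.0 0.0.255.255 any eq ftp",
    "access-list 100 permit tcp 192.168.0.0 0.0.255.255 any eq 22",
    "access-list 100 permit tcp any any eq www",
    "access-list 100 permit ospf any any",
)]

# Constructed sample flows; 10.0.0.5 stands in for an untrusted source.
SAMPLE_FLOWS = [
    Flow("tcp", "192.168.1.10", "192.168.1.1", 21),   # FTP from trusted range: permit
    Flow("tcp", "10.0.0.5", "192.168.1.1", 21),       # FTP from elsewhere: implicit deny
    Flow("tcp", "10.0.0.5", "192.168.1.1", 80),       # HTTP from anywhere: permit
    Flow("icmp", "10.0.0.5", "192.168.1.1"),          # ping: implicit deny ("packet filtered")
    Flow("ospf", "192.168.1.2", "224.0.0.5"),         # OSPF hello: permit
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow.proto:5} {flow.src:>13} -> {flow.dst}:{flow.dport}  {evaluate(ACL_100, flow)}")
```

Removing the `permit tcp any any eq www` entry from ACL_100 and re-running shows the HTTP flow falling through to the implicit deny, which is the situation the write-up's parenthetical about the implicit deny is warning about.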
Ping showing packet filtered response

After applying ACLs, a ping returned a packet filtered message — the host is up but not processing echo replies.

Wireshark showing retransmitted FTP packets

Running Hydra again showed a flood of retransmitted FTP packets — Hydra kept retrying but was unable to get through.

Hydra output showing failed attack after ACL

Mitigation 03

Metasploit reverse shell

The exploit was mitigated by updating the vulnerable VSFTPD service and restricting FTP access via ACLs.

Patching VSFTPD

VSFTPD version 2.3.4 contains the exploited backdoor. It was updated to version 3.0.3 using:

sudo apt-get install vsftpd

apt-get install vsftpd: Checks for and installs the available VSFTPD update (apt-get upgrades an already installed package when a newer version is in the repositories).

After updating, the exploit was run again. A connection was made but the exploit failed — the server was confirmed running version 3.0.3.

Metasploit output showing failed exploit after VSFTPD update

Wireshark showing FTP connection reset after patch

A Wireshark capture during the second attack showed an FTP connection was made but immediately reset after the login attempt failed — confirming the patch was effective.