
DOS attacks
JBIZ718 07-20-2001, 02:01 PM I'm interested to know how some deal with DOS attacks.
We sustained one today, but managed to not have any downtime. Network was up, and so was the server.
After much research we found that one site was getting slammed, we are removing the account from our network.
We will also post a warning about the name, once we are done researching.
Thoughts welcome
Joe
The Prohacker 07-20-2001, 02:06 PM Usually it's not directed toward you, so just find the account that is under attack and suspend it until you can contact the owner about the situation; if they have a unique IP then drop it temporarily from your router, so all packets being sent to that address will be dropped.
Then find the flooders' IPs and ban them from your network. If you want to go the extra mile, use arin.net to look up the IP block lessee, and email the abuse department with the logs of the attack; if they don't respond, then you notify their upstream provider.....
JBIZ718 07-20-2001, 02:10 PM We have suspended the account, and will actually probably cancel his account.
It's just a pain. I don't have a problem with hackers going to help security holes or something, but DOS attacks have no purpose.
Just gives people bad names...
Joe
The Prohacker 07-20-2001, 02:17 PM DoS's are typically executed by script kiddies; they are pains in all our asses..
I've had a few boxes compromised due to security holes, and the attack took some brains, so I can respect that attacker, but I'm sorry, I can't respect a 13 year old who downloads some software off of NewOrder, and tries to DoS me....
DoS attacks are a fact of life, and hard to protect against...
projo 07-20-2001, 02:24 PM I don't understand why the victim's account was dropped? That kind of means the DOSer wins. Success only breeds encouragement. Please correct me if my thinking is wrong.
Gary
SoftWareRevue 07-20-2001, 02:39 PM Originally posted by projo
I don't understand why the victim's account was dropped? That kind of means the DOSer wins. Success only breeds encouragement. Please correct me if my thinking is wrong.
Gary
Yeah... what he said :eek:
bteeter 07-20-2001, 02:48 PM Originally posted by JBIZ718
I'm interested to know how some deal with DOS attacks.
We sustained one today, but managed to not have any downtime. Network was up, and so was the server.
After much research we found that one site was getting slammed, we are removing the account from our network.
We will also post a warning about the name, once we are done researching.
Thoughts welcome
Joe
Block the attacking IP address(es) from your network at the router. If you cannot, configure your server to ignore the packets from the IP or IPs.
If you don't own the router talk to your network provider and let them know what is going on so they can block the attacker.
Good luck,
Brian
JBIZ718 07-20-2001, 02:55 PM Ok, for one this is a brand new account, and within 3 days he gets attacked.
Two, he is getting attacked by multiple IPs; the list is quite long and distinguished.
I spent 5 hours dealing with the issue this morning, and that's 5 hours too many.
I'm sorry but I don't appreciate brand new clients getting DOSed within the first week of activation.
We could configure our router, but that could take hours. Suspending his account has fully resolved the issue, and the moment it goes on, the server gets slammed...
Joe
SoftWareRevue 07-20-2001, 03:05 PM I won't pretend that I know how to stop the DOS attack.
But, I won't pretend that dumping your client that sustained the attack is the proper approach.
Would you suspend every client that is attacked?
What if the client that was attacked is not the target?
What if the target is you; and this client was the first on the attacker's list?
There must have been a better way to resolve this, I would think.
JBIZ718 07-20-2001, 03:11 PM Well, I don't think we were the target, or they would have hit the server a different way...
I'm not saying we will dump the client, but the account will be suspended for a little while.
We are not totally sure what we are going to do.
We almost never get attacked, so we will have to see.
UmBillyCord 07-20-2001, 03:15 PM I would have to agree with JBIZ718 on this one. Also, reselling for Alabanza does not help either. Meaning, it is hard to get a NOC to block one IP because of a DOS attack. NOCs suffer them all the time. Unless it is serious, they just don't have time.
In this case, it is a matter of protecting the other shared users on that server. The needs of the many outweigh the needs of the few.
If you cannot, configure your server to ignore the packets from the IP or IPs.
This is the quickest way to stop it (or slow it for that matter).
kickster 07-20-2001, 03:16 PM I can't believe what I am hearing here! The poor guy is being attacked and the hosting company helps the offending party by dropping the site!! :rolleyes:
Some of you are even encouraging the hackers with brains!!!
What's so cool about a hacker? Hackers are no different than hooligans.
I am very surprised at some of the attitudes on this board. :angry:
Brian Farkas 07-20-2001, 03:17 PM I'm not sure if there is any more appropriate action- but you have to understand that DOS attacks can bring down a server, or severely hurt performance for other users... And any time that system performance is compromised for the other users of that system, immediate action must be taken to restore performance to its previous state... It's the same kind of thing with a client script that's pushing server loads through the roof- sometimes you have to kill/disable the script first, and ask questions later.
Anyway, IMO, JBIZ718 was acting in the interest of all users on his system.
Brian
JBIZ718 07-20-2001, 03:22 PM I have 150 clients that had their server slammed today.
I am looking out for all my clients, which is my job.
My job as a president is:
1. Provide Innovation and Solid Technology for my clients
2. Provide the best security possible for my clients
3. Provide the best uptime possible for my clients
I am not saying I will drop my client. I am saying currently the account is suspended because if it stays up, my other clients will suffer, which cannot happen.
My other 150 clients don't have this problem, this 1 does.
Though I don't want to lose any clients, I would give up 1 to keep the integrity of my equipment and my other 150 clients happy...
What you're saying, kickster, is I should keep the server up and screw 150 other people... now does that make any sense?
Joe
The Prohacker 07-20-2001, 03:23 PM Hackers are no different than hooligans.
Does this include me?? I think you mean script kiddies who DoS servers and sit in their parents' basements looking at women who are 30 but claim to be underage.......
You have to protect your server first. I'd drop the site depending on content; if it's a warez/h/p/c/porn site, then yeah, drop it....
SoftWareRevue 07-20-2001, 03:28 PM Ahh... suspending the client... A wise move :cool:
Let us know if any others get hit; will you??
JBIZ718 07-20-2001, 03:33 PM Though the server handled the DOS attack it did get hit hard.
I will keep you posted, but suspending that one account has stopped that attack in total.
Joe
:angry:
WTFHosting 07-20-2001, 09:09 PM We've been victim of a couple of DDoS attacks as well. This is a tough situation; you have to look at it from the point of view of the web host as well as the client. From a web host's point of view, if 1 account is affecting 150 others adversely, then the decision is clear. Protect the integrity of your network, as well as your reputation. However, from a client's point of view, he couldn't help getting attacked, and it seems unfair to have his account terminated. Now I realize Joe doesn't have plans to terminate the account; this is just a hypothetical situation. There is yet a third angle which has been mentioned by The Prohacker. If the site contains content which would make it stand out as a DDoS target, then it is more than fair to have the account terminated. Warez, hacking, cracking, porn, and even accounts where spam was sent from are all potential targets. From past experience, if the script kiddie was targeting the web host, he would have done so at the main network segment. As far as preventative measures there is not a lot that can be done. I have seen firewalls with stateful packet inspection which are designed to stop DDoS attacks, while allowing legit traffic to pass through, although they are quite pricey. The best measure is to try and watch your clients' sites' content and watch out for high-risk content. We have tried the approach of contacting the authorities, armed with packet capture logs of the attacks, although they are extremely busy with this sort of matter as you can imagine, and they really didn't have the time or interest to investigate such a small matter.
JBIZ718 07-20-2001, 09:13 PM In regards to content, I wish I could tell; it's in a different language and I can't read it.
That's a big issue also
Joe
Tim Greer 07-20-2001, 09:32 PM Originally posted by kickster
I can't believe what I am hearing here! The poor guy is being attacked and the hosting company helps the offending party by dropping the site!! :rolleyes:
Some of you are even encouraging the hackers with brains!!!
What's so cool about a hacker? Hackers are no different than hooligans.
I am very surprised at some of the attitudes on this board. :angry:
I don't care what the media says, there's a difference, a big one, between a hacker and someone who cracks into a system (compromises it). There's a huge difference. Also, what I believe these people were referring to, is that if someone compromises a server and doesn't do it to destroy anything, steal any information, etc., but simply out of curiosity and for the challenge without harm, even possibly notifying the administrator(s) of the system, that it's a little (or a lot) more forgivable, understandable and harmless, than some jerk that didn't even use some talent (if you call it that, it's usually not anyway) to get in and not cause any damage or whatever, by using some program they didn't create.
No one has any respect for a talented programmer that creates such a program, let alone someone that takes a program some idiot wrote, so they can abuse someone's services. Most people are considerably more forgiving to someone that was able to get into a relatively secure system, if they just do it for the challenge, and don't cause any damage, crack any passwords, steal any information or the like. As for if it bothers people, some people it might not bother, because there's no real threat to that, but then again, how can you know what they did anyway, if they did compromise the system? You can't, even if you have a good idea, so maybe it's not too harmless and they certainly had no business or right to do what they did anyway.
However, in comparison, there's a difference between the "outlaws", if you will. Some people go out to hurt others, while some people don't hurt anyone or anything and are wrong simply based on the fact that they aren't authorized or welcome, nor are their harmless actions condoned. I don't think anyone was condoning, supporting or completely okay with someone in their system with access beyond what you want users to have.
Nonetheless, if this is a system attack, and the system is the target and is a victim to a DoS attack due to ICMP responses, etc., you can add two lines to the top of the rc.local file (I assume this is a Linux system?), such as this:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
(Put that at the top of the file)
Once the system is rebooted, and every time it's booted up after, it will basically make it so your system doesn't respond to ICMP packets or pings, etc. This way, not only does it stop a lot of "script kiddies", as it were, from doing random network scans sending packets, as they won't hit what they can't see (from these probes anyway), and the refusal of rejecting packets that people ought to not be sending, will help prevent _some_ specific to general DoS attacks, assuming it's on that system and is the type these people are launching. Just remember, your users will need to be informed that just because they can't traceroute or ping the server, all the other services are indeed still up and running fine; it's just that they can't ping it, etc. This might or might not help.
There's other steps you can take, but I don't think I could explain them properly, without dedicating some time to explanations. Nonetheless, good luck with that, as you certainly can't cancel people's accounts, but it certainly does no good to keep that account active, when no one's account, including that one, can be accessed anyway. Hopefully you can find a solution and maybe find a way to stop it, depending on what kind of attack it is. If you get any specific information about it, post it here and maybe I can suggest something else.
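An added example, not Tim's own script: after the reboot, check that the two settings quoted above actually took effect, and print the /etc/sysctl.conf form of the same two settings. The knob root defaults to /proc/sys but can be pointed at another directory with the same layout (that layout, and the sysctl.conf names, are the assumptions here).

```shell
#!/bin/sh
# Added example, not from the original post: audit whether the two kernel
# knobs quoted above are in effect, and emit the equivalent sysctl.conf lines.
# Assumption: the knob root has the same relative layout as /proc/sys.

# Print "name=value" for one knob, or "name=missing" if the file is absent.
read_knob() {
    kr="$1"; kn="$2"
    if [ -r "$kr/$kn" ]; then
        printf '%s=%s\n' "$(basename "$kn")" "$(cat "$kr/$kn")"
    else
        printf '%s=missing\n' "$(basename "$kn")"
    fi
}

# Print each knob's state; return 0 only when both are set to 1.
audit_dos_knobs() {
    knob_root="${1:-/proc/sys}"
    ok=0
    for rel in net/ipv4/icmp_echo_ignore_all net/ipv4/tcp_syncookies; do
        line="$(read_knob "$knob_root" "$rel")"
        echo "$line"
        case "$line" in
            *=1) ;;
            *) ok=1 ;;
        esac
    done
    return "$ok"
}

# The same settings in sysctl.conf form, for systems that apply
# /etc/sysctl.conf at boot instead of running echo lines from rc.local.
sysctl_conf_lines() {
    printf 'net.ipv4.icmp_echo_ignore_all = 1\n'
    printf 'net.ipv4.tcp_syncookies = 1\n'
}

# Stand-alone use: "sh audit.sh --run" audits the live kernel (read-only).
if [ "${1:-}" = "--run" ]; then
    if audit_dos_knobs; then
        echo "both knobs active"
    else
        echo "at least one knob is not active"
    fi
fi
```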
York1 07-20-2001, 10:39 PM Well here is my 2 cents;)
I know I have had troll problems with my site. No DoS attacks YET. However, I run a fairly simple and friendly tech site. Now if this troll starts to attack my site via DoS attacks I would hope my host would do its best to help me stay rather than boot me off.
I understand you can't tell exactly what their content is due to language barriers, though do try your best to take care of the problem and keep everyone happy;)
JBIZ718 07-20-2001, 10:47 PM Well, I have been in contact with my DOS'd client all day.
He was very surprised. I explained to him the situation and why it is being suspended.
I do need to look out for all my clients, so right now the 150 that were on the server are happy the server is up.
I am working with the troubled client over the next few days and will work something out...
Joe
The Prohacker 07-20-2001, 11:03 PM It may cost more, but you might assign the attacked client his own IP. So if he gets attacked, you can just remove the IP from your subnet, wait for the attack to die down, then re-add it....
That should save your server from crashing.....
JBIZ718 07-20-2001, 11:23 PM We give all of our virtual clients dedicated IPs.
It is a feature we like.
Our problem is because it is in another country, being Indonesia; it one causes some issues, and two makes it harder to pinpoint the problem.
Also, legally it's almost impossible to go after the aka script kiddies, or hackers, who caused this, being outside the US.
Joe
davidb 07-20-2001, 11:28 PM I agree about suspending the client. I have been DOS'd before and it is no fun for everyone else. Getting one complaint is a lot better than 150 in his case. I don't know if it has been posted on this board but some fun DOS attacks and script kiddies:
http://grc.com/dos/grcdos.htm
Better have about 30 min free 'cause it's a long but VERY interesting read on how a 13 year old can really F**K things up and no one else is willing to do jack.
The Prohacker 07-20-2001, 11:32 PM That does make pursuing matters like this much harder. Usually if you email their ISP it'll resolve the problem. Look up the IP on arin and find the netblock owner, and email their abuse department, and send logs of the attack with that email; since you are a host usually they'll listen to you. If they don't, trace their servers to find their upstream provider, usually someone like WorldCom, and notify them of the abuse, and lack of attention being brought to the situation by the ISP....
Chicken 07-21-2001, 09:41 AM Originally posted by davidb
I don't know if it has been posted on this board but some fun DOS attacks and script kiddies:
http://grc.com/dos/grcdos.htm
Better have about 30 min free 'cause it's a long but VERY interesting read on how a 13 year old can really F**K things up and no one else is willing to do jack.
A bit of a long read, but very good. Thankx for the link.
projo 07-21-2001, 11:22 AM It sounds like JBIZ718 had to react immediately and suspension does seem like the only immediate tool. It also sounds like he has considered options and discussed the situation with the client. The client should feel like he/she was given consideration. Any solutions we find for this type of thing will help us all.
Good job JBIZ718!
Gary
projo 07-21-2001, 11:23 AM And thanks to all of you for more education. This has turned into a really informative thread.
Gary
JBIZ718 07-21-2001, 11:55 AM Our current problem is that almost the moment we turn the account back on, the server gets slammed.
We are sort of at a loss on this one.
A bigger issue is some of the logs are showing tons of IPs hitting the server, I imagine using something like Sub 7 or Back Orifice.
We are sort of at a cross road on this, and seriously thinking about refunding the client's money.
I can't even turn the site on for 5 minutes without the server getting abused; thoughts welcome. It would take a lot of work to screen all the IPs pounding the server. The client is paying about $6 monthly.
My IT person and I are still looking at options...
It's a tough situation
Joe
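For the "tons of IPs hitting the server" problem Joe describes, an added example that is not from the thread: it ranks the source addresses in a web server access log by request count and peak requests per second, then prints the ones above a threshold as a candidate list for blocking at the router and for the abuse e-mails The Prohacker mentioned. The log lines are constructed, and the common log format with the client IP in the first field is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: rank the source IPs in a web server
# access log so the hosts doing the flooding stand out, and list the ones
# above a threshold as a candidate block list and as the per-IP summary to
# send with an abuse report.
# Assumption: common/combined log format, client IP first, timestamp fourth.

# Constructed sample log (documentation address ranges): one host sends
# 6 requests with a burst of 4 in the same second, two others are normal.
SAMPLE_LOG="$(cat <<'EOF'
10.0.0.5 - - [21/Jul/2001:11:55:01 -0400] "GET / HTTP/1.0" 200 1024
192.0.2.77 - - [21/Jul/2001:11:55:01 -0400] "GET / HTTP/1.0" 200 1024
198.51.100.9 - - [21/Jul/2001:11:55:02 -0400] "GET /index.html HTTP/1.0" 200 2048
192.0.2.77 - - [21/Jul/2001:11:55:03 -0400] "GET / HTTP/1.0" 200 1024
192.0.2.77 - - [21/Jul/2001:11:55:03 -0400] "GET / HTTP/1.0" 200 1024
192.0.2.77 - - [21/Jul/2001:11:55:03 -0400] "GET / HTTP/1.0" 200 1024
192.0.2.77 - - [21/Jul/2001:11:55:03 -0400] "GET / HTTP/1.0" 200 1024
198.51.100.9 - - [21/Jul/2001:11:55:04 -0400] "GET /about.html HTTP/1.0" 200 512
192.0.2.77 - - [21/Jul/2001:11:55:05 -0400] "GET / HTTP/1.0" 200 1024
198.51.100.9 - - [21/Jul/2001:11:55:09 -0400] "GET /img/logo.gif HTTP/1.0" 200 4096
EOF
)"

# Read a log on stdin; print "total peak_per_second ip" per source, busiest
# first. Field 1 is the client IP, field 4 is "[dd/Mon/yyyy:HH:MM:SS".
rank_sources() {
    awk '{
        ip = $1
        sec = substr($4, 2)               # drop the leading "["
        total[ip]++
        key = ip SUBSEP sec
        persec[key]++
        if (persec[key] > peak[ip]) peak[ip] = persec[key]
    }
    END { for (ip in total) printf "%d %d %s\n", total[ip], peak[ip], ip }' |
    sort -rn
}

# Read a log on stdin; print only the IPs with at least $1 requests, one per
# line. Each can then be run through "whois <ip>" to find the netblock owner
# to notify, as suggested earlier in the thread.
flood_sources() {
    rank_sources | awk -v t="$1" '$1 >= t { print $3 }'
}

# Demo on the constructed sample; for a real log: flood_sources 500 < access_log
printf '%s\n' "$SAMPLE_LOG" | rank_sources
printf '%s\n' "$SAMPLE_LOG" | flood_sources 5
```

The threshold has to be picked against the server's normal per-client traffic; the peak-per-second column is what separates a busy legitimate visitor from a host sending requests as fast as it can.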
SoftWareRevue 07-21-2001, 12:43 PM A solution must be found.
How can you as a host think about passing this client off to another host?
I understand your position and frustration. And fully agree with you suspending this particular client until a solution can be found.
But, only that. Suspend the client until a solution can be found. Of course if he wants to move before a remedy to action is formed; that would be his choice.
I just think you would sleep easier knowing that you did not simply move your problem to a colleague.
JBIZ718 07-21-2001, 12:57 PM Well,
There isn't much of a solution.
Suspending the account has solved the problem, but as I said the minute it is turned on, the DOS attack starts.
If anyone can think of a solution, I'd love to hear it.
Our solution to the problem so far has been removing it from our servers, and the problem has been solved.
I don't know if there's any other options, but we are still looking at some stuff.
Joe
SoftWareRevue 07-21-2001, 01:34 PM Let me reiterate.
I wholeheartedly agree with your decision to suspend your DOS attacked client.
You have to protect the welfare of your other customers.
But, I will not agree with refusing to host the victim.
I thought WHT was formed to bring all these great minds together.
Surely, if this is discussed thoroughly, a solution may in fact be found.
I do not possess the expertise to solve this dilemma. Yet, I propose that it must be solved. And not passed on to an unsuspecting host provider.
Again; I applaud your efforts. Let's see if anyone can aid in a solution.
JBIZ718 07-21-2001, 02:10 PM My biggest problem is that anyone who hosts this account will get attacked.
The problem lies with the client, this is a serious issue.
Also, under our guidelines it is up to our discretion whether we host it or not. If I refund the client's money, I have no ties to them, then. I'm not saying I'm going to do that, but it is my company, and if I refuse to host them, based on the fact that my other clients could suffer, I don't think that is a bad decision...
If anyone hosts this domain, the server will get slammed.
I surely don't want that issue, nor do I want anyone else to, but I don't think there is much of a solution...
I think that this issue lies on the client; the attack comes totally directed at them. I'm trying to help, but as I said there is not much I can do
Joe
The Prohacker 07-21-2001, 02:47 PM What's the content of this site???
JBIZ718 07-21-2001, 02:55 PM Well, for one I wish I knew.
It's in a different language
But the name is a hosting company based out of Indonesia.
The Prohacker 07-21-2001, 03:16 PM You might take some of the content out, and paste it into the Altavista Translator; it won't give you an exact translation, but it should give a good idea on what it is...
If the attacks are coming from Indonesia, and the owner of the site you are hosting also lives there, you may hand records of the attack over to him, for him to handle with his local government. I don't currently know what kind of governing body presides over Indonesia, but it may be your only hope to stop these attacks against that domain.....
SoftWareRevue 07-21-2001, 03:20 PM Never mind. . .I was just saying what ProHacker said.
I'm just slower at typing I suppose.
Feel free to remove this post.
(SH)Saeed 07-21-2001, 04:06 PM Wow, that is a very bad situation. You should also consider the fact that the attack might be from someone that knows and has something against your client and not his website.
I would probably give it a week to try to find a solution for this problem since he got attacked almost right after he signed up with you and the DNS kicked in. To me it sounds like he's been having this problem with a previous host and got kicked out or something.
Since you can't keep the account inactive forever and can't activate it and sacrifice your server and 150 other clients for one new client, I wouldn't blame you if you gave him a refund. I would first have someone look at the site and translate the content though; there are a lot of Indonesian people here that might be able to help you out.
Good luck.
LinuxGeek 07-21-2001, 04:09 PM Originally posted by JBIZ718
My biggest problem is that anyone who hosts this account will get attacked.
<snip>
If anyone hosts this domain, the server will get slammed.
I surely dont want that issue, nor do I want anyone else too, but i dont think there is much of a solution...
Well I am sure you tried the obvious things such as changing your client's IP address. Often attacks are based from a list of IPs but this case seems to be targeted at the domain name. Definitely offer your client a copy of the logs so he/she may take this up with their local law. These DoS attacks are definitely bouncing the packets off other IPs. You may want to find a few of the IPs used, especially the repeat IPs, and look up the ISP owning the IPs and ask them to help you track this down. They may find something in their logs to track who is responsible for the attacks. I do agree you should do everything in your power to find a resolution for this problem, but off the top of my head right now the only other solution I can think of is to ask the client to change his domain name. I am assuming this was a domain transfer. If so, find out who his previous host was and ask them if they had these problems with him. You may find this was the reason the client ended up transferring his domain and changed hosts, or you may find the host can offer you a solution they did to keep the attacks down. If this was a domain transfer though, even changing the domain name will only work for a short while as this is most likely someone out for revenge on this guy. I have not experienced this situation myself so I am only taking guesses here. Hope something helps and good luck resolving this situation. Keep us posted on the situation as I am very interested in this thread.
Installing portsentry will do a good job of protecting you from these types of attacks; it won't eliminate them, but it helps :) Also, there are ways to secure the server so these attacks are much more minimal. Read up on prevention and do what they suggest. Much of the stuff is pretty basic.
JBIZ718 07-21-2001, 07:46 PM I wish it was that easy
Its not
Joe
I used to have a linux server at DI that constantly got DoS'd and once they hit it so hard, DI terminated our account. So we moved to skynetweb and changed the OS to FreeBSD, since then we have not had a single successful attack from the attempts, and we have attempts nearly twice a week.
qslack 07-22-2001, 03:44 PM I run a server off my 416kbps DSL line and a few weeks ago, someone felt the need to spawn about 10 instances of wget to recursively download my whole site, and kept repeating that. I set my server to redirect all of his requests to the site of a company we all hate, and after that night, the attacks died down.
JBIZ718 07-31-2001, 04:07 AM Well, on several attempts to try to resolve the problem we had no luck.
We also tried contacting the client, and got all email bounced back.
Overall the solution resolved itself. It's like someone signed up, tried to trash my network, failed, and was never to be heard of again.
I guess we won in this case, but just some unanswered questions
Joe
SoftWareRevue 07-31-2001, 03:58 PM <EDIT>
sorry.......I keep postin' ta stuff what ain't there:blush:
node9 09-30-2001, 03:20 PM Originally posted by Tim_Greer
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
(Put that at the top of the file)
Once the system is rebooted, and every time it's booted up after, it will basically make it so your system doesn't respond to ICMP packets or ping's, etc. This way, not only does it stop a lot of "script kiddies", as it were, from doing random network scans sending packets, as they won't hit what they can't see (from these probes anyway), and the refusal of rejecting packets that people ought to not be sending, will help prevent _some_ specific to general DoS attacks, assuming it's on that system and is the type these people are launching.
Some I GUESS, but mainly it doesn't do SH**...
I have been DoS'ed very badly before, with SYN floods, and doing that didn't do ****. Same with ipchains; any software firewall means crap all, because sometimes the attacks are coming so fast they are hammering your machine, therefore it won't be able to take any of it; it'll just go through no matter what.....
hardware firewalls are the way to go :D :D :D :D
Fremont Servers 09-30-2001, 04:22 PM How do you detect DoS (Denial of Service) attack and stop it?
node9 09-30-2001, 05:21 PM Install iplog.
You can't really stop DoS attacks.
You can with some,
but not much sometimes.
It depends.