Major DDOS attack on my LayeredTech Server?
WebSavvyGuy 09-28-2004, 06:05 PM I have a server with LayeredTech (through a reseller) and it is currently down because it is going through a major DDOS attack. Their datacentre is theplanet.
The support team responded "Your IP was null-routed as your server is under a major incoming DDoS attack. We will keep you posted." ...and ......"As of now the NOC technicians cannot do anything. Your server will be put back online as soon as the attack has stopped. Sorry for the inconvenience."
This is just killing me as I cannot afford any downtime. Can someone explain what I can do in a situation like this? What is going on? Can't they block out the attacking IP addy and get my server up???
RyanD 09-28-2004, 06:18 PM The first D in DDOS stands for DISTRIBUTED; that means the attack is originating from any number of thousands of sites. Would you want to create firewall rules for all those IPs? I think not.
Mooecow 09-28-2004, 06:34 PM Or... they could put your server up and have miserable speeds and blow all your bandwidth. Your call.
WebSavvyGuy 09-28-2004, 06:43 PM I hear you but do they keep monitoring it so when the attack stops they put it back online...or what?
Just need to know an ETA...this is killing me....
TheTrance 09-28-2004, 06:59 PM Their NOC will eventually take off the null route once the attack is stopped. Give it a few hours or half a day or something and ask them to check the traffic on your server.
If you're SSHing to your server and have more than 1 IP, you can SSH to your other IPs.
Steven 09-28-2004, 07:00 PM Originally posted by dan325ci
I hear you but do they keep monitoring it so when the attack stops they put it back online...or what?
Just need to know an ETA...this is killing me....
Bro, it could be down for days. It all depends on how long it takes for the attack to stop.
spikeyspy 09-28-2004, 09:45 PM Is a firewall useful in this case? Does it mean these attacks are going through port 80?
TheTrance 09-28-2004, 10:01 PM Originally posted by spikeyspy
Is a firewall useful in this case? Does it mean these attacks are going through port 80?
Totally not useful. They null-routed you to protect their network (or sometimes to save your bandwidth; otherwise you'd use up all your bandwidth).
A firewall is good for a network where there's no NOC monitoring traffic. Most dedicated server providers like ev1, sm, or managed null-route your IP if they notice "weird" traffic to your server.
wheimeng 09-28-2004, 10:04 PM Yes, this is a standard industry policy unless you are willing to pay for the bandwidth overage. Any large DDoS could mean a serious threat to any network; a null route is thus far the best way.
spikeyspy 09-28-2004, 10:07 PM But if they let it up, will the DDoS eat up CPU usage?
I don't mind eating up my b/w if I could still bring my site up. Furthermore, IMHO it's the end of the month; b/w is gonna reset anyway.
TheTrance 09-28-2004, 10:09 PM Originally posted by spikeyspy
But if they let it up, will the DDoS eat up CPU usage?
I don't mind eating up my b/w if I could still bring my site up. Furthermore, IMHO it's the end of the month; b/w is gonna reset anyway.
I'm not sure about other OSes, but in FreeBSD you can modify your settings and "protect" yourself to some extent using sysctl and other variables, but that all depends on what type of DDoS you're getting and how big it is. SYN attacks are the hardest to deal with. I know a few hosts that don't null-route IPs no matter how much you get DDoSed...
spikeyspy 09-28-2004, 10:09 PM Err, what if the attack goes on for weeks or months?
wheimeng 09-28-2004, 10:11 PM Originally posted by spikeyspy
But if they let it up, will the DDoS eat up CPU usage?
I don't mind eating up my b/w if I could still bring my site up. Furthermore, IMHO it's the end of the month; b/w is gonna reset anyway.
What if it was a 100mbit/s DDoS for weeks? :D
A 1000GB BW standard allocation can be eaten up in just a matter of days.
spikeyspy 09-28-2004, 10:15 PM But is it possible that I block all IPs but allow a small list of safe IP ranges to access? Is this possible?
Is this done by the firewall or the OS?
TheTrance 09-28-2004, 10:19 PM Originally posted by spikeyspy
But is it possible that I block all IPs but allow a small list of safe IP ranges to access? Is this possible?
Is this done by the firewall or the OS?
I believe the host's NOC can probably do it but they won't; too much hassle.
You can set up a stateful firewall or run a tool that monitors your traffic and adds firewall rules to your server (that works if your host does not null-route IPs).
spikeyspy 09-28-2004, 10:25 PM Oh okie, I got it. Thx. All will be stated clearly in the TOS, right?
TheTrance 09-28-2004, 10:38 PM you can ask their support (sales might not know)
WebSavvyGuy 09-28-2004, 10:54 PM Has anyone pursued DDOS attackers through legal channels?
This is what I plan to do.
meknow 09-28-2004, 11:03 PM dan325ci
Search the forum about DDOS. It seems almost impossible to do anything about a DDOS attack unless the FBI is seriously involved.
TheTrance 09-28-2004, 11:19 PM Originally posted by dan325ci
Has anyone pursued DDOS attackers through legal channels?
This is what I plan to do.
Well, if you can prove that you've lost thousands of dollars then maybe the FBI will look into it...
IHNjustin 09-28-2004, 11:57 PM I think the FBI will *look into it* regardless, but the question is more *how long will it take* for them to look into and do something about.
KarlZimmer 09-29-2004, 01:43 AM Originally posted by UltraUnixNET
What if it was a 100mbit/s DDoS for weeks? :D
A 1000GB BW standard allocation can be eaten up in just a matter of days.
It would actually be used in less than a day... Chances are, the attack is also larger than 100mbit/sec anyway. You really want to pay possibly thousands of dollars in overages? Also, I'm guessing the port will be more than saturated anyway, so even if your server were up it would not be accessible.
Roy@ENHOST 09-29-2004, 03:20 AM Just wondering, will something like ServerMatrix's FloodGuard come in handy in this type of situation?
I doubt it, yeah?
Anyone beg to differ?
dotSecurity 09-29-2004, 03:22 AM I have heard that it is not too effective. Although I couldn't say as I have never had a DDoS attack on one of our servers.
lwknet 09-29-2004, 03:25 AM So there's no hope if we get seriously DDoS'ed? :(
I believe Microsoft's servers are the most DDoS'ed ones; I'm curious to know how they deal with it.
Thanks
dotSecurity 09-29-2004, 03:27 AM You need a dedicated solution, which will cost you a lot of money.
Roy@ENHOST 09-29-2004, 03:54 AM I bet there is a solution. I mean reputable companies can't just shrug their shoulders and go "Can't help it" to their clients, they must have some sort of anti DDOS mechanisms installed.
lumbyjj 09-29-2004, 04:09 AM Large companies spend millions of dollars on hardware to defeat the problem..
Roy@ENHOST 09-29-2004, 04:15 AM Plus small and mid-sized companies who found a good solution keep it to themselves.
Originally posted by lumbyjj
Large companies spend millions of dollars on hardware to defeat the problem..
spikeyspy 09-29-2004, 04:55 AM Perhaps a company like Microsoft will get a GB/s line where those attackers only have an MB/s line.
Cos attackers r poor while large companies r richer!
netomatic 09-29-2004, 05:31 AM I bet there is a solution. I mean reputable companies can't just shrug their shoulders and go "Can't help it" to their clients, they must have some sort of anti DDOS mechanisms installed.
They all use Akamai to defeat DDOS.
Akamai is the world's biggest content hoster. Their clients include Microsoft, Google, Yahoo etc. Files that appear to be at www.microsoft.com are, in reality, hosted at www.microsoft.akamai.net.
spikeyspy 09-29-2004, 05:33 AM R u sure? How come even Microsoft also outsources to other people?
Don't tell me Microsoft is using Linux to run their servers... if that's true I will have to get a great laugh first.
BitError 09-29-2004, 05:47 AM There are many solutions to effectively filter DDOS, however if you are paying less than a few thousand dollars a month for service it's very unlikely you will receive any such solution.
Riverhead solutions are available from larger managed operations. Solutions such as this detect nefarious traffic through monitoring devices, which in turn have filtering devices make iBGP announcements for the intended victims. This routes traffic for the intended target to the filtering box instead of directly to its destination. The filtering devices at this stage sanitize the DDOS traffic and allow valid traffic to flow through. The result is uninterrupted service to the targeted website.
You obviously need an edge router capable of forwarding the packets, and a very powerful filtering solution to dynamically sanitize traffic. A Cisco GSR, or Juniper M20 or larger (really just any nice edge router) is sufficient as an edge router to handle just about anything near to wire rate (assuming line cards are recent). Although their capabilities through ACLs obviously aren't as advanced as a specialized box, especially when they have other traffic with which to concern themselves.
In the case of The Planet you've probably been null routed at the network edge (on their M20's) and that's the end of the story. They'll remove it eventually and watch your traffic; if the DDOS continues they'll null you again. The 6509 core switch portion of their network definitely doesn't want to see denial of service traffic, nor do any other links right down to the rack switch (if traffic is indeed massive). They have a fairly nice network, but it serves budget servers; they really have no reason to make efforts beyond a null route, unfortunately.
If you have $100,000 to blow, I recommend Riverhead as they are IMO the best. There are other solutions, although most are not nearly as robust. I anxiously await the day when prices become reasonable for such specialty equipment.
netomatic 09-29-2004, 05:48 AM Microsoft outsourced their DNS service to Akamai and
Akamai's Microsoft DNS servers are all running Linux.
see http://www.linuxjournal.com/article.php?sid=4962
spikeyspy 09-29-2004, 06:07 AM But could these articles be trusted?
spikeyspy 09-29-2004, 06:10 AM But I think even if it's true, nothing is impossible. Cos I heard some time back that Hotmail was using Oracle as their database.
netomatic 09-29-2004, 06:34 AM Whoever is interested in DOS attacks and post-attack analysis should read this article
http://www.grc.com/dos/grcdos.htm
It is one of the best articles I have ever read on this subject.
spikeyspy 09-29-2004, 07:04 AM Thanks for the info. btw, anyone know how to DoS attack?
What if you know that your site has been DDoS attacked by your competitor? Who should you report to? Any international authorities to handle these? or should the victim just DDoS back?
WebSavvyGuy 09-29-2004, 07:09 AM Thanks for the reply. What's interesting is the IP attacked is still nulled... so this DDOS has really been going on this long?
Wow, amazing. :eek:
lumbyjj 09-29-2004, 07:27 AM Yes, they can go on for days. I had it happen here not but a week ago; I had to null route a customer's IP for about 2 days..
WebSavvyGuy 09-29-2004, 07:30 AM Isn't there any easier way to find out where the originating attack is coming from, identify the individual and shut him down?
apollo 09-29-2004, 08:56 AM very hard to identify 100% correctly, as packet source address can be easily forged... ...
RossH 09-29-2004, 05:31 PM You aren't going to get your $110/month box (guess) to be protected against a major ddos attack, it just ain't gonna happen.
Roy@ENHOST 09-29-2004, 06:31 PM So we are basically screwed if we get DDOSed, true?
Someone should step forward and create a solution for small time server owners I think.
dotSecurity 09-29-2004, 08:28 PM DDoS solutions would not be easy to create and do require expensive hardware. You get what you pay for. :)
Guspaz 10-25-2004, 12:57 AM Originally posted by BitError
There are many solutions to effectively filter DDOS, however if you are paying less than a few thousand dollars a month for service it's very unlikely you will receive any such solution.
Riverhead solutions are available from larger managed operations. Solutions such as this detect nefarious traffic through monitoring devices, which in turn have filtering devices make iBGP announcements for the intended victims. This routes traffic for the intended target to the filtering box instead of directly to its destination. The filtering devices at this stage sanitize the DDOS traffic and allow valid traffic to flow through. The result is uninterrupted service to the targeted website.
You obviously need an edge router capable of forwarding the packets, and a very powerful filtering solution to dynamically sanitize traffic. A Cisco GSR, or Juniper M20 or larger (really just any nice edge router) is sufficient as an edge router to handle just about anything near to wire rate (assuming line cards are recent). Although their capabilities through ACLs obviously aren't as advanced as a specialized box, especially when they have other traffic with which to concern themselves.
In the case of The Planet you've probably been null routed at the network edge (on their M20's) and that's the end of the story. They'll remove it eventually and watch your traffic; if the DDOS continues they'll null you again. The 6509 core switch portion of their network definitely doesn't want to see denial of service traffic, nor do any other links right down to the rack switch (if traffic is indeed massive). They have a fairly nice network, but it serves budget servers; they really have no reason to make efforts beyond a null route, unfortunately.
If you have $100,000 to blow, I recommend Riverhead as they are IMO the best. There are other solutions, although most are not nearly as robust. I anxiously await the day when prices become reasonable for such specialty equipment.
Sorry to dig up this old thread, but I thought this was of note; ThePlanet is implementing RiverHead's solution network-wide, for free for all customers (Incl. ServerMatrix)
Babushka99 10-25-2004, 12:52 PM There are solution providers that provide DoS/DDoS protection without null-routing you. We do it! :) as I am sure many others.
However, like everyone has rightly said, you need to cough up money, not necessarily $1000s, but a few hundred at least for a service provider with network-wide DoS/DDoS protection gear installed.
Alternatively, you can contact companies like Top Layer, Captus Networks, Arbor Networks, Riverhead Networks (now part of Cisco), Mazu Networks, Netscreen (high-end firewalls), Foundry Networks (their Layer 2/3 and ESPECIALLY Layer 4/7 Switches), etc. to provide you with the necessary gear on a "leased" basis.
Just to cite some financials at you, to protect 100Mbps, the 3-layer DoS/DDoS gear (Layer 4/7 Switch, IPS/IDS and Firewall) will cost you about $6,000-$9,000 per month - this is for a 50,000 setups per second scenario, with 1 million concurrent sessions.
The most important things about DDoS attacks are:
1. The setups per second
2. The ability for your device to define the transaction rate limitation before it (traffic incoming) is classified as DDoS traffic
3. The mitigation time-frames
4. The ability to keep track of the packets coming in (genuine vs non-genuine).
5. And most importantly the perimeter bandwidth. For a 100Mbps attack in full, with 100Mbps connectivity to your server, the attack will be stopped for sure. Guaranteed, but genuine traffic will have one hell of a time just "reaching" your network edge.
6. Have some form of an agreement with your provider that DoS/DDoS traffic is NOT counted in your bandwidth quota. This is somewhat going to be difficult to do, but not impossible.
Thus in this scenario, it would be great to have GigE connectivity; this way you can sustain up to 500Mbps sustained DoS/DDoS attacks and still be fully functional.
Good devices will spit out an ACL of IPs that need to be put a halt to at your upstream network provider's level, provided after they have broken what is called the "sustainability threshold", i.e. if an attack - despite being continual and reported to its source - continues for say 4 hours, then it is best to have the IP route annulled to your network by your upstream provider.
Someone here very correctly mentioned that routers, if told to implement ACLs/filtering, would succumb quite fast. A switched environment would be lovely.
By the way, on the FBI thingy, there is a complaint you can file with your local FBI office. I am NOT sure (forgotten), but it's called a Form FD-77 or something like that. DDoS/DoS is a Federal Crime (AFAIK). The FBI usually does get involved, but the seriousness of it all is validated by how damaging the attack is.
Hope this information helps.
Babs.
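As an added illustration of the two mechanisms described in this thread (BitError's diversion of the victim's traffic to a filtering box by a more-specific iBGP announcement, and the setup-rate thresholds and upstream ACL Babs lists above), here is a small simulation; it is example code written for this page, not any vendor's product or the forum's own, and the thresholds, prefixes and flow records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed thresholds (not vendor numbers): more than SETUPS_PER_SEC bare SYNs/s to one
# destination marks it flooded; a source sending more than PER_SOURCE_SYN_LIMIT SYNs/s is filtered.
SETUPS_PER_SEC = 20
PER_SOURCE_SYN_LIMIT = 10

# Constructed flow records for a one-second window: (src_ip, dst_ip, tcp_flags).
SAMPLE_FLOWS = (
    [("203.0.113.5", "198.51.100.10", "S")] * 40   # flooding source
    + [("203.0.113.6", "198.51.100.10", "S")] * 35  # flooding source
    + [("192.0.2.77", "198.51.100.10", "S")] * 2    # legitimate client
    + [("192.0.2.78", "198.51.100.10", "SA")] * 3   # legitimate client
    + [("192.0.2.90", "198.51.100.20", "S")] * 3    # neighbour on the same /24
)

class RouteTable:
    """Minimal edge-router FIB: longest-prefix match over announced prefixes."""
    def __init__(self):
        self.routes = {}  # IPv4Network -> next-hop label

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = max((n for n in self.routes if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        return None if best is None else self.routes[best]

def detect_floods(flows, window_seconds=1):
    """Monitoring-device role: destinations whose setup rate passes the threshold."""
    syns = Counter(dst for _, dst, flags in flows if flags == "S")
    return {dst for dst, n in syns.items() if n / window_seconds > SETUPS_PER_SEC}

def scrub(flows, victim, window_seconds=1):
    """Filtering-device role: drop sources over the per-source setup rate.
    Returns (clean_flows, acl); the ACL is what gets handed upstream."""
    per_src = Counter(src for src, dst, flags in flows if dst == victim and flags == "S")
    acl = {src for src, n in per_src.items() if n / window_seconds > PER_SOURCE_SYN_LIMIT}
    clean = [f for f in flows if f[1] == victim and f[0] not in acl]
    return clean, acl

def mitigate(flows, table, window_seconds=1):
    """Detect, divert each victim /32 to the scrubber, scrub, and report."""
    report = {"diverted": [], "forwarded": 0, "dropped": 0, "acl": set()}
    for victim in sorted(detect_floods(flows, window_seconds)):
        # The /32 beats the covering /24 in longest-prefix match, so only the victim's
        # traffic is pulled to the scrubber; neighbours on the /24 are untouched.
        table.announce(f"{victim}/32", "scrubber")
        report["diverted"].append(victim)
    for dst in sorted({f[1] for f in flows}):
        dst_flows = [f for f in flows if f[1] == dst]
        if table.lookup(dst) == "scrubber":
            clean, acl = scrub(dst_flows, dst, window_seconds)
            report["forwarded"] += len(clean)
            report["dropped"] += len(dst_flows) - len(clean)
            report["acl"] |= acl
        else:
            report["forwarded"] += len(dst_flows)
    return report
```

Call `mitigate(SAMPLE_FLOWS, table)` after announcing the customer /24 on the table; when the attack subsides, `withdraw("<victim>/32")` returns the victim to the normal path, which is the "remove it eventually and watch your traffic" step.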
Guspaz 10-25-2004, 02:01 PM I'd imagine it'd be easier to simply rent a dedicated server or colocate inside a facility that provides DDoS mitigation equipment. For example, ServerMatrix/TP uses RiverHead network wide, and EV1 uses FireSlayer.
cjhhiv 10-25-2004, 02:09 PM Maybe if you rented several dedicated servers around the country in datacenters that have some sort of DDoS protection and had your site loading from all of them you would be okay. Does anyone know if that sort of "on the cheap" solution might work?
Chuck
Guspaz 10-25-2004, 02:13 PM Personally if I wanted to survive DDoS attacks I'd get a high-powered server (Dual Xeon 2.8 perhaps?) with a gigabit port, hardware firewall, and RiverHead DDoS mitigation. A bit pricey, but still less than multiple servers from all over.
Anyhow, how would you load the site on multiple servers without having a single point of failure? Only way I can think of is DNS round robin, which would mean that if one server is taken out, your users would still see downtime (If one of five servers were down, about one in five users would have trouble).
But I don't worry about that sort of thing. I have a low-powered server on a 100mbit port protected by RiverHead, so I'm happy.
cjhhiv 10-25-2004, 02:15 PM Does anyone know which datacenters use RiverHead? The Planet is one based on discussions above, but I'd like to know about others. This is a big concern for our company, but we don't have hundreds of thousands to do what Microsoft can do :-)
Guspaz 10-25-2004, 02:18 PM You can find most of them via RiverHead's press releases:
http://www.riverhead.com/ne/index.html
I see well known names in there like RackSpace.
DeltaAnime 10-26-2004, 01:07 PM I had an attack on my old sagonet box that went on for over a week. Every morning the auto nulls came off, causing my IRC network to fall apart around 3am (me being asleep in bed, unable to call in for another null route).
The legal way works, if you got the patience. I was talking to a guy on the rizon irc network, who got a bill for $6000 from his host due to a dos attack. He ended up getting some buds to check out the guys setup, getting access to all of the servers on the guys botnet, passwords, the works.
He made up this uber list of info (even found out where he went to school, who his parents were, etc). In the end, the FBI sent the script kiddie a bill in the tens of thousands in damages ;)
No clue how long this took though.
If the attack is big enough, most places won't deal with it, just 'cuz it will (usually) hurt the customers on the same switch/router.
~Francisco
MadCool 10-26-2004, 02:27 PM So if I was to have a server on another ISP mirror a server hosted at another hosting provider, will that help ward off a ddos attack?
cjhhiv 10-26-2004, 02:32 PM Good question, MadCool. I'm curious about that too. Do DDOSers hit IP addresses or domain names? If it is IP addresses, I could have a duplicate server at another ISP and switch to it when the attack starts. They would then have to adjust their attack for the new IP. Of course, I guess that wouldn't be too hard.
Anyone?
DeltaAnime 10-26-2004, 02:36 PM Depends on how newbie the script kiddie is. If they just hit the domain, just edit the records to point to 127.0.0.1 for the time being. They should end up ripping their own bots offline.
From what I can tell though, the newer kits resolve the DNS and hit the IP directly.
Where's that auto-attacking router that was on slashdot a while back when we need it? :D
~Francisco
Guspaz 10-26-2004, 05:43 PM Having multiple servers at different IPs won't help... The moment you try to switch a domain name over to a different IP (Something that takes time to propagate too), the attacker will realize this and move his attack to the new target. Or both targets.
On the other hand, a provider with a massive network capacity and DDoS mitigation might allow you to survive... I guess it all depends on how efficient/effective solutions like RiverHead are.