Terje
01-28-2001, 06:06 PM
Just curious, how do people protect themselves against attacks that consume a lot of bandwidth?
Seems to me like a dedicated host with a 10Mbit connection through a fast backbone is an invitation to all evil people out there to let hell loose.
Hypothetical case:
Let's say I rent my own personal host, someone fires off traffic to me from several hacked accounts. They should easily be able to hit me with 20-50GB a day if they are well connected.
I'm on holiday in the antarctic. Offline for 1 week.
How can you prevent that nasty bill?
Terje
cbaker17
01-28-2001, 08:21 PM
A firewall may help with some of the attacks, but most attacks you cannot prevent.
Synergy
01-28-2001, 09:15 PM
Simply track the attackers down and have them pay for the bill.
Terje
01-28-2001, 09:19 PM
A firewall won't help you much at preventing someone from sending a huge amount of data to you. Making some scripts that will control the outgoing data flow (reply) is easy enough, but doesn't really help if you get charged for the incoming data (which I cannot control unless I get access to their routers, or rather, their ISP's routers I guess).
If the hosting provider/NOC takes 2 days to stop the attack, you'll essentially risk paying the bill?
(No, I don't plan any activity that I can imagine will make me very likely to be attacked like this, just wondering if I should be the target of some random attack or bug).
cbaker17
01-28-2001, 10:17 PM
Actually a firewall set up correctly can be your biggest friend in diverting certain attacks.... You can set up various rules for this or that attack, such as closing off ports etc...
Terje
01-28-2001, 11:41 PM
The problem is that no matter how many ports you close, you cannot stop incoming traffic from triggering the counters at your webhost.
I would have loved to have a feature to tell the router/switch port that the host is on to throttle back on the traffic it's sending me in a way that would also affect the counters used for the invoice.
Depending on where and how the traffic is measured, you could even shut down your host and the counters would still count.
cbaker17
01-29-2001, 01:01 AM
Apparently you're not understanding me; an effective solution is for the NOC to put a firewall between the router and the switch, which is how a firewall is supposed to be set up anyway. With this configuration, data would be blocked before it got to the switch, hence your daily bandwidth would not be hurt, as the NOC monitors it at the switch port level......
MattF
01-29-2001, 05:13 AM
You need to cap your bandwidth. Colocation providers such as maxim.net provide such services; dialtoneinternet used to for extra (not sure if they still do). If you do 200GB a month, then tell your provider to put a temp. cap on the port at the router to your server set at 1Mbit (granted that's more than 200GB, but peak/off peak traffic varies), any less than .5Mbit, don't go any lower though.
Matt2000
01-30-2001, 12:38 AM
Also, I've read that stateful firewalling is very effective against these kinds of DoS attacks and is now integrated into the 2.4 Linux kernel, so should be standard within a few months.
I guess the short summary of why it's better is that you can set up rules to block IPs and so on based on dynamically collected stats, versus on a standard firewall setup where you're mostly just trying to protect yourself from unauthorized access.
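
Added example (not part of any post in this thread, and not netfilter code): a Python sketch of two points argued above, blocking a source from dynamically collected per-source byte counts, and why the position of the filter relative to the billing counter decides what is invoiced. The window, limit, addresses and traffic are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 10            # assumed sliding-window length in seconds
LIMIT_BYTES = 1_000_000  # assumed per-source byte budget per window

def simulate(packets, window_s=WINDOW_S, limit=LIMIT_BYTES):
    """packets: time-ordered (timestamp_s, src_ip, size_bytes) tuples.

    Returns (blocked_sources, metered_before_filter, metered_after_filter).
    Blocks are permanent in this sketch; a real rule would expire them.
    """
    recent = defaultdict(deque)   # src -> (ts, size) samples still in window
    in_window = defaultdict(int)  # src -> bytes currently inside the window
    blocked = set()
    metered_before = 0  # billing counter sits in front of the filter
    metered_after = 0   # billing counter sits behind the filter
    for ts, src, size in packets:
        metered_before += size            # counted even if dropped later
        if src in blocked:
            continue
        q = recent[src]
        while q and q[0][0] <= ts - window_s:  # expire samples outside window
            in_window[src] -= q.popleft()[1]
        q.append((ts, size))
        in_window[src] += size
        if in_window[src] > limit:        # stats-driven rule: block the source
            blocked.add(src)
            continue                      # packet that crossed the limit is dropped
        metered_after += size
    return blocked, metered_before, metered_after

def sample_packets():
    """Constructed traffic: one quiet client and one flooding source, 60 s."""
    pkts = []
    for t in range(60):
        pkts.append((t, "192.0.2.10", 1500))                        # 1 packet/s
        pkts.extend((t, "198.51.100.7", 1500) for _ in range(100))  # 100 packets/s
    return pkts

if __name__ == "__main__":
    blocked, before, after = simulate(sample_packets())
    print("blocked:", sorted(blocked))
    print("bytes metered before filter:", before)
    print("bytes metered after filter: ", after)
```

On the constructed traffic, the counter in front of the filter records 9,090,000 bytes while the counter behind it records 1,089,000, even though the same source is blocked in both cases.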