  1. #1

    What is the best way to detect a DDoS and mitigate it?

    Hi dear forum,

    Since the beginning, I used to purchase fully managed VPS, until I found server management interesting. I'm on an un-managed host now.

    Forum, could you please be kind enough to share with me the ways to detect a DDoS attack from the terminal, or, if there are any GUI-based tools available, what are they?

    How can I mitigate such attacks?
    I've heard about Deflate and BFD, but it's better to ask the experts.

    Thank you
    regards

  3. #3
    These methods can be effective for small and Layer 7 type floods (e.g. HTTP GET attacks), but often you'll find out about the DDoS when your server stops responding and the host asks you to leave.

  4. #4
    For simple and low-volume floods, you can install software DDoS protection like DDoS Deflate.

  5. #5
    Unless you're very knowledgeable, the "quick"/easy method is to enable CloudFlare on your sites and install DDoS Deflate.

    Won't protect you against much though.

  6. #6
    Why not go with a managed provider then so they can help you with this, or are you saying you want to learn and know how?

    If you are familiar with command line, use something like this to see how many active connections you have to your server:

    netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    Another good thing to look at is how many active connections your server is currently processing.

    netstat -n | grep :80 |wc -l

    netstat -n | grep :80 | grep SYN |wc -l

    The first command will show the number of active connections that are open to your server. Many of the attacks typically seen work by starting a connection to the server and then not sending any reply, making the server wait for it to time out. The number of active connections from the first command is going to vary widely, but if you are above 500 you are most likely under attack. If the second command is over 100, you are having trouble with a SYN attack.

    My advice: install CSF and it will help with this, unless you are getting a very big DDoS attack, and only then can advanced DDoS mitigation hardware firewalls help you.

  7. #7
    Hi,

    If you really have a massive ongoing DDoS attack on the IP address of your VPS, then you will have to deal with your hosting provider, who probably himself will deal with his upstream network providers so that they can block the flood. I don't think there's much you can do at the level of your VPS (you will never be able to block the incoming traffic that will flood the switches and routers you are connected to).

    In such a case, the only thing you can hope for is to have a good hosting provider.

    Thomas

  8. #8
    Quote Originally Posted by Flapadar:
    Unless you're very knowledgeable, the "quick"/easy method is to enable CloudFlare on your sites and install DDoS Deflate.

    Won't protect you against much though.
    CloudFlare's Free or Pro plans do not offer DDoS mitigation.
    https://www.cloudflare.com/plans

  9. #9
    If you are asking this question here, you should try this first:
    http://deflate.medialayer.com/

  10. #10
    Quote Originally Posted by Igal Zeifman:
    CloudFlare's Free or Pro plans do not offer DDoS mitigation.
    https://www.cloudflare.com/plans
    They do mitigate small attacks on their free plans; as they are a reverse proxy (much like your own services), any ICMP/SYN/etc. floods will hit their servers instead of the target. The more advanced filtering would be on their paid plans (I presume your service is similar: paid plan, more complex filtering?).

  11. #11
    Use a cloud to load balance everything. If you are good, you can make 2 servers with an NGINX; it will take time but it will work. Collect IPs of your regular valid visitors, make a script or analysis of your forum's traffic to get the most popular visitors, and via NGINX redirect them specifically to another server that is always running. Now for the rest of the world the server stays different. This way, even in the case of a DDoS attack, most of your genuine visitors will be able to see you running, while the rest of the world or the DDoS people will think you died.

  12. #12
    Quote Originally Posted by darknessends:
    This way, even in the case of a DDoS attack, most of your genuine visitors will be able to see you running, while the rest of the world or the DDoS people will think you died.
    Depends. When I was running a project that kept getting attacked by a persistent attacker, I had 6 1Gbps servers load balanced via nginx with DNS round robin, and it still managed to get absolutely hammered. I had extensive protection against level 7 attacks and blocked absolutely everything that wasn't needed via iptables.

    Success of such a method will always be dependent on the determination of the attacker (and your budget).

  13. #13
    Quote Originally Posted by Flapadar:
    Depends. When I was running a project that kept getting attacked by a persistent attacker, I had 6 1Gbps servers load balanced via nginx with DNS round robin, and it still managed to get absolutely hammered. I had extensive protection against level 7 attacks and blocked absolutely everything that wasn't needed via iptables.

    Success of such a method will always be dependent on the determination of the attacker (and your budget).
    Perhaps you did not understand what I said and what you were doing. You did round robin; I am not doing round robin. I am implementing a scheme that automatically sends a premium, regular whitelist of users to a different, stable server. Round robin distributes things in a distributed manner without any identification of the past visiting experience of that IP.

  14. #14
    Quote Originally Posted by darknessends:
    Perhaps you did not understand what I said and what you were doing. You did round robin; I am not doing round robin. I am implementing a scheme that automatically sends a premium, regular whitelist of users to a different, stable server. Round robin distributes things in a distributed manner without any identification of the past visiting experience of that IP.
    And how is that going to help you when you get hammered with a 10G attack that saturates the server that determines the past history of that IP?

    Round robin worked partially on that part, although I would have needed more servers to cope.

  15. #15
    When it is an issue of saturation, it's best to have a hardware appliance, or, worst case, you can just null-route the destination IP in collaboration with your ISP.

    When it comes to floods and even some high-bandwidth attacks, CloudFlare will work.

  16. #16
    Denial of service… kind of says it all, doesn’t it – your users are denied service. Did someone pull the plug on your server? No, but it is inaccessible – you’re most probably being hit by a DDoS attack. If you watch the web server logs for i.) connection request behavior - where abnormalities can mean application level attacks and, ii.) quantity of packets on network interface that usually reveal volumetric attacks – and you see big differences to normal operation, and especially if the server is down, you have a DDoS attack.

    DDoS Deflate is a simple tool that could help you, but only while under a certain type of attack: IPs identifiable by an “abnormal” number of connections, substantially greater than “legitimate” IP connection rates. This type of attack is usually carried out by a limited number of IPs, and DDoS Deflate helps identify and block those. Today, such attacks are rare and considered rather elementary. Now, imagine 20K IPs making “slow” requests amounting to the same aggregate quantity as in the example above – you have your DDoS again, but what will DDoS Deflate do about it? Unfortunately, the times when solutions such as DDoS Deflate, mod_limitipconn, etc. could actually help are long gone. A defense mechanism that bans legitimate users along with the bots actually works in favor of the attackers, doesn’t it? The truth is that most of today’s DDoS situations require substantial experience and resources in dealing with the different types of floods, deploying all sorts of different methods such as banning on signature, user verification techniques, etc. So, if you don’t plan to devote yourself full-time to dealing with this problem, I suggest you go to the experts.

    A word of advice: if your site/service IS accessible even with some increase in metrics, proceed as if under normal conditions, i.e. do nothing. The reason: with any kind of mitigating technique you always get varying amounts of false positives, and you want to avoid these.
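    The two checks from post #6 (connections per remote IP, and half-open SYN_RECV connections) and the point from post #16 (a flood spread over many IPs keeps every per-IP count low while the aggregate is still high) can be seen together in the added shell script below. It is not from this thread or from DDoS Deflate: it runs over a constructed `netstat -ant` sample and a generated distributed sample so it works offline, and the thresholds 500 and 100 are the ones post #6 quotes.

```shell
#!/bin/sh
# Added example, not from the thread: post #6's two netstat checks as functions,
# run over constructed input, plus a comparison that shows why a per-IP threshold
# (the DDoS Deflate approach from post #16) misses a flood spread over many IPs.

# Constructed sample in `netstat -ant` layout (Proto Recv-Q Send-Q Local Foreign State).
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.3:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.4:40002      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:60000         ESTABLISHED
EOF
}

# Constructed distributed case from post #16: 30 distinct IPs, one connection each.
distributed_sample() {
  i=1
  while [ "$i" -le 30 ]; do
    echo "tcp 0 0 10.0.0.5:80 203.0.113.$i:5000$i ESTABLISHED"
    i=$((i + 1))
  done
}

# Connections per remote IP on local port $1, busiest last: post #6's first
# pipeline (awk/cut/sort/uniq -c) restricted to one port. IPv4 only.
per_ip_counts() {
  awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
                 END { for (ip in n) print n[ip], ip }' | sort -n
}

# Half-open connections on local port $1: post #6's `netstat -n | grep :80 | grep SYN | wc -l`.
syn_recv_count() {
  awk -v p="$1" '$1 == "tcp" && $6 == "SYN_RECV" && $4 ~ (":" p "$") { c++ } END { print c + 0 }'
}

# Largest single-IP count: the only signal a per-IP banning tool can act on.
max_per_ip() { per_ip_counts "$1" | tail -n 1 | awk '{ print $1 }'; }
# Total connections on the port: the load the server actually carries.
total_on_port() { per_ip_counts "$1" | awk '{ s += $1 } END { print s + 0 }'; }

# Verdict with the thread's thresholds passed in (500 total, 100 SYN_RECV in post #6).
verdict() {
  total="$1"; syn="$2"; total_limit="$3"; syn_limit="$4"
  if [ "$syn" -gt "$syn_limit" ]; then echo "syn-flood"
  elif [ "$total" -gt "$total_limit" ]; then echo "connection-flood"
  else echo "normal"; fi
}

# Stand-alone run: per-IP table for port 80, then the verdict for the sample.
sample_netstat | per_ip_counts 80
echo "verdict=$(verdict "$(sample_netstat | total_on_port 80)" "$(sample_netstat | syn_recv_count 80)" 500 100)"
```

    On the distributed sample, `max_per_ip 80` stays at 1 while `total_on_port 80` is 30, which is the gap post #16 describes: a per-IP ban list never fires, yet the aggregate is what exhausts the server.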

  17. #17
    Great free firewall software can be found at www.configserver.com/ . You can set it up for email notification when attacks begin, it automatically blocks abnormal activity, and the software has a great set of tools to mitigate DDoS attacks.

    Many VPS providers include it as part of cpanel (as a plugin). If you do use it, contribute to the development. The software is worth it.

  18. #18
    Quote Originally Posted by Flapadar:
    And how is that going to help you when you get hammered with a 10G attack that saturates the server that determines the past history of that IP?

    Round robin worked partially on that part, although I would have needed more servers to cope.
    Understand, brother: DDoS is something even PayPal was affected by. If you scale properly, there is nothing that cannot be affected by a dynamic DDoS. But yes, with the solution I provided you are basically filtering out your regular genuine users on the basis of a whitelist. A dynamic DDoS is the one that's effective, and you do it by having a big botnet; all of them are unknown IPs which never actually connected to you in the past, and you can redirect them to a different spot. But yes, with powerful bandwidth and enough IPs/servers you can DDoS virtually anything; it's something you can't restrict by any normal means. But at least this way you can keep your site open and working for a more genuine set of users.

  19. #19
    Quote Originally Posted by darknessends:
    Understand, brother: DDoS is something even PayPal was affected by. If you scale properly, there is nothing that cannot be affected by a dynamic DDoS. But yes, with the solution I provided you are basically filtering out your regular genuine users on the basis of a whitelist. A dynamic DDoS is the one that's effective, and you do it by having a big botnet; all of them are unknown IPs which never actually connected to you in the past, and you can redirect them to a different spot. But yes, with powerful bandwidth and enough IPs/servers you can DDoS virtually anything; it's something you can't restrict by any normal means. But at least this way you can keep your site open and working for a more genuine set of users.
    What you're describing is layer 7 protection. What will really cripple your application is layer 4 or 3.

    Your whitelist-type idea won't work if nobody can connect to your server.

  20. #20
    Quote Originally Posted by reto:
    Denial of service… kind of says it all, doesn’t it – your users are denied service. Did someone pull the plug on your server? No, but it is inaccessible – you’re most probably being hit by a DDoS attack. If you watch the web server logs for i.) connection request behavior - where abnormalities can mean application level attacks and, ii.) quantity of packets on network interface that usually reveal volumetric attacks – and you see big differences to normal operation, and especially if the server is down, you have a DDoS attack.

    DDoS Deflate is a simple tool that could help you, but only while under a certain type of attack: IPs identifiable by an “abnormal” number of connections, substantially greater than “legitimate” IP connection rates. This type of attack is usually carried out by a limited number of IPs, and DDoS Deflate helps identify and block those. Today, such attacks are rare and considered rather elementary. Now, imagine 20K IPs making “slow” requests amounting to the same aggregate quantity as in the example above – you have your DDoS again, but what will DDoS Deflate do about it? Unfortunately, the times when solutions such as DDoS Deflate, mod_limitipconn, etc. could actually help are long gone. A defense mechanism that bans legitimate users along with the bots actually works in favor of the attackers, doesn’t it? The truth is that most of today’s DDoS situations require substantial experience and resources in dealing with the different types of floods, deploying all sorts of different methods such as banning on signature, user verification techniques, etc. So, if you don’t plan to devote yourself full-time to dealing with this problem, I suggest you go to the experts.

    A word of advice: if your site/service IS accessible even with some increase in metrics, proceed as if under normal conditions, i.e. do nothing. The reason: with any kind of mitigating technique you always get varying amounts of false positives, and you want to avoid these.
    How about load balancing with the history of the IP? If it was a regular user from the past few months with his average load, then redirect to a different set of servers; totally new IPs go to a different set of servers. You can define such schemes. But yes, if your redirection node also goes off, which it will if the attack is substantially powerful, you can't do anything. But we should always remember you can DDoS anything when you have sufficient participants and bandwidth; it's all about safely utilizing it.

  21. #21
    This is a duplicate thread. It has been posted here as well.
    http://www.webhostingtalk.com/showthread.php?t=1162563

  22. #22
    Quote Originally Posted by darknessends:
    How about load balancing with the history of the IP? If it was a regular user from the past few months with his average load, then redirect to a different set of servers; totally new IPs go to a different set of servers. You can define such schemes. But yes, if your redirection node also goes off, which it will if the attack is substantially powerful, you can't do anything. But we should always remember you can DDoS anything when you have sufficient participants and bandwidth; it's all about safely utilizing it.
    We are talking about one node here and the problem of deciphering between good and bad IPs within this one node. If under your present conditions the one node is not enough, balancing is the only way, of course, and power here is much less material than technological prowess.

    What you are suggesting here would not achieve anything really, as you're not mitigating the attack: you have the resource to hold the entire attack traffic (redirecting it is also a resource; Nginx is fast but will also die under a large HTTP flood), and you deny new visitors access to the site, which could be acceptable for a permanent/verified-users forum site but would be entirely unacceptable for, say, some online shop relying on newcomers.

    You're right, it's all about size with DDoS, and it's all about equipment resilience on one side and bandwidth on the other.

  23. #23
    Please download the given DDoS Deflate script:

    wget http://www.inetbase.com/scripts/ddos/install.sh

    After download, please change the permission:
    chmod 0700 install.sh

    Now please run the install:
    ./install.sh

  24. #24
    Hi,

    Quote Originally Posted by Igal Zeifman:
    CloudFlare's Free or Pro plans do not offer DDoS mitigation.
    https://www.cloudflare.com/plans
    Once again, incorrect. I'm Under Attack is available to all customers in their CloudFlare Account Security Profile.

  25. #25
    Hi,

    Quote Originally Posted by Flapadar:
    They do mitigate small attacks on their free plans; as they are a reverse proxy (much like your own services), any ICMP/SYN/etc. floods will hit their servers instead of the target. The more advanced filtering would be on their paid plans (I presume your service is similar: paid plan, more complex filtering?).
    We have actually changed a lot in this arena over the past few months, including a new feature to help site owners combat many common DDoS attacks.