-
06-10-2012, 01:25 AM #1 Newbie
- Join Date
- Jun 2012
- Posts
- 14
What is the best way to detect a DDoS and mitigate it?
Hi dear forum,
Since the beginning I used to purchase fully managed VPS, until I found server management interesting. I'm on an unmanaged host now.
Forum, could you please be kind enough to share with me the ways to detect a DDoS attack from the terminal, or, if there are any GUI-based tools available, what they are?
How can I mitigate such attacks?
I've heard about Deflate and BFD, but it's better to ask the experts.
Thank you,
regards
-
06-10-2012, 03:09 AM #3 CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
These methods can be effective for small and Layer 7 type floods (e.g. HTTP GET attacks), but often you'll find out about the DDoS when your server stops responding and the host asks you to leave.
-
06-10-2012, 04:27 AM #4 Web Hosting Master
- Join Date
- Aug 2009
- Posts
- 3,207
For simple, low-volume floods, you can install software DDoS protection like DDoS Deflate.
-
06-10-2012, 08:56 AM #5 Web Hosting Master
- Join Date
- Jun 2011
- Location
- Internet
- Posts
- 2,985
Unless you're very knowledgeable, the "quick"/easy method is to enable CloudFlare on your sites and install DDoS Deflate.
It won't protect you against much, though.
-
06-10-2012, 11:07 PM #6 Temporarily Suspended
- Join Date
- Mar 2010
- Posts
- 1,154
Why not go with a managed provider then, so they can help you with this? Or are you saying you want to learn and know how?
If you are familiar with the command line, use something like this to see how many active connections you have to your server, grouped by remote IP:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Another good thing to look at is how many active connections your server is currently processing:
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN | wc -l
The first command will show the number of active connections that are open to your server. Many of the attacks typically seen work by starting a connection to the server and then not sending any reply, making the server wait for it to time out. The number of active connections from the first command is going to vary widely, but if you are above 500 you are most likely under attack. If the second command is over 100, you are having trouble with a SYN attack.
My advice: install CSF. It will help with this unless you are getting a very big DDoS attack, and only then can advanced DDoS mitigation hardware firewalls help you.
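The same counts as an added example in Python, not code from the post above: it parses a constructed `netstat -ant` sample (documentation addresses; 198.51.100.10 plays the server), counts connections per remote IP for one local port and the half-open SYN_RECV sockets among them, and applies the post's 500-connection and 100-SYN figures as default thresholds. Unlike `grep :80`, it matches the local port exactly, so a connection on :8080 or a remote port that happens to contain "80" is not counted. The sample data and the thresholds are assumptions for illustration.

```python
from collections import Counter

# Constructed sample of `netstat -ant` output (not captured from any real host).
# 198.51.100.10 is the server; remote addresses are from documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:80        203.0.113.5:51122       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.5:51123       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.5:51124       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:40001        ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.44:40002        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:40003        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:40004        SYN_RECV
tcp        0      0 198.51.100.10:80        198.51.100.77:3333      TIME_WAIT
tcp        0      0 198.51.100.10:22        203.0.113.9:60000       ESTABLISHED
tcp        0      0 198.51.100.10:8080      203.0.113.200:5555      ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) per socket line.
    UDP lines carry no State column in netstat output, so state is '' for them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything that is not a socket row
        proto, local, remote = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        local_ip, _, local_port = local.rpartition(":")   # rpartition also copes with IPv6 "::1:80"
        remote_ip, _, remote_port = remote.rpartition(":")
        yield proto, local_ip, local_port, remote_ip, remote_port, state


def summarize(text, port=80, conn_threshold=500, syn_threshold=100):
    """Connections to local `port` per remote IP, the SYN_RECV (half-open) count,
    and alerts against the thresholds quoted in the post (assumed defaults)."""
    per_ip = Counter()
    syn_recv = 0
    for _proto, _lip, lport, rip, rport, state in parse_netstat(text):
        if lport != str(port) or state == "LISTEN" or rport == "*":
            continue  # exact local-port match; skip the listening socket itself
        per_ip[rip] += 1
        if state == "SYN_RECV":
            syn_recv += 1
    total = sum(per_ip.values())
    alerts = []
    if total > conn_threshold:
        alerts.append(f"{total} connections to :{port} (threshold {conn_threshold})")
    if syn_recv > syn_threshold:
        alerts.append(f"{syn_recv} half-open SYN_RECV sockets on :{port} (threshold {syn_threshold})")
    return {"total": total, "syn_recv": syn_recv, "per_ip": per_ip, "alerts": alerts}


if __name__ == "__main__":
    result = summarize(SAMPLE_NETSTAT)
    # Same shape as the post's `sort | uniq -c | sort -n` pipeline: count, then IP.
    for ip, n in sorted(result["per_ip"].items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {ip}")
    print("total:", result["total"], "syn_recv:", result["syn_recv"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

On a live box, feed it `subprocess.run(["netstat", "-ant"], capture_output=True, text=True).stdout` instead of the sample; on systems without netstat, `ss -ant` prints the same columns in a different order, so adjust the indices before reusing the parser.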
-
06-11-2012, 01:33 PM #7 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Shanghai
- Posts
- 1,475
Hi,
If you really have a massive ongoing DDoS attack on the IP address of your VPS, then you will have to deal with your hosting provider, who will probably himself deal with his upstream network providers so that they can block the flood. I don't think there's much you can do at the level of your VPS (you will never be able to block the incoming traffic that floods the switches and routers you are connected to).
In such a case, the only thing you can hope for is to have a good hosting provider.
-
06-12-2012, 07:55 AM #8 WHT Addict
- Join Date
- May 2012
- Posts
- 116
CloudFlare's Free and Pro plans do not offer DDoS mitigation.
https://www.cloudflare.com/plans
-
06-12-2012, 07:58 AM #9 Web Hosting Master
- Join Date
- Dec 2006
- Location
- Netherlands
- Posts
- 1,435
If you are asking this question here, you should try this first:
http://deflate.medialayer.com/
-
06-12-2012, 08:36 AM #10 Web Hosting Master
- Join Date
- Jun 2011
- Location
- Internet
- Posts
- 2,985
They do mitigate small attacks on their free plans: as they are a reverse proxy (much like your own service), any ICMP/SYN/etc. floods will hit their servers instead of the target. The more advanced filtering would be on their paid plans (I presume your service is similar: paid plan, more complex filtering?).
-
06-12-2012, 09:02 AM #11 Web Hosting Evangelist
- Join Date
- Apr 2012
- Posts
- 545
Use a cloud to load balance everything. If you are good, you can make 2 servers with NGINX; it will take time but it will work. Collect the IPs of your regular valid visitors, make a script or an analysis of your forum's traffic to get the most popular visitors, and via NGINX redirect them specifically to another server that is always running. Now for the rest of the world the server stays different. This way, even in the case of a DDoS attack most of your genuine visitors will be able to see you running, while the rest of the world or the DDoS people will think you died.
-
06-12-2012, 09:05 AM #12 Web Hosting Master
- Join Date
- Jun 2011
- Location
- Internet
- Posts
- 2,985
It depends. When I was running a project that kept getting attacked by a persistent attacker, I had six 1 Gbps servers load balanced via nginx with DNS round robin, and it still managed to get absolutely hammered. I had extensive protection against level 7 attacks and blocked absolutely everything that wasn't needed via iptables.
The success of such a method will always be dependent on the determination of the attacker (and your budget).
-
06-12-2012, 09:15 AM #13 Web Hosting Evangelist
- Join Date
- Apr 2012
- Posts
- 545
Perhaps you did not understand what I said and what you were doing. You did round robin; I am not doing round robin, I am implementing a scheme that automatically sends a premium, regular whitelist of users to a different, stable server. Round robin distributes things in a distributed manner without any identification of the past visiting experience of that IP.
-
06-12-2012, 09:34 AM #15 virtualizing the world
- Join Date
- Mar 2004
- Location
- Seattle, WA
- Posts
- 2,580
When it is an issue of saturation, it's best to have a hardware appliance, or, worst case, you can just null route the destination IP in collaboration with your ISP.
When it comes to floods and even some high-bandwidth attacks, CloudFlare will work.
-
06-12-2012, 09:51 AM #16 Disabled
- Join Date
- Jun 2012
- Posts
- 215
Denial of service kind of says it all, doesn't it: your users are denied service. Did someone pull the plug on your server? No, but it is inaccessible; you're most probably being hit by a DDoS attack. If you watch the web server logs for i.) connection request behavior, where abnormalities can mean application-level attacks, and ii.) the quantity of packets on the network interface, which usually reveals volumetric attacks, and you see big differences from normal operation, and especially if the server is down, you have a DDoS attack.
DDoS Deflate is a simple tool that could help you, but only while under a certain type of attack: IPs identifiable by an "abnormal" number of connections, substantially greater than "legitimate" IP connection rates. This type of attack is usually carried out by a limited number of IPs, and DDoS Deflate helps identify and block those. Today, such attacks are rare and considered rather elementary. Now, imagine 20K IPs making "slow" requests amounting to the same aggregate quantity as in the example above: you have your DDoS again, but what will DDoS Deflate do about it? Unfortunately, the times when solutions such as DDoS Deflate, mod_limitipconn, etc. could actually help are long gone. A defense mechanism that bans legitimate users along with the bots actually works in favor of the attackers, doesn't it? The truth is that most of today's DDoS situations require substantial experience and resources in dealing with the different types of floods, deploying all sorts of different methods such as banning on signature, user verification techniques, etc. So, if you don't plan to devote yourself full-time to dealing with this problem, I suggest you go to the experts.
A word of advice: if your site/service IS accessible even with some increase in metrics, proceed as if under normal conditions, i.e. do nothing. The reason: with any kind of mitigating technique you always get varying amounts of false positives, and you want to avoid these.
-
06-12-2012, 10:17 AM #17 Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 66
Great free firewall software can be found at www.configserver.com/ . You can set it up for email notification when attacks begin, it automatically blocks abnormal activity, and the software has a great set of tools to mitigate DDoS attacks.
Many VPS providers include it as part of cPanel (as a plugin). If you do use it, contribute to the development. The software is worth it.
-
06-12-2012, 10:21 AM #18 Web Hosting Evangelist
- Join Date
- Apr 2012
- Posts
- 545
Understand, brother: DDoS is something even PayPal was affected by. Even if you scale properly, there is nothing that cannot be affected by a dynamic DDoS. But yes, with the solution I provided you are basically filtering out your regular genuine users on the basis of a whitelist. A dynamic DDoS is the one that's effective, and you do it by having a big botnet; all of them are unknown IPs which never actually connected to you in the past, and you can redirect them to a different spot. But yes, with powerful bandwidth and enough IPs/servers you can DDoS virtually anything; it's something you can't restrict by any normal means. But at least this way you can keep your site open and working for a more genuine set of users.
-
06-12-2012, 10:25 AM #20 Web Hosting Evangelist
- Join Date
- Apr 2012
- Posts
- 545
How about load balancing with the history of the IP? If it was a regular user over the past few months with his average load, then redirect to a different set of servers; totally new IPs go to a different set of servers. You can define such schemes. But yes, if your redirection node also goes down, which it will if the attack is substantially powerful, you can't do anything. But we should always remember you can DDoS anything when you have sufficient participants and bandwidth; it's all about safely utilizing it.
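The two ideas argued over in this thread, detecting the "20K IPs making slow requests" flood from post #16 that a per-IP connection limit never sees, and the known-visitor routing from posts #11 and #20, as one added example that is not code from any poster. It builds a constructed combined-format access log (documentation addresses) in which five regular visitors make 20 requests each in a baseline window, then in the next window 200 never-seen IPs add only 3 requests each. A per-IP threshold would fire on the regulars before it fires on the attackers; comparing the window's aggregate request rate and its share of history-less IPs against the baseline flags the flood instead. The 600-second window, the 3x rate factor and the 50% unseen-share cutoff are assumptions, and `route()` is the whitelist decision an nginx map would make, not an nginx configuration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_S = 600  # analysis window length in seconds (assumption)

T0 = datetime(2012, 6, 12, 9, 0, 0, tzinfo=timezone.utc)
REGULARS = [f"198.51.100.{i}" for i in range(1, 6)]       # constructed "known" visitors
ATTACKERS = [f"203.0.113.{i}" for i in range(1, 201)]    # constructed never-seen bots


def _lines(ip, count, start, step_s, path="/"):
    """Constructed log lines for one client: `count` requests, one every `step_s` seconds."""
    return [f'{ip} - - [{(start + timedelta(seconds=i * step_s)).strftime(TS_FMT)}] '
            f'"GET {path} HTTP/1.1" 200 512' for i in range(count)]


# Window 0 (baseline): five regulars, 20 requests each.
# Window 1: the same regulars plus 200 new IPs making 3 slow requests each.
SAMPLE_LOG = []
for _ip in REGULARS:
    SAMPLE_LOG += _lines(_ip, 20, T0, 30)
    SAMPLE_LOG += _lines(_ip, 20, T0 + timedelta(seconds=WINDOW_S), 30)
for _ip in ATTACKERS:
    SAMPLE_LOG += _lines(_ip, 3, T0 + timedelta(seconds=WINDOW_S), 200, path="/forum/search")


def parse(lines):
    """(ip, timestamp) per parseable log line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)))
    return events


def split_windows(events, window_s=WINDOW_S):
    """Group request IPs into consecutive fixed-length windows from the first event."""
    if not events:
        return []
    t0 = min(ts for _, ts in events)
    buckets = defaultdict(list)
    for ip, ts in events:
        buckets[int((ts - t0).total_seconds()) // window_s].append(ip)
    return [buckets[i] for i in range(max(buckets) + 1)]


def window_stats(ips, known, window_s=WINDOW_S):
    """Aggregate metrics for one window; `known` is the set of IPs with prior history."""
    per_ip = Counter(ips)
    unseen = {ip: n for ip, n in per_ip.items() if ip not in known}
    return {
        "requests": len(ips),
        "rate": len(ips) / window_s,
        "max_per_ip": max(per_ip.values(), default=0),          # what DDoS Deflate-style limits look at
        "max_unseen_per_ip": max(unseen.values(), default=0),   # the bots stay far below that
        "unseen_fraction": sum(unseen.values()) / len(ips) if ips else 0.0,
    }


def is_distributed_flood(baseline, current, known, rate_factor=3.0, min_unseen=0.5):
    """Flag a window whose aggregate rate jumps AND whose traffic mostly comes from
    IPs with no history, independent of any single IP's request count."""
    b, c = window_stats(baseline, known), window_stats(current, known)
    return c["rate"] >= rate_factor * b["rate"] and c["unseen_fraction"] >= min_unseen


def route(ip, known):
    """The whitelist split from posts #11/#20: regulars to the stable pool, everyone else to the public pool."""
    return "regulars" if ip in known else "public"


def analyse(lines=SAMPLE_LOG):
    windows = split_windows(parse(lines))
    known = set(windows[0])          # everyone seen in the baseline window counts as a regular
    return {
        "known": known,
        "baseline": window_stats(windows[0], known),
        "current": window_stats(windows[1], known),
        "flood": is_distributed_flood(windows[0], windows[1], known),
    }


if __name__ == "__main__":
    r = analyse()
    for name in ("baseline", "current"):
        s = r[name]
        print(f"{name}: {s['requests']} req, {s['rate']:.3f} req/s, max per IP {s['max_per_ip']}, "
              f"max per unseen IP {s['max_unseen_per_ip']}, unseen share {s['unseen_fraction']:.2f}")
    print("distributed flood:", r["flood"])
    print("203.0.113.7 ->", route("203.0.113.7", r["known"]), "| 198.51.100.1 ->", route("198.51.100.1", r["known"]))
```

In production the "known" set would come from weeks of logs rather than a single window, and the public pool should still get the ordinary per-IP and aggregate protections, since, as post #22 notes below, nothing here reduces the attack traffic itself.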
-
06-12-2012, 10:41 AM #21 Web Hosting Evangelist
- Join Date
- Apr 2012
- Posts
- 545
This is a duplicate thread. It has been posted here as well.
http://www.webhostingtalk.com/showthread.php?t=1162563
-
06-12-2012, 11:49 AM #22 Disabled
- Join Date
- Jun 2012
- Posts
- 215
We are talking about one node here and the problem of deciphering between good and bad IPs within this one node. If under your present conditions the one node is not enough, balancing is the only way, of course, and power here is much less material than technological prowess.
What you are suggesting here would not achieve anything really, as you're not mitigating the attack: you have the resources to hold the entire attack traffic (redirecting it is also a resource; Nginx is fast but will also die under a large HTTP flood), and you deny new visitors access to the site, which could be acceptable for a permanent/verified users forum site but would be entirely unacceptable for, say, some online shop relying on newcomers.
You're right, it's all about size with DDoS, and it's all about equipment resilience on one side and bandwidth on the other.
-
06-12-2012, 11:55 AM #23 Web Hosting Master
- Join Date
- Mar 2003
- Location
- Jaipur, India
- Posts
- 643
Please download the given DDoS Deflate script.
wget http://www.inetbase.com/scripts/ddos/install.sh
After downloading, please change the permissions:
chmod 0700 install.sh
Now please run the installer:
./install.sh