How to stop DDOS/DOS attacks?

  #1  
Newbie
 
Join Date: Jul 2011
Posts: 22

How to stop DDOS/DOS attacks?


Hey WHT,

I've been lurking on WHT for a while, and recently I joined up as a systems administrator on a Minecraft server (full administrator, as in I set up everything and keep it running smoothly, I fully manage it myself), and while I got everything working perfectly fine on our Limestone Networks dedi (C2Q 9400 2.66ghz, 8GB RAM, 500GB HDD, 100mbps port), I've been having some troubles with DDOS/DOS attacks recently.

Yes, a 3 week old server having troubles with attacks. (The most recent ones I've been having are from a very disgruntled banned player).

Now I can handle CentOS and the like fine for most tasks, but I've never learned much about what to do about DDOS/DOS attacks, especially with the scale of these attacks (75-100 mbps usually, which often maxes out our line). Limestone has great support, and they automatically stop most attacks within a few minutes, but I'm wondering if there's a way to detect/stop/log these attacks instead of waiting for Limestone to get rid of them? We're also thinking of switching hosts due to cost issues, and I would especially need a method to stop attacks on hosts with stricter bandwidth and QOS policies.

I caught the attacker's IPs once (they were using Amazon EC2), but Amazon denied that the IPs ever touched us.

Basically, how and with what tools would I be able to stop/log DOS and DDOS attacks on CentOS 5.5, with that hardware/network.

I would love any and all advice on this matter.



  #2  
WHT Addict
 
Join Date: Mar 2007
Posts: 106
Quote:
Originally Posted by battlekid View Post
Hey WHT,

I've been lurking on WHT for a while, and recently I joined up as a systems administrator on a Minecraft server (full administrator, as in I set up everything and keep it running smoothly, I fully manage it myself), and while I got everything working perfectly fine on our Limestone Networks dedi (C2Q 9400 2.66ghz, 8GB RAM, 500GB HDD, 100mbps port), I've been having some troubles with DDOS/DOS attacks recently.

Yes, a 3 week old server having troubles with attacks. (The most recent ones I've been having are from a very disgruntled banned player).

Now I can handle CentOS and the like fine for most tasks, but I've never learned much about what to do about DDOS/DOS attacks, especially with the scale of these attacks (75-100 mbps usually, which often maxes out our line). Limestone has great support, and they automatically stop most attacks within a few minutes, but I'm wondering if there's a way to detect/stop/log these attacks instead of waiting for Limestone to get rid of them? We're also thinking of switching hosts due to cost issues, and I would especially need a method to stop attacks on hosts with stricter bandwidth and QOS policies.

I caught the attacker's IPs once (they were using Amazon EC2), but Amazon denied that the IPs ever touched us.

Basically, how and with what tools would I be able to stop/log DOS and DDOS attacks on CentOS 5.5, with that hardware/network.

I would love any and all advice on this matter.

You would need something that is sitting outside of the server to stop the attacks from reaching your server. Once they have reached your server it starts to affect the performance and bandwidth availability of the server. There are small-time scripts to stop users from getting a response from certain services running on your server but none of them keep the attack from reaching your physical server which is the key in stopping them.

I would recommend looking for a host that specializes in DDOS mitigation that does not just null route IPs when attacks occur. Some can add the IPs to their ACLs so they do not reach your physical server which will help mitigate the DOS and DDOS attacks.

  #3  
WHT Addict
 
Join Date: Jan 2008
Location: Sweden
Posts: 140
Ask your provider to place a hardware firewall (this can even be a server configured as a firewall) between the switch and your server.

  #4  
Web Hosting Master
 
Join Date: May 2011
Posts: 555
DDoS Attacks have always been a major problem on all game servers.

I would try this script: http://deflate.medialayer.com/

Also, if you can prove that the attacks are coming from Amazon EC2 (Get Limestone to write a statement for proof, too, with the IP address in logs), and Amazon EC2 is denying the attack (Even after you send the log), then hire a lawyer and see what can be done. DDoS attacks are a major problem, and when a host does not comply with reports then there can be trouble.

  #5  
Disabled
 
Join Date: Sep 2010
Posts: 627
Upgrade to gigabit port. Problem solved.

  #6  
unghhh... Baaandwidth....
 
Join Date: Jan 2005
Posts: 9,047
Quote:
Originally Posted by misspink View Post
Upgrade to gigabit port. Problem solved.

Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.

__________________
IOFLOOD.com -- We Love Servers
Watch this space...

  #7  
Web Hosting Master
 
Join Date: May 2008
Posts: 582
Quote:
Originally Posted by funkywizard View Post
Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.

You would also find a host that doesn't nullroute your IP on 1gbps port based on network spikes like SoftLayer does.

  #8  
unghhh... Baaandwidth....
 
Join Date: Jan 2005
Posts: 9,047
Quote:
Originally Posted by Maikon View Post
You would also find a host that doesn't nullroute your IP on 1gbps port based on network spikes like SoftLayer does.

That's true, but it's not really a fair comparison because SoftLayer will null you even if there isn't a spike, just quite a bit of use. I've had this issue a number of times, and so wouldn't use them for anything requiring much reliability. For what it's worth, I've only heard of SoftLayer doing this for 100TB clients; it seems they treat direct clients better.


  #9  
Newbie
 
Join Date: Jul 2011
Posts: 22
Quote:
Originally Posted by TheHeartSmasher View Post
You would need something that is sitting outside of the server to stop the attacks from reaching your server. Once they have reached your server it starts to affect the performance and bandwidth availability of the server. There are small-time scripts to stop users from getting a response from certain services running on your server but none of them keep the attack from reaching your physical server which is the key in stopping them.

I would recommend looking for a host that specializes in DDOS mitigation that does not just null route IPs when attacks occur. Some can add the IPs to their ACLs so they do not reach your physical server which will help mitigate the DOS and DDOS attacks.

We use Limestone Networks, so they _do_ mitigate DDOS/DOS attacks for us instead of null routing our IPs, but they are a little too expensive for us to continue using, and it takes between 5min-3hours to mitigate the attacks on their side, and because we run a gaming community ANY downtime becomes a major problem, even in the Minecraft gameplay environment.

Quote:
Originally Posted by xema View Post
Ask your provider to place a hardware firewall (this can even be a server configured as a firewall) between the switch and your server.

As I mentioned above, they get rid of attacks for us after shortish delays, but they do not sell hardware firewalls and the cost of renting a second server just for that is very prohibitive.

Quote:
Originally Posted by Appdeveloper View Post
DDoS Attacks have always been a major problem on all game servers.

I would try this script: http://deflate.medialayer.com

Also, if you can prove that the attacks are coming from Amazon EC2 (Get Limestone to write a statement for proof, too, with the IP address in logs), and Amazon EC2 is denying the attack (Even after you send the log), then hire a lawyer and see what can be done. DDoS attacks are a major problem, and when a host does not comply with reports then there can be trouble.

Yeah, we've been having a LOT of problems..

http://img813.imageshack.us/img813/3...10716at101.png

When you try running a gaming community, it sucks when your users can't access the server due to network attacks...

I'll take a look at the script, thanks!

I contacted Limestone, they said that "They log all attacks and automatically send reports to the authorities". That wasn't enough for me, so I went and managed to capture an attacker's IP (3 IPs, registered to Amazon EC2), but when I sent a report in they claimed to have no record of such an attack... I ran whois lookups on all IPs I found connected the one time I was on the SSH when we were being hammered, and those 3 were the only ones that tripped any flags, plus they quickly disconnected and the attack stopped...

We're a (very) small gaming community, we barely cover operating costs, so we simply have no money for lawyers.

Quote:
Originally Posted by funkywizard View Post
Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.

A 1gbps port from Limestone is $45/month extra, a little too much when we can barely afford the bills as-is, and we're thinking of moving to Hetzner to save money and get more power (and possibly a 1gbps port, although we're not sure if we even want to switch providers, especially so when we found out that Hetzner has a policy to null route your server if an attack is detected).

Limestone doesn't meter incoming BW, but again, the amount pushed in isn't the problem here, it's our line being saturated. I might be a little whiny, seeing as the attacks are usually stopped by Limestone with no interaction on our part in a relatively timely manner, but downtime for the type of services we are trying to offer can be catastrophic.

======

The software firewall is up, but the attackers just target random ports and overwhelm the line with brute force... Would there be a firewall rule that I could set up to LOG any suspicious connections on any port at any time? I'm still playing around with setup, trying to get a compromise between a massive log file and detailed log info.


Last edited by battlekid; 07-16-2011 at 11:51 PM. Reason: Spelling errors
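
One way to answer the logging question in the post above, as an added example that is not from the thread: an iptables-restore rule set that logs unmatched traffic at a capped rate, plus a summary of the resulting log by source. The allowed ports (22, 25565), the LOGDROP chain, the "FLOOD: " prefix, the rate and the sample log lines are assumptions constructed for illustration.

```sh
# Added example, not from the thread. Ports 22 and 25565, the LOGDROP chain,
# the "FLOOD: " prefix and the 30/min rate are assumptions.

# iptables-restore fragment: accept known services, then log everything else
# at a capped rate before dropping it, so a flood cannot also flood the log.
emit_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25565 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix "FLOOD: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Constructed sample of the resulting kernel log lines (documentation
# addresses, trimmed to the fields the parser reads) plus one unrelated line.
sample_log() {
cat <<'EOF'
Jul 16 22:41:03 mc kernel: FLOOD: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40211 DPT=31337
Jul 16 22:41:03 mc kernel: FLOOD: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=4471
Jul 16 22:41:04 mc kernel: FLOOD: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40211 DPT=9020
Jul 16 22:41:04 mc sshd[2211]: Accepted publickey for admin from 192.0.2.50 port 50522 ssh2
Jul 16 22:41:05 mc kernel: FLOOD: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=8080
Jul 16 22:41:05 mc kernel: FLOOD: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40211 DPT=12
Jul 16 22:41:06 mc kernel: FLOOD: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=700
EOF
}

# Print "count source protocol", busiest first, for lines carrying the prefix.
top_sources() {
    awk -v prefix="${1:-FLOOD: }" '
        index($0, prefix) {
            src = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") n[src " " proto]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}
sample_log | top_sources
```

Dropping on the host does not free a saturated port, so the summary mainly serves as evidence for the provider or an abuse report. Adjust the allowed ports before loading the rules, since anything not listed is dropped.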
  #10  
Web Hosting Master
 
Join Date: Nov 2009
Location: /etc/my.cnf
Posts: 9,435
Quote:
Originally Posted by battlekid View Post
we're thinking of moving to Hetzner to save money and get more power (and possibly a 1gbps port, although we're not sure if we even want to switch providers, especially so when we found out that Hetzner has a policy to null route your server if an attack is detected).

Correct, soon as Hetzner notices you're under attack they null route you within minutes...

I suggest you contact BurstNET, they might be able to help you.

__________________
LeapHost Solid High Performance Litespeed + Varnish + RAMDisk + MariaDB Hosting.
Fat Dedicated Servers | Uptime Monitoring | Backups | Proactive Server Management.
Server Setups | Stable Migrations | Security/Hardening | cPanel DNS Cluster Setups.
24/7 Ticket + Phone + Live Chat Support | Fancy An Offer > | Visit Our Special Offers


  #11  
CISSP-ISSMP, CISA
 
Join Date: Aug 2002
Location: Los Angeles, CA
Posts: 5,494
Quote:
Originally Posted by funkywizard View Post
Yup. If the attacker can only manage to send about 100 megabit to your server, a gig port is the easiest way to deal with this. If you can find a host who doesn't meter incoming bandwidth, then this should be fine, unless the particular user can find a way to throw 10x as much bandwidth into the attack.

100 Mbps could still be enough to exhaust the resources of the server in other ways, causing the server to go down regardless of the port size.

  #12  
Web Hosting Master
 
Join Date: Feb 2010
Posts: 1,013
Quote:
Originally Posted by Appdeveloper View Post

I would try this script: http://deflate.medialayer.com/

Does it work?

  #13  
Web Hosting Master
 
Join Date: May 2008
Posts: 582
Quote:
Originally Posted by chhit View Post
Does it work?

It doesn't for me when I got DDoSed.

  #14  
unghhh... Baaandwidth....
 
Join Date: Jan 2005
Posts: 9,047
Quote:
Originally Posted by IRCCo Jeff View Post
100 Mbps could still be enough to exhaust the resources of the server in other ways, causing the server to go down regardless of the port size.

Yes, that's certainly the case, depending on the kind of attack. For a script kiddie / udp flood, I've seen 1gbps attacks before that just slowed down the server a bit. Clearly if the attacker knows what they're doing, that can be a different story altogether.


  #15  
Newbie
 
Join Date: Jul 2011
Posts: 22
Alright, just found out that we're being targeted by some idiot hacker group (quantumbooter.info), this is not going well...

We basically told them to piss off and went and patched several major security holes they had been exploiting, so now they've decided to hammer us with a ~50mbps attack... Again.....

I must say, although Limestone is very expensive, they are very good about attacks!

Anyways, I guess the best idea right now is for us to just keep cleaning up security and rely on Limestone to mitigate the attacks as they appear.
