  1. #1 | Joined Feb 2003 | St. Petersburg, Russia | 70 posts

    Dedicated server with DDoS protection... Where?

    One of our customers seems to have some "friends" who love to DDoS his site.

    He tried a few shared hostings and has now moved to a dedicated server.

    We placed him in SM and added FloodGuard protection on all his IPs.
    SM offers FloodGuard as a DoS/DDoS protection solution.

    But about a week ago the server was attacked and FloodGuard seems helpless.

    I got the following message from SM:
    Your server has been under a sustained 50+ MB DoS attack and constant exploit attempts from spoofed sources all over the world for over a week.

    Yes, FloodGuard is enabled for all 16 IPs.

    It is quite understandable that the site would be slow, given the tremendous pounding it is taking from thousands of attacking DoS and HTTP exploit sources.

    Your server is not hardened, and judging from the continuous 7 MB of outbound traffic, your server appears to be compromised.

    FloodGuard will ONLY block the inbound DoS traffic. FloodGuard will NOT protect your server from the other malicious traffic that you are seeing on your server, which amounts to about 6.8 - 8.2 MB of malformed web requests, web-stress tools, Apache exploit attempts, directory traversal attempts, memory depletion attempts, etc.

    Can anybody offer a solution for this situation?

  2. #2 | Joined Jul 2003 | Satyr, Chrisalya, Canada | 1,901 posts
    It's as simple as they said.
    They're protecting you from DoS, but due to your lax security methods, there is other stuff running amok in your server causing the traffic.

  3. #3 | Joined Jan 2003 | Wisconsin | 367 posts
    You should check out www.blccd.com; they specialize in this kind of thing. But if your server is compromised like they claim, you may want to hire an admin as well, as no amount of filtering is going to prevent you from being hacked.

  4. #4 | Joined Feb 2003 | St. Petersburg, Russia | 70 posts
    The server does not look hacked...
    There is now deface, logged users, new users, strange processes and so on. Just a lot of strange traffic to it...

  5. #5 | Joined Mar 2003 | Charlotte, NC | 2,761 posts
    You may want to check out HTTPD.net/CIT/Foonet.net, or one of their resellers, such as Sharpnet.net.

    -Josh

  6. #6 | Joined Jan 2003 | Wisconsin | 367 posts
    Foonet would auto-null-route the IP, which in turn would take his site completely down.

  7. #7 | Joined Apr 2003 | 553 posts
    Originally posted by sysc
    Foonet would auto-null route the IP which in turn would make his site completely down.
    Not true - the null-route procedure is used with shell providers, as they are all given 64 - 128 or 255 IPs, so losing 1 does no damage. With websites, Paul can and will configure other options for filtering. He's done it many times for lots of big sites hosted at Foonet.

  8. #8 | Joined Apr 2003 | Ottawa | 959 posts
    Originally posted by volgafan
    The server does not look hacked...
    There is now deface, logged users, new users, strange processes and so on. Just a lot of strange traffic to it...
    By "now" do you mean "no"?
    Also, you may wish to enable SYN cookies in your kernel (can help a bit).

  9. #9

    Get the Upstream Provider Involved

    You should have the dedicated server provider contact the upstream providers at the data center. The "pull the plug" fix is not really going to help; as stated, the guy has moved to different providers. SYN cookies help only if it's a SYN attack.

    Also, you should provide SM (the dedicated server provider) with more info. If they are stating it was hacked and you don't have a backup, then have an experienced security admin have a look at the server. If you have a backup, wipe the server, reinstall with all patches, and don't start any services; if the attack still continues, it's obviously not the server, and SM should really see how they can effectively slow the attack down. FloodGuard must not be working. If prevention of DDoS is something they associate with their pricing, then you should get compensated for the lack of service.

    If the attack is big enough or you have enough pull with your upstream provider, they will look at traffic patterns and investigate.


    Good Luck
    Datums Internet Solutions, LLC
    Systems Engineering & Managed Hosting Services
    Complex Hosting Consultants

  10. #10 | Joined Mar 2003 | California USA | 13,681 posts
    Umm dude, you need to hire an admin to check out your server. Just because there are no odd things going on doesn't mean it's not hacked. They could have used a rootkit to hide all of that. My suggestion to you is to hire an admin.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  11. #11 | Joined Mar 2003 | California USA | 13,681 posts

    Re: Get the Upstream Provider Involved

    Originally posted by datums
    You should have the dedicated server provider contact the upstream providers at the data center. The "pull the plug" fix is not really going to help; as stated, the guy has moved to different providers. SYN cookies help only if it's a SYN attack.

    Also, you should provide SM (the dedicated server provider) with more info. If they are stating it was hacked and you don't have a backup, then have an experienced security admin have a look at the server. If you have a backup, wipe the server, reinstall with all patches, and don't start any services; if the attack still continues, it's obviously not the server, and SM should really see how they can effectively slow the attack down. FloodGuard must not be working. If prevention of DDoS is something they associate with their pricing, then you should get compensated for the lack of service.

    If the attack is big enough or you have enough pull with your upstream provider, they will look at traffic patterns and investigate.


    Good Luck

    He's getting 7 MB of outbound traffic, so either there's a bunch of downloads or something, or the server is attacking another place.

  12. #12
    The server could be responding to requests = outbound traffic.
    Example: let's say there are DNS requests from a spoofed host; then DNS will respond to the requests, and that's outbound traffic without any real hack in place.


    Get someone to take a look at the server. If this is too expensive, wipe the server, patch it, and stop all services; if you still see incoming traffic, find out what port it is, whether it is all your addresses, and whether this attack is on a bigger range.

  13. #13
    Greetings:

    Security has to be done in layers to be most effective.

    For Unix-based systems, this should include the following:

    * Disable telnet.
    * Limit SSH access to specific IP addresses.
    * Disable direct root login.
    * Remove unnecessary packages / software.
    * Harden the kernel against synflood and basic DOS attacks.
    * Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
    * Ensure /tmp is in its own partition with noexec, nosuid.
    * Ensure the kernel and software are up to date.
    * Remove unnecessary users and groups.
    * Install chkrootkit, logwatch, tripwire.
    * Install a firewall, and port scan detector.
    * For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and other H-Sphere applications.
    * Secure DNS servers.
    * Utilize firewall automation to mitigate brute force FTP, syn floods, mail bombs, and out-of-network trojan’d servers from impacting our servers

    It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still have a regular routine of review, update, research, patch, etc.

    Thank you.
    ---
    Peter M. Abraham
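As an added example (not code from any poster in this thread), the following POSIX shell checks audit a few items from the layered list above together with the SYN cookie advice in #8 and #9: SYN cookies on, direct root SSH login off, /tmp mounted noexec,nosuid, and no telnet entry in inetd. The function names are made up here, and the default paths assume a Linux host; each function also accepts a file path so it can be run against a saved copy or a constructed sample.

```shell
#!/bin/sh
# Hardening audit helpers (constructed example, hypothetical names).
# Each check returns 0 when the setting is hardened, 1 otherwise.

# SYN cookies: /proc/sys/net/ipv4/tcp_syncookies must contain 1.
check_syncookies() {
    file=${1:-/proc/sys/net/ipv4/tcp_syncookies}
    [ -r "$file" ] && [ "$(cat "$file")" = "1" ]
}

# Direct root login over SSH: an active "PermitRootLogin no" line,
# not a commented-out one, must be present in sshd_config.
check_sshd_root_login() {
    file=${1:-/etc/ssh/sshd_config}
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$file"
}

# /tmp on its own mount with both noexec and nosuid; works on
# /proc/mounts or /etc/fstab since field 2 is the mount point and
# field 4 the option list in both formats.
check_tmp_mount() {
    file=${1:-/proc/mounts}
    awk '$2 == "/tmp" { n++
             if ($4 ~ /(^|,)noexec(,|$)/ && $4 ~ /(^|,)nosuid(,|$)/) ok = 1 }
         END { exit !(n && ok) }' "$file"
}

# Telnet disabled: no uncommented telnet service line in inetd.conf
# (a missing inetd.conf counts as disabled).
check_telnet_disabled() {
    file=${1:-/etc/inetd.conf}
    [ ! -r "$file" ] || ! grep -Eq '^[[:space:]]*telnet[[:space:]]' "$file"
}

# Run every check against the live system and report PASS/FAIL per item.
audit() {
    rc=0
    for c in check_syncookies check_sshd_root_login check_tmp_mount check_telnet_disabled; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Only audit the live host when invoked as: sh audit.sh run
case "${1:-}" in run) audit ;; esac
```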
