
01-08-2004, 04:05 PM
Web Hosting Master
Join Date: Dec 2000
Location: Chicago, IL
Posts: 565
Question on "DDOS" attacks
Someone has done another "DDOS" attack on my host's server (the attacker was targeting my website), bringing all the sites down for about a day, and my sites are still down apparently because he had to disable the IP. This is the 2nd time in about 5 months this has happened. Is there really no way to prevent these attacks from destroying the server? It seems pretty disturbing someone can just do this to any website, really.. Just curious. I feel bad for my host, for the second time he's had to deal with this.. Any info on this subject would be appreciated, thanks.

01-08-2004, 05:20 PM
Web Hosting Master
Join Date: Mar 2003
Location: Duluth MN
Posts: 3,865
It depends on the security of your host's server. If they have their server secured and properly monitored, they can set their firewall to drop all packets coming from the ddosser's IP(s).

01-08-2004, 05:23 PM
Junior Guru
Join Date: Jul 2003
Location: Florida
Posts: 221
Well, DDOS are quite hard to avoid, unless you are on a network firewall that filters from the router before it even enters. Try one of the SM servers with the firewall management system.

01-08-2004, 07:35 PM
Web Hosting Master
Join Date: Dec 2000
Location: Chicago, IL
Posts: 565
So it's really this easy to ruin someone's site? I'm surprised it doesn't happen as often? *sigh*
So most normal hosts won't have protection against this, will they?
Thanks for the info guys.

01-08-2004, 08:33 PM
Grumpy Redneck
Join Date: Nov 2001
Location: The South
Posts: 5,405
Quote:
Originally posted by amish_geek
It depends on the security of your host's server. If they have their server secured and properly monitored, they can set their firewall to drop all packets coming from the ddosser's IP(s)
Dropped or not, those packets are still coming in and can bring the network to a standstill.
In a bad DDOS you have to get with your upstream (and often upstream's upstream) to block the traffic.
__________________
Gary Harris - the artist formerly known as Dixiesys
resident grumpy redneck

01-08-2004, 08:55 PM
Web Hosting God
Join Date: Dec 2001
Location: Above The Clouds
Posts: 6,651
Gary is absolutely correct. In small DoS or SYN flood cases, the server can just ignore all the packets but in a hard attack, those packets are just going to flood the network so the data center has to filter at the router.
__________________
██ - Laurence Flynn - atOmicVPS LTD (Post Launch Craziness!)

01-08-2004, 10:45 PM
Web Hosting Master
Join Date: Jun 2003
Location: FT Worth, TX
Posts: 5,098
I'm usually in SSH when an attack happens. I've stopped two DDOS attacks in the last 2 weeks. It's actually a simple command to run. The following commands are the 3 most important commands you will need to know.
netstat
ip route add to unreachable [ip u wanna add]
ip route delete to [ip u blocked]
__________________
Kerry Jones
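
Added example, not part of the post above: one way to turn `netstat -ant` output into candidate `ip route add to unreachable` lines for review, by counting half-open and established TCP connections per remote IPv4 address. The function names, the threshold and the sample output (documentation addresses only) are constructed for illustration; as the replies in this thread point out, host-level blocking like this only helps against low-volume attacks from a handful of sources.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40115      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.20:51000      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.20:51001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.20:51002      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:60222      ESTABLISHED
EOF
}

# top_sources THRESHOLD
# Reads `netstat -ant` text on stdin and prints "count ip", busiest first,
# for each remote IPv4 address with at least THRESHOLD connections in
# SYN_RECV or ESTABLISHED state. Header and LISTEN lines are skipped.
top_sources() {
  awk -v min="$1" '
    $1 == "tcp" && ($6 == "SYN_RECV" || $6 == "ESTABLISHED") {
      ip = $5
      sub(/:[0-9]+$/, "", ip)        # strip the remote port
      count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
  ' | sort -rn
}

# block_commands THRESHOLD
# Prints, without executing, the route command from the post for each
# address that top_sources reports, so an admin can review the list first.
block_commands() {
  top_sources "$1" | while read -r n ip; do
    echo "ip route add to unreachable $ip   # $n connections"
  done
}

# On a live host, replace sample_netstat with: netstat -ant
sample_netstat | block_commands 3
```

Check the printed addresses against your own management and monitoring hosts before running any of the lines.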

01-08-2004, 11:14 PM
Aspiring Evangelist
Join Date: Jul 2001
Location: Northern VA
Posts: 397
Kerry, this works in low-traffic DoS attacks, if anything major hits, 100mbs - Gb's of traffic, that won't do anything.
Tom

01-08-2004, 11:29 PM
Web Hosting Master
Join Date: Jul 2002
Posts: 2,240
And both those suggestions will work 10% of the time. Most attacks are from hundreds and hundreds and hundreds of different IPs.

01-08-2004, 11:30 PM
Web Hosting Master
Join Date: Dec 2000
Location: Chicago, IL
Posts: 565
And it was a pretty major hit I believe, my sites just came back online after my host blocking the IP's or whatever. Attack seems to be over. I guess this is what I get for running a site where literally the entire visitor population is comprised of kids, and some "wannabe" hackers. 

01-09-2004, 12:19 AM
Web Hosting Master
Join Date: Mar 2003
Location: London Ontario, Canada
Posts: 984
Ok, let's say I had the skills to write software to conduct a DDOS - how would I do it?
CLIENT
I would start with virus software that exploits Microsoft's Distributed Object model. This gives the virus the ability to replicate itself and spread.
I now have a platform for conducting the DDOS. What then?
I write into the virus the ability to "call home". The virii contact an IRC server that I have set up to sit and listen, and they securely identify themselves to the IRCBOT seeking either instructions or a target.
IRCBOT
Of course the coder has no control of the spread of the virii, but the fact that they contact an IRCBOT (seeking instructions) means it doesn't matter.
The IRCBOT then feeds the IP address of a potential target to the clients calling home. When the virii phone in, they are given the IP, or instructions.
If the coder is stupid and without stealth - the virii commence sending malformed packets directly to the IP and they target a specific port.
If the coder has a bit more skill, they bounce the malformed packets off a middleman host (like an ftp server or something) so the packet appears to come from random IPs. Also, the malformed packets can't be traced back to the infected client. Also, target ports are randomly chosen and spread out (i.e. not in a narrow range).
DEFENSE
Now the first scenario can be guarded against at the firewall layer through stateful packet inspection, because it targets a specific port, or narrow range of ports, and the IPs are not completely random.
If the second scenario takes place - God help the victim! Not only are the source IPs forged, they are completely random (due to the packets being bounced off secondary (innocent) hosts) and they target random ports in wide ranges. It's extremely difficult to guard against that.
Hope this helps you understand the problem. Good thing I don't have the skills (or inclination) or knowledge to write such beasts.
I only present this hypothetical scenario to illustrate why DDOS can be real beasts.
Cheers
Jeff
__________________
Last edited by idologicJeff; 01-09-2004 at 12:26 AM.