I would like someone who knows to explain us what kind of ddos attacks there are and how we can stop them!
For example, I know about ping attacks. The attacker pings your server with big packets. The server tries to reply to all of them and because of that it goes down.
A solution to that is to put a rule on the router blocking all ICMP, and if you do that you will never have a problem again with that kind of DDoS attack.
I also know about UDP attacks. I don't know what the attacker does, but I know that we can stop them again by putting a rule on the router blocking UDP attacks. Although we must leave at least one IP out of the blocking if we want to have DNS.
Other kinds of attacks I know are SYN flood and spoofed IPs! (don't know if I say their names right)
Please, as I am a newbie in these things, correct me if I am wrong!
Explain what other DDoS attacks you know and also how we can stop them with hardware and software.
I also know about some hardware like TopLayer, NetScreen, CISCO Guard/RiverHeard and some others that can help a lot!
Thanks for your time. I am waiting for your replies and explanations!
A lot of us have a very intimate knowledge of what DDoS attacks are and how to stop them, however, no one spoon fed that information to us. We had to learn it over a course of many years.
As such, most folks are going to be reluctant to out right tell you everything they know on DDoS mitigation as doing so would begin to spoil their market niche. Sure, there is a lot of public information out there but it is often incomplete and sometimes incorrect.
I hope someone here running dedicated servers, or who just knows about it, can explain to a forum with many users what is going on, so any of us can handle them (of course not all and not perfectly, but it would be better than nothing!)
Here's an attempt at a simple explanation of some common attacks. It's not as informative as the links above, but it's aimed toward explaining the concept more than the details.
The basic idea of any Denial of Service (DOS) or Distributed Denial of Service (DDOS or botnet) attack is to consume the resources of a service or device to the extent that it cannot perform its intended function.
For example you have a dsl line and I have a dedicated server (or 10,000) and I tell all my servers to scream in your dsl modems ear until all it can hear is my botnets traffic.
You mentioned a ping flood, the basic principle of this being that the attacker sends you a massive number of ping requests which your device is then supposed to reply to. The more ping requests you got and replied to, the slower you would be to answer other legitimate traffic, say your web server for example.
A UDP Flood may or may not also invoke a reaction from your server, depending on what service or port the attacker is slamming. Something like this is often used as a PPS/Bandwidth consumption attack. Or if the packets were formed a certain way and aimed at the correct port/IP they could exploit services running on the victim to send traffic back to the source, or crash, or otherwise malfunction in some undesired manner.
SYN Floods tend to come from spoofed IP addresses, or not, depending on who is doing it. The basic idea of this is to overload your server with a massive number of connection requests. In the event of a spoofed SYN flood, a single host could cause you to try and open sessions with thousands of other machines, and a botnet could do all that times whatever number of bots the attacker controls.
Simpler attacks: you run a web server, you have a file hosted for download... I tell 500 hacked servers to download that file at the same time over and over again. Or simply refresh your home page at a ridiculous rate.
Email/Spam attacks, someone forces their botnet to deliver mail to your mail server at such a rate that no other emails can be sent/received.
They open up a massive number of connections to your ftp/ssh/telnet/mail/www/irc/any other service simultaneously, making it unable to establish sessions with legitimate users.
The list goes on, because all a denial of service attack really is, is exploiting existing services and the limitations thereof. Any automated system that reacts a certain way when a certain thing happens, and does it every time no matter how fast, can become overwhelmed by a more powerful machine or an army of said machines, known as a botnet.
How do you stop them?
The simple answer to this is, you cannot. Even the most secure server in the world, on the most secure network ever built, would still be vulnerable to denial of service attacks, because it usually has a certain limit on how much bandwidth is available to it. If I have 2gbps bandwidth available to me and you have 100mbps, and I throw as many packets at you as I can, things are pretty much a wrap, not just for your server, but for everyone on the same network as you. No matter how much filtering you have, it is still possible for one, if so inclined, to overwhelm your filtering devices with more traffic than even they can handle.
But there are things you can do to be more resistant to them.
A few quick tips
Do not do things that will encourage people to DDOS you. I say this first because it's the most obvious but also the best way to not get attacked. People who spam, violate copyrights, hack/probe/attack other computers/networks, steal, or participate in other generally lame abusive behaviour on the internet get flooded. People who do good business, avoid trouble, keep an RFC compliant abuse@ email address and respond to complaints in a timely manner generally don't get attacked. DDOS attacks, unlike worms and hackers, are always aimed and intentional. Nobody ever wasted 200mbps of traffic to see a random IP stop responding to ping; someone with enough knowledge (not to give them any credit, any 5 year old could do this) and time to kill went through the trouble of accumulating those hacked computers that are attacking you, and he is only going to risk blowing his cover if someone makes him mad.
Secure your server: use strong passwords, a firewall closing off all ports except the ones used, and preferably some sort of packet filtering on the open ports. On Windows servers, make sure you have an up to date anti virus.
Use your server just for what your server is for, for example don't install a BNC on your production web server, then connect to IRC with a PTR like myserver.wantsaddos.org and mouth off to the chanops of #botnet.
Alternately, you can host with a provider that actually has the capacity and willingness to handle and/or filter the attacks. If you have a few more dollars in your pocket you can purchase a GE or two, some DDoS/firewall appliances, and do your own filtering.
In this day and age "you cannot" is not an acceptable answer.
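The post above describes three floods by the reaction they provoke (ICMP replies, half-open TCP sessions, per-service connection exhaustion). The script below is an added example, not from the original post or any poster; it runs a small classifier over constructed packet records (protocol, source, destination port, TCP flags) and separates the many-source pattern of a spoofed SYN flood from a single noisy host. The record format and thresholds are assumptions for the example.

```python
from collections import Counter

# Constructed sample records: (protocol, source_ip, dst_port, tcp_flags). Not captured traffic.
SAMPLE = (
    [("icmp", f"10.0.0.{i}", 0, "") for i in range(1, 41)]          # echo requests from 40 hosts
    + [("udp", "198.51.100.7", 53, "")] * 5                          # ordinary DNS lookups
    + [("tcp", f"203.0.113.{i}", 80, "S") for i in range(1, 61)]     # SYNs that never complete
    + [("tcp", "192.0.2.9", 21, "S")] * 50                           # one host hammering FTP
)

# Assumed thresholds; in practice these are tuned to the link and the service.
THRESHOLDS = {"icmp": 20, "half_open": 30, "per_source": 25}


def half_open_by_source(records):
    """Per source: SYNs not matched by any ACK from that source (half-open sessions)."""
    syn = Counter()
    ack = Counter()
    for proto, src, _port, flags in records:
        if proto != "tcp":
            continue
        if flags == "S":
            syn[src] += 1
        elif "A" in flags:
            ack[src] += 1
    return {src: n - ack[src] for src, n in syn.items() if n > ack[src]}


def classify(records, t=THRESHOLDS):
    """Return findings keyed by attack type, each with the evidence a defender would act on."""
    findings = {}
    icmp_src = Counter(src for proto, src, _, _ in records if proto == "icmp")
    if sum(icmp_src.values()) >= t["icmp"]:
        findings["ping_flood"] = {"packets": sum(icmp_src.values()), "sources": len(icmp_src)}
    half = half_open_by_source(records)
    if sum(half.values()) >= t["half_open"]:
        # Many sources each leaving a few half-open sessions is the spoofed/distributed pattern.
        findings["syn_flood"] = {"half_open": sum(half.values()), "sources": len(half)}
    # A single source over the per-source budget is plain DoS: blocking that one IP works.
    per_src = Counter(src for _, src, _, _ in records)
    singles = [s for s, n in per_src.items() if n >= t["per_source"]]
    if singles:
        findings["single_source_dos"] = {"block": sorted(singles)}
    return findings


if __name__ == "__main__":
    print(classify(SAMPLE))
```

The spoofed-source SYN flood shows up as 61 sources with only one or two half-open sessions each, which is exactly why a per-IP block list does nothing against it.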
There are hardware devices that help, we use Netscreen for example. But if someone throws a gig of traffic down your pipe it doesn't matter; even if we could keep things working under that type of attack, the cost of bandwidth would be more than anyone would ever pay on a dedicated server...
I'm not sure about you guys, but most mid-large providers have that and more to spare, taking into account that DDoS is all inbound traffic and most of your utilization is outbound. In those situations, your cost is minimal.
For smaller players, you can contact providers such as AboveNet or Cogent and buy a GE that will be used exclusively for inbound traffic (those two providers in particular will give very, very, very low rates for inbound traffic).
Originally posted by IRCCo Jeff Alternately, you can host with a provider that actually has the capacity and willingness to handle and/or filter the attacks. If you have a few more dollars in your pocket you can purchase a GE or two, some DDoS/firewall appliances, and do your own filtering.
In this day and age "you cannot" is not an acceptable answer.
Not true; look at what happened to SCO. They tried everything they could, and still could not stop it. The attack was trying to push more data than the datacenter could transfer (it had 2x OC192 from XO), and it took the whole building offline until they null routed sco.com
The same has happened to Microsoft, several UK betting sites, etc. There are countless smaller datacenters being overwhelmed too.
The problem with DDoSes is that once a site is overwhelmed by a well-executed attack, it is very hard to re-work infrastructure to deliver more bandwidth where it's needed, if the mitigation hardware fails.
You cannot mitigate an attack that tries to consume more bandwidth than you have. Now, granted, these are rare, and the average user who is in a big datacenter has nothing to worry about.
We're not talking about SCO, those were attacks launched by specifically engineered virus payload, timers, the whole nine yards. The discussion at hand is "typical" DDoS.
As it stands, I have customers being hit with 100 - 500 Mbps and staying online. Anything more than that would probably result in a null route.
I have friends that can muster 4Gbps, and that's not all that uncommon among attackers. To think that multiple Gbps attacks are uncommon is fooling yourself.
That said, people with that much bandwidth to throw around aren't dumb people, and don't do these things for no reason. The best way to defend against a DDoS is not to attract one. Serious, committed DDoSes require significant provocation.
Originally posted by Take-IT-EZZI Ya definitely got me beat if you would really let a customer that pays less than $100/month sustain 100mbps on your network. Can people sell IRC shells on your network?
Scratch the question, just read your site. Answer is yes.
Filtering low to moderate level DDoS is not a huge issue. When you agree to filter as a policy, you'll find that only a handful of your customers are actually huge magnets. It's kind of like overselling.
For larger DDoS such as the kind that kernelpanic is talking about, you'll want to make sure you have good relations with federal authorities.
Have you ever had FBI agents and such contact you needing assistance with some type of criminal activity that has found its way onto your network?
Of course, we all have and those are the same folks that you will want to stay in touch with to ask for return favors if you ever find yourself requiring such assistance.
Ya definitely got me beat if you would really let a customer that pays less than $100/month sustain 100mbps on your network. Can people sell IRC shells on your network?
For how inexpensive ingress bandwidth is from quite a few known providers it is able to be handled. Provided a datacenter runs proper ddos mitigation hardware there is no problem with them handling ddos. Technically speaking that 100-500MBps of ddos is not going to even get to the local server as if the edge routers or wherever is filtering the attacks is running proper rules it will knock the attack dead and allow the normal traffic flow into the datacenter's network.
Overall DDoS is really stopped by how well you know DDoS techniques of what people have been hitting you with (years of experience in router maintenance and upkeep is usually how this is found out, granted the hard way but still just about the only tried and true method). As well as the hardware you use to stop the attacks and how well you know your hardware and what it can and can not handle.
Originally posted by D3m0n
Blacklotus have ddos protected servers for irc?
Their site says DDOS protection is available for $0.95
It also says under construction when you click on the DDOS Mitigation link. For someone with as much tolerance and knowledge as Jeff seems to have here, one would think this page would have some information.
EZZI doesn't even allow people to sustain an attack on our network, and we have information about our DDoS solutions on our site.
DDoS's are almost impossible to defend. They can range from SYN or PING floods, to IRC cloning or troll attacks. Basically, if the server can accept multiple incoming connections, it can be DDoSed. It only takes a 12 year old kid that finds an sdbot source to become a threat - it's not hard to do, it requires minimal effort and is LAME. Although saying this, the botnet scene is rather quiet, and a lot of the source codes are extremely private - most botnet kiddies go in groups and do it in large quantities (2mil compromised hosts and upwards); as long as your customer doesn't piss one of these groups off, a severe DDoS is very unlikely.
DoS's however, CAN be defended by blocking the offending IP.
Originally posted by dtredwell DDoS's are almost impossible to defend.
We stop DDOS every day. We have not had one of our clients ever "dropped" from DDOS on our IRC network or our high risk web network, we have never had to null route IPs on our network, and we constantly have 10 or more attacks towards multiple targets on our network without issue.
In other words, DDOS is not impossible to defend, but there is only a small handful of providers out there who have the expertise to defend against it. And there are even fewer who have the expertise and WANT to defend against it.