  1. #1
    Join Date
    Nov 2005
    Posts
    260

    DDoS attacks: what to do against it?

    Can anyone out there please shed some light on how to prevent DDoS attacks and what to do when you are being attacked?

    We are currently experiencing DDoS attacks and we really have no idea what to do. This is the second time within a month that we have suffered from this.
    It seems some Russian guy is behind this and it seems more than 600 IP addresses are involved.
    Urgent help will be very much appreciated!

  2. #2
    Join Date
    Mar 2003
    Location
    WebHostingTalk
    Posts
    16,963
    APF with antidos enabled is fine.

    But for heavy attacks, hardware is better.

  3. #3
    Join Date
    Nov 2005
    Posts
    260
    'APF with antidos enabled is fine.'

    I really don't have a clue what that means.
    Can someone please explain like I'm a 6-year-old?
    I'm not too technical myself and I would really appreciate it if anyone has a good explanation of what we can do against it, as the DDoS attack is still going on today.

    If this takes too long we might have to pull the plug.

  4. #4
    You may download APF from http://www.rfxnetworks.com/apf.php and read up on the docs at http://www.rfxnetworks.com/apf/README.antidos and http://www.rfxnetworks.com/apf/README on how to configure it on your server.

    As net said, APF is not recommended for a heavy or large-scale DDoS attack. You may need to ask the data center for help.

  5. #5
    Join Date
    Mar 2004
    Location
    Odessa, Ukraine
    Posts
    605
    If it is really a DDoS, APF won't help you.
    Detect the target of the attack and set its DNS A record to 127.0.0.1.

  6. #6
    Join Date
    Apr 2006
    Location
    NJ, USA
    Posts
    258
    Miklo, I highly recommend you find a server admin or sign up with a server management company. They will help with the small attacks and will be familiar with software such as the APF firewall. Contact your data center for DDoS hardware protection. What APF will do is show the number of connections per IP address. When that number is high, it is recommended that you ban that IP; this will stop the attack from that specific origin.
    Regards,


  7. #7
    There is an alternative to APF:

    configserver dot com (a stupid rule here prevents me from posting a link....)

    It integrates into WHM and has many tweaks and features in there, even a section with advice on how to harden many parts. If you set auto update etc., once installed and tweaked, you can almost forget it.

    I use it on all my servers with very nice results.

    Next to that, mod_evasive can help temper small DDoS attacks; hardware is best.
    But beware, mod_evasive kills FrontPage on cPanel.

  8. #8
    Join Date
    Aug 2002
    Location
    Denver, CO
    Posts
    331
    If it's a localized attack from a small set of IP addresses - you can prevent it like suggested above. (or a netscreen firewall or other hardware firewall might help which honestly is probably more than you want! Took me a good 40 hours to truly figure my first netscreen out.) Many other hardware firewalls are available too!

    If it's a true attack (which I luckily have not experienced) you could have hundreds of thousands of hits per second from thousands of machines all over the web. Your only solution is to work with your datacenter which should be able to handle this amount of traffic. I can’t even imagine a true attack – which (question!) could eat up 200 Mbits of bandwidth!? Maybe working with the DNS provider might help – but then again that information is cached in so many places it might not help!

    Chances are it might be one rogue user using a crawler / having a badly coded site accessing yours / etc.? If so – simply stop this IP from accessing your network.

    (If I'm offering bad advice - someone please point it out! I'm not terribly experienced in this issue and only offering my best professional insight. Aka, Miklo - only take these as suggestions!)

  9. #9
    Join Date
    Nov 2005
    Posts
    260
    Well, the attack is still going on today, as I mentioned before it seems the master has around 600+ zombies who are requesting our website hundreds of times each minute.

    'APF is not recommended for a heavy or large scale ddos attack.'
    So it seems this is not a solution for us.

    We are hosted by RackSpace, but instead of helping us, they now want to cancel our account due to these issues. So much for dedicated hosting & support! They have really let us down in this situation...

    Now we are trying to move to a different website and different server, but it is all going so slowly that it might be better to pull the plug and start over from scratch.

  10. #10
    Join Date
    Aug 2002
    Location
    Denver, CO
    Posts
    331
    >> APF not being recommended

    I did not say this! (just to be clear) It could work out. I don't know and have not used APF!

    >> but instead of helping, cancel account

    This is frustrating for sure! How much do you spend with them? I can see if it's only $200 a month - they need compensation for helping with this issue. You are stuck with a big problem on that. (if you asked me to help when you were spending $150 a month and it would take me 40 hours man-time - it makes sense on their end. Frustrating!)

    Real question to you being: What would fixing this in 12 hours mean to you? If it means $500 in savings - tell them to just fix it. If it means $20 in savings - then you do have a dilemma. I’m not taking their side! Just trying to put it into perspective. I don’t know the details! I do know datacenters can be difficult to deal with because they look at things in terms of cost, no matter what it means to you or your business.

  11. #11
    Join Date
    Aug 2004
    Posts
    358
    Can't a firewall card do the trick? It wouldn't tie up the server resources either.

  12. #12
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    As everyone has said, software options can deal with an attack only up to a limit. Anyway, you can do a couple of checks. First check the target of the attack; if it is directed at only one domain, maybe you can null-route it for some time.
    Another thing to check is whether there is a SYN attack. You can use the netstat command to see the connections to port 80.
    You can try this:
    netstat -pan | grep ':80 ' | awk '{print $5}' | sed -e 's/:.*//' | sort | uniq -c | sort -k1 -nr | head -n 20
    This will show you the 20 source IPs with the most connections to port 80.
    Also try
    netstat -plan | grep TIME_WAIT | wc -l
    to see whether there are a huge number of TIME_WAIT connections.
    I happen to use a tool which seems to be good at dealing with small DDoS attacks.
    http://www.inetbase.com/scripts/ddos/
    You can download the install.sh script and run it, which will install a DDoS checking script.
    What this does is that it will do a
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
    every minute and will block the IPs which make more connections than the threshold number set in the conf file, /usr/local/ddos/ddos.conf
    Maybe you can try this.
    If there are too many TIME_WAIT connections, you can try turning on KeepAlive in httpd.conf and giving a low value for KeepAliveTimeout and MaxKeepAliveRequests.
    Please try these and let me know how this goes.

  13. #13
    Thanks david510, your program seemed to help stop the attacks I have been having for the last week.

  14. #14
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574

  15. #15
    Join Date
    May 2006
    Posts
    1,398
    DoS Deflate will only help against socket floods, which are sometimes confused with DDoS. There isn't much you can do software-wise. I have a server with APF, DoS Deflate, and mod_evasive on, with all features enabled on APF such as SYN flood protection and reserved/private IPs blocked. And it can still get DDoSed. A DDoS is just a crapload of bots sending a few SYNs and connects at a time, so none of them will trigger any of your software.
    You need a host with DDoS protection like Sharktech or ayksolutions.
    I haven't seen ayksolutions' DDoS protection in action, but I'm sure it will suffice. Sharktech, on the other hand, I have seen massive DDoS attacks get deflected by them. I posted about this before, but I took on a Romanian security forum once and it got DDoSed; none of my software protection worked. I'd ban about 200 /16 subnets at once and the bots would just change their IPs and start again. It drained 82 GB of bandwidth in 2 hours.
    I don't know if my datacenter would have been able to stop it or not, probably so, but I didn't want to get them involved for a measly $6 a month. So anyway I told those guys to go to Sharktech; I checked back with him in a week and he said they stopped the attacks totally in 2 days, and his enemy was still trying to DDoS him every day and he couldn't even feel it.
    On my servers now I just try not to host people prone to DDoS.

    I would like to point out, however, that most people confuse a simple Apache flood DoS with DDoS, but it is nothing like a DDoS. I suppose it would just be considered a DoS, not a DDoS.

  16. #16
    Join Date
    Apr 2006
    Location
    Jacksonville, FL
    Posts
    498
    DDoS Deflate is great if it is coming from a single IP source.

  17. #17
    Miko, if all you're seeing is massive HTTP requests against your server, as opposed to a massive flood of arbitrary incoming data, then you should be able to use tools like mod_evasive to take care of this, especially if the zombies are requesting the same pages over and over. 600 IPs is quite a lot, but if that's all they've got and they're doing website requests rather than just filling up your bandwidth, a competent systems administrator should be able to help.

    To those who say it's not worth the web hosting provider's time in dealing with the issue, normally I would agree. However, this is Rackspace managed hosting he's got. The guys who charge 2-3 times what everyone else charges for the same thing. You know; the same guys who pride themselves on "fanatical customer support". Rackspace from what I've heard is not equipped to deal with massive scale DDoS or huge (multigigabit) traffic floods, but your particular attack seems like something they would at least be willing to look into.
    Phoenix Dedicated Servers -- IOFLOOD.com
    Email: sales [at] ioflood.com
    Skype: iofloodsales
    Backup Storage VPS -- 1TBVPS.com

  18. #18
    Join Date
    Nov 2005
    Posts
    260
    Thanks for all the posts.
    We have contacted a security officer who seems to be really experienced in this field, and it seems all DDoS-related traffic is now somehow being redirected away from our website. The website is up again and this guy and his team are trying to trace back to the source of the attack. Don't ask me how, but when I contacted this guy the website was up and running again within 4 hours. It did cost me; however, losing 80,000 USD daily in sales is much worse!

    Anyway, I just wanted to say thanks to all posters and I am sure that this thread will also be found by many others experiencing the same problem.

  19. #19
    Join Date
    Jul 2004
    Location
    Athens, Greece
    Posts
    203
    SecureServerTech, special thanks for your comments.

  20. #20
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by funkywizard:
    Miko, if all you're seeing is massive HTTP requests against your server, as opposed to a massive flood of arbitrary incoming data, then you should be able to use tools like mod_evasive to take care of this, especially if the zombies are requesting the same pages over and over. 600 IPs is quite a lot, but if that's all they've got and they're doing website requests rather than just filling up your bandwidth, a competent systems administrator should be able to help.
    I really do not see how so many webmasters and server owners can confuse this issue. It doesn't matter if a botnet is sending SYN or connect floods. It will still knock you offline.
    Suppose it is just sending connect floods and you have mod_evasive and DoS Deflate: by the time either one would kick in on just one IP, you already have hundreds of IPs doing the same exact thing, and it will DoS you. If you had 600 IPs and they were all connecting with, like, 20 sockets at once, you will go down unless you have a hefty server with a Gbit port, maybe. mod_evasive, DoS Deflate, and APF will only protect against single-IP connect floods, period. You may be able to stop about 20 bots, but your server load will go sky high and lag while it is processing it.

    Apache socket flood = exploit against Apache which I do not know why they have never fixed; it is a DoS, not a DDoS.

    DDoS = distributed DoS by means of SYN floods, connect floods, etc.

    I'm no DoS expert, but if any of you say that you or your system admin fended off a heavy DDoS attack with only software means, I would have to say you are exaggerating. Bots now can change their entire subnets in seconds; you can ban all you want, but unless you have hardware DDoS protection your server will go down under a distributed denial of service. Install all the software you want, it will not stop massive DDoS attacks. It has to be a hardware level of protection.

    It is misleading to tell someone they can do this on the software level; it will just waste someone's time and perhaps money. You can stop a simple DoS with software, not a DDoS.
    Not everyone needs DDoS protection, but if anyone is having to deal with constant DDoS attacks you will have to move to a DDoS-protected network or get used to your server being down all the time.
    Last edited by jon-f; 09-05-2006 at 12:33 PM.
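
The script below is an added example written for this thread, not the inetbase script, DoS Deflate, APF, mod_evasive, or anything any poster here ran. It implements the counting-and-threshold idea from david510's post #12 (count connections per remote IP from netstat output, flag IPs over a threshold, emit a block rule) and then shows jon-f's point above in numbers: a botnet that spreads 12,000 connections over 600 hosts never trips a per-IP threshold that would catch one noisy source. Assumptions: `netstat -ntu` column layout (column 5 is `remote:port`, column 6 the state); the sample netstat output and the 10.0.x.y bot addresses are constructed; `IGNORE_LIST` and `DRY_RUN` are variable names invented for the example.

```sh
#!/bin/sh
# Added example, not code from this thread, from DoS Deflate or from APF.
# Per-IP counting with a threshold (post #12), then a constructed distributed
# flood that keeps every IP below the threshold (post #20).
# Assumptions: `netstat -ntu` layout (column 5 = "remote:port", column 6 =
# state). All addresses below are constructed placeholders.

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51237       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33000       TIME_WAIT
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:44000     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:44001     ESTABLISHED'

# connections_per_ip [STATE]: read netstat lines on stdin, print "count ip",
# highest count first. Only the trailing ":port" is stripped, so IPv6 peers
# survive (cut -d: -f1, as used in the thread, would truncate them). With a
# STATE argument (e.g. SYN_RECV) only sockets in that state are counted.
connections_per_ip() {
    awk -v state="${1:-}" '
        $5 ~ /:[0-9]+$/ && (state == "" || $6 == state) {
            sub(/:[0-9]+$/, "", $5); c[$5]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2
}

# over_threshold THRESHOLD [STATE]: print peers with at least THRESHOLD
# connections, skipping anything in IGNORE_LIST (space separated) so the
# host never blocks its own monitoring, backup or upstream addresses.
over_threshold() {
    thr="$1"; shift
    connections_per_ip "$@" | awk -v thr="$thr" -v ignore="${IGNORE_LIST:-}" '
        BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
        $1 >= thr && !($2 in skip) { print $2 }'
}

# block_ip IP: the rule a once-a-minute cron job would apply. Dry run by
# default; set DRY_RUN=0 (as root) to actually insert the iptables rule.
block_ip() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'would run: iptables -I INPUT -s %s -j DROP\n' "$1"
    else
        iptables -I INPUT -s "$1" -j DROP
    fi
}

# flood_summary: distinct peers, total connections and the busiest peer.
# Total versus per-IP maximum is exactly what a threshold blocker cannot see.
flood_summary() {
    connections_per_ip | awk '{ ips++; total += $1; if ($1 > max) max = $1 }
        END { printf "ips=%d conns=%d max_per_ip=%d\n", ips, total, max }'
}

# synth_flood NIPS PER_IP: constructed netstat lines for a botnet of NIPS
# hosts each holding PER_IP sockets open, the pattern described in post #20.
synth_flood() {
    awk -v n="$1" -v k="$2" 'BEGIN {
        for (i = 1; i <= n; i++) for (j = 1; j <= k; j++)
            printf "tcp 0 0 192.0.2.10:80 10.0.%d.%d:%d ESTABLISHED\n",
                   int(i / 256), i % 256, 40000 + j
    }'
}

# Demo: the single noisy peer is caught at threshold 3; 600 bots holding 20
# sockets each (12000 connections) yield no candidate at threshold 50.
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 3 | while IFS= read -r ip; do block_ip "$ip"; done
synth_flood 600 20 | flood_summary
echo "bots caught at threshold 50: $(synth_flood 600 20 | over_threshold 50 | wc -l)"
```

On a live host the equivalent of the cron job in post #12 is `netstat -ntu | over_threshold 50 | while read ip; do block_ip "$ip"; done` with `DRY_RUN=0` as root. Passing `SYN_RECV` as the state argument counts only half-open sockets, which is the quick check for a SYN flood; TIME_WAIT sockets are not load and should not count toward a block decision.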

  21. #21
    Obviously you need the right tool for the job, and since hardware is specialized to have very high performance dealing with network issues, it can deal with bigger problems than software.

    But, since we don't know the exact nature of the problem, it is silly to say it can't be solved without some mega hardware device. Certainly 600 computers can knock out his server, no doubt about that. But if they're engaged in particular kinds of attacks, and not others, then yes, you can do something about it, in software. Granted, someone who has 600 computers at their disposal is probably sophisticated enough in their attack to pick methods that are very difficult to block against with just software, but this doesn't mean it's "impossible".

    It seems he has the situation under control now, so the entire point is moot.
