  1. #1

    Acceptable DDoS Time

    Hi All

    I periodically experience DDoS Attacks. I wanted to get some input on what you consider an acceptable amount of time before they stop?

    I am hosted with The Planet which has some kind of DoS protection, and I've got APF / BFD installed which also prevents some. Usually it'll last 10/20 minutes and be ok again. Is this within the "acceptable" time frame, or would a Hardware Firewall do much better?

    The Planet has: Check Point VPN-1 UTM Edge OR Cisco ASA 5510 SP / 5520 / 5550

    Basically I don't want to get a Hardware Firewall if it's not going to do any better. But I don't want to not get one if it means I could be providing better services to my website users.

    Thanks!

  2. #2
    Do you know what type of attack it is?

    How many connections, and how much bulk data, are they spitting at you with each request or SYN request?

    BFD - brute force detection, doesn't stop DDoS attacks.

    APF - Manages your iptables. It will block a certain amount; however, all it's going to do is bog down your box if you don't have it configured correctly.

    ThePlanet cannot save your box from a DDoS attack unless it's BIG; if it's a crafted attack then it's not going to work at all.

    Best Regards,
    Logan

  3. #3
    I'm not exactly sure, but after doing a lot of searching it seems to be a SYN attack of some sort. Basically Apache gets stuck reading requests until it's run out of processes, all reading.

    APF I have set to do the SYN cookies thing, so I think it's blocking the IPs after a certain interval, but maybe I'm wrong? I do know the list of IPs it's blocking increases.

    Not sure how many connections or how much data. I have a pretty active website, so whenever I run the netstat commands it lists so much information, and many of the IPs are valid users. I do know that when the IPs are sorted by connections, the top connected ones are almost always known members.

    Any advice?

    Thanks!

  4. #4
    Quote Originally Posted by xxclixxx
    I periodically experience DDoS Attacks. I wanted to get some input on what you consider an acceptable amount of time before they stop?
    What kind of input? The nature of the data can point us to what to discuss.

  5. #5
    You should try mod_evasive + iptables if it's a simple SYN flood; also you should renew your firewall rules, for example 3-4 sources per IP or so.


  6. #6
    If it's a small attack, The Planet's hardware firewall won't even detect it. If you have your own hardware firewall at The Planet, tweak its threshold to lower it. Good luck.

  7. #7
    Nothing is acceptable when we talk about ddos attacks. Try setting up iptables.

  8. #8
    Quote Originally Posted by ElTino
    Nothing is acceptable when we talk about ddos attacks. Try setting up iptables.
    He's already said he's using APF, so he is using iptables as APF is an iptables front end.

    You might be better off with CSF as it does have some rate detection code built into it. I'm not 100% confident whether it will be better here, but it may be worth reading up on it and just comparing whether it's better in practice, particularly if you are running cPanel. The other thing worth testing is whether CSF is more responsive to ongoing attacks.

    mod_evasive won't help at all if it's a SYN flood. Why, you ask? A SYN flood works by overloading the kernel tables used to open new connections so the packets would never make it to the httpd process which is where mod_evasive runs. mod_evasive only works if the DDOS is coming from a small number of IPs, if it's coming from a large number it gets harder to do useful things and all the solutions struggle.

    Do you have your kernel set to do SYN Cookies? I saw that you had APF set, but I'm not sure whether that activates SYN cookies in the kernel or whether it's an APF level above that. SYN Cookies fix things so the kernel tables that get flooded by a SYN flood actually aren't used any more, so the attack doesn't work on you as well as it did.
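The two questions in the post above (are SYN cookies actually on in the kernel, and does the socket table look like a SYN flood at all?) are answerable from the shell in a few lines. The script below is an added example, not code from the thread or from APF/CSF: the `netstat -ant` sample is constructed for it with documentation addresses, and the sysctl path and directory are parameters so the checks can be run against test files as well as against a live `/proc/sys/net/ipv4`.

```shell
# Constructed sample of `netstat -ant` output (documentation ranges, not the OP's data).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:33000       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:22222      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.77:55000      ESTABLISHED'

# Return 0 when SYN cookies are on in the kernel, 1 when off, 2 when unreadable.
# The path is a parameter (default is the real sysctl file) so it can be tested offline.
syncookies_enabled() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print the kernel knobs that govern a SYN flood, one "name value" per line,
# read from a sysctl directory (default /proc/sys/net/ipv4).
syn_knobs() {
    d="${1:-/proc/sys/net/ipv4}"
    for k in tcp_syncookies tcp_max_syn_backlog tcp_synack_retries; do
        if [ -r "$d/$k" ]; then
            printf '%s %s\n' "$k" "$(cat "$d/$k")"
        fi
    done
    return 0
}

# Count sockets in one TCP state (e.g. SYN_RECV) from `netstat -ant` on stdin.
count_state() {
    awk -v st="$1" '$1 ~ /^tcp6?$/ && $NF == st { n++ } END { print n + 0 }'
}

# Half-open versus established sockets on one local port, printed as "SYN_RECV ESTABLISHED".
# A SYN flood shows up as the first number; a slow-request attack that leaves Apache
# "reading request" shows up as the second, with the first staying small.
syn_pressure() {
    awk -v p="${1:-80}" '
        $1 ~ /^tcp6?$/ && $4 ~ (":" p "$") {
            if ($NF == "SYN_RECV") s++; else if ($NF == "ESTABLISHED") e++
        }
        END { printf "%d %d\n", s + 0, e + 0 }'
}

# Typical use during an attack (not executed here):
#   syncookies_enabled && echo "syncookies on"; syn_knobs
#   netstat -ant | syn_pressure 80
```

One caveat worth keeping in mind when reading the numbers: with `tcp_syncookies=1` the kernel only starts answering with cookies once the SYN backlog (`tcp_max_syn_backlog`) is full, so a flood still shows a SYN_RECV count up to that size, just not one that keeps growing. If `syn_pressure` reports a small first number and a large second one while Apache is wedged, the problem is established connections that never finish their request, which is the case the next posts describe.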

  9. #9
    Yes, Syn Cookies are enabled in kernel. With it enabled, can you still get a SYN Flood? Or could this perhaps be something else and I'm looking in the wrong direction?

    The symptoms.. Only Apache is affected, and it happens when it slowly gets stuck in "reading request" mode for each request. Eventually all are stuck reading, and the system restarts it.

  10. #10
    You need to collect data during the attack.
    Can you tell if there are multiple IP addresses as sources, or is it a single IP address hammering your server?
    Do you have any traffic graphs of your inbound interface so that you can assess the amount of traffic that floods you?

    Depending on the answers to these questions you may be able to fend off DoS attacks using iptables to limit the amount of connections per IP and by using a recent version of Apache that will only spawn a child process after receiving a GET request (this will protect you against DDoS attacks with spoofed IP source or simple SYN floods).

    Regards,
    Jorge Luis

  11. #11
    Quote Originally Posted by xxclixxx
    Yes, Syn Cookies are enabled in kernel. With it enabled, can you still get a SYN Flood? Or could this perhaps be something else and I'm looking in the wrong direction?
    If SYN Cookies are enabled, you're not getting a SYN Flood. Google up on it and you'll see what I mean.

    Quote Originally Posted by xxclixxx
    The symptoms.. Only Apache is affected, and it happens when it slowly gets stuck in "reading request" mode for each request. Eventually all are stuck reading, and the system restarts it.
    This sounds like what jluis is describing immediately above. The DDOS is opening Apache connections but not sending any data, so you get a hang. As jluis says, apparently newer versions of Apache handle this gracefully, only handing off to an httpd if valid data arrives.

    Most DDOSes come from a limited range of IPs so that is really worth checking out - often you'll get 4-5 IPs opening 10-20 connections each, which is enough to floor your Apache but could easily be dealt with by CSF or iptables connlimit or something similar.
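The "4-5 IPs opening 10-20 connections each" case above, and the data collection jluis asks for in post #10, come down to counting sockets per remote address and then writing the rule the counts justify. This is an added example, not CSF's or APF's code: the `netstat -ant` sample is constructed with documentation addresses, the functions only print iptables commands rather than running them, and the connlimit syntax is the one documented in the iptables manual.

```shell
# Constructed `netstat -ant` sample (documentation ranges, not the OP's data):
# 8 live connections from one source, 5 from another, one live and one
# closing from an ordinary visitor, plus an unrelated SSH session.
SAMPLE_CONNS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51238      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51239      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51241      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:40003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:40004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:40005      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:33000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:33001       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.77:55000      ESTABLISHED'

# "count ip" per remote IPv4 source with sockets to local port $1, highest first.
# LISTEN and TIME_WAIT are skipped: neither occupies an Apache worker.
conns_per_ip() {
    awk -v p="$1" '
        $1 == "tcp" && $4 ~ (":" p "$") && $NF != "LISTEN" && $NF != "TIME_WAIT" {
            split($5, a, ":"); c[a[1]]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Sources holding more than $2 concurrent connections to port $1, one per line.
offenders() {
    conns_per_ip "$1" | awk -v t="$2" '$1 + 0 > t + 0 { print $2 }'
}

# Emit (never run) one DROP rule per offender, so the list can be eyeballed before
# it is piped to sh. The threshold must sit above what the busiest legitimate
# member opens; the OP says known members top the list on a normal day.
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n' "$ip" "$1"
    done
}

# The source-agnostic version: refuse new connections (SYN) from any single /32 that
# already holds more than $2 to port $1. Printed, not executed.
connlimit_rule() {
    printf 'iptables -I INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' "$1" "$2"
}

# Typical use (not executed here):
#   netstat -ant | conns_per_ip 80 | head        # during normal traffic, to pick a threshold
#   netstat -ant | drop_rules 80 20 | sh         # during an attack, after reading the list
#   connlimit_rule 80 20 | sh                    # standing rule
```

Two limits of this approach that the thread touches on: connlimit counts by source address, so it does nothing against a spoofed-source SYN flood (that is what the kernel's SYN cookies are for), and it will also count everyone behind one NAT gateway as a single source, so `--connlimit-above` needs headroom for offices and campuses that legitimately open many connections.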

  12. #12
    I have a DDOS attack going on for 40 days now, similar problem. Just build enough redundancy into your system so that it does not affect you.

  13. #13
    Quote Originally Posted by dnki
    I have a DDOS attack going on for 40 days now, similar problem. Just build enough redundancy into your system so that it does not affect you.
    What type of DDOS?
    I suppose that it does not affect your bandwidth significantly.
    What kind of countermeasures have you taken to identify and fend off the incoming traffic?

    Regards,
    Jorge

  14. #14
    They are opening a lot of connections , which is creating a problem. These are small sites, so it does not matter.

  15. #15
    Have you resolved this issue or are you still experiencing attacks?

    Quote Originally Posted by xxclixxx
    Hi All

    I periodically experience DDoS Attacks. I wanted to get some input on what you consider an acceptable amount of time before they stop?

    I am hosted with The Planet which has some kind of DoS protection, and I've got APF / BFD installed which also prevents some. Usually it'll last 10/20 minutes and be ok again. Is this within the "acceptable" time frame, or would a Hardware Firewall do much better?

    The Planet has: Check Point VPN-1 UTM Edge OR Cisco ASA 5510 SP / 5520 / 5550

    Basically I don't want to get a Hardware Firewall if it's not going to do any better. But I don't want to not get one if it means I could be providing better services to my website users.

    Thanks!

  16. #16
    I have to agree with you here. Unfortunately theplanet is not so enlightened. One of my servers at theplanet is suffering frequent and intermittent loss of connectivity due to another server possibly the same one OP refers to that is being DoS'd. The situation has been ongoing for weeks and I'm on my fourth ticket regarding the same.

    Today they graciously offered to move my server to another switch and asked me to allow them four (4) hours of downtime to effect said move. Needless to say I'm not happy about this at all, especially since my server is not the subject of these attacks. I'm the victim, experiencing the ill effects of the same from the server that is being attacked. Thus I asked why aren't they moving the server that is being DoS'd and causing the problem... Put that server on a switch with other problem servers, or cancel the server pursuant to their own Network Abuse AUP clause which specifically prohibits the cause or initiation of disruptions to network communication and/or connectivity. Surely the offending server is not initiating the DoS attacks; however, the same are the cause of my frequent connectivity loss. In any event I don't think it is unreasonable to move the server that is being attacked? Do you?


    Quote Originally Posted by ElTino
    Nothing is acceptable when we talk about ddos attacks. Try setting up iptables.

  17. #17
    Your case is definitely of an interesting nature, if I can put it that way. Having read the stated facts I can undoubtedly say that moving your server to a different host would be, unfortunately, just a partial solution to your issues.

    A good approach towards securing a server's uptime, IMO, would be choosing a company to host with, and a company that will provide you with the required DDoS protection.

    Bear in mind that there are many tools, software solutions, hardware devices that are being advertised as high end, top class DDoS protection tools which I think are incapable of mitigating let alone preventing massive DDoS attacks.

    Most often the quality services, the ones that really help mitigating and protecting from these attacks, are expensive, and people tend to choose the cheaper options. This is definitely the worst call a company can make, as the losses from a potential downtime (if the case is that the company has huge daily earnings just for their online presence) could be way more than the expenses for a quality DDoS mitigation service.

    At the end of the day a company with an online business that depends on its uptime has to consider the pros and the cons of choosing a solution, be it software, hardware or a professional anti-DDoS service, because clients do not care about that thing after all. All they want from their providers, suppliers or sellers is availability all the time, every time. Else, they would go to your competitors and you lose something more precious and valuable than money - CUSTOMERS!!!
