UDP DDoS

  #1  
Old 06-05-2009, 11:18 PM
Orbixx Orbixx is offline
New Member
 
Join Date: Jun 2009
Posts: 3

UDP DDoS


Hi there,

I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server, it's currently crippling Apache, but only on port 80, https (443) is fine. I've told iptables to drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs, this has helped, but the webserver is still periodically unresponsive.

Does anybody have any suggestions?

Thanks in advance.



  #2  
Old 06-05-2009, 11:54 PM
Lightwave Lightwave is offline
Web Hosting Master
 
Join Date: Apr 2003
Location: San Jose, CA.
Posts: 1,620
Quote:
Originally Posted by Orbixx View Post
I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server
I'm a little curious why your webserver listens to UDP traffic.

__________________
Daved @ Lightwave Networking, LLC.
AS1426 https:/www.lightwave.net
Primary Bandwidth: EGIHosting (NLayer, NTT, HE, Cogent)
Xen PV VPS Hosting

  #3  
Old 06-05-2009, 11:55 PM
Orbixx Orbixx is offline
New Member
 
Join Date: Jun 2009
Posts: 3
It doesn't. It's just UDP traffic coming in aimed at port 80.

  #4  
Old 06-06-2009, 02:27 AM
Lightwave Lightwave is offline
Web Hosting Master
 
Join Date: Apr 2003
Location: San Jose, CA.
Posts: 1,620
Do you understand why little of what you said makes any sense?

  #5  
Old 06-06-2009, 03:08 AM
Orbixx Orbixx is offline
New Member
 
Join Date: Jun 2009
Posts: 3
No, I don't see anything wrong with somebody sending a UDP packet destined for port 80 on my server. Sure Apache isn't listening for UDP packets as http is TCP based only, but the packets I am getting are UDP and they are trying to hit port 80.

What's so ridiculous about that?

  #6  
Old 06-06-2009, 03:42 AM
beastserv beastserv is offline
RedHat Certified
 
Join Date: Mar 2009
Location: Israel
Posts: 1,204
What kind of firewall are you using? Do you have access to your router?
Is the attack directed to your main IP address?
Or is it an IP alias?

__________________
beast5.com - Managed Hosting Solutions 2004 - 2014

  #7  
Old 06-06-2009, 03:54 AM
hhw hhw is offline
Web Hosting Master
 
Join Date: Oct 2002
Location: Vancouver, B.C.
Posts: 2,203
Quote:
Originally Posted by Orbixx View Post
Hi there,

I'm experiencing a significant UDP DDoS at the moment which is aimed at port 80 on my server, it's currently crippling Apache, but only on port 80, https (443) is fine. I've told iptables to drop UDP packets sent to port 80 and have also completely blocked most of the attacking IPs, this has helped, but the webserver is still periodically unresponsive.

Does anybody have any suggestions?

Thanks in advance.
Try requesting an ACL from your provider, so the traffic is blocked before it gets to you.

It doesn't make much sense why the attack would affect Apache on TCP port 80 and not 443. Are you certain it's not affecting both?

__________________
Han Hwei Woo, ASTUTE HOSTING AS54527 *Advanced and customized solutions for the savvy customer!*
Dedicated Hosting and CDN out of Vancouver, Seattle, LA, Toronto, NY, Miami, and (soon) London
We include CDN, anycast DNS, onboard KVMoIP, firewall, local and global load-balancing, and privatenet with all servers.
sales@astutehosting.com

  #8  
Old 06-06-2009, 04:07 AM
plumsauce plumsauce is offline
******* Unleaded
 
Join Date: Feb 2004
Posts: 3,802
Quote:
Originally Posted by hhw View Post
Try requesting an ACL from your provider, so the traffic is blocked before it gets to you.

It doesn't make much sense why the attack would affect Apache on TCP port 80 and not 443. Are you certain it's not affecting both?
At a guess, it might be the relative efficiency of iptables at distinguishing ports versus some other factor. In other words, it may be further down the food chain before it gets dealt with by dropping. In the meantime, it chews up resources until it gets to that rule.

__________________
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com

  #9  
Old 06-06-2009, 04:31 AM
msherman msherman is offline
Web Hosting Guru
 
Join Date: Feb 2008
Location: California
Posts: 315
Does your provider offer any sort of DDoS mitigation at the network level? If so, ask them to enable it.

Short of that, as hhw suggested, ask your provider to block UDP (or specifically UDP port 80 if that's all that's hitting you) traffic via an ACL. Keep in mind that some services typically run over UDP (such as name service), so if you require those services to be running make sure your provider carves out exceptions to the ACL.

__________________
Take 2 Hosting, Inc. - Hosting Done Right
Fully automated setup - new servers in as little as 10 minutes
http://www.take2hosting.com/

  #10  
Old 06-06-2009, 09:31 AM
ddosguru ddosguru is offline
CISSP-ISSMP, CISA
 
Join Date: Aug 2002
Location: Los Angeles, CA
Posts: 5,425
If you're not a DDoS risk and really only receive an occasional attack you might just look for a provider that has a managed firewall appliance (eg. Netscreen) so you can set your own rules on the network and block the traffic you don't need.

__________________
.._(_)_.. Black Lotus Communications - AS32421
(_)@(_) >> Carrier grade DDoS mitigation for service providers and enterprises
....(_)..... >> 480 Gbps active DDoS filtering capacity available in Los Angeles and Ashburn facilities

  #11  
Old 06-06-2009, 01:03 PM
Lightwave Lightwave is offline
Web Hosting Master
 
Join Date: Apr 2003
Location: San Jose, CA.
Posts: 1,620
Quote:
Originally Posted by Orbixx View Post
No, I don't see anything wrong with somebody sending a UDP packet destined for port 80 on my server. Sure Apache isn't listening for UDP packets as http is TCP based only, but the packets I am getting are UDP and they are trying to hit port 80.

What's so ridiculous about that?
Ok... So, someone is sending you UDP packets to port 80, and you think that's slowing down Apache, specifically on port 80.

Apache isn't processing UDP data, so saying Apache is running slow on port 80 but fine on port 443 doesn't make sense or shows some unrelated problem.

You've added a rule to your firewall saying drop all UDP data for port 80. What is it going to do with that data without that rule? Drop it. (Blocking it after it's already reached your box is pointless).

  #12  
Old 06-06-2009, 04:24 PM
eth1 eth1 is offline
Web Hosting Guru
 
Join Date: May 2008
Posts: 340
Can you paste the output of the following commands so that we can see the requests coming in on port 80 ?

Quote:
netstat -plant | grep httpd
Quote:
tcpdump -vv -i eth0 udp
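
An added example, not part of the thread: one way to turn the capture requested above into the upstream ACL request suggested in posts #7 and #9, by grouping inbound UDP by destination port and keeping ports that carry a wanted service. The server address, the sample lines, the function name `summarize` and the choice of port 53 as the wanted service are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation address ranges), not real traffic.
# Assumed form: the one-line "UDP, length N" output tcpdump -n prints for
# UDP payloads it does not decode; lines in any other form are counted as skipped.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.5.40112 > 198.51.100.10.80: UDP, length 1024
12:00:01.000040 IP 203.0.113.5.40113 > 198.51.100.10.80: UDP, length 1024
12:00:01.000090 IP 203.0.113.77.1900 > 198.51.100.10.80: UDP, length 512
12:00:01.000130 IP 192.0.2.44.53211 > 198.51.100.10.80: UDP, length 1024
12:00:01.000200 IP 192.0.2.9.33001 > 198.51.100.10.53: UDP, length 40
12:00:01.000260 IP 198.51.100.10.53 > 192.0.2.9.33001: UDP, length 120
garbage line that is not a packet
"""

LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

def summarize(capture, server_ip, wanted_udp_ports=(53,)):
    """Group inbound UDP by destination port; flag ports with no wanted service."""
    packets, octets = Counter(), Counter()
    sources = defaultdict(Counter)
    skipped = 0
    for line in capture.splitlines():
        m = LINE.search(line)
        if m is None:
            skipped += 1              # not in the expected one-line UDP form
            continue
        if m["dst"] != server_ip:
            continue                  # replies leaving the server, or other hosts
        port = int(m["dport"])
        packets[port] += 1
        octets[port] += int(m["len"])
        sources[port][m["src"]] += 1
    report = {}
    for port, count in packets.most_common():   # busiest port first
        report[port] = {
            "packets": count, "bytes": octets[port],
            "sources": len(sources[port]),
            "top_source": sources[port].most_common(1)[0][0],
            "action": "keep" if port in wanted_udp_ports else "ask provider to ACL",
        }
    return report, skipped

if __name__ == "__main__":
    for port, row in summarize(SAMPLE, "198.51.100.10")[0].items():
        print(port, row)
```

A high source count on a port with no UDP listener points to a port-based ACL at the provider rather than a list of blocked IPs.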
