DDOS + Connection Flood Attack

  • targetlocked
  • Newbie
  • Joined: Mar 07, 2004
  • Posts: 7

Post May 28th, 2004, 10:00 pm

Hi people
My server at BurstNet was attacked by 10 IPs... I have them all. What do I do to press charges on these losers?

Also, what can I do to prevent this from occurring again? Any host who has experienced this before?

Thanks,
Websiteunited.com
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post May 29th, 2004, 5:28 am

You would be best advised to consult your attorney for legal advice. Not us.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Daemonguy
  • Moderator, Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post May 29th, 2004, 3:21 pm

ATNO is correct.

You should also realize that all of those IPs could be from unwilling participants. Often they are hacked home machines on cable or DSL connections being used remotely to attack a site. (DDOS is an effective way to overflow the buffer on a server, thus permitting the real intruder access.)

Cheers.
"It's always a long day, 86,400 won't fit into a short."
  • madmonk
  • Mastermind
  • Joined: May 04, 2004
  • Posts: 2115
  • Loc: australia

Post May 30th, 2004, 11:33 am

I agree with what they have said.

Basically DDOS means distributed denial of service. "Distributed" because attacks are launched from tens/hundreds of computers at the same time.
Your ten IPs may be victims themselves; most often they are...

Try having a firewall script preventing a DDOS attack from happening.
Not sure if this is the most appropriate action to be taken though..
Maybe some ozzu members may suggest better alternatives..
Tattoos Gallery
  • Foxy
  • Guru
  • Joined: May 14, 2004
  • Posts: 1038
  • Loc: places..

Post May 30th, 2004, 3:48 pm

Yes, Sygate Professional firewall (non-free version) offers DDoS protection... Also, if a lawyer is affordable (your site is a big money maker), then go do that.
  • InfluxHost
  • Newbie
  • Joined: Jun 10, 2004
  • Posts: 9

Post June 10th, 2004, 3:58 pm

Hello,
You should log in via SSH to your server and type the following for each IP:
iptables -A INPUT -s 127.0.0.1 -j DROP
Replace 127.0.0.1 with the actual IP address. Do this for each IP.
This will ban the IP from ever accessing the server again. Therefore if the person(s) involved try to DDoS you, it will not work.

If it happens again and you think your server is being DDoSed, run this command:
netstat -n -p | grep SYN_RECV | wc -l
It will give you how many SYN_RECV connections you have on the server. If it's above 20 or so, run this command to get the IPs involved:
netstat -n -p | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}'

And then you can run:
netstat -n -p | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort -u | xargs -I{} iptables -A INPUT -s {} -j DROP
This will take all the IPs involved and ban them, just like the first command I gave you.

I would also recommend installing APF (firewall). It's free and it works very well with cPanel servers.

Let me know if you need anything else.

-Greg
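A worked version of the detect-then-block procedure above, added here as an example and not Greg's own script. It counts SYN_RECV entries per foreign address from netstat-style output and prints (rather than runs) the iptables DROP rules for sources over a threshold, so they can be reviewed before being applied as root. The netstat lines are constructed sample data; in real use pipe `netstat -nt` in instead.

```shell
#!/bin/sh
# Added example: per-source SYN_RECV counting and DROP-rule generation.
# The sample below is constructed to look like `netstat -nt` output
# (proto, recv-q, send-q, local address, foreign address, state).
SAMPLE_NETSTAT='tcp        0      0 198.51.100.10:80        203.0.113.5:40123      SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:40124      SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:40125      SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.77:5123      SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:33001       ESTABLISHED
tcp        0      0 198.51.100.10:22        192.0.2.9:55000        ESTABLISHED'

# Total number of half-open connections (what Greg's first netstat command reports).
total_syn_recv() {
    grep -c 'SYN_RECV'
}

# Print "count ip" for every foreign address that has SYN_RECV entries.
# Field 5 is foreign address:port; the port is stripped before counting,
# otherwise one attacker using many source ports would never be aggregated.
syn_recv_counts() {
    grep 'SYN_RECV' | awk '{print $5}' | awk -F: '{print $1}' \
        | sort | uniq -c | awk '{print $1, $2}'
}

# Emit one iptables DROP rule per source IP whose SYN_RECV count is >= $1.
# Rules are printed, not executed, so an operator can review them first;
# the rule format is the one Greg gave: iptables -A INPUT -s IP -j DROP.
drop_rules_above() {
    threshold="$1"
    syn_recv_counts | awk -v t="$threshold" \
        '$1 >= t {print "iptables -A INPUT -s " $2 " -j DROP"}'
}

# Stand-alone run on the constructed sample; the single noisy source
# (203.0.113.5, three half-open connections) is the only one listed.
printf '%s\n' "$SAMPLE_NETSTAT" | drop_rules_above 3
```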
  • suhailc
  • Born
  • Joined: Mar 01, 2005
  • Posts: 3

Post March 1st, 2005, 2:17 pm

Hi Greg,

Thanks for those instructions - just helped me block out some nasty IPs DDOSing one of our servers.

Do you know how to view which sites they were attacking, i.e. are there any logs I can check by searching for the offending IPs and the URLs they were trying to access?

Also, can I ask where I can find the best resources for learning all of these commands other than searching on Google, or is Google my best bet?

Regards,
Suhail.
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post March 1st, 2005, 2:52 pm

Welcome to OZZU Suhail. Nice to see a post here helped you. It appears that you might have overlooked that you replied to a nearly year old post. No problem with that at all, but I just wanted to let you know Greg hasn't posted here since that last post.


However, there's many good people here that might be able to assist you and answer your questions. Hang tight.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • Daemonguy
  • Moderator, Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post March 2nd, 2005, 6:48 am

siterollout.com wrote:
Hi Greg,

Thanks for those instructions - just helped me block out some nasty IPs DDOSing one of our servers.

Do you know how to view which sites they were attacking, i.e. are there any logs I can check by searching for the offending IPs and the URLs they were trying to access?

Also, can I ask where I can find the best resources for learning all of these commands other than searching on Google, or is Google my best bet?

Regards,
Suhail.


Presumably, you run the sites that are being attacked.

The best recourse is to look at the web server logs. They should list both the attacked URL as well as the IP of the attacker.

On a side note, you can do DDoS limiting via firewalls, such as Cisco Pix, or go all out and get an IPS (Intrusion Prevention System -- sort of a smart IDS).

Cheers.
"It's always a long day, 86,400 won't fit into a short."
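One way to pull that information out of an Apache combined-format access log, added here as an example rather than anything from the thread: given a suspect IP it lists the URLs that address requested, with counts, and a second helper ranks all client IPs by request volume. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: answer "which URLs did this IP hit?" from an Apache
# access log. Constructed sample lines in combined log format:
# client - - [date] "METHOD URL PROTO" status bytes "referer" "agent"
SAMPLE_ACCESS_LOG='203.0.113.5 - - [01/Mar/2005:14:02:11 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Mar/2005:14:02:11 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [01/Mar/2005:14:02:12 -0500] "GET /forum/search.php?q=a HTTP/1.1" 200 9813 "-" "Mozilla/4.0"
192.0.2.44 - - [01/Mar/2005:14:02:12 -0500] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"'

# urls_for_ip IP  (log on stdin): prints "count URL", most requested first.
# $1 is the client address and $7 the request path in combined format.
urls_for_ip() {
    awk -v ip="$1" '$1 == ip {print $7}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# requests_per_ip (log on stdin): prints "count IP", busiest client first,
# which is how to spot the offending addresses without knowing them up front.
requests_per_ip() {
    awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | requests_per_ip
printf '%s\n' "$SAMPLE_ACCESS_LOG" | urls_for_ip 203.0.113.5
```

Real logs live wherever the Apache config's CustomLog points (commonly under /var/log/apache2 or /var/log/httpd); feed the file in with `urls_for_ip IP < access_log`.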
  • CartikaHosting
  • Proficient
  • Joined: Oct 30, 2004
  • Posts: 455
  • Loc: Wishing I was in Kicking Horse

Post March 2nd, 2005, 9:02 pm

Hello - an easy way to discover the source of the attacks (if you run any sort of control panel) is by running a bandwidth report from your CP admin during the period of the attack - usually the results will show up there. The better way to do this is to sort through the logs - however, a quick, semi-effective way is to monitor the bandwidth..

As far as blocking the attack - and Daemonguy would be better equipped to answer this one - you should be able to configure your firewall and/or router to ignore packets if received from an IP greater than x times/sec, for example...

Again - not my area of expertise as we have datacenter folks that take care of this... but I thought I'd throw it out there - and hoping Daemonguy will provide more info :)
Andrew - http://www.cartikahosting.com
Business Grade, Clustered Application Hosting
Windows, Linux, Coldfusion, FreeBSD, MS Exchange and Dedicated Servers
  • Daemonguy
  • Moderator, Web Master
  • Joined: Jan 23, 2004
  • Posts: 2673
  • Loc: Somewhere outside the box in Sarasota, FL.

Post March 3rd, 2005, 7:27 am

Well, speaking generically, it's difficult to really provide in-depth information.

However;
http://www.cisco.com/en/US/products/ps5 ... e927.shtml
Is a nice paper on the benefits of running a device which basically analyzes traffic patterns and determines if a DDoS is in effect.

Of course, as I said, the Pix also offers a level of protection from DDoS as well; nearly anything that uses IOS ("operating system", if you will, for Cisco gear) has the potential for such.

However, it seems that Cisco, since they have a nice nifty new product, really only speaks of it in as much as DDoS protection is concerned. It's nice though; comes in a blade format as well.

Blocking is simply not enough; it has to be dynamic, almost autonomic. If you notice a slowdown or have a service that monitors the connection for you like Gomez or Keynote -- by the time you are notified, they are already well into DDoSing you, and it's quite probably too late. The trick is to mitigate the risk ahead of time. If I want to DDoS someone, (and I *didn't* have 6 OC-48's at my disposal :) ) but I did have a metric boatload of compromised cable/dsl users, well, as you can plainly see... blocking all of them in time would be nigh impossible. As soon as one is blocked, 10 more spring up.
What you need is something to register the attack in progress and dynamically configure itself to simply drop the packets. Denies take processor time, which is precious in the midst of an attack. Remember the whole point of a DDoS (distributed DoS, Denial of Service) is generally to open up as many sockets as possible and leave them open, thereby taking up system resources and choking it to death; either the bandwidth or the box, makes no difference.
Ignoring (or dropping, same thing really) the packets is really the only answer.

Of course, you can work it out with your host to establish load and traffic utilization monitoring for an 'early warning' of attacks.

The simple answer is, there's no simple answer. There is no 'silver bullet' which you can buy, install and BAM, no more DDoS threat. Mitigated risk and protection from such is all encompassing. You have to have dedicated personnel who accomplish everything from firewall ACL's which block obvious DDoS threats (more sophisticated attacks use available services and crafted packets), to router maintainers who deny non-standard protocols from traversing the border. An IPS would be nice, but the gist is, you have to protect yourself BEFORE there's an issue. So while the question is easy, the answer is not.


You might want to read some of the resources found on SANS, http://www.sans.org

They have some interesting white papers on the subject.

Cheers.
"It's always a long day, 86,400 won't fit into a short."
  • Uncensored-Hosting
  • Proficient
  • Joined: Sep 26, 2004
  • Posts: 383
  • Loc: Los Angeles

Post March 3rd, 2005, 11:42 pm

When defending/hardening a server, think in terms of layers. The only time too many layers are a problem is when they degrade server performance and/or consume more resources than they protect. BTW, the logs you want to monitor are the Apache access and error logs.
MONEY BACK GUARANTEE! • Ddos, DOS, Brute force, Password Trading & Proxy attack defense. • No price increase EVER!
sales@uncensored-hosting.com Uncensored-Hosting

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.