[Help] Prevent DDOS attack.

Ask your general or IRC related questions.
Lysergic
Posts: 35

Post by Lysergic »

Speaking about DDOS, a friend got his server DDOS:ed yesterday... :roll:

Someone did both TCP-floods, as well as bruteforcing via SSH and some kind of flood on the FTP-server... The person who did it is not very bright in other words.
Macedonia is a province in Greece.

Mitko
Posts: 594
Location: Europe

Post by Mitko »

Do we care? Is your comment of any benefit to the topic? No. But good, it's nice you didn't mention the whole process of how to ddos, otherwise this would have turned into a "how to ddos" section. Thousands of machines are ddosed every day; if we write them here, we'll get nowhere, and it is totally off topic.
Dimitar Tnokovski aka Mitko

Lysergic
Posts: 35

Post by Lysergic »

Apart from the above meaningless comments:

What settings do you use in your firewall settings in order to minimize the effect of a DDOS? (apart from taking down the possibility to ping, for example)

And if subjected to a DDOS, what is the best path of action?

xplora
Posts: 564
Location: Hamilton, New Zealand

Post by xplora »

If you can unplug the modem/router/whatever connection to the internet you have, that is always a good first step.

And no I agree it's not the best idea but it does make a good place to start...

Second, start talking with your uplink for help identifying the source(s), blocking, and with any luck tracing them back to the source.

Of course, if you happen to have the bandwidth to handle it, skip to the second item.

(flames expected and ignored; ISPs need to take more responsibility to help stop DDoS, spam, viruses, and crackers, after all it's their networks)

Lysergic
Posts: 35

Post by Lysergic »

I've got better things to do than to flame you!!! :lol: ;)

But ok... I meant apart from the obvious "pull the plug" tactic... are there any firewall rules to set up, for example using iptables, and is there anyone reading this who has practical experience in having implemented such firewall rules?

Jay`Z
Posts: 131
Location: East Side

Post by Jay`Z »

Well, the only way I know of stopping DoS is the so-called "null routing" technique. This works via the BGP protocol, and what it does is, it instructs the uplink router (via BGP commands) to drop all packets that have your destination, from a certain source. If effectively configured, the uplink router will also send instructions to its uplink and so on till it gets to be discarded at the edge of the network. Now as far as I know there is no certified software or equipment for this, so each ISP/hosting company ..etc writes their own code which usually runs on some *NIX box. Now the thing which makes it effective is its ability to tell DoS from normal large-bandwidth traffic on very busy networks; that's why one company's code may be very effective while another's isn't worth the resources it needs to run.
So I'd say this would be a step beyond the "unplugging" method 8)
"All people have the right to stupidity but only some of them abuse the privilege"

Lysergic
Posts: 35

Post by Lysergic »

What makes me marvel is that if the DDOS:er uses a massive botnet and sends sequenced packets on port 80 via http, how will any man / software know how to distinguish normal traffic from that of the botnet?! :o

Sidenote: Once I got ddos:ed on one of the DSL lines I connected to the net with, so that I couldn't go online for 2 weekends in a row; yes, some f*cker felt that it was a cool thing to ruin my weekends, and yes, this was IRC-related. If I had had a bouncer back then, I would never have experienced this in the first place :cry:

So yes, bouncers help! ;)

Mitko
Posts: 594
Location: Europe

Post by Mitko »

So, just to save your ass, you'll let the machine where the bouncer is hosted be ddosed? And then they should worry about it and not you. How lame.

Lysergic
Posts: 35

Post by Lysergic »

Lame? Hmm??? :-?

In most cases, the machine running the bouncer(s) has better hardware / OS / Internet connection(s) and the know-how to stop a DDOS in its tracks; most individual users do not.


Your comments are redundant, I wish there was an ignore button on this forum.

Mitko
Posts: 594
Location: Europe

Post by Mitko »

The only way to ignore me is to stop posting stupid comments.

Almost all shell companies are running on 100Mbps. Only some of them have really good protection against ddos. Something else: for most people +x is good enough to hide the IP on Undernet and protect themselves from being ddosed. But newbies (not knowledgeable users) who cannot use the +x mode will normally use a proxy to protect themselves (include bouncers in 'proxy'). One good way to protect yourself is to catch the IPs, call your ISP and tell the ISP to block all those net blocks where the flood comes from (they will do it directly at the ISP of course; in simple words, the packets sent from those net blocks to your IP will be ignored). NOTE: you cannot stop ddos with your client-side software firewall. The firewall will only "block" the packets, but you will still be ddosed, your connection will be overflowed, and the only way to stop that is to unplug your cable as xplora said.

I see no point commenting on this topic anymore. It is going nowhere.


Best Regards,
Mit 8)
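The two defensive steps the thread converges on, collecting the offending source net blocks to hand to your ISP (Mitko's post above) and dropping them at a router (Jay`Z's null-routing post), can be rehearsed offline on firewall log output. The script below is an added example, not code from any poster; it assumes netfilter-style `SRC=` log lines (a constructed sample is embedded), a /24 aggregation and a hit threshold that you would tune from your own normal-traffic baseline.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of netfilter LOG output (not real traffic), as written by
# a rule like:  iptables -A INPUT -p tcp --syn -j LOG --log-prefix "SYN: "
SAMPLE_LOG = """\
kernel: SYN: IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=4123 DPT=80
kernel: SYN: IN=eth0 SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=4124 DPT=80
kernel: SYN: IN=eth0 SRC=203.0.113.12 DST=192.0.2.5 PROTO=TCP SPT=4125 DPT=80
kernel: SYN: IN=eth0 SRC=203.0.113.13 DST=192.0.2.5 PROTO=TCP SPT=4126 DPT=80
kernel: SYN: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51000 DPT=22
kernel: SYN: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51001 DPT=22
kernel: SYN: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51002 DPT=22
kernel: SYN: IN=eth0 SRC=192.0.2.200 DST=192.0.2.5 PROTO=TCP SPT=40000 DPT=80
"""
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sources(log_text):
    """Source IPv4 address of every line carrying a SRC= field."""
    return [ipaddress.ip_address(m.group(1)) for m in SRC_RE.finditer(log_text)]


def count_by_prefix(addresses, prefixlen=24):
    """Aggregate sources into /prefixlen net blocks and count hits per block."""
    return Counter(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
                   for a in addresses)


def flag_blocks(counts, threshold):
    """Blocks with at least `threshold` hits, busiest first (threshold is an
    assumed tuning value; derive it from your own normal-traffic baseline)."""
    return sorted(((net, n) for net, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], str(item[0])))


def blackhole_commands(flagged):
    """Local Linux null route per flagged block. This only discards packets that
    already reached this host; the upstream blackhole the thread describes has
    to be requested from the ISP, and this list is what goes with the request."""
    return [f"ip route add blackhole {net}" for net, _ in flagged]


if __name__ == "__main__":
    flagged = flag_blocks(count_by_prefix(parse_sources(SAMPLE_LOG)), threshold=3)
    for net, n in flagged:
        print(f"{net}  {n} SYNs")
    print("\n".join(blackhole_commands(flagged)))
```

Note that the single hit from 192.0.2.0/24 stays below the threshold, which is the point of aggregating and thresholding rather than blocking every address seen: a local null route still costs you a legitimate visitor if the block is shared.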

Mitko
Posts: 594
Location: Europe

Post by Mitko »

I hope this will help you:

http://www.cse.iitk.ac.in/~dheeraj/repo ... revent.pdf

It is 19 pages. Read it before you comment.

Lysergic
Posts: 35

Post by Lysergic »

:sleeping: