LinuxQuestions.org

DDoS solution (http://www.linuxquestions.org/questions/linux-newbie-8/ddos-solution-750221/)

prudens 08-25-2009 06:17 PM

DDoS solution
 
Hi,

I'm running a very simple webserver and would really appreciate any wisdom on how to prevent DDoS attacks.

Thanks in advance!

unSpawn 08-25-2009 07:37 PM

As you may know, DoS stands for "Denial of Service": using up a machine's resources in a way that it can no longer fulfill its purpose. Depending on how a machine is DoSsed you have a range of direct and indirect measures to try to cope with increased or malicious traffic, ranging from the SYN cookies sysctl (make the kernel deal with SYN flooding differently), rate limiting, tar-pitting and other packet filtering (let the firewall function as a revolving door of sorts), application level firewall (let mod_security determine if a request is valid), IDS (let an intrusion detection system like Snort or Prelude determine if traffic has a malicious payload) and (reverse) proxying (buffer traffic to filter and lighten load) to load balancing and multi-colocation (depending on the size of one's wallet). If none of the methods deployed can filter or slow down traffic in a way that the machine can deal with it, then you can only route traffic away and sit it out. For a SOHO server that would mean firewalling it or shutting it down; in other situations it might require the ISP to temporarily route traffic to the bit bucket.

In DDoS the first D stands for "distributed", meaning the adversary has access to a structure, a "network inside a network" comprising thousands to tens of thousands of machines (zombies) to perform the actual attack. In such situations the pressure will be on the ISP to work with routing peers to temporarily route traffic to the bit bucket, because at that volume traffic threatens their infrastructure.

As such, DDoS attacks can't really be "prevented"; it comes down more to a form of "trying to cope with". What's often forgotten is that prevention may well start by not publishing content that works like a red rag to a bull for certain groups (I'm thinking certain pr0n, 88, belief-related content or revisionism, not the average petty "I hate you" site), not bragging about or deliberately taunting people...

For more information about DoS and DDoS search LQ, the LQ Security references part about DoS and DDoS (http://www.linuxquestions.org/questi...579#post222579) and the SANS Reading Room (http://www.sans.org/reading_room/); they have gathered much material about different topics over the past years, like http://www.sans.org/reading_room/whi...&cat=intrusion

HTH

prudens 08-25-2009 07:44 PM

Hmm, isn't there like a software that disables these constant "attacks"?

anomie 08-25-2009 07:49 PM

Quote:

Originally Posted by prudens
Hmm, isn't there like a software that disables these constant "attacks"?

If it were that simple, we'd probably never have heard of DDoS. :) As mentioned, DDoS attacks are generally best managed somewhere upstream (i.e. by working with your ISP).

unSpawn 08-25-2009 07:52 PM

Quote:

Originally Posted by prudens (Post 3657491)
Hmm, isn't there like a software that disables these constant "attacks"?

If there was, would I be trying to explain it in 300+ words instead of saying "use product X"?

prudens 08-25-2009 07:52 PM

How can I check for logs of constant bombardments of DDoS Attackers? I can just find their IP and ban right?

heh heh sorry, I didn't mean to be rude.

unSpawn 08-25-2009 08:09 PM

Quote:

Originally Posted by prudens (Post 3657499)
How can I check for logs of constant bombardments of DDoS Attackers?

Let's try countering this with some questions: what would a "regular" request look like? In what ways would a DDoS request be different from a regular request?


Quote:

Originally Posted by prudens (Post 3657499)
I can just find their IP and ban right?

OK, so you desperately try to telnet (uh) into your server, switch from your unprivileged account to root, try to bring up 'netstat' to get a display of all excessive traffic, and all the while more and more requests come in. When you finally remember how to code a one-liner to grep for and drop IP addresses, your server gives in and drops your connection... Now. What do you do?..
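As an added example (not code posted in this thread, and not an LQ or unSpawn recipe), here is the kind of log check prudens asked about, written from the defender's side of unSpawn's question "in what ways would a DDoS request be different from a regular request?". It assumes the web server writes Apache/nginx common log format; the sample log lines, the IP addresses (documentation ranges), the 10-second window and the 20-request threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: common log format ("ip - - [ts] "METHOD path proto" status size").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path")


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Sliding-window request counter per source IP.

    A "regular" visitor fetches a handful of different resources spread over
    time; a flood source repeats requests far faster than a browser would.
    Returns {ip: {"peak": n, "distinct_paths": k}} for every IP whose request
    count inside any window_seconds interval exceeded max_requests.
    """
    entries = [e for e in map(parse_line, lines) if e is not None]
    entries.sort(key=lambda e: e[1])          # log may not be strictly ordered
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)               # ip -> timestamps inside the window
    peak = defaultdict(int)
    paths = defaultdict(set)
    for ip, ts, path in entries:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:             # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip].add(path)
    return {ip: {"peak": n, "distinct_paths": len(paths[ip])}
            for ip, n in peak.items() if n > max_requests}


# --- constructed sample log: one normal visitor and one flood source ---
def _line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.0" 200 512'


BASE = datetime(2009, 8, 25, 20, 0, 0, tzinfo=timezone.utc)
NORMAL_PAGES = ["/", "/style.css", "/logo.png", "/about.html", "/contact.html"]
SAMPLE_LOG = (
    # 203.0.113.10: five different resources, twelve seconds apart (a person browsing)
    [_line("203.0.113.10", BASE + timedelta(seconds=12 * i), p)
     for i, p in enumerate(NORMAL_PAGES)]
    # 198.51.100.7: thirty identical requests for "/" inside about five seconds
    + [_line("198.51.100.7", BASE + timedelta(seconds=5, milliseconds=150 * i), "/")
       for i in range(30)]
)

if __name__ == "__main__":
    for ip, info in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: peak {info['peak']} requests / 10 s, "
              f"{info['distinct_paths']} distinct path(s)")
```

Run against a real access log with `find_flooders(open("/var/log/apache2/access.log"))` and the flagged addresses are candidates for a firewall drop or a fail2ban jail. Note what the check does not catch, which is unSpawn's point: a distributed flood spreads the same volume over thousands of sources, each staying under any sane per-IP threshold, so this only helps against a single misbehaving client or a small flood, not a DDoS large enough to need the ISP.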

prudens 08-25-2009 08:14 PM

Heh so help me pls :D

chrism01 08-25-2009 08:24 PM

You can use fail2ban, but for a serious attack (as opposed to a few automated script-kiddy break-in attempts), contact your ISP.
It can't be dealt with at the endpoint.

prudens 08-25-2009 08:27 PM

My ISP is sort of unmanaged heh heh

mushroomboy 08-25-2009 08:27 PM

Once DDoS attacks start you really have to wait it out. I help a message board that is on an offshore account... It gets DDoS attacks a lot because of that; there is nothing we can do but wait... Think of a person getting screamed at by 100 people. Now if you were one of those people and you were trying to tell them to ignore everyone else, how well do you think that would work? You might get their attention for a second and then it's lost, just like your connection to your server during a DDoS attack. Think of running a GeForce 3 for today's video games, what happens? It locks up...


If a person can acquire more physical resources than your server can handle they can shut it down, based on the principle that your server overloads. There are many ways to do DDoS attacks, and there are many ways to cause "less" damage. The reality is nothing can be done; even major websites today get shut down by DDoS attacks:

http://status.twitter.com/post/15719...service-attack

There have been a couple of other DDoS attacks recently on major websites, but the sad reality is there is no prevention.

karamarisan 08-25-2009 08:38 PM

Quote:

Originally Posted by prudens (Post 3657510)
Heh so help me pls :D

Quote:

Originally Posted by prudens (Post 3657522)
my isp is sort of unmanaged heh heh

Dude, what do you want? So far, I'm guessing you're a dude running apache on his home server. If that's all you got, you have nothing to worry about.
