LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 08-25-2009, 06:17 PM   #1
prudens
Member
 
Registered: Jul 2009
Posts: 52

DDoS solution
Hi,

I'm running a very simple webserver and would really appreciate any wisdom on how to prevent DDoS attacks.

Thanks in advance!
 
Old 08-25-2009, 07:37 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

As you may know, DoS stands for "Denial of Service": using up a machine's resources in a way that it can no longer fulfill its purpose. Depending on how a machine is DoSsed you have a range of direct and indirect measures to try to cope with increased or malicious traffic, ranging from the SYN cookies sysctl (make the kernel deal with SYN flooding differently), rate limiting, tar-pitting and other packet filtering (let the firewall function as a revolving door of sorts), application level firewall (let mod_security determine if a request is valid), IDS (let an intrusion detection system like Snort or Prelude determine if traffic has a malicious payload) and (reverse) proxying (buffer traffic to filter and lighten load) to load balancing and multi-colocation (depending on the size of one's wallet). If none of the methods deployed can filter or slow down traffic in a way that the machine can deal with it, then you can only route traffic away and sit it out. For a SOHO server that would mean firewalling it or shutting it down; in other situations it might require the ISP to temporarily route traffic to the bit bucket.

In DDoS the first D stands for "distributed", meaning the adversary has access to a structure, a "network inside a network" comprising thousands to tens of thousands of machines (zombies), to perform the actual attack. In such situations the pressure will be on the ISP to work with routing peers to temporarily route traffic to the bit bucket, because at that volume the traffic threatens their infrastructure.

As such DDoS attacks can't really be "prevented"; it comes down more to a form of "trying to cope with". What's often forgotten is that prevention may well start by not publishing content that works like a red rag to a bull for certain groups (I'm thinking certain pr0n, 88, belief-related content or revisionism, not the average petty "I hate you" site), and not bragging about or deliberately taunting people...

For more information about DoS and DDoS, search LQ, the LQ Security References part about DoS and DDoS (http://www.linuxquestions.org/questi...579#post222579) and the SANS Reading Room (http://www.sans.org/reading_room/); they have gathered much material about different topics over the past years, like http://www.sans.org/reading_room/whi...&cat=intrusion

HTH
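As an added illustration of the "rate limiting" item in the list above (this is example code written for this page, not code from the thread, from mod_security or from any product it mentions): a per-client token-bucket limiter of the kind a reverse proxy or application layer applies. Every client address gets a bucket of `capacity` tokens refilled at `rate` tokens per second, and a request is served only while a token is available. All addresses, timestamps and limits are constructed for the demonstration; the clock is passed in explicitly so the run is reproducible offline. The second scenario goes a little beyond the post to show the limit of the technique the thread keeps returning to: when the same volume arrives from many addresses, each one stays under its own limit and everything is served.

```python
"""Per-client token-bucket rate limiter (added example, not from the thread)."""
from collections import defaultdict


class TokenBucketLimiter:
    def __init__(self, capacity, rate):
        self.capacity = float(capacity)   # largest burst one client may send at once
        self.rate = float(rate)           # sustained requests per second per client
        self._tokens = {}                 # client -> tokens currently available
        self._last = {}                   # client -> timestamp of the last update

    def allow(self, client, now):
        """Return True if the request from `client` at time `now` may be served."""
        tokens = self._tokens.get(client, self.capacity)   # a new client starts full
        last = self._last.get(client, now)
        # Refill for the time elapsed since the last request, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        self._last[client] = now
        if tokens >= 1.0:
            self._tokens[client] = tokens - 1.0
            return True
        self._tokens[client] = tokens     # denied requests do not consume a token
        return False


def simulate(limiter, requests):
    """Feed (timestamp, client) pairs in time order; return {client: (allowed, denied)}."""
    counts = defaultdict(lambda: [0, 0])
    for now, client in sorted(requests):
        counts[client][0 if limiter.allow(client, now) else 1] += 1
    return {client: tuple(v) for client, v in counts.items()}


def burst_from_one_host():
    """Constructed scenario: one address sends 50 requests at t=0 and 12 more at
    t=2. With capacity 10 and 5 tokens/s, 10 of the first burst and 10 of the
    second are served (the bucket refills fully in two seconds)."""
    limiter = TokenBucketLimiter(capacity=10, rate=5)
    requests = [(0, "203.0.113.7")] * 50 + [(2, "203.0.113.7")] * 12
    return simulate(limiter, requests)["203.0.113.7"]


def spread_over_many_hosts():
    """Constructed scenario: the same 50 requests at t=0, but from 50 different
    addresses. Each is far below its own limit, so every request is served: a
    per-address limit at the endpoint does not absorb a distributed flood."""
    limiter = TokenBucketLimiter(capacity=10, rate=5)
    requests = [(0, f"198.51.100.{i}") for i in range(1, 51)]
    results = simulate(limiter, requests)
    served = sum(allowed for allowed, _ in results.values())
    denied = sum(den for _, den in results.values())
    return served, denied


if __name__ == "__main__":
    print("one host   (allowed, denied):", burst_from_one_host())
    print("fifty hosts (served, denied): ", spread_over_many_hosts())
```

The limiter keys buckets on the client address because that is what a proxy sees; any other stable key (session, API token) works the same way. Tuning `capacity` and `rate` is a trade-off between absorbing legitimate bursts and how much a single source can pull before it is slowed.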
 
Old 08-25-2009, 07:44 PM   #3
prudens
Member
 
Registered: Jul 2009
Posts: 52

Original Poster
Hmm, isn't there some software that disables these constant "attacks"?
 
Old 08-25-2009, 07:49 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Quote:
Originally Posted by prudens
Hmm, isn't there some software that disables these constant "attacks"?
If it were that simple, we'd probably never have heard of DDoS. As mentioned, DDoS attacks are generally best managed somewhere upstream (i.e. by working with your ISP).
 
Old 08-25-2009, 07:52 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Quote:
Originally Posted by prudens View Post
Hmm, isn't there some software that disables these constant "attacks"?
If there was, would I be trying to explain it in 300+ words instead of saying "use product X"?
 
Old 08-25-2009, 07:52 PM   #6
prudens
Member
 
Registered: Jul 2009
Posts: 52

Original Poster
How can I check for logs of constant bombardments of DDoS attackers? I can just find their IP and ban it, right?

Heh heh, sorry, I didn't mean to be rude.

Last edited by prudens; 08-25-2009 at 07:56 PM.
 
Old 08-25-2009, 08:09 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Quote:
Originally Posted by prudens View Post
How can I check for logs of constant bombardments of DDoS attackers?
Let's try countering this with some questions: what would a "regular" request look like? In what ways would a DDoS request be different from a regular request?


Quote:
Originally Posted by prudens View Post
I can just find their IP and ban it, right?
OK, so you desperately try to telnet (uh) into your server, switch from your unprivileged account to root, try to bring up 'netstat' to get a display of all excessive traffic, and all the while more and more requests come in. When you finally remember how to code a one-liner to grep for and drop IP addresses, your server gives in and drops your connection... Now, what do you do?
 
Old 08-25-2009, 08:14 PM   #8
prudens
Member
 
Registered: Jul 2009
Posts: 52

Original Poster
Heh so help me pls
 
Old 08-25-2009, 08:24 PM   #9
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,301

You can use fail2ban, but for a serious attack (as opposed to a few automated script-kiddy break-in attempts), contact your ISP.
It can't be dealt with at the endpoint.
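Two posts above ask how one would even recognise the flood in the logs, and this one names fail2ban. The example below is added for this page and is neither code from the thread nor from fail2ban; it shows the decision fail2ban makes before it hands an address to the firewall. One access-log line from a flood looks like any other; what differs is the number of requests one source produces inside a short window. The code parses Apache common/combined-format lines, keeps a sliding window of timestamps per client address and returns the addresses that crossed a threshold. All addresses, timestamps and the limit (more than 20 requests within 10 seconds) are constructed for the demonstration.

```python
"""fail2ban-style pass over web access logs (added example, not from the thread)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx common or combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request line) or None for a line that is not a log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("req")


def find_offenders(lines, max_requests, window_seconds):
    """Addresses that made more than `max_requests` within any `window_seconds`.

    Lines are expected in time order, as a log file is written. One deque per
    address holds the timestamps that are still inside the window. The result
    maps each offending address to the moment it first crossed the threshold."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # malformed line: skip it, do not crash
        ip, ts, _ = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()               # drop timestamps that fell out of the window
        if len(window) > max_requests and ip not in offenders:
            offenders[ip] = ts
    return offenders


def _entry(ip, second, path):
    """Build one constructed log line at 25/Aug/2009 20:09:<second> -0500."""
    return f'{ip} - - [25/Aug/2009:20:09:{second:02d} -0500] "GET {path} HTTP/1.1" 200 1024'


# Constructed sample, in time order: a normal visitor fetching three files, one
# address firing 30 requests within three seconds, and one line of garbage.
SAMPLE_LOG = (
    [_entry("192.0.2.10", 0, "/index.html"), _entry("192.0.2.10", 3, "/style.css")]
    + [_entry("203.0.113.44", 5, "/") for _ in range(10)]
    + [_entry("203.0.113.44", 6, "/") for _ in range(10)]
    + [_entry("192.0.2.10", 7, "/logo.png")]
    + [_entry("203.0.113.44", 7, "/") for _ in range(10)]
    + ["this line is not a log entry"]
)


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, max_requests=20, window_seconds=10).items():
        print(f"{ip} exceeded 20 requests in 10s at {when.isoformat()}")
```

The window length matters as much as the count: the same sample with a one-second window never reaches 21 requests from any address and reports nothing. Whatever the tool then does with the list (fail2ban inserts firewall rules for a configurable ban time) only helps while the source set is small enough to enumerate, which is the point the rest of the thread makes.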
 
Old 08-25-2009, 08:27 PM   #10
prudens
Member
 
Registered: Jul 2009
Posts: 52

Original Poster
My ISP is sort of unmanaged, heh heh.
 
Old 08-25-2009, 08:27 PM   #11
mushroomboy
Member
 
Registered: Jan 2006
Distribution: Debian Testing ALWAYS!!!
Posts: 363

Once DDoS attacks start you really have to wait it out. I help a message board that is on an offshore account... It gets DDoS attacks a lot because of that, and there is nothing we can do but wait... Think of a person getting screamed at by 100 people. Now if you were one of those people and you were trying to tell them to ignore everyone else, how well do you think that would work? You might get their attention for a second and then it's lost, just like your connection to your server during a DDoS attack. Think of running a GeF 3 for today's video games: what happens? It locks up...

If a person can acquire more physical resources than your server can handle, they can shut it down based on the principle that your server overloads. There are many ways to do DDoS attacks, and there are many ways to cause "less" damage. The reality is nothing can be done; even major websites today get shut down by DDoS attacks:

http://status.twitter.com/post/15719...service-attack

There have been a couple of other DDoS attacks recently on major websites, but the sad reality is there is no prevention.
 
Old 08-25-2009, 08:38 PM   #12
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Quote:
Originally Posted by prudens View Post
Heh so help me pls
Quote:
Originally Posted by prudens View Post
My ISP is sort of unmanaged, heh heh.
Dude, what do you want? So far, I'm guessing you're a dude running Apache on his home server. If that's all you've got, you have nothing to worry about.