Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Since last week, our website [FQDN REMOVED BY MODERATOR] has been under DDoS (Distributed Denial of Service) attack [REMOVED], Russia, and he demanded $3,500 to stop the attack. We ignored him and decided to try Amazon Cloud Service.
Something that I have to address is that the bad guys could be in any country, though what we got here is someone called Ivan Ivanov from Russia. No offence to Russian people at all. We have got a good response from Western Union in Russia that they will report the case to the local police to investigate. I also searched the Internet for better ways to prevent DDoS attacks. All I got was 'prevention is better than cure'. It said that DDoS happens because of vulnerable software/applications running on machines in a particular network. If there is any good idea, please tell me here.
Last edited by ex2501; 08-15-2011 at 04:01 AM. Reason: Focus on problem
Well, the first good idea would be to call the police.
The next good idea would be to not blame all Russians just because you were attacked by one Russian.
The third good idea would be to get some lessons about network security or hire a professional.
I've removed the email address from your post (I've left the name, as it seems extremely likely that it's an alias). Let's keep the thread focused on technical issues (please don't post any more information about the suspect's identity).
What are the symptoms of your attack? Is your bandwidth being exhausted or is it something else? Do you have log file samples that may illustrate what is happening? How about stats? Have you searched LQ for previous DDoS threads?
Quote:
Originally Posted by ex2501
It said that DDoS happens because of vulnerable software/applications running on machines in a particular network.
This is true sometimes, but not always.
Even without known software vulnerabilities, you're always vulnerable to bandwidth-based DDoS. Managing that risk requires quite a bit of cooperation with your ISP(s). Even the most powerful cyber-corporations have succumbed to the power of DDoS bandwidth attacks.
Hi, thanks for your attention. Meanwhile, the attacker is planning to start the attack again... We decided to try Amazon Cloud Service for resistance. Still waiting for their reply.
How do you know this? Also, we'd still love to see some hard evidence of what is taking place.
I know this because the hacker contacted me and demanded $4000, even higher than before. Our IT dept. analysed the data; the result is attached. Since the second round of the attack began, we had no other choice but to set up an Amazon Cloud account. Not sure whether this would be a good choice.
That file is just a list of IPs and countries. It doesn't really provide any significant insight into the attack. Do you have anything that will let us understand the type of attack traffic you're seeing, as well as the amount? Things like log file samples, packet dumps, system/network stats, etc.
I agree. From randomly checking some of these addresses I find one is part of the .mil TLD (that itself is no guarantee, but OK), there are some .ee, .id and .th, and then there's Microsoft's ASN and some other spiders. None are listed in Project Honeypot, DShield, BotScout, SRI, Cyber-TA, XBL etc., etc., and when they are it's for something no more inconvenient than being spiders or spammers. If you've got a US-registered business you probably could file a complaint; else you'll have to start reading. Lots of docs around; you could start with SANS Reading Room: A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment (PDF, 2003) and SANS Reading Room: Leveraging the Load Balancer to Fight DDoS (PDF, 2010). Network service and router product vendors often have good resources too, and also ask Amazon what they can do for you. There can be no true "protection" server-side, only mitigation, because with DDoS the problem is the sources and you have no control over them.
I've got some tcpdump data from the IT department; hope it'd be useful for your analysis. Since the file size is about 5 MB, which goes beyond the max filesize limitation, I have to share it through an online file sharing site: https://www.onlinefilefolder.com/4sAUtTVdC5I82U
Thanks! It will take me some time to read over these posts and understand. :P
These are the hosts and the number of application bytes and SYN packets they sent to your web server in around a minute. The connections for the most part seem to be immediately terminated by the source. I'd say your IT staff is right about the DDoS attack.
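As an added example (not code from the thread, the poster, or ex2501's IT department), here is how the per-host summary described above, SYN packets and application bytes per source with connections torn down right after the handshake, can be produced from tcpdump's text output. The tcpdump lines, the server address 198.51.100.10, and the thresholds in `suspicious_hosts` are all constructed for this example; the parser assumes numeric addresses as printed by `tcpdump -n`.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed web server address and port (TEST-NET-2 range, not a real host).
SERVER_IP = "198.51.100.10"
SERVER_PORT = 80

# Constructed tcpdump -n output: one source that opens four connections and
# resets each one right after the SYN, and one ordinary client that completes
# the handshake, sends a request and closes normally five seconds later.
SAMPLE_TCPDUMP = """\
12:00:00.000100 IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [S], seq 100, win 64240, length 0
12:00:00.000400 IP 198.51.100.10.80 > 203.0.113.5.40001: Flags [S.], seq 500, ack 101, win 65160, length 0
12:00:00.000700 IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [R], seq 101, win 0, length 0
12:00:00.010100 IP 203.0.113.5.40002 > 198.51.100.10.80: Flags [S], seq 100, win 64240, length 0
12:00:00.010700 IP 203.0.113.5.40002 > 198.51.100.10.80: Flags [R], seq 101, win 0, length 0
12:00:00.020100 IP 203.0.113.5.40003 > 198.51.100.10.80: Flags [S], seq 100, win 64240, length 0
12:00:00.020700 IP 203.0.113.5.40003 > 198.51.100.10.80: Flags [R], seq 101, win 0, length 0
12:00:00.030100 IP 203.0.113.5.40004 > 198.51.100.10.80: Flags [S], seq 100, win 64240, length 0
12:00:00.030700 IP 203.0.113.5.40004 > 198.51.100.10.80: Flags [R], seq 101, win 0, length 0
12:00:01.000000 IP 192.0.2.77.51000 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 198.51.100.10.80 > 192.0.2.77.51000: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:01.000600 IP 192.0.2.77.51000 > 198.51.100.10.80: Flags [.], ack 10, win 502, length 0
12:00:01.001000 IP 192.0.2.77.51000 > 198.51.100.10.80: Flags [P.], seq 2:150, ack 10, win 502, length 148
12:00:01.200000 IP 198.51.100.10.80 > 192.0.2.77.51000: Flags [P.], seq 10:1010, ack 150, win 509, length 1000
12:00:06.000000 IP 192.0.2.77.51000 > 198.51.100.10.80: Flags [F.], seq 150, ack 1010, win 502, length 0
"""
SAMPLE_LINES = SAMPLE_TCPDUMP.splitlines()

# Matches tcpdump's default one-line TCP format for IPv4 with numeric addresses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)


def ts_seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class HostStats:
    syns: int = 0            # pure SYN packets (handshake attempts) sent to the server
    flows: int = 0           # distinct (client ip, client port) flows opened
    aborted_flows: int = 0   # flows the client reset/closed within abort_window of its SYN
    app_bytes: int = 0       # TCP payload bytes carried toward the server
    first_seen: Optional[float] = None
    last_seen: Optional[float] = None


def summarize(lines, server_ip=SERVER_IP, server_port=SERVER_PORT,
              abort_window=1.0) -> Dict[str, HostStats]:
    """Aggregate client -> server packets per source host."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    syn_time = {}  # (client ip, client port) -> time of that flow's SYN
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # non-TCP or unparsed line
        if m["dip"] != server_ip or int(m["dport"]) != server_port:
            continue  # only count the client -> server direction
        sip, flags, t = m["sip"], m["flags"], ts_seconds(m["ts"])
        flow = (sip, m["sport"])
        hs = stats[sip]
        hs.first_seen = t if hs.first_seen is None else min(hs.first_seen, t)
        hs.last_seen = t if hs.last_seen is None else max(hs.last_seen, t)
        hs.app_bytes += int(m["length"])
        if "S" in flags and "." not in flags:
            # [S] is the client's SYN; [S.] would be the server's SYN-ACK
            hs.syns += 1
            hs.flows += 1
            syn_time[flow] = t
        elif ("R" in flags or "F" in flags) and flow in syn_time:
            # Source tore the flow down; count it as aborted if that happened
            # right after the handshake rather than after a real exchange.
            if t - syn_time.pop(flow) <= abort_window:
                hs.aborted_flows += 1
    return dict(stats)


def suspicious_hosts(stats: Dict[str, HostStats], min_syns=3,
                     min_abort_ratio=0.8) -> List[str]:
    """Hosts that open many connections and abandon most of them immediately."""
    flagged = []
    for ip, hs in stats.items():
        if hs.flows == 0:
            continue
        if hs.syns >= min_syns and hs.aborted_flows / hs.flows >= min_abort_ratio:
            flagged.append(ip)
    return sorted(flagged)


def report(stats: Dict[str, HostStats]) -> None:
    print(f"{'host':<16}{'syns':>6}{'bytes':>8}  aborted/flows")
    for ip, hs in sorted(stats.items(), key=lambda kv: -kv[1].syns):
        print(f"{ip:<16}{hs.syns:>6}{hs.app_bytes:>8}  {hs.aborted_flows}/{hs.flows}")


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    report(s)
    print("suspicious:", suspicious_hosts(s))
```

To run it against a real capture, feed the lines of `tcpdump -n -r capture.pcap tcp` to `summarize` with your own server address. The abort-ratio test is what separates the pattern in the post (SYN immediately followed by a reset from the source) from a busy but legitimate client, which completes the handshake and sends payload bytes before closing; the thresholds are starting points to tune against your own traffic.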
I see. They have tried out Amazon Cloud in the past two days, but it seems like very little progress has been made. The website is still inaccessible. And the attack goes on.
So now we have evidence of an attack. A lot of the time people come here and say they've been hacked and it turns out to be a false positive. Anyway, here are some things that you may be able to do... 10 DDoS Mitigation Techniques.
Thanks again for the useful document you shared. I also followed the author IntruGuard. This forum is AWESOME and full of great users like you! <3