LinuxQuestions.org
Old 08-12-2011, 04:09 AM   #1
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Rep: Reputation: Disabled
Please help with our DDOS situation


Since last week, our website [FQDN REMOVED BY MODERATOR] has been under DDOS (Distributed Denial Of Service) attack [REMOVED], Russia and he demanded $3,500 to stop the attack. We ignored him and decided to try Amazon Cloud Service.

Something that I have to address is, the bad guys could be in any country though what we got here is someone called Ivan Ivanov from Russia. No offence to Russian people at all. We have got good response from West Union in Russia that they will report the case to the local police to investigate. I also searched the Internet for better ways to prevent DDOS ATTACK. All I got was 'prevention is better than cure'. It said that DDOS happens because of vulnerable software/applications running on machines in a particular network. If there is any good idea, please tell me here

Last edited by ex2501; 08-15-2011 at 04:01 AM. Reason: Focus on problem
 
Old 08-12-2011, 04:35 AM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Well, the first good idea would be to call the police.
The next good idea would be to not blame all Russians just because you were attacked by one Russian.
The third good idea would be to get some lessons about network security or hire a professional.

Also a good idea would be not to try to hijack this totally unrelated thread with your issues.
 
1 members found this post helpful.
Old 08-12-2011, 04:47 AM   #3
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TobiSGD View Post
Well, the first good idea would be to call the police.
The next good idea would be to not blame all Russians just because you were attacked by one Russian.
The third good idea would be to get some lessons about network security or hire a professional.

Also a good idea would be not to try to hijack this totally unrelated thread with your issues.
Thanks for your reply & suggestions. But it is strange that I couldn't start a new post unless I reply to existing posts :'( Sorry
 
Old 08-12-2011, 10:11 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I've removed the email address from your post (I've left the name, as it seems extremely likely that it's an alias). Let's keep the thread focused on technical issues (please don't post anymore information about the suspect's identity).

What are the symptoms of your attack? Is your bandwidth being exhausted or is it something else? Do you have log file samples that may illustrate what is happening? How about stats? Have you searched LQ for previous DDoS threads?
Quote:
Originally Posted by ex2501 View Post
It said that DDOS happens because of vulnerable software/applications running on machines in a particular network.
This is true sometimes, but not always.

Even without known software vulnerabilities, you're always vulnerable to bandwidth-based DDoS. Managing that risk requires quite a bit of cooperation with your ISP(s). Even the most powerful cyber-corporations have succumbed to the power of DDoS bandwidth attacks.
 
2 members found this post helpful.
Old 08-12-2011, 11:03 AM   #5
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
Amazon Cloud

Quote:
Originally Posted by win32sux View Post
I've removed the email address from your post (I've left the name, as it seems extremely likely that it's an alias). Let's keep the thread focused on technical issues (please don't post anymore information about the suspect's identity).

What are the symptoms of your attack? Is your bandwidth being exhausted or is it something else? Do you have log file samples that may illustrate what is happening? How about stats? Have you searched LQ for previous DDoS threads? This is true sometimes, but not always.

Even without known software vulnerabilities, you're always vulnerable to bandwidth-based DDoS. Managing that risk requires quite a bit of cooperation with your ISP(s). Even the most powerful cyber-corporations have succumbed to the power of DDoS bandwidth attacks.
Hi, thanks for your attention. Meanwhile, the attacker is planning to start attack again...We decide to try Amazon Cloud Service for resistance. Still wait for their reply.
 
Old 08-12-2011, 10:37 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by ex2501 View Post
the attacker is planning to start attack again.
How do you know this? Also, we'd still love to see some hard evidence of what is taking place.
 
Old 08-13-2011, 05:46 AM   #7
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by win32sux View Post
How do you know this? Also, we'd still love to see some hard evidence of what is taking place.
I know this because the hacker contacted me and demanded $4000 - even higher than before. Our IT dept. had analysed the data, the result was as attached. Since the 2nd term attack began, we had no other choice but set up Amazon Cloud account. Not sure whether this would be a good choice.
Attached Files
File Type: txt ip.txt (2.5 KB, 33 views)
 
Old 08-13-2011, 09:33 AM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
That file is just a list of IPs and countries. It doesn't really provide any significant insight into the attack. Do you have anything that will let us understand the type of attack traffic you're seeing, as well as the amount? Things like log file samples, packet dumps, system/network stats, etc.
 
Old 08-13-2011, 09:59 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I agree. From randomly checking some of these addresses I find one is part of .mil TLD (that itself is no guarantee but OK), there's some .ee, .id and .th and then there's Microsoft's ASN and some other spiders. None are listed in Project honeypot, Dshield, Botscout, SRI, Cyber-TA, XBL etc, etc and when they are it's for something no more inconveniencing than being spiders or spammers. If you've got a US-registered business you prolly could file a complaint else you'll have to start reading. Lots of docs around, you could start with SANS Reading Room: A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment (PDF, 2003) and SANS Reading Room: Leveraging the Load Balancer to Fight DDoS (PDF, 2010), network service and router product vendors often have good resources too and also ask Amazon about what they can do for you. There can be no true "protection" server-side, only mitigation, because with DDoS the problem is the sources and you have no control over them.
 
Old 08-13-2011, 11:35 AM   #10
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by win32sux View Post
That file is just a list of IPs and countries. It doesn't really provide any significant insight into the attack. Do you have anything that will let us understand the type of attack traffic you're seeing, as well as the amount? Things like log file samples, packet dumps, system/network stats, etc.
I've got some tcpdump data from the IT department, hope it'd be useful for your analysis. Since the file size is about 5 MB which goes beyond the Max Filesize limitation, so I have to share it through online file sharing site: https://www.onlinefilefolder.com/4sAUtTVdC5I82U

Thanks win32sux in advance
 
Old 08-13-2011, 11:41 AM   #11
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
thank you!

Quote:
Originally Posted by unSpawn View Post
I agree. From randomly checking some of these addresses I find one is part of .mil TLD (that itself is no guarantee but OK), there's some .ee, .id and .th and then there's Microsoft's ASN and some other spiders. None are listed in Project honeypot, Dshield, Botscout, SRI, Cyber-TA, XBL etc, etc and when they are it's for something no more inconveniencing than being spiders or spammers. If you've got a US-registered business you prolly could file a complaint else you'll have to start reading. Lots of docs around, you could start with SANS Reading Room: A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment (PDF, 2003) and SANS Reading Room: Leveraging the Load Balancer to Fight DDoS (PDF, 2010), network service and router product vendors often have good resources too and also ask Amazon about what they can do for you. There can be no true "protection" server-side, only mitigation, because with DDoS the problem is the sources and you have no control over them.
Thanks! It will take me some time to read over these posts and understand. :P
 
Old 08-13-2011, 02:06 PM   #12
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
These are the hosts and the number of application bytes and SYN packets they sent to your web server in around a minute. The connections for the most part seem to be immediately terminated by the source. I'd say your IT staff is right about the DDoS attack.


Code:
$ perl tcpdump.pl tcpdump.txt
ppp-61-90-71-57.revip.asianet.co.th                    70 Kb   syns: 3655
83.238.5.206                                           66 Kb   syns: 1190
localhost                                              64 Kb   syns: 3321
bzq-79-181-97-78.red.bezeqint.net                      44 Kb   syns: 2704
c-24-11-152-48.hsd1.mi.comcast.net                     39 Kb   syns: 1530
118.175.190.16                                         38 Kb   syns: 834
118.173.43.233.adsl.dynamic.totbb.net                  36 Kb   syns: 2418
41.227.210.87                                          33 Kb   syns: 1484
125.26.134.44.adsl.dynamic.totbb.net                   33 Kb   syns: 790
77.31.21.132                                           33 Kb   syns: 1405
41.224.197.52                                          33 Kb   syns: 1569
178.90.104.76                                          31 Kb   syns: 1535
dsl88-247-61805.ttnet.net.tr                           31 Kb   syns: 1514
host86-134-8-226.range86-134.btcentralplus.com         30 Kb   syns: 917
95.56.116.171                                          30 Kb   syns: 1439
14.139.221.178                                         29 Kb   syns: 1553
245.subnet125-164-220.speedy.telkom.net.id             28 Kb   syns: 1313
82.131.72.100.cable.starman.ee                         27 Kb   syns: 1573
82.131.5.102.cable.starman.ee                          27 Kb   syns: 1459
92.47.97.168                                           26 Kb   syns: 927
118.175.120.114                                        26 Kb   syns: 726
178.125.69.47                                          25 Kb   syns: 904
82.131.93.200.cable.starman.ee                         24 Kb   syns: 1127
bband-dyn132.178-41-68.t-com.sk                        23 Kb   syns: 934
75-130-211-182.dhcp.stls.mo.charter.com                23 Kb   syns: 979
ABTS-North-Dynamic-026.11.68.182.airtelbroadband.in    23 Kb   syns: 959
125.24.247.109.adsl.dynamic.totbb.net                  22 Kb   syns: 761
62.65.216.98.cable.starman.ee                          22 Kb   syns: 1575
41.211.129.18                                          21 Kb   syns: 941
168.167.94.136                                         21 Kb   syns: 914
95.57.175.17                                           21 Kb   syns: 1347
cpe-76-186-38-239.tx.res.rr.com                        21 Kb   syns: 992
82.114.91.211                                          21 Kb   syns: 1260
223.146.86.109.triolan.net                             21 Kb   syns: 1483
27.3.33.182                                            21 Kb   syns: 745
62.231.119.212                                         20 Kb   syns: 933
186-45-68-55.dynamic.tstt.net.tt                       19 Kb   syns: 1325
41.203.232.246                                         19 Kb   syns: 939
117.195.211.101                                        19 Kb   syns: 575
95.56.41.244                                           19 Kb   syns: 815
adsl-99-30-169-136.dsl.sfldmi.sbcglobal.net            19 Kb   syns: 1009
cpe-098-024-118-162.carolina.res.rr.com                19 Kb   syns: 1623
115.86.155.124                                         19 Kb   syns: 1035
112-105-106-101.adsl.dynamic.seed.net.tw               19 Kb   syns: 899
adsl.hnpt.com.vn                                       19 Kb   syns: 964
cpe-107-10-146-73.columbus.res.rr.com                  18 Kb   syns: 1012
95.57.105.233                                          18 Kb   syns: 899
175-180-233-234.adsl.dynamic.seed.net.tw               18 Kb   syns: 1040
wimax.dandaro.fa0-1.336.shaped.ai.co.zw                18 Kb   syns: 718
mx-ll-223.207.194-135.dynamic.3bb.co.th                17 Kb   syns: 917
178.91.65.148                                          17 Kb   syns: 811
132.115.in-addr.arpa                                   16 Kb   syns: 726
118.173.47.182.adsl.dynamic.totbb.net                  16 Kb   syns: 688
115.124.71.197                                         16 Kb   syns: 772
193.111.115.242                                        16 Kb   syns: 789
ool-44c44ff7.dyn.optonline.net                         16 Kb   syns: 686
host-static-92-115-22-99.moldtelecom.md                15 Kb   syns: 751
122.224.114.210                                        15 Kb   syns: 933
cliadsl141-228-191.tdm.co.mz.228.138.41.in-addr.arpa   15 Kb   syns: 887
69.63.69.58                                            15 Kb   syns: 742
61.47.9.177                                            14 Kb   syns: 857
dsl-243-47-120.telkomadsl.co.za                        14 Kb   syns: 581
116.12.154.155                                         13 Kb   syns: 698
61.7.177.186                                           13 Kb   syns: 811
72.240.53.74                                           13 Kb   syns: 938
lan-214-152.32.tartu.stv.ee                            13 Kb   syns: 783
82-200-130-62.telecom.kz                               13 Kb   syns: 775
178.152.89.253                                         13 Kb   syns: 594
87-126-181-101.btc-net.bg                              13 Kb   syns: 677
212-165-129-58.reverse.newskies.net                    13 Kb   syns: 953
178.90.83.21                                           12 Kb   syns: 755
host.17.static.csscorp.com                             12 Kb   syns: 784
94-159-144-1.orange.net.il                             12 Kb   syns: 728
65.255.57.215                                          12 Kb   syns: 817
203-113-18-22.revip.tot.co.th                          12 Kb   syns: 21
mx-ll-223.204.83-85.dynamic.3bb.co.th                  12 Kb   syns: 501
41.221.177.179                                         11 Kb   syns: 704
92.47.238.136                                          11 Kb   syns: 723
113.53.78.26                                           10 Kb   syns: 681
182.178.244.254                                        10 Kb   syns: 817
c-98-227-58-157.hsd1.in.comcast.net                    10 Kb   syns: 765
93-138-66-177.adsl.net.t-com.hr                        9 Kb   syns: 817
223.29.235.49                                          9 Kb   syns: 732
p25205-ipngn502marunouchi.tokyo.ocn.ne.jp              8 Kb   syns: 861
pc-boris1.srce.hr                                      7 Kb   syns: 414
wbs-196-2-126-173.wbs.co.za                            7 Kb   syns: 193
117.199.146.230                                        6 Kb   syns: 394
59.92.94.122                                           6 Kb   syns: 753
46.21.88.70                                            4 Kb   syns: 94
92.85.147.170                                          4 Kb   syns: 284
92.46.230.83                                           4 Kb   syns: 292
193.188.86.199                                         4 Kb   syns: 561
mx-ll-223.206.242-122.dynamic.3bb.co.th                4 Kb   syns: 345
95.56.109.2                                            3 Kb   syns: 174
213.202.71.226                                         3 Kb   syns: 212
client-178-16-35-162.inturbo.lt                        3 Kb   syns: 3
mail.recordmocambique.co.mz                            3 Kb   syns: 203
95.56.10.232                                           3 Kb   syns: 249
194.89.203.129                                         3 Kb   syns: 39
vc-cpt-41-2-225-193.umts.vodacom.co.za                 3 Kb   syns: 429
92.47.85.90                                            2 Kb   syns: 77
41.206.13.3.vgccl.net                                  2 Kb   syns: 145
195.117.40.23                                          2 Kb   syns: 87
b3091211.crawl.yahoo.net                               2 Kb   syns: 13
91.185.9.38                                            2 Kb   syns: 62
pep1.shopwiki.com                                      1 Kb   syns: 2
wblv-ip-pcache-7-vif1.telkom-ipnet.co.za               1 Kb   syns: 43
125.167.166.5                                          1 Kb   syns: 472
117.21.241.205                                         1 Kb   syns: 530
172-95.dsl.iskon.hr                                    1 Kb   syns: 3
202.12.74.161                                          1 Kb   syns: 1091
95.59.72.162                                           1 Kb   syns: 219
crawl-66-249-67-179.googlebot.com                      1 Kb   syns: 12
109.110.96.16                                          1 Kb   syns: 173
msnbot-207-46-204-190.search.msn.com                   1 Kb   syns: 4
wblv-ip-pcache-5-vif0.telkom-ipnet.co.za               1 Kb   syns: 39
118.172.181.27.adsl.dynamic.totbb.net                  1 Kb   syns: 101
41.92.145.59                                           0 Kb   syns: 19
msnbot-207-46-12-236.search.msn.com                    0 Kb   syns: 1
125.27.227.14.adsl.dynamic.totbb.net                   0 Kb   syns: 130
2.26.11.200                                            0 Kb   syns: 11
41.177.52.174                                          0 Kb   syns: 3
117.224.141.121                                        0 Kb   syns: 23
cpe-24-27-111-41.tx.res.rr.com                         0 Kb   syns: 10
wblv-ip-pcache-5-vif1.telkom-ipnet.co.za               0 Kb   syns: 37
41.206.13.5.vgccl.net                                  0 Kb   syns: 116
42.117.228.4                                           0 Kb   syns: 43
inet-emmc01-o.oracle.co.uk                             0 Kb   syns: 5
95.59.69.3                                             0 Kb   syns: 17
178.88.23.89                                           0 Kb   syns: 4
host86-180-54-217.range86-180.btcentralplus.com        0 Kb   syns: 1
95-80-147-141.maxnet.ir                                0 Kb   syns: 115
220.181.94.225                                         0 Kb   syns: 4
92.89.5646.static.theplanet.com                        0 Kb   syns: 8
87-194-203-92.bethere.co.uk                            0 Kb   syns: 5
msnbot-207-46-12-240.search.msn.com                    0 Kb   syns: 7
202.52.244.214                                         0 Kb   syns: 19
world-getman.voks.ua                                   0 Kb   syns: 102
ppp-115-87-158-58.revip4.asianet.co.th                 0 Kb   syns: 56
mx-ll-49.49.105-222.dynamic.3bb.co.th                  0 Kb   syns: 17
41.206.13.7.vgccl.net                                  0 Kb   syns: 43
msnbot-207-46-199-40.search.msn.com                    0 Kb   syns: 1
ip545713ed.direct-adsl.nl                              0 Kb   syns: 15
201.45.2.4                                             0 Kb   syns: 3
94-193-168-154.zone7.bethere.co.uk                     0 Kb   syns: 4
crawl-66-249-71-131.googlebot.com                      0 Kb   syns: 3
ppp-58-9-203-215.revip2.asianet.co.th                  0 Kb   syns: 112
msnbot-207-46-204-230.search.msn.com                   0 Kb   syns: 6
cpc3-nwrk4-2-0-cust204.12-1.cable.virginmedia.com      0 Kb   syns: 5
msnbot-65-52-110-79.search.msn.com                     0 Kb   syns: 6
223.146.86.109.triolan.net.novell-lu6                  0 Kb   syns: 3
host217-39-60-214.range217-39.btcentralplus.com        0 Kb   syns: 2
no-dns-yet.demon.co.uk                                 0 Kb   syns: 6
118.172.104.130.adsl.dynamic.totbb.net                 0 Kb   syns: 26
95.149.180.159                                         0 Kb   syns: 6
ppp-124-120-128-72.revip2.asianet.co.th                0 Kb   syns: 4
llf320079.crawl.yahoo.net                              0 Kb   syns: 8
27.109.117.96                                          0 Kb   syns: 30
dynamicip-188-235-131-164.pppoe.saratov.ertelecom.ru   0 Kb   syns: 8
wblv-ip-pcache-7-vif0.telkom-ipnet.co.za               0 Kb   syns: 34
41.72.22.212                                           0 Kb   syns: 299
msnbot-207-46-204-231.search.msn.com                   0 Kb   syns: 8
123.119.65.81                                          0 Kb   syns: 5
b3091329.crawl.yahoo.net                               0 Kb   syns: 10
113.53.197.70                                          0 Kb   syns: 19
c-24-11-152-48.hsd1.mi.comcast.net.novell-lu6          0 Kb   syns: 3
llf320015.crawl.yahoo.net                              0 Kb   syns: 2
user.152.126.222.zhong-ren.net                         0 Kb   syns: 4
msnbot-207-46-204-237.search.msn.com                   0 Kb   syns: 1
194.83.57.1                                            0 Kb   syns: 3
78.96.109.184                                          0 Kb   syns: 74
msnbot-65-52-108-60.search.msn.com                     0 Kb   syns: 5
115.86.155.124.novell-lu6                              0 Kb   syns: 3
msnbot-65-52-110-23.search.msn.com                     0 Kb   syns: 2
msnbot-65-52-110-13.search.msn.com                     0 Kb   syns: 5
msnbot-65-52-110-143.search.msn.com                    0 Kb   syns: 1
5e0ef7f9.bb.sky.com                                    0 Kb   syns: 6
cpe-76-186-38-239.tx.res.rr.com.novell-lu6             0 Kb   syns: 3
157.55.16.57                                           0 Kb   syns: 2
host217-36-217-85.in-addr.btopenworld.com              0 Kb   syns: 5
114.98.97.182                                          0 Kb   syns: 5
msnbot-65-52-110-189.search.msn.com                    0 Kb   syns: 1
server15-brickagent.it.net                             0 Kb   syns: 3
msnbot-65-52-108-150.search.msn.com                    0 Kb   syns: 8
crawl-66-249-71-242.googlebot.com                      0 Kb   syns: 2
82.192.74.4                                            0 Kb   syns: 5
msnbot-65-52-110-78.search.msn.com                     0 Kb   syns: 5
b3091309.crawl.yahoo.net                               0 Kb   syns: 15
msnbot-65-52-110-66.search.msn.com                     0 Kb   syns: 5
cpe-098-024-118-162.carolina.res.rr.com.novell-lu6     0 Kb   syns: 1
CPE-144-137-6-169.lns11.lon.bigpond.net.au             0 Kb   syns: 5
ppp-58-8-5-97.revip2.asianet.co.th                     0 Kb   syns: 0
193.111.114.11                                         0 Kb   syns: 1

Code:
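#!/usr/bin/perl
use warnings;
use strict;

# Per-host payload bytes and SYN counts from tcpdump text output.
# Usage: perl tcpdump.pl tcpdump.txt
die "usage: $0 <tcpdump text file>\n" unless @ARGV;
open(my $fh, '<', $ARGV[0]) or die "cannot open $ARGV[0]: $!\n";

my %syns;
my %bytes;

while (my $line = <$fh>) {
	# Match packets sent to the web server: "src.port > dst.http: FLAGS seq:seq(len)"
	if ($line =~ / (\S+) > .+http: (\w+) \d+:\d+\((\d+)\)/) {
		my @parts   = split(/\./, $1);
		my $tcpflag = $2;
		my $bytes   = $3;

		pop(@parts);                      # drop the source port
		my $ip = join('.', @parts);
		$syns{$ip}++ if $tcpflag eq 'S';  # count connection attempts
		$bytes{$ip} += $bytes;            # sum TCP payload bytes
	}
}
close($fh);

# Hosts with matched packets but no SYN in the capture get a zero count
foreach my $ip (keys %bytes) {
	$syns{$ip} = 0 if !defined $syns{$ip};
}

# Report hosts sorted by payload bytes, largest first
foreach my $ip (sort { $bytes{$b} <=> $bytes{$a} } keys %bytes) {
	my $kb = $bytes{$ip} / 1024;
	printf("%-54s %d kB   syns: %d\n", $ip, $kb, $syns{$ip});
}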

Last edited by OlRoy; 08-13-2011 at 06:53 PM.
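
Added example (not part of OlRoy's post or the thread): a Python sketch of the same per-source triage that also counts FIN/RST packets sent by each source and flags sources with a high SYN rate but almost no request data, the pattern the post describes. It goes beyond the Perl script by accepting both the older and the newer tcpdump text formats; the thresholds, function names and sample capture are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Client -> web server packets only (destination port "http" or 80). The last
# dotted component of the source (port number or service name) is dropped,
# which is what pop() does in the Perl script above.
HEAD = r"^(\d+):(\d+):(\d+\.\d+) (?:IP )?(\S+)\.[^.\s]+ > \S+\.(?:http|80): "
# Older tcpdump text: "S 100:100(0) win 5840" or ". ack 1 win 65535"
OLD = re.compile(HEAD + r"([SFRPUWE.]+) (?:\d+:\d+\((\d+)\))?")
# Newer tcpdump text: "Flags [S], seq 5, win 29200, length 0"
NEW = re.compile(HEAD + r"Flags \[([^\]]+)\],.*?\blength (\d+)")

# Constructed sample capture (documentation address ranges, not thread data).
SAMPLE = """\
12:00:00.000000 IP 192.0.2.10.40001 > 198.51.100.5.http: S 100:100(0) win 5840
12:00:00.010000 IP 198.51.100.5.http > 192.0.2.10.40001: S 1:1(0) ack 101 win 5792
12:00:00.050000 IP 192.0.2.10.40001 > 198.51.100.5.http: R 101:101(0) win 0
12:00:00.100000 IP 192.0.2.10.40002 > 198.51.100.5.http: S 200:200(0) win 5840
12:00:00.150000 IP 192.0.2.10.40002 > 198.51.100.5.http: R 201:201(0) win 0
12:00:00.200000 IP 192.0.2.10.40003 > 198.51.100.5.http: S 300:300(0) win 5840
12:00:00.250000 IP 192.0.2.10.40003 > 198.51.100.5.http: R 301:301(0) win 0
12:00:00.300000 IP 192.0.2.10.40004 > 198.51.100.5.http: S 400:400(0) win 5840
12:00:00.400000 IP 203.0.113.7.51000 > 198.51.100.5.http: S 900:900(0) win 65535
12:00:00.450000 IP 203.0.113.7.51000 > 198.51.100.5.http: . ack 1 win 65535
12:00:00.500000 IP 203.0.113.7.51000 > 198.51.100.5.http: P 1:421(420) ack 1 win 65535
12:00:01.900000 IP 203.0.113.7.51000 > 198.51.100.5.http: F 421:421(0) ack 900 win 65535
12:00:02.000000 IP 203.0.113.99.33000 > 198.51.100.5.80: Flags [S], seq 5, win 29200, length 0
"""


def summarize(text):
    """Return (capture window in seconds, {source: syn/closed/bytes counts})."""
    stats = defaultdict(lambda: {"syn": 0, "closed": 0, "bytes": 0})
    times = []
    for line in text.splitlines():
        m = NEW.match(line) or OLD.match(line)
        if not m:
            continue  # server replies, other ports, non-TCP lines
        hh, mm, ss, src, flags, length = m.groups()
        # Assumes the capture does not cross midnight (no date in the stamp).
        times.append(int(hh) * 3600 + int(mm) * 60 + float(ss))
        s = stats[src]
        if "S" in flags:
            s["syn"] += 1          # connection attempt
        if "F" in flags or "R" in flags:
            s["closed"] += 1       # source ended or reset the connection
        s["bytes"] += int(length or 0)
    window = (max(times) - min(times)) if times else 0.0
    return max(window, 1.0), dict(stats)  # floor avoids division by zero


def flag_sources(text, min_syn_rate=5.0, max_bytes_per_syn=64):
    """Sources opening connections quickly while sending almost no payload.

    Both thresholds are illustrative assumptions; tune them against a
    baseline capture of normal traffic for the site.
    """
    window, stats = summarize(text)
    flagged = []
    for src, s in stats.items():
        if s["syn"] == 0:
            continue
        rate = s["syn"] / window
        if rate >= min_syn_rate and s["bytes"] / s["syn"] <= max_bytes_per_syn:
            flagged.append((src, s["syn"], round(rate, 2), s["closed"], s["bytes"]))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # The sample is tiny, so a lower rate threshold is used here.
    for row in flag_sources(SAMPLE, min_syn_rate=1.5):
        print("%-20s syns=%d rate=%.2f/s closed_by_source=%d bytes=%d" % row)
```
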
 
Old 08-14-2011, 02:19 AM   #13
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
So?

Quote:
Originally Posted by OlRoy View Post
These are the hosts and the number of application bytes and SYN packets they sent to your web server in around a minute. The connections for the most part seem to be immediately terminated by the source. I'd say your IT staff is right about the DDoS attack.
I see. They had tried out Amazon Cloud in the past two days, but it seems like very little progress had been made. The website is still unaccessible. And the attack goes on.
 
Old 08-14-2011, 05:08 AM   #14
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by ex2501 View Post
I see. They had tried out Amazon Cloud in the past two days, but it seems like very little progress had been made. The website is still unaccessible. And the attack goes on.
So now we have evidence of an attack. A lot of the time people will come here and say they've been hacked and it turns out to be a false positive. Anyway, here are some things that you may be able to do... 10 DDoS Mitigation Techniques.
 
Old 08-14-2011, 07:26 AM   #15
ex2501
LQ Newbie
 
Registered: Aug 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by OlRoy View Post
So now we have evidence of an attack. A lot of the time people will come here and say they've been hacked and it turns out to be a false positive. Anyway, here are some things that you may be able to do... 10 DDoS Mitigation Techniques.
Thanks again for the useful document you shared. I also followed the author IntruGuard. This forum is AWESOME and full of great users like you! <3
 
  

