Home page logo

basics logo Security Basics mailing list archives

Re: any solutions against ddos attack??
From: Jon Kibler <Jon.Kibler () aset com>
Date: Wed, 11 Jun 2008 00:58:43 -0400

Hash: SHA1

MontyRee wrote:
Hello list.

I'm so sorry for insufficient information.
I added below.

What types of DDoS attacks? Protocol Attacks? Bandwidth Starvation
Attacks? Service Starvation Attacks?
There are various ddos attacks.
sometimes, syn flooding attack (over 700,000 pps, 45byte per packet) or udp flooding attack(over 5Gbps, 1500 byte per 
or lots of GET or POST flooding attack. 

Are the attacks against a single server or the entire organization? Is
it one site or multiple sites?
Usually against one site, for example http://www.example.com/ 

Okay, it looks like you are seeing a wide spectrum of attacks. Can you
determine why someone is attacking you? That is step one towards
preventing attacks. (For example, it is not uncommon for IRC servers to
be attacked because they are thought of as possibly being a competing
botnet's command and control center.) You really MUST first determine
WHY you are being attacked.

To minimize the impact of the types of attacks you described, the best
thing to do is to get the cooperation of your upstream service
providers. I am sure they would like to see such attacks stop because of
the impact on their resources.

One strategy that I have helped clients deploy is rate-limiting. With
this approach, all of your upstream ISPs implement rate-limits on
inbound traffic to your network such that the total inbound traffic to
your network never exceeds 80% of available bandwidth over a 5 minute

For example, if you have a single ISP, they would put in a router filter
that would normally allow bursts of 100% your available bandwidth for up
to a minute, then it would step down traffic (start randomly dropping
packets) to 90% for the next minute of high load, and step down to 80%
for the next minute, 70% for the next minute, and finally step down to
60% until load drops to the point that traffic is back to normal.

If you have two ISPs, the step downs are usually done faster, longer,
and deeper so that an attacker cannot simply switch paths to sustain a
high inbound data rate. Actual implementation details are somewhat more
complex, but I hope you get the idea.

The bottom line is that you want to push mitigation as far upstream as
possible. Also, these filters should be permanent. If all ISPs would
simply implement rate limiting for each customer, DDoS attacks would
loose their effectiveness.

On your local network there are also things you can do. As much of the
mitigation as possible should be pushed to the edge of your network,
meaning your border router and firewall.

You should have rate-limiting on your own border router, where you can
also rate-limit your traffic and do so by protocol (assuming you have a
reasonably up to date Cisco, Juniper, or other commercial grade router).
If your border router is Cisco, get the latest IOS and you can also
implement content inspection that will get rid of a lot of the malformed
 packets that are sent in DDoS attacks.

Your firewall should also do deep packet inspection and that should
eliminate even more garbage. If it does connection proxies (and it
really should!), then your servers will never see a lot of the DDoS
traffic. Also, make sure that all of your servers use private IP space
that is statically NATed, and that will provide another layer of defense.

At the server level, SYN-cookies, which were previously mentioned, will
provide some relief for SYN flood attacks. However, if your network is
set up right, your servers should NEVER see bogus SYN packets, as they
would be filtered by either your border router or your firewall. (If
your servers are getting SYN flooded, then you have SERIOUS network
architecture issues!!!!)

Dealing with UDP floods is a more complex problem. If they are attacking
a particular service, then that service should have some means of
rate-limiting beyond what the firewall does. (This will be service
specific.) If they are just flooding generic UDP, then your border
router or firewall should be dropping all the garbage before it ever
gets onto your internal network.

Depending upon your web server, there are a couple of different
approaches to take. How you would implement them is server dependent. (I
know you can do all of these with Apache, but I don't know about IIS.)
The first thing to do is connection rate-limiting -- limit how fast your
web server will accept and/or respond to new connections. The other
approach is to dynamically blacklist the IPs from which the bogus
connections are originating. (There are a bunch of tools that will
modify IPTABLES for you on the fly.)

I hope this helps. Without a lot more details about the attacker
profiles and having some idea why you are being attacked, this is about
the best advice I can give you.

Lots of luck!

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]