Security Incidents: Re: DoS attack... what to do?

[Faisal Khan <faisal () netxs com pk>]

Once DoS/DDoS attacks start, there is very little you can do to mitigate 
them without the proper perimeter mitigation defense systems in place 
(either by yourself - if the situation warrants, or by your service provider).
Speaking from extensive experience, short-term measure such as by 
increasing the server horsepower, bandwidth connectivity, etc. is just that 
- short term.
One of the most powerful devices we've seen working for port 80 (or any 
other port, but only protects one port so far) attempts is the Foundry 
Networks ServerIron 450 (also the ServerIron 400/800/850). It has something 
called the Transaction Rate Limiting. Do read up on it - its perhaps one 
unique embedded methodology in Foundry equipment for thwarting off DoS/DDoS 
attacks.
Check with your ISP if they offer DoS/DDoS mitigation equipment. Some names 
that come mind are Foundry (already mentioned - though it should not 
specifically be considered an a DDoS/DoS mitigation tool per se), Top Layer 
(their IPS 100 is economically priced), Riverhead Networks (now part of 
Cisco Systems), Arbor Networks, Mazu Networks and Captus Networks and even 
Juniper Networks/Netscreen Firewalls.
An excellent source for DoS/DDoS attacks is: 
http://staff.washington.edu/dittrich/misc/ddos/
One (expensive) option is the use of CDNs (Content Delivery Networks), 
Speedera and Akamai being at the forefront.
With all of such devices out there, you really have to be prepared that 
packet choking does not happen on your inbound connection. Its very easy to 
saturate a 100Mbps connection. GigE will help, but is expensive. Secondly - 
do play close attention to the setup rates. When you have something between 
4,000-10,000 setups per second, the lower end devices will sort of approach 
their limits --- fast (they can only maintain so many open-connections).
When you hit setup rates like 50,000-75,000 per second, only the high-end 
devices would be able to mitigate the in-flow.
Needless to say, your mileage may vary, but I hope the DDoS attack stops. 
They are a nasty thing to deal with.
Faisal



At 12:41 AM 1/5/2005, Nigel Kukard wrote:
> Hi Guys,
>
> Here is the situation...
>
> I have a dedicated server at ISP X, about 1 week after I signed up for the 
> service I received a DoS attack against my DNS service... the attack came 
> from over 10,000 IP addresses and tried to resolve the following domain 
> names...
> leet.nexhost.org
> ns1.nexhost.org
> ns2.nexhost.org
> floop.m33pm33p.info
> irc.k1hosting.net
> b0tn3t.elite-coders.org
>
>
> I thought i would be clever and changed root.cache on my named service to 
> resolve all dns queries to 127.0.0.1, this seems to of worked for about 
> 1hr. Next I get even more attacks on port 5556 which I don't even use and 
> basically by default drop everything to that port.
> I have sent off abuse reports for over 10,000 IP's, grouping them by ISP 
> and sending 1 email per ISP.....
> What to do? I've got a constant 200Kbps of traffic, and its kinda bugging 
> me...
> Any help would greatly be appreciated.  (btw, netsky.V uses port 5556)
>
>
> Regards
> Nigel Kukard


Faisal Khan,  CEO
Net Access Communication
Systems (Private) Limited
________________________________

Network Security - Secure Web Hosting
Managed Internet Services - Secure Email
Dedicated Servers - Reseller Hosting

Visit www.netxs.com.pk for more information.