How to prevent dos attacks?

Talkfreelance

New member
Hey everyone, earlier today my community received our first DoS attack. This attack lasted most of the day (6-8 hours) and crashed the entire server. I'm wondering what precautions can be put in place to prevent this in the future? We have firewalls obviously, anti-DoS etc., but nothing seemed to stop it aside from banning all 1600+ IPs. :(

What software/hardware do you use to protect your services from DoS attacks?
 
If you're interested in a data centre that has an option for DDoS prevention, you might want to check out ezzi.net; they offer Netscreen DoS protection for a small monthly fee. Hope I've helped :)
 
Well, if you use a datacentre like EV1 (we do on some of our boxes), they include Fireslayer, which should prevent some attacks if they originate outside of the datacentre.

For internal attacks, KISS or APF firewalls may help.

Although I believe the best way is to null route the IP that's being attacked.

Rob
 
Make sure you keep good communication with your NOC, and that they in turn communicate with their upstream(s). The further up the stream you can get, the more likely you are to have a positive outcome.

Before you worry about whether or not your box withstood the mayhem, you should ask whether your NOC's router and switch stayed up.

After that, there are some things that can be done to protect your box.

See this for a general overview: http://silverwraith.com/papers/freebsd-ddos.php

Depending upon how big a DDoS you want to protect against, you could install a separate firewall box with something like apf on it. This way the 'bad stuff' wouldn't get to your primary box.
 
Robson, it wasn't classed as a DoS attack. I've had it done to me, but I know how they do it. It's those fake traffic sending tools such as i-faker, but run on more than one PC, sending fake requests to your server and causing it to crash. Or they run the program more than once on their PC, opening lots of windows. I saw it on a hacking forum I visit. No, I don't hack, I just like to keep on top of hackers and what they're up to :)
 
The following is an extract from Ping! Zine if it's of any help to anyone :

Below you will find a simple SYN attack detection script that could be set to run every 5 minutes via a cron job. In case of an attack you would receive an email with IP information; remember the IP information is usually spoofed.

Code:
#!/usr/bin/perl -w
# Simple script to monitor SYN attacks: count sockets in a SYN state and
# mail the matching netstat lines to the admin when a threshold is exceeded.
use strict;

my $syn_alert = 15;                 # alert when more than this many SYN states are seen
my $hostname  = `hostname`;
chomp($hostname);

# netstat -an lists every socket; grep -c counts lines in SYN_RECV or SYN_SENT.
my $num_of_syn = `netstat -an | grep -c SYN`;
chomp($num_of_syn);

if ($num_of_syn > $syn_alert) {
    # The source addresses in a SYN flood are usually spoofed, so treat them as hints only.
    `netstat -an | grep SYN | mail -s "SYN ATTACK DETECTED ON $hostname" admin\@yourcompany.com`;
}
exit;
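The Perl script above counts every line containing "SYN", which also picks up the server's own outgoing SYN_SENT connections, and it tells you nothing about how many distinct sources are involved. The following is an added example, not part of the Ping! Zine script or this post, that applies the same idea to a constructed sample of netstat -an output: it counts only inbound half-open connections (SYN_RECV), breaks them down per local port and per source address, and flags the case where every source contributes a single half-open connection, which is what a spoofed flood looks like. The sample text, the threshold of 15 and the address ranges are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output (not captured from a real host):
# a few ordinary sockets plus 20 half-open connections to port 80, each from a
# different address in 192.0.2.0/24, which is the signature of a spoofed SYN flood.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.9:60022      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51300      SYN_SENT
udp        0      0 0.0.0.0:53              0.0.0.0:*
""" + "".join(
    f"tcp        0      0 203.0.113.10:80         192.0.2.{i}:4{i:04d}    SYN_RECV\n"
    for i in range(1, 21)
)

# One netstat socket line: proto, recv-q, send-q, local, foreign, optional state (UDP has none).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text):
    """Yield (proto, local, foreign, state) for every socket line; skip headers."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("proto"), m.group("local"), m.group("foreign"), m.group("state") or ""


def split_host_port(addr):
    """'203.0.113.10:80' -> ('203.0.113.10', '80'); rpartition also copes with IPv6 text."""
    host, _, port = addr.rpartition(":")
    return host, port


def syn_report(text, threshold=15):
    """Summarise inbound half-open connections (SYN_RECV only, unlike `grep -c SYN`)."""
    per_port = Counter()
    per_source = Counter()
    for _proto, local, foreign, state in parse_netstat(text):
        if state != "SYN_RECV":
            continue
        per_port[split_host_port(local)[1]] += 1
        per_source[split_host_port(foreign)[0]] += 1
    total = sum(per_port.values())
    return {
        "total_syn_recv": total,
        "alert": total > threshold,
        "per_port": dict(per_port),
        "unique_sources": len(per_source),
        # Every source contributing exactly one half-open connection means blocking
        # individual IPs will not help; the addresses are almost certainly spoofed.
        "looks_spoofed": total > threshold and len(per_source) == total,
        "top_sources": per_source.most_common(5),
    }


def describe(report):
    """Render the report as the one-line summary a cron job would mail out."""
    if not report["alert"]:
        return f"ok: {report['total_syn_recv']} half-open connections"
    kind = "spoofed/distributed" if report["looks_spoofed"] else "concentrated"
    return (f"ALERT: {report['total_syn_recv']} half-open connections on ports "
            f"{sorted(report['per_port'])} from {report['unique_sources']} sources ({kind})")


if __name__ == "__main__":
    # In a cron job you would feed in subprocess.check_output(["netstat", "-an"], text=True).
    print(describe(syn_report(SAMPLE_NETSTAT)))
```

The report distinguishes "many sources, one half-open connection each" from "a few sources with many half-open connections"; only the second case is worth feeding into a per-IP ban list, which is the point the post makes about spoofed addresses.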
 
I know a few people with botnets. They are used to perform DDoS attacks. Basically what it is, is like a trojan, but it connects the infected person's computer to an IRCD server. The person with the botnet can give it commands to do, such as ping the server IP. Normally botnets are several hundred people, maybe even thousands of people. The attacks from these can be devastating. I have seen a few servers become overwhelmed and crash and not be back up for a few days, because once the botnet starts a command it doesn't end until they are all done, so sometimes it lasts a few days and normally the host will cancel your account. If anyone wants more info let me know, I can get some more on botnets for you.
 
You need to clarify the type of attack. A SYN flood requires a very different mitigation response than an application attack does.

For SYN floods with spoofed IP addresses, there is little you can do at the server level. Most of the recommendations you find on the net will do little to help you out. SYN cookies, backlog queues, TCP tuning, firewalls etc. may help, but it does not take much bandwidth to DoS Apache using a SYN flood.

For application-level attacks, firewalls, mod_dosevasive, mod_security and others can help.

You really need to understand the type of attack before an effective solution can be launched. This may require taking a packet capture for analysis. Only with the proper identification of the attack method can you begin to find a suitable response.
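To show what "taking a packet capture for analysis" looks like in practice, here is an added example that is not from this post or any tool it names. It parses lines in the text format tcpdump prints for TCP, builds per-source statistics, and classifies the window as a SYN flood (many sources that send a SYN and never complete the handshake, so they are probably spoofed), an application-level flood (a few real clients that complete the handshake and then hammer the web application with requests), or normal traffic. The three traces, the server address 203.0.113.10 and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

SERVER = "203.0.113.10"   # constructed: the host under attack

# One tcpdump text line for TCP, e.g.
# 12:00:00.000000 IP 192.0.2.5.50001 > 203.0.113.10.80: Flags [S], seq 1, win 8192, length 0
# 12:00:00.000000 IP 198.51.100.7.40000 > 203.0.113.10.80: Flags [P.], ..., length 120: HTTP: GET / HTTP/1.1
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*? length (?P<len>\d+)(?::\s*(?P<app>.*))?$"
)


def parse(lines):
    """Yield one dict per parseable TCP line; non-TCP or unparseable lines are skipped."""
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m:
            yield m.groupdict()


def classify(lines, server=SERVER, syn_sources=20, app_requests=10):
    """Decide whether a capture window is a SYN flood, an application flood or normal."""
    stats = defaultdict(lambda: {"syn": 0, "acked": False, "http": 0})
    for p in parse(lines):
        if p["dst"] != server:
            continue                      # only traffic aimed at the victim matters here
        s = stats[p["src"]]
        if p["flags"] == "S":
            s["syn"] += 1                 # bare SYN: first step of a handshake
        elif "." in p["flags"]:
            s["acked"] = True             # any ACK from the client: handshake completed
        if p["app"] and p["app"].startswith("HTTP:"):
            s["http"] += 1                # a decoded HTTP request from this client
    half_open = [ip for ip, s in stats.items() if s["syn"] and not s["acked"]]
    offenders = [ip for ip, s in stats.items() if s["http"] >= app_requests]
    if len(half_open) >= syn_sources and len(half_open) >= 0.8 * len(stats):
        return {"kind": "syn_flood", "sources": len(half_open),
                "note": "sources never finish the handshake, so they are probably spoofed; "
                        "per-IP bans are pointless, involve the NOC/upstream or null-route the target"}
    if offenders:
        return {"kind": "application_flood", "offenders": sorted(offenders),
                "note": "real TCP clients hammering the web app; rate-limit or block these "
                        "sources (mod_dosevasive / mod_security / firewall)"}
    return {"kind": "normal", "note": "nothing above threshold"}


# --- constructed traces (not real captures) ---------------------------------
def _pkt(src, sport, flags, length=0, app=None, ts="12:00:00.000000"):
    line = f"{ts} IP {src}.{sport} > {SERVER}.80: Flags [{flags}], seq 1, win 8192, length {length}"
    return line + (f": {app}" if app else "")


def _client_session(src, requests):
    """SYN, ACK, then `requests` GETs: a well-behaved or an abusive real client."""
    pkts = [_pkt(src, 40000, "S"), _pkt(src, 40000, ".")]
    pkts += [_pkt(src, 40000, "P.", 120, "HTTP: GET /forum/index.php HTTP/1.1")
             for _ in range(requests)]
    return pkts


# 50 bare SYNs from 50 addresses that never reply, plus one real visitor.
SYN_FLOOD_TRACE = ([_pkt(f"192.0.2.{i}", 50000 + i, "S") for i in range(1, 51)]
                   + _client_session("198.51.100.7", 1))
# Three real clients each issuing 40 requests in the window.
APP_FLOOD_TRACE = [p for ip in ("198.51.100.20", "198.51.100.21", "198.51.100.22")
                   for p in _client_session(ip, 40)]
# Ordinary browsing.
NORMAL_TRACE = _client_session("198.51.100.7", 2) + _client_session("198.51.100.9", 3)

if __name__ == "__main__":
    for name, trace in (("syn", SYN_FLOOD_TRACE), ("app", APP_FLOOD_TRACE), ("normal", NORMAL_TRACE)):
        print(name, classify(trace))
```

The 0.8 ratio guards against calling a busy but healthy server a SYN flood just because a few clients happened to be mid-handshake when the capture ended; on a real capture you would run this over `tcpdump -nn -l host <server>` output rather than the constructed lists.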
 
The first method of stopping a DoS attack is simply to drop all traffic related to the target hosts. This is a good tactic for a nonessential protocol, like ICMP (Internet Control Message Protocol), but dropping TCP or UDP (User Datagram Protocol) can impact legitimate traffic, such as HTTP or DNS. However, denying all traffic does keep the attack traffic from impacting the target; thus, in some cases (like a SYN flood), this is better than nothing.

If an attack is originating from one or a small number of true hosts, as opposed to being randomly spoofed, a device that tracks source IP addresses will be able to home in on the specific offenders and drop all traffic from those hosts. This will effectively block the attack, earning a perfect mark for this review. However, tracking every unique source IP address is quite a processing feat, requiring large amounts of memory. Therefore, a few of the devices cut corners by dividing the Internet into smaller, more manageable chunks. While this lets the devices track the general origin of an attack, blocking chunks of the Internet -- particularly if they are big chunks or user-dense areas, like cable-modem segments or America Online user proxies -- hurts legitimate traffic. However, this still can be an effective form of attack mitigation.
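The trade-off described above (exact per-source tracking versus aggregating sources into "chunks" of the Internet) can be made concrete. The following is an added example, not taken from the review being quoted or from any of the devices it evaluated. It counts packets per source address and per /24 prefix over a constructed window of source addresses, picks the entries over a threshold, and reports which legitimate users would be caught by a prefix-level block. A second constructed window with fully spoofed sources shows why neither method finds anything there. The addresses, packet counts and threshold are assumptions.

```python
import ipaddress
from collections import Counter


def count_by_source(sources):
    """Exact tracking: one counter entry per distinct source address."""
    return Counter(sources)


def count_by_prefix(sources, prefix_len=24):
    """Coarse tracking: sources collapsed into /prefix_len networks (fewer entries to store)."""
    return Counter(str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
                   for ip in sources)


def offenders(counts, threshold):
    """Keys (addresses or prefixes) that sent more than `threshold` packets in the window."""
    return sorted(k for k, n in counts.items() if n > threshold)


def collateral_damage(sources, blocked_prefixes, attackers):
    """Legitimate sources that a prefix-level block would also silence."""
    nets = [ipaddress.ip_network(p) for p in blocked_prefixes]
    return sorted(ip for ip in set(sources)
                  if ip not in attackers and any(ipaddress.ip_address(ip) in n for n in nets))


def plan(sources, threshold=100, prefix_len=24):
    """Prefer exact per-IP blocks; fall back to prefix blocks only when per-IP finds nothing."""
    by_ip = count_by_source(sources)
    exact = offenders(by_ip, threshold)
    if exact:
        return {"method": "per-ip", "block": exact, "tracked_entries": len(by_ip)}
    by_net = count_by_prefix(sources, prefix_len)
    coarse = offenders(by_net, threshold)
    if coarse:
        return {"method": f"per-/{prefix_len}", "block": coarse, "tracked_entries": len(by_net)}
    return {"method": "none", "block": [], "tracked_entries": len(by_ip),
            "note": "no source stands out; sources are probably spoofed, mitigate upstream"}


# --- constructed windows of packet source addresses (not real traffic) -------
ATTACKERS = {"192.0.2.5", "192.0.2.6"}
LEGIT = ["192.0.2.77", "198.51.100.7", "198.51.100.9", "203.0.113.44"]

# Two true hosts sending 500 packets each; four real users sending 5 each.
# 192.0.2.77 is a real user who shares a /24 with the attackers.
TRUE_SOURCE_ATTACK = ([ip for ip in sorted(ATTACKERS) for _ in range(500)]
                      + [ip for ip in LEGIT for _ in range(5)])

# 1000 packets from 1000 different spoofed addresses spread over 1000 different /24s.
SPOOFED_ATTACK = [f"10.{i // 256}.{i % 256}.{(i * 7) % 250 + 1}" for i in range(1000)]

if __name__ == "__main__":
    print(plan(TRUE_SOURCE_ATTACK))
    print("prefix-level alternative would block:",
          offenders(count_by_prefix(TRUE_SOURCE_ATTACK), 100),
          "and also hit:", collateral_damage(TRUE_SOURCE_ATTACK, ["192.0.2.0/24"], ATTACKERS))
    print(plan(SPOOFED_ATTACK))
```

On the first window the exact counter isolates the two offending hosts, while the /24 counter blocks 192.0.2.0/24 and takes the innocent 192.0.2.77 with it; on the spoofed window both counters hold a thousand entries with one packet each, which is the "processing feat" the review mentions and also why blocking has to move upstream in that case.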
 
prhost said:
The following is an extract from Ping! Zine if it's of any help to anyone :

Below you will find a simple SYN attack detection script that could be set to run every 5 minutes via a cron job. In case of an attack you would receive an email with IP information; remember the IP information is usually spoofed.

Code:
#!/usr/bin/perl -w
# Simple script to monitor SYN attacks: count sockets in a SYN state and
# mail the matching netstat lines to the admin when a threshold is exceeded.
use strict;

my $syn_alert = 15;                 # alert when more than this many SYN states are seen
my $hostname  = `hostname`;
chomp($hostname);

# netstat -an lists every socket; grep -c counts lines in SYN_RECV or SYN_SENT.
my $num_of_syn = `netstat -an | grep -c SYN`;
chomp($num_of_syn);

if ($num_of_syn > $syn_alert) {
    # The source addresses in a SYN flood are usually spoofed, so treat them as hints only.
    `netstat -an | grep SYN | mail -s "SYN ATTACK DETECTED ON $hostname" admin\@yourcompany.com`;
}
exit;

Hello,

I am a beginner and have a VPS to run my forum.

How can I do this? Is this a Perl script? Sorry for the silly question :( but could you tell me the way?

Thanks...
 