Re: [suse-security] Under DDoS Attack
Top posting isn't cool.

On Fri, Oct 28, 2005 at 12:12:59AM -0400, Timothy Hall wrote:
i have heard of organizations/providers doing that. i have even had them DO IT. it depends on how many locations the DDoS bots are attacking from, are they on a certain AS (look up autonomous system if you don't know what an AS is, traceroute.org also has listings of various ASs by country) or from domains/IP blocks that will not excessively restrict access to the resource being hosted... this will work with blocks of IPs under the control of a certain authority, but again, it depends on how many places it is coming from. for example if your site is in X language and the attacks are coming from ASs from areas where Y language is generally spoken, it may well be that your upstream provider/organization can block the address blocks (or some of them) and get rid of the load without seriously impacting the service you offer any more than it already has been.
there are also documented cases of universities and companies having some success with such a method. does this mean it will work in EVERY circumstance? no. sometimes the only way is to move services to another IP and sometimes that isn't practical either.
Not sure what country you're in but maybe a small wager in US dollars or euros? You give me an IP and fax me an OK from the owner of the IP signed by you and them, and we can test your theory that you can actually toss out unwanted packets.

If you don't want to, then maybe this can help: The reason this won't work well, is because those packets have to be thrown out regardless of how or where, and no one does a DDOS attack with less than a GB or so of bandwidth at a time and nothing short of an OC line is going to stand up to it. I've been DDOSed and let me tell you, a router is great fun, but it's going to crash trying to keep up with the discarding of packets. You're essentially taking the attack away from the server, and onto your Router or firewall, which in turn, whacks your connection anyway.

Like I said, the only ways to actually stop it is to switch IPs, or get a bandwidth company to help with the load like Microsoft did with those Worms a few years ago. But either way the traffic is still aimed at you. If a company as big as Microsoft or dumb as SCO.... Ok they aren't the best example, But even Microsoft switched servers and IPs when it happened. I think THEY could make a phone call if that actually worked. And remember the attacks weren't even professional for them, it was a Worm working on Home machines and networks that weren't top of the line bandwidth.

-Allen.

Allen <gorebofh@comcast.net> 10/27/05 23:14 PM >>>

On Thu, Oct 27, 2005 at 11:59:54PM +0200, b@rry wrote:

As I said - it's a root server. Nothing in front but the pure internet...

Why not have a firewall in front of it? Root server or no, something that can manage the connections to the box with relatively low connection timeouts?

Maybe just maybe, because a firewall isn't going to do a THING against a DDOS attack? And for the other person who said call the ISP so they can "set the router to block the packets"..... Lol, if it was that easy Yahoo, Microsoft and SCO wouldn't have been taken down.

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here