Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: trainier@xxxxxxxxxx
  • Date: Mon, 31 Oct 2005 10:12:16 -0500
  • Message-id: <OF18658AB5.EDDCA30E-ON852570AB.005309EF-852570AB.0053799F@xxxxxxxxxxxxxxx>
Mitigating DDoS attacks is mostly contingent on the type of attack going
on. Back in the older days, simple SYN cookies and proper load balancing
could mitigate most of the attacks going on.

Attacks are much more complicated these days. I've seen DDoS attacks in
the form of DNS requests.
You get 20k machines requesting queries from your DNS server, GOOD LUCK!

It's also worth noting that changing IP addresses works about as often as
the other criticized suggestions.
A large portion of the attacks going on these days, reflect what the
underground hackers are calling "DRDoS" attacks.

These attacks involve dropping uplink providers by overwhelming
border-gate routers and the like.
Changing your IP address will have absolutely no effect in these cases.
It's hard to tell when these types of attacks are going on
because the gate router, doing its job, simply submits the traffic to the
entire subnet.

I've disassembled drone nets that exceeded 20k infected machines. Some of
them were dial-up accounts, most of them were cable/DSL accounts.

Attacks don't need to be "professional" in any capacity. 20k dialup
connections is enough to do some sort of damage.

In most cases, packet throttling with QoS and SYN cookies is a viable
means of mitigating attacks.

Of course it doesn't always work. I'm Joe Schmo sitting at home with a $50
pseudo router.
But if you're running a business, on the internet, you need to have some
of these "best practices" ironed out.

Also, colocations (I think it was mentioned in an earlier posting) seem
to be quite productive in mitigating several forms
of DDoS attacks out there.

Tim Rainier
Information Services, Kalsec, INC
trainier@xxxxxxxxxx
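The "20k machines requesting queries from your DNS server" case above is, from the server side, a query-log problem before it is a network problem. The following is an added example (not code from the thread or from any of its participants) that runs a two-sided check over a constructed, BIND-style query log: it flags single clients that exceed a per-window query budget (the many-bots case) and query name/type pairs hit by many distinct sources in one window (what a flood of small spoofed queries for one record looks like). The log format, thresholds and addresses are all assumptions made for this example; since source addresses in these floods are routinely spoofed, the output is a triage list for rate limiting and upstream filtering, not a block list.

```python
"""DNS query-flood triage over a query log (constructed example, not from the thread).

Two signals are computed per tumbling time window:
  1. noisy_clients: a source IP sending more than per_client_max queries
  2. hot_queries:   a (name, qtype) pair requested by >= min_distinct_sources IPs
"""
import re
from collections import defaultdict
from datetime import datetime

# Simplified BIND-style query log line; this layout is an assumption for the example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one client hammering an A record, four sources hitting the
# same ANY query, one benign MX lookup, and one non-matching line to exercise parsing.
SAMPLE_LOG = """\
27-Oct-2005 18:09:01.001 client 198.51.100.20#40001: query: www.example.net IN A
27-Oct-2005 18:09:01.102 client 198.51.100.20#40002: query: www.example.net IN A
27-Oct-2005 18:09:01.203 client 198.51.100.20#40003: query: www.example.net IN A
27-Oct-2005 18:09:01.304 client 198.51.100.20#40004: query: www.example.net IN A
27-Oct-2005 18:09:01.405 client 198.51.100.20#40005: query: www.example.net IN A
27-Oct-2005 18:09:01.506 client 198.51.100.20#40006: query: www.example.net IN A
27-Oct-2005 18:09:02.001 client 203.0.113.5#53000: query: example.org IN ANY
27-Oct-2005 18:09:02.050 client 203.0.113.6#53000: query: example.org IN ANY
27-Oct-2005 18:09:02.100 client 203.0.113.7#53000: query: example.org IN ANY
27-Oct-2005 18:09:02.150 client 203.0.113.8#53000: query: example.org IN ANY
27-Oct-2005 18:09:03.000 client 192.0.2.10#1053: query: mail.example.net IN MX
this line is not a query log entry
"""


def parse_line(line):
    """Return (timestamp, client_ip, name, qtype) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name").lower(), m.group("qtype").upper()


def analyze(lines, window_s=10, per_client_max=5, min_distinct_sources=4):
    """Bucket queries into tumbling windows and report the two flood signals.

    Returns {"parsed": n, "noisy_clients": {ip: peak_count},
             "hot_queries": {(name, qtype): peak_distinct_sources}}.
    """
    # bucket -> (per-client query counts, per-query set of distinct source IPs)
    buckets = defaultdict(lambda: (defaultdict(int), defaultdict(set)))
    parsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not counted
        parsed += 1
        ts, ip, name, qtype = ev
        key = int(ts.timestamp()) // window_s
        clients, queries = buckets[key]
        clients[ip] += 1
        queries[(name, qtype)].add(ip)

    noisy_clients = {}
    hot_queries = {}
    for clients, queries in buckets.values():
        for ip, n in clients.items():
            if n > per_client_max:
                noisy_clients[ip] = max(n, noisy_clients.get(ip, 0))
        for q, ips in queries.items():
            if len(ips) >= min_distinct_sources:
                hot_queries[q] = max(len(ips), hot_queries.get(q, 0))
    return {"parsed": parsed, "noisy_clients": noisy_clients, "hot_queries": hot_queries}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("parsed lines:", report["parsed"])
    print("noisy clients:", report["noisy_clients"])
    print("hot queries:", report["hot_queries"])
```

Tumbling windows (rather than a sliding window) keep the state per window to two small maps, which matters when the log is itself arriving at flood rate; the cost is that a burst straddling a boundary is split across two windows, so the thresholds should be set with that in mind.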

"Carlos E. R." <robin1.listas@xxxxxxxxxx> wrote on 10/30/2005 07:16:40 AM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> The Thursday 2005-10-27 at 18:09 +0200, media Formel4 wrote:
>
> > I don't think that works out. Whenever I might send a FIN - what
> > prevents my Apache from being attacked from the same bot after seconds again?
>
> The script would have to do both things, close the connection in apache
> and lock the incoming IP. But, if those IPs are spoofed, as you think,
> chances are some will seem to come from your real clients sometime. Best
> thing would probably be a module in apache for ignoring empty requests.
> Is it doable?
>
> What about the MACs, can they be traced? Any matches there? Forgive me
> if that's a novice-like question.
>
> - --
> Cheers,
> Carlos Robinson
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (GNU/Linux)
> Comment: Made with pgp4pine 1.76
>
> iD8DBQFDZLmztTMYHG2NR9URAuinAJ4rmdmf58Aa7QAx6RjuYs944Q58qQCdG5wP
> 8Ge19SbRy4DaVBB2M/jjfDo=
> =fbKO
> -----END PGP SIGNATURE-----
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
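Tim's post names SYN cookies as the classic answer to SYN floods, and Carlos's quoted concern about spoofed source addresses is exactly the case they were designed for: the server answers a SYN with a sequence number it can later recompute from the returning ACK, so it stores no half-open connection state that a flood of spoofed SYNs could exhaust. The block below is an added example (not from the thread, and a simplified toy rather than the Linux or BSD implementation): the secret key, bit layout, MSS table and tick size are assumptions chosen for illustration.

```python
"""Toy SYN cookie (constructed example, simplified relative to real TCP stacks).

The SYN/ACK sequence number is a keyed hash of the connection 4-tuple, the client's
ISN and a coarse time counter, so the server keeps nothing per half-open connection.
When the third handshake packet (ACK) arrives, the cookie is recomputed and compared.
32-bit layout used here: 5-bit counter | 2-bit MSS index | 25-bit keyed hash.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-key-not-for-production"  # constructed; real stacks use a random per-boot key
MSS_TABLE = (536, 1220, 1440, 1460)   # client MSS is rounded down to one of these (2 bits)
TICK_SECONDS = 64                     # granularity of the time counter
MAX_AGE_TICKS = 2                     # cookies older than this many ticks are rejected


def _mac25(saddr, sport, daddr, dport, counter):
    """25-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}#{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """Server ISN to place in the SYN/ACK; no state is stored for the connection."""
    counter = int(now) // TICK_SECONDS
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):          # round the advertised MSS down to the table
        if m <= mss:
            mss_idx = i
    body = (_mac25(saddr, sport, daddr, dport, counter) + client_isn) & 0x1FFFFFF
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | body


def verify_cookie(saddr, sport, daddr, dport, client_isn, ack, now):
    """Validate the handshake's final ACK.

    Returns the negotiated MSS if the cookie checks out and is at most MAX_AGE_TICKS
    old, otherwise None (forged, replayed for another 4-tuple, or stale).
    """
    cookie = (ack - 1) & 0xFFFFFFFF            # the client acknowledges our ISN + 1
    counter_low = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    body = cookie & 0x1FFFFFF
    current = int(now) // TICK_SECONDS
    for age in range(MAX_AGE_TICKS + 1):       # only recent counter values are acceptable
        candidate = current - age
        if candidate < 0 or (candidate & 0x1F) != counter_low:
            continue
        expected = (_mac25(saddr, sport, daddr, dport, candidate) + client_isn) & 0x1FFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), body.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    tup = ("198.51.100.7", 40000, "203.0.113.1", 80)   # constructed addresses
    isn = make_cookie(*tup, client_isn=12345, mss=1460, now=1_000_000)
    print("fresh ACK accepted, MSS =", verify_cookie(*tup, 12345, isn + 1, now=1_000_000))
    print("ACK 200 s later accepted?", verify_cookie(*tup, 12345, isn + 1, now=1_000_200))
```

The price of statelessness is visible in the layout: only a few bits remain for TCP options (here just a coarse MSS), which is why real stacks enable cookies only once the SYN backlog is under pressure rather than for every connection.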