Once DoS/DDoS attacks start, there is very little you can do to mitigate
them without the proper perimeter mitigation defense systems in place
(either by yourself - if the situation warrants, or by your service provider).
Speaking from extensive experience, short-term measure such as by
increasing the server horsepower, bandwidth connectivity, etc. is just that
- short term.
One of the most powerful devices we've seen working for port 80 (or any
other port, but only protects one port so far) attempts is the Foundry
Networks ServerIron 450 (also the ServerIron 400/800/850). It has something
called the Transaction Rate Limiting. Do read up on it - its perhaps one
unique embedded methodology in Foundry equipment for thwarting off DoS/DDoS
attacks.
Check with your ISP if they offer DoS/DDoS mitigation equipment. Some names
that come mind are Foundry (already mentioned - though it should not
specifically be considered an a DDoS/DoS mitigation tool per se), Top Layer
(their IPS 100 is economically priced), Riverhead Networks (now part of
Cisco Systems), Arbor Networks, Mazu Networks and Captus Networks and even
Juniper Networks/Netscreen Firewalls.
An excellent source for DoS/DDoS attacks is:
http://staff.washington.edu/dittrich/misc/ddos/
One (expensive) option is the use of CDNs (Content Delivery Networks),
Speedera and Akamai being at the forefront.
With all of such devices out there, you really have to be prepared that
packet choking does not happen on your inbound connection. Its very easy to
saturate a 100Mbps connection. GigE will help, but is expensive. Secondly -
do play close attention to the setup rates. When you have something between
4,000-10,000 setups per second, the lower end devices will sort of approach
their limits --- fast (they can only maintain so many open-connections).
When you hit setup rates like 50,000-75,000 per second, only the high-end
devices would be able to mitigate the in-flow.
Needless to say, your mileage may vary, but I hope the DDoS attack stops.
They are a nasty thing to deal with.
Faisal
At 12:41 AM 1/5/2005, Nigel Kukard wrote:
Hi Guys,
Here is the situation...
I have a dedicated server at ISP X, about 1 week after I signed up for the
service I received a DoS attack against my DNS service... the attack came
from over 10,000 IP addresses and tried to resolve the following domain
names...
leet.nexhost.org
ns1.nexhost.org
ns2.nexhost.org
floop.m33pm33p.info
irc.k1hosting.net
b0tn3t.elite-coders.org
I thought i would be clever and changed root.cache on my named service to
resolve all dns queries to 127.0.0.1, this seems to of worked for about
1hr. Next I get even more attacks on port 5556 which I don't even use and
basically by default drop everything to that port.
I have sent off abuse reports for over 10,000 IP's, grouping them by ISP
and sending 1 email per ISP.....
What to do? I've got a constant 200Kbps of traffic, and its kinda bugging
me...
Any help would greatly be appreciated. (btw, netsky.V uses port 5556)
Regards
Nigel Kukard
Faisal Khan, CEO
Net Access Communication
Systems (Private) Limited
________________________________
Network Security - Secure Web Hosting
Managed Internet Services - Secure Email
Dedicated Servers - Reseller Hosting
Visit www.netxs.com.pk for more information.
