DDOS

Thomas W
Mon Jun 04 2012, 01:24PM
Thomas W Registered Member #3324 Joined: Sun Oct 17 2010, 06:57PM
Location:
Posts: 1276
Hey guys,

I'm getting DDOS every now and again,
is there a VPN or similar that is good and will stop a 10 - 50GB/s STORM DDOS?
Pinky's Brain
Mon Jun 04 2012, 03:29PM
Pinky's Brain Registered Member #2901 Joined: Thu Jun 03 2010, 01:25PM
Location:
Posts: 837
If you have 10-50 GB/s incoming a VPN won't do much for you, unless you have an ungodly wide pipe to the internet ... your only option is to use a different ISP with a different IP until your old ISP fixes things (or the DDOS kiddy gets tired).
Thomas W
Mon Jun 04 2012, 07:35PM
Thomas W Registered Member #3324 Joined: Sun Oct 17 2010, 06:57PM
Location:
Posts: 1276
Yeh, say thanks to Devnull, it's sold for about £30 but you can buy upgrades for up to 50Gb/s

It was created for lil kids who couldn't take being banned or kicked off a gmod server
Carbon_Rod
Fri Jun 22 2012, 06:48AM
Carbon_Rod Registered Member #65 Joined: Thu Feb 09 2006, 06:43AM
Location:
Posts: 1155
...or you could simply configure your firewall to "stealth" and rate-limit your web server (considered rude) with Geo-IP based blocking... and most open proxies limit bandwidth too...
Block lists are usually updated daily:
Link2
Link2

Security policies are always changing, and this group offers workshops for junior people:
Link2

Some search engine spiders are very aggressive, and "baidu" is known to poke around areas never publicly linked. Notably, this usually indicates a site will be added to a malware distributor network in a few weeks.

For fun, you should change your server signature to IIS7 if running an nGinx or Apache reverse load balancing proxy for dynamic cloud hybrid appliance instances on rackspace.com or amazon.

There are other responsive options, but usually the source IPs are from some innocent individuals infected by a video-game or tool-bar.

If I recall, 4hv has policies against discussing these types of issues on the site.

Cheers,
Rod
Steve Conner
Fri Jun 22 2012, 07:43AM
Steve Conner Registered Member #30 Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
I haven't a clue what Rod is talking about so I can't say if it violates the site rules or not. :)

The easiest solution is to wait until your ISP bans you for bringing a massive DDOS on them, then find a new ISP.
Ash Small
Fri Jun 22 2012, 08:30AM
Ash Small Registered Member #3414 Joined: Sun Nov 14 2010, 05:05PM
Location: UK
Posts: 4245
I'm not sure if this is any help or not:

Peer-to-peer attacks

"Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderately large peer-to-peer attack, a site could potentially be hit with up to 750,000 connections in short order. The targeted web server will be plugged up by the incoming connections.

While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is opened to the server can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server.

This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited."

From Wikipedia

Link2
Hon1nbo
Fri Jun 22 2012, 11:08PM
Hon1nbo Registered Member #902 Joined: Sun Jul 15 2007, 08:17PM
Location: North Texas
Posts: 1040
DDoS commonly uses one of two popular methods: malformed packets (which take more time and resources to process, and hence can be easier for the attacker to execute), or just simple massive floods of the same requests.

Hardware firewalls have started including procedures for dealing with both of these. Floods of identical packets will start being dropped or limited by the firewall, and malformed packets designed to consume resources processing simply never make it to the server.

Of course, hardware firewalls cost money, and I personally don't know of a reliable software solution.


As mentioned, try to make use of IP Blacklists, which will have a lot of botnet machines on them.

If you need any specific help and don't want to post details feel free to PM me. I actually help run a Security group at my university, and currently there is not much we are doing over this summer.

-Jimmy
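
The block-list lookup, per-source rate limit and "same request from many sources" check discussed in the posts above, run over web-server log lines; this is an added example and not part of the original thread. The thresholds, function names, block-list range and log lines are constructed assumptions, and the log is assumed to be in chronological order.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed block-list entry (RFC 5737 documentation range), standing in
# for a daily-updated block list.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

def parse(line):
    """Return (ip, timestamp, request line) from a common-log-format entry."""
    ip, rest = line.split(" ", 1)
    stamp = rest.split("[", 1)[1].split("]", 1)[0]
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ipaddress.ip_address(ip), ts, rest.split('"')[1]

def classify(lines, max_per_window=5, window_s=1.0, flood_sources=3):
    """Return (blocklisted IPs, rate-limited IPs, flooded request lines)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    sources = defaultdict(set)    # request line -> distinct client IPs
    blocklisted, rate_limited = set(), set()
    for line in lines:
        ip, ts, request = parse(line)
        if any(ip in net for net in BLOCKLIST):
            blocklisted.add(str(ip))
            continue              # dropped first, no further accounting
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # forget requests older than the window
        if len(q) > max_per_window:
            rate_limited.add(str(ip))
        sources[request].add(ip)
    # One identical request from many distinct sources: each source stays
    # under the per-IP limit, so only the aggregate view reveals the flood.
    floods = {r for r, ips in sources.items() if len(ips) >= flood_sources}
    return blocklisted, rate_limited, floods

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    def entry(ip, sec, path):
        return f'{ip} - - [22/Jun/2012:06:48:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [entry("203.0.113.7", 0, f"/a{i}") for i in range(8)]          # one noisy source
    lines += [entry(f"192.0.2.{10 + i}", 1 + i, "/search?q=x") for i in range(4)]  # many quiet sources
    lines += [entry("198.51.100.20", 5, "/"), entry("192.0.2.50", 6, "/forum"),
              entry("192.0.2.50", 7, "/")]
    return lines

if __name__ == "__main__":
    print(classify(sample_log()))
```
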

Legal Information
This site is powered by e107, which is released under the GNU GPL License. All work on this site, except where otherwise noted, is licensed under a Creative Commons Attribution-ShareAlike 2.5 License. By submitting any information to this site, you agree that anything submitted will be so licensed. Please read our Disclaimer and Policies page for information on your rights and responsibilities regarding this site.