What SC is facing is known as a DDoS, which means a Distributed
Denial of Service attack. Anyone who thinks this is simple script
kiddie work is wrong.
I will try to outline in a simple way how a DDoS works and why it
is so hard to stop it.
First of all the attacker needs to hack hundreds or thousands of servers
in many different networks. Usually he picks servers that are
connected to large amounts of bandwidth. On each of the
machines he installs a server kind of program that listens to
commands from 1 central place and can launch any type of attack
on command. This can be simple webhits, or large packet streams
using multiple protocols, like ICMP, UDP or TCP/IP. For best effect
the attacker uses huge amounts of tiny packets as this causes
the maximum load possible on routers and servers.
Cisco routers especially are known to have difficulties with huge
amounts of small non-TCP packets. TCP/IP requires a handshake
protocol for communication whereas ICMP and UDP don't. So most
likely UDP or ICMP packet protocols are being used.
Once the attacker has a huge amount of these server type scripts
installed he can trigger all the nodes with one central script which will launch his attack simultaneously over all nodes. Since there are
so many nodes it's next to impossible to start blocking traffic with
a firewall. The nodes are all in different networks and use 10,000s of different IPs, so it's virtually impossible to start
blocking IPs simply because there are too many. By blocking full
C-classes you will end up blocking half the internet, so that's no
option either.
Using access-list filters on core routers is a bad idea because it
would create such a load that the routers will run out of memory
within seconds. Core routers switch gigabytes of traffic per
second, so filtering it there is a very bad idea. The router should
read each packet and compare it to a ruleset to see if it can be
forwarded or dropped.
The attack can be simple webpage hits, so it's very hard to
determine which packets are fraudulent and which are not. With a
huge number of servers you can flood almost any server quite
easily.
The best way to handle DDoS attacks is with your upstream provider. Look at the traffic and write down from which core
networks the attacks are coming. Call those carriers and give
them the IP nets from which the attacks are coming. They can
either stop advertising those IP networks or contact RIPE/ARIN/SARIN to take action.
The solution to stopping the attack is not so much technical.
Understanding what's going on and determining where it comes
from and then getting up to the carrier that controls those IP nets
is where you can do something.
Mike I have a lot of experience with this stuff. I'm sure you have
really good people around you. In case you can use extra help
feel free to hit me up. As I tried to explain, determining source nets
is the key to your problem.
DynaMite
UIN# 370820
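The "look at the traffic and write down which nets it comes from" step above, as an added example (not code from the post's author): it aggregates constructed flow records per source /24 (or /16) and flags the nets dominated by tiny non-TCP packets, which is the list you would hand to the upstream carrier. The flow tuples, thresholds and function names are assumptions for illustration.

```python
from collections import defaultdict
import ipaddress

# Constructed sample flow records (src_ip, proto, packets, bytes); not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.5", "udp", 40000, 1600000),
    ("203.0.113.77", "udp", 38000, 1520000),
    ("203.0.113.130", "icmp", 35000, 1050000),
    ("198.51.100.9", "icmp", 30000, 900000),
    ("198.51.100.200", "udp", 28000, 1120000),
    ("192.0.2.10", "tcp", 500, 600000),   # normal web traffic: few, large packets
    ("192.0.2.11", "tcp", 450, 540000),
]


def summarize_sources(flows, prefix_len=24):
    """Aggregate flows per source network (default /24, the 'C-class' of the post):
    total packets, distinct hosts, average packet size and share of non-TCP packets.
    Returns a list of dicts sorted by packet count, busiest net first."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "non_tcp": 0, "hosts": set()})
    for src, proto, pkts, byts in flows:
        net = str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
        a = agg[net]
        a["packets"] += pkts
        a["bytes"] += byts
        a["hosts"].add(src)
        if proto.lower() != "tcp":
            a["non_tcp"] += pkts
    rows = [{
        "net": net,
        "packets": a["packets"],
        "hosts": len(a["hosts"]),
        "avg_pkt_bytes": a["bytes"] / a["packets"],
        "non_tcp_share": a["non_tcp"] / a["packets"],
    } for net, a in agg.items()]
    rows.sort(key=lambda r: r["packets"], reverse=True)
    return rows


def suspect_nets(flows, prefix_len=24, max_avg_pkt=100, min_non_tcp=0.9):
    """Source nets whose traffic is mostly tiny non-TCP packets (the flood profile
    described in the post). Thresholds are assumed; tune them against your baseline."""
    return [r["net"] for r in summarize_sources(flows, prefix_len)
            if r["avg_pkt_bytes"] <= max_avg_pkt and r["non_tcp_share"] >= min_non_tcp]


if __name__ == "__main__":
    for row in summarize_sources(SAMPLE_FLOWS):
        print(row)
    print("report to carriers:", suspect_nets(SAMPLE_FLOWS))
```

Feed it real flow exports (e.g. NetFlow/sFlow converted to the same tuples) and raise the prefix to /16 to see which carrier-level nets dominate.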