Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 10-17-2002, 02:56 PM   #1
Marcus
Confirmed User
 
Industry Role:
Join Date: Jul 2001
Posts: 3,472
How do you stop dos attacks?

My site is down because of a dos attack, nothing I can do, just sit here and wait for the noc to handle it...but it made me wonder, can these attacks be stopped?

If it happened to ebay and yahoo then there's really nothing anyone can do to stop it while it's happening, right?
Old 10-17-2002, 02:58 PM   #2
twistyneck
So Fucking Banned
 
Join Date: Jan 2002
Location: Hanging by the neck until dead.
Posts: 4,660
Usually they just go away after a day or two. I don't think there is much you can do.
Old 10-17-2002, 04:43 PM   #3
footguy
Registered User
 
Join Date: Oct 2002
Location: FL
Posts: 30
there's a couple things you can do.

If you are using a Unix based system you can track the "offender" and use the routeadd command and send him off into space.....
This takes about 25 seconds to do..... don't know how windows accomplishes this.....

Second, ask the ISP to route all traffic from that IP into "space"

Third, get someone who knows what he is doing and tell them to make it so the server doesn't respond to ping requests.....
There are other forms of DOS attack, granted.... but I have seen machines get "pinged" to death as well.

All in all, DOS attacks suck eggs.
Old 10-17-2002, 04:45 PM   #4
dickblast
Confirmed User
 
Join Date: Oct 2002
Location: Ben Curtis's Tour Bus
Posts: 666
if u have logs ISP/host might block at a router level - all net traffic - but i wouldn't count on it

you could request an ip change also unlikely

next time download the java file from thecrack.net b4 u download and save urself some trouble!
__________________
Ben Curtis is a Ninja
Old 10-17-2002, 04:51 PM   #5
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
The solutions above all work if the attack is coming from a single
or a few IP's if the attack comes from 1000's of IP addresses all
in different netblocks it gets a bit tougher.

"Pro" attacks always come from many different networks....
and use multiple attack methods like ICMP / UDP /Connection
floods...and sadly most ISP's do not know how to handle these.

Hope that a backbone provider gets notified and takes measures.

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 10-17-2002, 04:53 PM   #6
priest
Confirmed User
 
Industry Role:
Join Date: Aug 2002
Location: Los Angeles, California
Posts: 139
The worse scenario and sadly the one I run into more are DDoS or Distributed Denial of Service attacks.

Hackers basically have trojans sitting on many machines and then attack your server from multiple locations.

I'm actually surprised your hosting company didn't contact you and try to resolve the issue on their end as well as your end.
Old 10-17-2002, 04:53 PM   #7
dickblast
Confirmed User
 
Join Date: Oct 2002
Location: Ben Curtis's Tour Bus
Posts: 666
Quote:
Originally posted by DynaSpain
The solutions above all work if the attack is coming from a single
or a few IP's if the attack comes from 1000's of IP addresses all
in different netblocks it gets a bit tougher.

"Pro" attacks always come from many different networks....
and use multiple attack methods like ICMP / UDP /Connection
floods...and sadly most ISP's do not know how to handle these.

Hope that a backbone provider gets notified and takes measures.

DynaMite
changing ip of ur server to a different block = only sure fire method

unless the packit kiddie notices and dns'es ur site again lol

no hiding if the dood knows ur sites
__________________
Ben Curtis is a Ninja
Old 10-17-2002, 05:01 PM   #8
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally posted by dickblast


changing ip of ur server to a different block = only sure fire method

unless the packit kiddie notices and dns'es ur site again lol

no hiding if the dood knows ur sites
In theory yes.....but there are 2 downsides to this....

1: Pro attacks are network based and not targeted at 1 IP
which takes multiple servers or worse the whole ISP/router
down.

2: Changing the IP requires change in DNS which takes 2 days
before the new DNS is picked up....so really this isn't much
help either

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 10-17-2002, 05:01 PM   #9
RMG
Confirmed User
 
Join Date: Apr 2002
Posts: 542
sigh

sigh

sigh

sigh

sigh




sigh


sigh

There goes my traffic =(
Old 10-17-2002, 05:03 PM   #10
pr0
rockin tha trailerpark
 
 
Industry Role:
Join Date: May 2001
Location: ~Coastal~
Posts: 23,088
Lube up your ass & stop pissing off hackers
Old 10-17-2002, 05:07 PM   #11
RMG
Confirmed User
 
Join Date: Apr 2002
Posts: 542
sitting here thinking about it, I wonder who my host pissed off and how long this attack will continue...basically we are at their mercy it would seem. This attack has gone on for around 5 hours so far and has cut my traffic in half. I'm extremely pissed at the moment. So much for quitting smoking today....it'll have to wait.
Old 10-17-2002, 05:15 PM   #12
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Are you on elitehost maybe? I heard more stories today.....and
noticed more sites down.....well at least good I know...I won't
delete the trade if it continues....if it takes longer than 24h (which
I don't hope) let me know when it's up again since then I will have
set our trade to inactive (www.cyberpimp.net / www.gspotters.com)

Good luck man.....I know this sucks...

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 10-17-2002, 05:22 PM   #13
El Demonio
Confirmed User
 
Join Date: Oct 2002
Location: Hell
Posts: 237
I've developed my own program for dealing with this early this year, since then, I don't suffer attacks anymore, and when someone dares it gets very pissed off, very quickly.

I call my script BEOWULF, as in the old nordic myth.

I basically have the whole list of free proxies around the world, now every time a DOS attack comes in the program detects it and blocks the IP at router level and voila!, attack smoked.

The real important part is that beowulf is PROACTIVE, you see, they never come up with just one IP, there are 1000's, if you block one, that doesn't matter, there are many more and they do that simultaneously, so Beowulf consults its huge IP database whenever it detects an attack pattern, if the IP is in the database, it raises up a 'shield' in this form:

on your .htaccess:

deny from 1.1.1.1

on every IP in the DB, what the hacker sees is that all his attack is falling down, hitting a concrete wall and he just desists.

now there are some new IP's, then beowulf learns them by adding them to its database, and it becomes harder to even start an attack every time. For the hard hitting IP's (more than 50 tries) Beowulf blocks them at router level to prevent a DOS

Sometimes, rightful users are blocked, then my 403 goes to a page that needs the user to authenticate using his user/pass only 3 attempts and it lifts the ban in that IP.

I don't sell nor disclose my code, but i can give you the IP database so you may construct your own BEOWULF

hope it helps.
__________________
WE ARE ALL ONE CIRCLE, NO BEGINNING, NO END.
Old 10-17-2002, 05:28 PM   #14
RMG
Confirmed User
 
Join Date: Apr 2002
Posts: 542
Quote:
Originally posted by El Demonio
[Post #13, quoted in full.]
nice.

Dyna yep elitehost...I'll be sending a mass msg to all my traders once this is resolved. Add me to icq 141823362
Old 10-17-2002, 05:30 PM   #15
Marcus
Confirmed User
 
Industry Role:
Join Date: Jul 2001
Posts: 3,472
I'll forward this thread to my host and maybe it'll help. thanks all

no i didn't piss off any hackers, I dont know any.
Old 10-17-2002, 05:30 PM   #16
vik
Confirmed User
 
Join Date: Oct 2002
Location: Minneapolis
Posts: 144
Quote:
Originally posted by El Demonio
[Post #13, quoted in full.]
El D,

I'd love for my sys admin to have that code, but maybe I'm a little slow on this . . . I have tried and then been told that I can't allow/disallow IP/Domain names while at the same time as allowing un/pw's. .htaccess can only do one or the other. Have I been told wrong? I know I've tried to make it work myself but couldn't.



vik
__________________
PhotosByVik.com
Photonudity.com
Old 10-17-2002, 05:38 PM   #17
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally posted by El Demonio
[Post #13, quoted in full.]
You should lease the usage of the script.....very interesting and
a nice approach....my compliments

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 10-17-2002, 05:45 PM   #18
El Demonio
Confirmed User
 
Join Date: Oct 2002
Location: Hell
Posts: 237
Ok, in about 10 mins i'll be uploading the proxy list to one junior site: http://www.bulkporn.com/plist.txt

So everyone can get it.

On vik, YES YOU CAN!, on Unix, the instruction reads as:

/sbin/route -n add -host x.x.x.x -gateway y.y.y.y -reject

x.x.x.x is your target IP to be blocked
y.y.y.y is a null or void IP

and in the .htaccess file:

deny from x.x.x.x

now you can grab the file plist.txt and add it at the end of your .htaccess file and that will solve the immediate problem, check your error log for heavily repeating IP's and get those blocked with the route instruction above.

I strongly believe in the sense of 'collective', but I won't release my code to anyone, some hacker can be reading this and can reverse engineer my code and find a loophole.
__________________
WE ARE ALL ONE CIRCLE, NO BEGINNING, NO END.
Old 10-17-2002, 05:48 PM   #19
El Demonio
Confirmed User
 
Join Date: Oct 2002
Location: Hell
Posts: 237
BTW:

The full proxy list collected for more than 18 months is here:

http://www.bulkporn.com/fdip.db
__________________
WE ARE ALL ONE CIRCLE, NO BEGINNING, NO END.
Old 10-17-2002, 05:51 PM   #20
CowboyAtHeart
Registered User
 
Join Date: Oct 2002
Posts: 94
Quote:
Originally posted by vik

El D,

I'd love for my sys admin to have that code, but maybe I'm a little slow on this . . . I have tried and then been told that I can't allow/disallow IP/Domain names while at the same time as allowing un/pw's. .htaccess can only do one or the other. Have I been told wrong? I know I've tried to make it work myself but couldn't.



vik
Vik: apache anyway, can allow/deny access very flexibly. ie: deny from 1.1.1.1 unless there is a proper user/pass, and stuff. With a little bit of perl/php you can do even more. (mod_perl access handlers are nice)

Although, the webserver doesn't seem like the place to block a dos to me. Even a firewall doesn't help much if they're filling your pipe with inbound traffic. (I once had to deal with 75 mbit/sec inbound traffic - didn't hurt the servers, but filled the pipe so nobody could reach them)
Old 10-17-2002, 05:56 PM   #21
CowboyAtHeart
Registered User
 
Join Date: Oct 2002
Posts: 94
Quote:
Originally posted by El Demonio
[Post #18, quoted in full.]
My manpages on route specifically state that it should not be used for firewalling. I would think ipchains/iptables(linux) or whatever command is used on your particular system would be a better way, just drop the packet coming in rather than try to reply to it and fail a route lookup, generating a host-unreachable error and all that. Also, adding records on the webserver is kinda pointless if the machine can't be reached anyway, or am I missing something?
Old 10-17-2002, 06:00 PM   #22
El Demonio
Confirmed User
 
Join Date: Oct 2002
Location: Hell
Posts: 237
apache can!, it should look like this:

ErrorDocument 404 /404.htm
ErrorDocument 401 /401.htm
ErrorDocument 403 /403-ip.htm

# Access to XXX Members
AuthType Basic
AuthUserFile /your/htpasswd/file
AuthName "Members Access"
<Limit GET POST>
require valid-user

deny from 1.1.1.1
...
deny from x.x.x.x
</Limit>
__________________
WE ARE ALL ONE CIRCLE, NO BEGINNING, NO END.
Old 10-17-2002, 06:06 PM   #23
El Demonio
Confirmed User
 
Join Date: Oct 2002
Location: Hell
Posts: 237
I'm using freeBSD, if you have something for this, i'm willing to hear.

The use of ipchains is very tricky and the use of route for generating a dead end had no effect in the performance of the server when taking heavy attacks, I remember one of almost 12000 IPs at a time and the server load topped 1.2

I'm talking from my experience, not theory, also I have 14 years experience on every flavor of Unix known to man, (Even UNICOS - old CRAY Unix), but again, Unix is so wonderful and vast, that sure I can miss something and if you can teach me something new, I'll be glad.

In fact, if you do, i'll give you my BEOWULF code.
__________________
WE ARE ALL ONE CIRCLE, NO BEGINNING, NO END.
Old 10-17-2002, 06:45 PM   #24
pine
Confirmed User
 
Join Date: Oct 2002
Location: The Falls, eh
Posts: 1,373
I found this fairly interesting:

http://grc.com/dos/drdos.htm
__________________
unattended error: ID 10 T. Check connection between keyboard and chair.
Old 10-18-2002, 01:25 AM   #25
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
Quote:
Originally posted by El Demonio
I'm using freeBSD, if you have something for this, i'm willing to hear.

The use of ipchains is very tricky and the use of route for generating a dead end had no effect in the performance of the server when taking heavy attacks, I remember one of almost 12000 IPs at a time and the server load topped 1.2

I'm talking from my experience, not theory, also I have 14 years experience on every flavor of Unix known to man, (Even UNICOS - old CRAY Unix), but again, Unix is so wonderful and vast, that sure I can miss something and if you can teach me something new, I'll be glad.

In fact, if you do, i'll give you my BEOWULF code.
I agree...using route or worse .htaccess for firewalling might
work but allowing the packets to get in means your machine is still dealing with the packets.....ipchains imho should be better if you do not have access to a router.

Especially .htaccess: I would never, unless there is no
other option, let .htaccess control IPs that I need to get blocked.
The webserver is the weakest part in the chain when it comes to
attacks or handling packets.

What's tricky about ipchains? I use it for all my firewalling and if
setup properly it's very easy.....even easier than route to
maintain a ruleset file......quite similar to cisco's access-list

DynaMite
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 10-18-2002, 01:31 AM   #26
Mr Cheeks
Confirmed User
 
 
Join Date: Apr 2002
Posts: 901
Quote:
Originally posted by El Demonio
[Post #18, quoted in full.]
god damn hella mothefucka ill feelin good post... god job kid
Old 10-18-2002, 06:04 AM   #27
Theo
HAL 9000
 
Industry Role:
Join Date: May 2001
Posts: 34,515
This time people that are not responsible for anything have to deal with others shits. What you are doing affects a lot of webmasters and it's unfair. Hit me on icq 142032164 now and let's talk.
Old 10-18-2002, 06:48 AM   #28
Juge
Confirmed User
 
Join Date: Feb 2001
Posts: 1,917
Quote:
Originally posted by pine
I found this fairly interesting:

http://grc.com/dos/drdos.htm
"By the time the attack ended, Verio's router had discarded more than one billion (1,072,519,399) malicious SYN/ACK packets."

Crazy.
Old 10-18-2002, 07:12 AM   #29
extreme
Confirmed User
 
Industry Role:
Join Date: Oct 2002
Location: lalaland
Posts: 2,120
Depends on what kind of attack that is launched against you. If the attackers do it right a DDOS attack is nearly impossible to stop.

Anyway, if the attack isn't using spoofing (the source ip of the attack is random/forged/faked) + you're running linux and got root you could just block the offending ip with the builtin linux firewall:

ipchains -A input -j DENY -p all -l -s 1.1.1.1/32 -d 0.0.0.0/0

Would stop all traffic from IP 1.1.1.1.

Another example:

ipchains -A input -j DENY -p all -l -s 1.1.1.1/24 -d 0.0.0.0/0

Would stop all traffic coming from 1.1.1.* (1.1.1.1 - 1.1.1.255)

This is useful for totally blocking all traffic from a certain ip ... your box will seem totally nonexistent to the blocked ip.

If you're getting attacked with a PINGflood from many diff IPs You can block it with (again, for linux roots):

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

(any fool with linuxroot could easily launch a pingattack with "ping -f <your ip>". Ping won't fake the sourceIP though so You can easily see where the attack is coming from).

If You're attacked with the classic synflood (eating CPU with halfopen TCP connections) enabling syncookies could help:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

The good thing with the above methods is that they are fairly easy to take. The bad thing is that they will only stop the traffic Out from your box .. . the bandwidth the DOSattack eats going Into your Networkcard/Box can't be stopped this way. For that you have to contact your ISP and tell them a DDOS attack is going on... maybe they can filter the attack in their routers. So, always contact your uplink/isp.

Hope some of this helps..

(also posted in "Topic: If you're site was ddos'd...........").
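The log-driven blocking described in posts #13, #18 and #29, as an added example; it is not BEOWULF or any poster's code. It counts hits per source address in constructed Apache access-log lines, applies the thread's "more than 50" threshold, and emits iptables drop rules plus the matching .htaccess deny lines. The /24 roll-up threshold, the allowlist and all function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict

HITS_PER_IP = 50          # from the thread: "more than 50 tries" earns a packet-level block
OFFENDERS_PER_BLOCK = 4   # assumption: this many offenders in one /24 become one /24 rule


def count_hits(log_lines):
    """Count requests per client address (first field of an Apache access-log line)."""
    hits = Counter()
    for line in log_lines:
        field = line.split(" ", 1)[0]
        try:
            hits[ipaddress.IPv4Address(field)] += 1
        except ValueError:
            # Hostname, IPv6 or junk: skipped, so no unvalidated log text
            # can end up inside a firewall command that runs as root.
            continue
    return hits


def plan_blocks(hits, allowlist=()):
    """Return the sorted networks to block; allowlisted hosts are never included."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    by_block = defaultdict(list)
    for ip, n in hits.items():
        if n > HITS_PER_IP and not any(ip in net for net in allowed):
            by_block[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    targets = []
    for block, ips in by_block.items():
        covers_allowed = any(block.overlaps(net) for net in allowed)
        if len(ips) >= OFFENDERS_PER_BLOCK and not covers_allowed:
            targets.append(block)  # one rule for the whole netblock
        else:
            targets.extend(ipaddress.ip_network(f"{ip}/32") for ip in ips)
    return sorted(targets)


def iptables_rules(targets):
    """Packet-filter form: drop on input, as post #21 suggests instead of route."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in targets]


def htaccess_rules(targets):
    """Web-server form from post #13; a single host is written without a mask."""
    return [f"deny from {net.network_address if net.prefixlen == 32 else net}"
            for net in targets]


def sample_log():
    """Constructed access-log lines using documentation address ranges."""
    line = '{ip} - - [17/Oct/2002:14:56:00 -0400] "GET / HTTP/1.0" 200 512'
    lines = []
    for host in (10, 11, 12, 13):                      # four heavy hitters in one /24
        lines += [line.format(ip=f"198.51.100.{host}")] * 60
    lines += [line.format(ip="203.0.113.7")] * 51      # lone heavy hitter
    lines += [line.format(ip="203.0.113.8")] * 50      # exactly 50: not "more than 50"
    lines += [line.format(ip="192.0.2.5")] * 500       # own monitoring host, allowlisted
    lines.append('198.51.100.10;x - - [-] "GET / HTTP/1.0" 400 0')  # malformed field
    return lines


if __name__ == "__main__":
    plan = plan_blocks(count_hits(sample_log()), allowlist=["192.0.2.5"])
    print("\n".join(iptables_rules(plan)))
    print("\n".join(htaccess_rules(plan)))
```

As posts #20 and #29 point out, rules like these only help when the source addresses are not spoofed, and they do nothing once the inbound link itself is full.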
Old 10-18-2002, 08:34 AM   #30
fiveyes
Confirmed User
 
Join Date: Aug 2001
Location: New Orleans
Posts: 1,680
Quote:
Originally posted by DynaSpain

...
2: Changing the IP requires change in DNS which takes 2 days
before the new DNS is picked up....so really this isn't much
help either
...
Not so, it's the change of a name server that is required to propagate and takes 2 days or so. A change of the IP at the name server level is more of a matter of minutes. If a browser is using a cached version of the IP it might initially fail to find the server but a reload of the page usually results in a new query to the name server, which is then cached when the site responds successfully.
Old 10-18-2002, 08:59 AM   #31
brently27
Registered User
 
Join Date: Oct 2002
Location: Kansas City
Posts: 1
I am new in here, and wanted to throw my hat in the ring. I am a former NE for Sprint and dealt with this issue many times. The only true way to stop a DoS attack is to have your ISP place filters and routing tables on their access router. This is easier said than done. Sprint I know will only add 25 lines of code to their routers. A good filter is at least 40+ lines of code. Now some providers have an 800 number you can call if a DoS attack starts and they will place some temp filters on to try to prevent them, but in my opinion this is a short term solution to a long term problem. One thing that can be done on the end user side is some sort of firewall. A Cisco PIX box has some real nice features and can help a lot with issues of this nature. The kicker is that a PIX box does not come cheap. Also for it to work you have to block all UDP traffic which is a pain in the ass. I hope this helps you out a bit.