How do you stop DoS attacks?
My site is down because of a DoS attack, nothing I can do, just sit here and wait for the NOC to handle it... but it made me wonder, can these attacks be stopped?
If it happened to eBay and Yahoo then there's really nothing anyone can do to stop it while it's happening, right?
Usually they just go away after a day or two. I don't think there is much you can do.
There are a couple of things you can do.
If you are using a Unix based system you can track the "offender" and use the route add command and send him off into space..... This takes about 25 seconds to do..... don't know how Windows accomplishes this..... Second, ask the ISP to route all traffic from that IP into "space". Third, get someone who knows what he is doing and tell them to make it so the server doesn't respond to ping requests..... There are other forms of DoS attack, granted.... but I have seen machines get "pinged" to death as well. All in all, DoS attacks suck eggs.
If you have logs, the ISP/host might block at a router level - all net traffic - but I wouldn't count on it.
You could request an IP change also (unlikely). Next time download the java file from thecrack.net before you download and save yourself some trouble!
The solutions above all work if the attack is coming from a single or a few IPs; if the attack comes from 1000s of IP addresses all in different netblocks it gets a bit tougher. "Pro" attacks always come from many different networks.... and use multiple attack methods like ICMP / UDP / connection floods... and sadly most ISPs do not know how to handle these. Hope that a backbone provider gets notified and takes measures. DynaMite
The worse scenario, and sadly the one I run into more, is DDoS or Distributed Denial of Service attacks.
Hackers basically have trojans sitting on many machines and then attack your server from multiple locations. I'm actually surprised your hosting company didn't contact you and try to resolve the issue on their end as well as your end.
Quote:
Unless the packet kiddie notices and DNSes your site again, lol. No hiding if the dude knows your sites.
Quote:
1: Pro attacks are network based and not targeted at 1 IP, which takes multiple servers or worse the whole ISP/router down. 2: Changing the IP requires a change in DNS which takes 2 days before the new DNS is picked up.... so really this isn't much help either. DynaMite
sigh
sigh sigh sigh sigh sigh sigh There goes my traffic =(
Lube up your ass & stop pissing off hackers
Sitting here thinking about it, I wonder who my host pissed off and how long this attack will continue... basically we are at their mercy it would seem. This attack has gone on for around 5 hours so far and has cut my traffic in half. I'm extremely pissed at the moment. So much for quitting smoking today.... it'll have to wait.
Are you on elitehost maybe? I heard more stories today..... and noticed more sites down..... well at least good I know... I won't delete the trade if it continues.... if it takes longer than 24h (which I don't hope) let me know when it's up again since then I will have set our trade to inactive (www.cyberpimp.net / www.gspotters.com). Good luck man..... I know this sucks... DynaMite
I've developed my own program for dealing with this early this year; since then, I don't suffer attacks anymore, and when someone dares, it gets very pissed off, very quickly.
I call my script BEOWULF, as in the old Nordic myth. I basically have the whole list of free proxies around the world. Now every time a DoS attack comes in, the program detects it and blocks the IP at router level and voila! Attack smoked.

The real important part is that Beowulf is PROACTIVE. You see, they never come up with just one IP, there are 1000s; if you block one, that doesn't matter, there are many more and they do that simultaneously. So Beowulf consults its huge IP database whenever it detects an attack pattern; if the IP is in the database, it raises up a 'shield' in this form, on your .htaccess: deny from 1.1.1.1, on every IP in the DB. What the hacker sees is that all his attack is falling down, hitting a concrete wall, and he just desists. Now there are some new IPs, then Beowulf learns them by adding them to its database, and it becomes harder to even start an attack every time. For the hard hitting IPs (more than 50 tries) Beowulf blocks them at router level to prevent a DoS.

Sometimes, rightful users are blocked; then my 403 goes to a page that needs the user to authenticate using his user/pass, only 3 attempts, and it lifts the ban on that IP. I don't sell nor disclose my code, but I can give you the IP database so you may construct your own BEOWULF. Hope it helps.
Quote:
Dyna, yep elitehost... I'll be sending a mass msg to all my traders once this is resolved. Add me on ICQ 141823362
I'll forward this thread to my host and maybe it'll help. Thanks all.
No, I didn't piss off any hackers, I don't know any.
Quote:
I'd love for my sys admin to have that code, but maybe I'm a little slow on this... I have tried and then been told that I can't allow/disallow IP/domain names while at the same time allowing un/pw's. .htaccess can only do one or the other. Have I been told wrong? I know I've tried to make it work myself but couldn't. vik
Quote:
A nice approach.... my compliments. DynaMite
Ok, in about 10 mins I'll be uploading the proxy list to one junior site: http://www.bulkporn.com/plist.txt
So everyone can get it. vik, YES YOU CAN! On Unix, the instruction reads as:
/sbin/route -n add -host x.x.x.x -gateway y.y.y.y -reject
x.x.x.x is your target IP to be blocked, y.y.y.y is a null or void IP, and in the .htaccess file:
deny from x.x.x.x
Now you can grab the file plist.txt and add it at the end of your .htaccess file and that will solve the immediate problem; check your error log for heavily repeating IPs and get those blocked with the route instruction above. I strongly believe in the sense of 'collective', but I won't release my code to anyone, some hacker can be reading this and can reverse engineer my code and find a loophole.
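An added example (my own, not the BEOWULF script or anything from the thread) of the repeat-offender step described in the BEOWULF post and the follow-up above: it counts requests per client IP in an Apache access log and prints the .htaccess "deny from" lines plus the route(8) reject commands for every IP over the 50-request mark, executing nothing. The log lines, the THRESHOLD variable and the y.y.y.y gateway placeholder are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: flag "hard hitting" client IPs in an
# Apache access log and print (a) .htaccess "deny from" lines and (b) the
# route(8) reject command quoted in the post. Everything is printed, never run.
# Assumes common/combined log format (client IP is the first field); the 50-hit
# threshold follows the BEOWULF post; LOG, THRESHOLD and y.y.y.y are constructed.
THRESHOLD=${THRESHOLD:-50}

# Constructed sample log: 192.0.2.10 hammers the site, 198.51.100.7 is a normal visitor.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
{
  i=0
  while [ "$i" -lt 60 ]; do
    echo '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'
    i=$((i + 1))
  done
  echo '198.51.100.7 - - [10/Oct/2000:13:55:40 -0700] "GET /index.html HTTP/1.0" 200 2326'
  echo '198.51.100.7 - - [10/Oct/2000:13:55:41 -0700] "GET /logo.gif HTTP/1.0" 200 512'
} > "$LOG"

# Print "count ip" for each client IP with more than $2 requests, busiest first.
offenders() {  # $1 = log file, $2 = threshold
  awk -v t="$2" '{ n[$1]++ } END { for (ip in n) if (n[ip] > t) print n[ip], ip }' "$1" \
    | sort -rn
}

# .htaccess fragment (Apache 1.3/2.2 "deny from" syntax used in the thread).
htaccess_deny() {  # $1 = log file, $2 = threshold
  offenders "$1" "$2" | awk '{ print "deny from " $2 }'
}

# Router-level block from the post, one reject route per offender (dry run).
route_reject_cmds() {  # $1 = log file, $2 = threshold, $3 = null/void gateway IP
  offenders "$1" "$2" \
    | awk -v gw="$3" '{ print "/sbin/route -n add -host " $2 " -gateway " gw " -reject" }'
}

echo "# .htaccess additions:";      htaccess_deny "$LOG" "$THRESHOLD"
echo "# route commands to review:"; route_reject_cmds "$LOG" "$THRESHOLD" y.y.y.y
```

Point it at a real log with `LOG=/path/to/access_log` (and pick a real unused gateway) only after reading the printed commands; a legitimate proxy or crawler can cross the threshold too.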
Quote:
Although, the webserver doesn't seem like the place to block a DoS to me. Even a firewall doesn't help much if they're filling your pipe with inbound traffic. (I once had to deal with 75 Mbit/sec inbound traffic - didn't hurt the servers, but filled the pipe so nobody could reach them)
Quote:
Apache can! It should look like this:
ErrorDocument 404 /404.htm
ErrorDocument 401 /401.htm
ErrorDocument 403 /403-ip.htm
# Access to XXX Members
AuthType Basic
AuthUserFile /your/htpasswd/file
AuthName "Members Access"
<Limit GET POST>
require valid-user
deny from 1.1.1.1
...
deny from x.x.x.x
</Limit>
I'm using FreeBSD, if you have something for this, I'm willing to hear.
The use of ipchains is very tricky and the use of route for generating a dead end had no effect on the performance of the server when taking heavy attacks; I remember one of almost 12000 IPs at a time and the server load topped 1.2. I'm talking from my experience, not theory, also I have 14 years experience on every flavor of Unix known to man (even UNICOS - old CRAY Unix), but again, Unix is so wonderful and vast, that sure I can miss something and if you can teach me something new, I'll be glad. In fact, if you do, I'll give you my BEOWULF code.
Quote:
work but allowing the packets to get in means your machine is still dealing with the packets..... ipchains IMHO should be better if you do not have access to a router. Especially .htaccess: I would never, unless there is no other option, let .htaccess control IPs that I need to get blocked. The webserver is the weakest part in the chain when it comes to attacks or handling packets. What's tricky about ipchains? I use it for all my firewalling and if set up properly it's very easy..... even easier than route to maintain a ruleset file...... quite similar to Cisco's access-list. DynaMite
Quote:
This time people that are not responsible for anything have to deal with others' shit. What you are doing affects a lot of webmasters and it's unfair. Hit me on ICQ 142032164 now and let's talk.
Quote:
Crazy.
Depends on what kind of attack is launched against you. If the attackers do it right, a DDoS attack is nearly impossible to stop.
Anyway, if the attack isn't using spoofing (the source IP of the attack is random/forged/faked) + you're running Linux and got root, you could just block the offending IP with the builtin Linux firewall:
ipchains -A input -j DENY -p all -l -s 1.1.1.1/32 -d 0.0.0.0/0
Would stop all traffic from IP 1.1.1.1. Another example:
ipchains -A input -j DENY -p all -l -s 1.1.1.1/24 -d 0.0.0.0/0
Would stop all traffic coming from 1.1.1.* (1.1.1.1 - 1.1.1.255). This is useful for totally blocking all traffic from a certain IP... your box will seem totally nonexistent to the blocked IP.
If you're getting attacked with a ping flood from many different IPs you can block it with (again, for Linux roots):
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
(any fool with Linux root could easily launch a ping attack with "ping -f <your ip>". Ping won't fake the source IP though so you can easily see where the attack is coming from).
If you're attacked with the classic synflood (eating CPU with half-open TCP connections) enabling syncookies could help:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
The good thing with the above methods is that they are fairly easy to take. The bad thing is that they will only stop the traffic out from your box... the bandwidth the DoS attack eats going into your network card/box can't be stopped this way. For that you have to contact your ISP and tell them a DDoS attack is going on... maybe they can filter the attack in their routers. So, always contact your uplink/ISP. Hope some of this helps.. (also posted in "Topic: If you're site was ddos'd..........").
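An added example (mine, not the poster's) wrapping the ipchains and /proc/sys steps above as dry-run helpers: cidr_network normalizes a source such as 1.1.1.1/24 to the range the rule really matches (1.1.1.0/24), ipchains_deny_rule prints the DENY rule from the post for it, and mitigation_status reports whether a toggle like tcp_syncookies is on by reading its file. The function names are invented here and nothing is applied to the kernel.

```shell
#!/bin/sh
# Added example, not the poster's code: dry-run helpers for the ipchains and
# /proc/sys mitigations above. Rules are printed for review, never applied, and
# the status check only reads a file. Function names are invented for this example.

# Normalize "a.b.c.d[/prefix]" to its network address (1.1.1.1/24 -> 1.1.1.0/24)
# so a rule states the range it actually matches; a bare address becomes /32.
cidr_network() {  # $1 = ip[/prefix]
  ip=${1%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  case $prefix in ''|*[!0-9]*) echo "bad prefix: $prefix" >&2; return 1;; esac
  [ "$prefix" -le 32 ] || { echo "bad prefix: $prefix" >&2; return 1; }
  set -- $(echo "$ip" | tr . ' ')
  [ $# -eq 4 ] || { echo "bad address: $ip" >&2; return 1; }
  for o in "$@"; do
    case $o in ''|*[!0-9]*) echo "bad octet: $o" >&2; return 1;; esac
    [ "$o" -le 255 ] || { echo "bad octet: $o" >&2; return 1; }
  done
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  n=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
    $(( (n >> 8) & 255 )) $(( n & 255 )) "$prefix"
}

# The DENY rule from the post for one source range (printed, not executed).
ipchains_deny_rule() {  # $1 = ip[/prefix]
  net=$(cidr_network "$1") || return 1
  echo "ipchains -A input -j DENY -p all -l -s $net -d 0.0.0.0/0"
}

# "on"/"off" for a /proc/sys toggle; $1 = path (default: the syncookies knob).
# Any readable file can be passed, so it can be checked offline.
mitigation_status() {
  f=${1:-/proc/sys/net/ipv4/tcp_syncookies}
  [ -r "$f" ] || { echo unknown; return 2; }
  [ "$(cat "$f")" = 1 ] && echo on || echo off
}

ipchains_deny_rule 1.1.1.1
ipchains_deny_rule 1.1.1.1/24
echo "tcp_syncookies: $(mitigation_status || :)"
```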
Quote:
I am new in here, and wanted to throw my hat in the ring. I am a former NE for Sprint and dealt with this issue many times. The only true way to stop a DoS attack is to have your ISP place filters and routing tables on their access router. This is easier said than done. Sprint I know will only add 25 lines of code to their routers. A good filter is at least 40+ lines of code. Now some providers have an 800 number you can call if a DoS attack starts and they will place some temp filters on to try to prevent them, but in my opinion this is a short term solution to a long term problem. One thing that can be done on the end user side is some sort of firewall. A Cisco PIX box has some real nice features and can help a lot with issues of this nature. The kicker is that a PIX box does not come cheap. Also for it to work you have to block all UDP traffic which is a pain in the ass. I hope this helps you out a bit.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.