Slashdot Mirror

← Back to Stories (view on slashdot.org)

Solutions to Ease the DDOS Trickle-Down Effect?

Posted by Cliff on from the snowballing-traffic dept.

dealsites asks: "Recently, The Electorial Vote website run by Andrew Tanenbaum was hit with a triple-threat. Not only was it Slashdotted, it was hit with a DDOS attack in conjunction with the busiest normal traffic day, due to the election. Netcraft has an article detailing the steps taken to mitigate the traffic. Andrew's host provider is also the provider of my site. I'm sure were are on separate servers, him a dedicated server and semi-dedicated hardware for myself, but I noticed dramatic slowdowns of my site during this triple-threat traffic onslaught to Andrew's site. Are there any techniques other than throwing more CPUs and bandwidth at the problem to remedy this type of situation? I'm sure I can't be the only one that has noticed this. Any comments on other similar stories?"

15 comments

  1. one suggestion by everyplace · · Score: 1

    My favorite solution to this problem : Don't get your site posted on slashdot!

    Which, of course, I realize is a ridiculous statement, since it's usually both desirable, and out of your control. But still, its funny.

  2. Nice. by Dibblah · · Score: 3, Funny

    "Not only was it Slashdotted"... Twice. You evil, evil submitter.

  3. Not to advertise by ebrandsberg · · Score: 4, Informative

    But the company I work for provides products that help in situations like this, although pre-planning for such events is critical for surges like this to be handled cleanly. For anybody interested, check out http://www.netscaler.com/ for information. Some key things to look for:

    1) That your upstream provider has sufficient capacity to handle large surges in traffic to one part of their infrastructure
    2) If you expect to receive a large surge, to overprovision your upstream links
    3) Make sure to have a front-end device that can determine "legitimate" traffic from bad traffic such as syn floods, and deal with the capacity of the upstream links.
    4) Make sure you have the ability to cache hot content in case you max out your servers if you need too. You don't need to regenerate a page of voting information with every request if it only changes ever few minutes, cache it to reduce the server load.

    In many cases, people fail to insure they have enough bandwidth on their upstream connections, and then put firewalls on the other side of the connection. Firewalls will tend to die under a heavy syn flood, and if they don't if you don't have enough capacity, it won't help anyway.

    1. Re:Not to advertise by Curien · · Score: 1

      Heh, I use to work for a web server admin shop, and about six months ago, we were considering going with a NetScaler product. We ended up going with something from F5 instead for entirely non-technical reasons.

      I have since moved on to smaller and less-important things (but in Germany, and with higher pay), so I'm not sure how well it worked out.

      --
      It's always a long day... 86400 doesn't fit into a short.
  4. Site is under attack currently... by stienman · · Score: 2, Informative

    From the main page of electoralvote2.com:

    All the servers appear to be under attack now, also DNS. I added another large multiprocessor but it doesn't seem to help much. I don't this is going to work. Sorry.

    The remainder have older messages on them - not sure how or if they are being automatically synced.

    Bummer, but kindof expected. Seems that he's using only one provider...

    -Adam

  5. coral by comwiz56 · · Score: 4, Insightful

    auto redirect all hits to a coral cache

    and maybe slashdot could post coralized links the in the articles

    1. Re:coral by Kris_J · · Score: 1

      If the site itself redirects to coral, won't that screw up the copy?

    2. Re:coral by comwiz56 · · Score: 1

      Javascript and possibly http headers could take care of that.

  6. File size by jm92956n · · Score: 5, Informative

    If you know you're about to get hit, minimize the graphics and streamline the code; this guy's got a page that's just over 30 kb (including graphics). Provided the page isn't generated dynamically, it shouldn't be too tough for a decent server to handle.

    Throw in some flash and a bunch of fancy images and you've got a recipe for disaster.

    --
    An effective signature identifies a particular user amongst a base of thousands.
    1. Re:File size by Kris_J · · Score: 3, Insightful

      That PNG map is two thirds larger than it needs to be. Less than a minute with pngout reduces it from 14,632 to 8,839. Also, it doesn't look like the page is being served gzipped. This can be done by creating a .gz copy and having the web server software hand out whatever the browser can handle, little or no cost to the CPU. All up, the site is probably serving 50% more traffic than it need serve.

  7. Deliberate troll... by Slime-dogg · · Score: 0, Troll

    It's just as well that his site is knocked off. His links are either pro-Kerry, Non-Partisan, or "Mixed." There are no pro-Bush links.

    I realize that he's got just as much of a right to say whatever he wants, but it troubles me that some people are looking to this as an authoritative source of information. IOW, he's biased.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
    1. Re:Deliberate troll... by Morosoph · · Score: 2, Insightful
      Maybe Non-Partisan means just that. He also clearly links to a pro-Bush site. From this page:
      I am a Kerry supporter. I am open about that. Despite my political preference, I have bent over backwards to be scrupulously honest about all the numbers, and have carefully designed the main page to be strictly nonpartisan. Only the third row of menu items below the map contains material that could be considered pro-Kerry (e.g., jokes about George Bush). If you are a Kerry supporter, an independent, a moderate Republican who is fed up with the President's fiscal and other policies or even a conservative Republican who feels betrayed and who has a sense of humor, you will probably enjoy them. If you want an election site that has a pro-Bush bias from beginning to end, including all over the main page, try www.electionprojection.com.
      --
      Wikileaks, no DNS
    2. Re:Deliberate troll... by dubl-u · · Score: 3, Insightful

      It's just as well that his site is knocked off.

      Yeah, that democracy stuff lets the wrong people have a say. Thank goodness there are script kiddies to prevent that. We should get together and buy a gift for them. How about some nice brown shirts?

      I realize that he's got just as much of a right to say whatever he wants, but it troubles me that some people are looking to this as an authoritative source of information. IOW, he's biased.

      Having an opinion doesn't mean that he's biased. Some people can separate the two. And he pretty clearly has.

      He's honest about his opinions, makes clear where he gets his data, and has a simple formula that he used to do the totals and the map. Out of the history I have in my RSS reader, his tally had Bush leading 14 times, Kerry leading 13 times, and them tieing once. As far as I can tell it's an honest effort to present the poll results in a useful format. He even provides the data as a CSV, so you can run the numbers as you please.

      So unless you have some proof that he's fudging the numbers, maybe you can lay off your apparently biased accusations of bias?

  8. Yes, there are tools that can help. by Anonymous Coward · · Score: 0

    Take a look here and here.

  9. There is a way... by Anonymous Coward · · Score: 0

    There are several things you can do to minimize or mitigate a DDOS attack, the first and most obvious method would be to host your server from two seperate hosting providors preferably in different geographic locations LA and NYC or Dallas and Seattle for example, have both IP's in dns with the same A record and it will be round-robined by DNS, so each visitor should be balanced between the two servers.

    Another cheap way is to deploy an inline IPS device which mitigates the attack in real-time. Some devices performance range drasticly with price.

    There are even some free ones such as OpenBSD' Packet Filter, this can supply advanced syn-flood protection, connection tracking and general packet scrubbing all within a low cost solution but with the lack of support and learning curve and completeness, so YMMV. I have tested several commercial devices and so far I am most impressed with the http://www.ddos.com/ guy's box it thoroughly kicks ass for the price.

    Anyways a couple of good sites to find more info on hardware, etc would be http://www.securityfocus.com/'s IDS mailinglist (yes all the IPS stuff goes here too) and also http://www.nss.co.uk/ who do alot of independent reviews of this kind of hardware. They charge for some of their reports but most of it can be found on their site for free.

    DDOS is a toughy, the best way is to keep a low profile :) if thats not an option, then your going to have to dish out some bucks to protect yourself. The Internet is the new Wild Wild West, there is no such thing as diplomacy.

    Good luck.