Slashdot Mirror
Ask Slashdot: Experience Handling DDoS Attacks On a Mid-Tier Site?
New submitter caboosesw writes "A customer of mine recently was hit by a quick and massive DDoS attack. As we were in the middle of things, we learned that there are proxy services of varying maturity to deal with these kinds of outbreaks from the small and mysterious (DOSArrest, ServerOrigin, BlackLotus, DDOSProtection, CloudFlare, etc.) to the large and mature (Prolexic, Verisign, etc.) Have you guys used any of these services? Especially on the lower price point that a small e-commerce (not pr0n or gambling) company could afford? Is a DDoS service really mandatory as Gartner now puts this type of service in the same tier as SEIM, firewalls, IPS, etc?"
There's two key strategies to avoid being DDoSed... first, have more processor, network speed, and disk I/O resources than you need for normal load so that the attacker can't fill one of your computers pipes. Then, host your server or servers at multi-connected datacenters which can cut off large users of your server before it reaches your NIC card. Firewalls at the server can't get back the bandwidth lost to needless connections, but firewalls at the datacenter entry points can. Basically, make sure none of your time-sensitive loads reach 100% and you're fine.
The load balancer to take the brunt of the attack and distribute traffic to multiple mirrors, and the sysadmin to watch the attack and start blacklisting IP ranges. Your service provider should have some kind of service in place unless you got the cheapest of cheap hosting solutions.
With that being said, hiring a third party ddos mitigator is entirely a cost benefit analysis that should be done on your end. Can whoever's providing your hosting now provision some extra servers and some harried sysadmins to keep you floating? See if you can ask for additional service support from your current provider.
If it helps against DDOS attacks, how is it stupid advice?
Because it doesn't really and you're just being a fanboi?
It was a lot cheaper to pay a third party proxy a $400/month rate for 45 days (until the asshats attempting the extortion got bored and went away) than it wold have been to provision more server horsepower, pay for the bandwidth, and pay T&M for the DC's NOC to help with firewalling. A quick DNS change, use the credit card, hold your breath until it stops. Quick, cheap, and you can go on to other things.
Don't disappoint your bird dog. Go to the range.
Yay. Someone finally got that right.
I'm interested in this. I'm in the process of launching a real-money gambling MMORPG, and gambling sites (well, so I've been told) tend to get extorted. I spoke to Prolexic today and was shocked at how expensive they are: $3000/month minimum, plus setup fees.
Have any fellow Slashdot readers tried running a gambling site without such protection? Is it reasonable to assume we'll be enough under-the-radar at first to avoid the attacks?
Remember this really cool slashdot story about a sysadmin on the receiving end of a DDOS?
http://slashdot.org/story/01/05/31/1330202/post-mortem-of-a-dos-attack
The original writeup link is dead but I found it here (warning: PDF). This was a really cool story.
http://www.stanford.edu/class/msande91si/www-spr04/readings/week1/grcdos.pdf
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
Manage your own IP ranges and disable any IPs that are not in use via your IP registry provider. You can run an IDS/IPS that can alert you to an attack in progress.
Have good upstream providers, preferrably ones that use the new DDOS prevention/detection appliances, and ones that can respond to block routing to attacked IPs temporarily if necessary.
That all these "services" are part of a protection racket?
"Oh...having DDOS problems? Just sign up with our service and we can help you out."
While not as crude as burning down building, DDOS attacks are a perfect persuader to grow your business.
I figure this is half tin foil hat and half probably real, given the things organized crime has been into in the past. It's perfect actually, you don't have to hurt people, the attacks can't be traced and your "protection" can be fine tuned to avoid looking suspicious.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
The mere question of how to mitigate a DDOS indicates a fundamental lack of understanding of how IP networking and DDOS works.
You (the ISP customer) have no ability to control what packets are sent to you over your uplink circuits. You can control what you send, but you have no ability to control what you receive.
Read the sentence above. Repeat as necessary.
Even if you knew with 100% certainty which packets were "bad" packets and which were "good" packets, if your uplink is saturated, dropping them on your edge router/firewall/whatever is 100% ineffective.
The best mitigating strategy is that you need to have an agreement with your ISP and plan in place prior to an attack. Identify the hostile addresses, give them to your ISP, and they will null-route those sources either within their core or even at the edges of their networks to prevent entry. Your ISP has the capacity to mitigate a DDOS attack, you as the little customer do not.
So, are you saying nginx will work when you receive more TCP requests than your server can handle? Or the upstream router? Or when evey page render is a database hit? Nginx is a lot faster than apache when serving static content, and at the cost of some flexibility. Guess what? Most of the web isn't static content, even if it appears so. Do you think sessions and agent info are logged into ether? Get real.
And yes, I DO use nginx, and it rocks. It's just not the silver bullet you're talking about.
You do realize that you can configure Apache to defend against DoS attacks, for example making the timeout threshold a shorter period of time.
If you are worried about bloat, why not go the whole nine yards and build your server from the ground up using Gentoo Linux or FreeBSD, compile everything from source and optimize binaries for the server's micro-architecture.
I'd suggest stop using a shared host, and looking for a real provider. Choose a dedicated server or colo solution (or AWS if you need the redundancy and HA), hire a good reputable company to set it up and mantain it for you. 3Gbps traffic is child's play even for small companies, and even if your dedicated server/colo is hit by this kind of stuff (3Gbps), I doubt it will be prejudicial to other clients.
Ignore this, since it wouldn't help all that much. I'd say that https://www.varnish-cache.org/ can help, but to be honest, if you want to be up, just stick them on Amazon Cloud services or something. They'll have a really hard time getting to that, and you'll leave all the defending and whatnot to be someone elses' job
Even if you knew with 100% certainty which packets were "bad" packets and which were "good" packets, if your uplink is saturated, dropping them on your edge router/firewall/whatever is 100% ineffective.
Your "best strategy" advice is very good, but it is not the "only strategy."
As others have said, you can also have multiple entry points all sharing the same back end. Each of these entry points can be on their own hosting provider. In principle, you can arrange for the front-end/back-end connection at your front-end provider to NOT share a physical wire with the "public" side of your front-end, so if it gets hit hard it crowd out traffic going to/from the back end.
Here's an example:
I run poormeddosvictim.com. I have servers at 3 sites around the country, 1.666.3.4 1.2.666.4, and 1.2.3.666.
For some reason, some mining company on Mars thinks I am evil so they keep DDOSing me.
Hosting provider A is widely connected. I advertise 1.666.3.4 so all but one of A's pipes see direct connections. I use A's remaining pipe to connect back to my back-end. I work with A so the traffic to the back-end never shares a wire or router with incoming traffic. Bang on A's incoming pipes all you want, I'll still be able to talk to my back end unless you crash me entirely.
I have similar arrangements with hosting providers B and C.
I put my back end at hosting provider D and, just for grins, have a backup back end on hosting provider E that syncs up regularly with the back-end on D.
It doesn't help against DDoS attacks. Not even remotely, not even a little bit. To put the advice to a metaphor, a DDoS attack is where there are so many people loitering in the front lobby of a business that people can't even get into the front door of a building. Using a different web server is like having a receptionist who speaks faster; it doesn't address the nature of the attack in the slightest way possible. These attacks are either driven by saturation of network links or by leveraging vulnerabilities in underlying database-driven applications (hint: a little-known SQL command called WAITFOR is often to blame); using nginx won't help in the slightest bit.
Christ...these attacks are over a decade old; read up or be quiet.
For your security, this post has been encrypted with ROT-13, twice.
Apache can be configured to drop sessions more quickly to get past the trauma, but the hosts need more configuration. Shortening TCP session duration is key, but so also is going to something else than BIND, which is also less survivable than other DNS servers, IMHO. There are some reasonable TOE card, router, and layer 2/3 switch configs that can also help cut down the pain.
Load balancing helps, watching syslogs for weird behavior and using a syslog manager to alert you when various events occur, all these do as much good as the expense of fortress-ware.
---- Teach Peace. It's Cheaper Than War.
You are partly correct but you are oversimplifying things.
You assume that in a DDOS attack, your upstream capacity is 1) over-saturated and 2) the only thing that is over-saturated, or at least that nothing else would be saturated if your upstream capacity were bigger.
If your DDOS attack is not saturating your upstream, either a) you are successfully fending it off, or b) you are still suffering but increasing your upstream capacity is not the answer.
In the case of b), the suggestions you call irrelevant are worth looking at.
Remember, not all DDOS attacks are massively distributed. Sometimes it may be only 100 or 200 machines hitting you in a given moment. Sometimes it's 100 or 200 thousand machines or more trying to bang on your door. Sometimes it's in between.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Recently a friends web-dev company was hit with a ddos over the course of a weekend to multiple sites across their hosting. Turns out that the ddos attack was actually testing for a point of php injection (or so they think), by the 3rd day the ddos had stopped. However all index.php, footer.php, header.php and some other common named files across many directories contained malicious code which rewrote this malicious code every time one of them was ran. Sure his above statement may not be totally correct, however ddos can equal a compromise (not that a 'secure connection' would stop php injection afaik).
I've lived through this (although in my case the twits doing it were holding us for ransom) Prolexic was the solution we went with and I endorse it. The economics of the situation strongly favor outsourcing to a third party. It's a service you'll likely need for a short period of time, provisioning it yourself would entail obtaining equipment and specialized expertise that you would have to commit to over a long period of time. A Prolexic can afford to obtain better equipment, and have specialized staff who can configure it to block the latest attack because they're dealing with it for clients constantly.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Instead of nginx, I'd use g-wan
It's very efficient, even more than nginx
Muchas Gracias, Señor Edward Snowden !
Question: How to protect against DDoS attacks without regard to the availability of the target of the attack Answer: If your carrier supports it, initiate an RTBH on the targeted IP. If not, contact the helpdesk and have them null route it.
NO. That is not a DDos protection strategy. That is a "white flag" strategy. It is essentially surrender, because you are intentionally making the attack succeed against the target then.
Posting AC as I would prefer not to expose my employer in anyway.
I went through this exact situation the week before last Thanksgiving last year. I work for a gifting retailer that makes all of its money in Q4. Not a good situation. We're a small - mid sized business with about $20 million in sales from our Ecommerce site.
We went the cheap route first. The proxy service cost about $500/month and guaranteed 10 Mbps clean traffic to the site. Our DNS was changed swinging our domains to the proxy service and ACLs put in place on the "backend" to only allow connections from our new gateway in the proxy.
Things were fine for about 24 hours when the attack was stepped up. The service was seeing 450 Mbps inbound to our main domain. That is not a mistake - 450 Mbps is easily attained using a botnet or simply focusing the attention of some lurkers on pastebin links. We now had to change DNS AGAIN to "upgrade" to their better platform that could handle this attack. As we started this work, we also began talking to a couple of the higher end services...
After the $500/month service capped out and blew a gasket, we made the tough decision to go with the Cadillac. It was costly and they had us over a barrel (day before Thanksgiving, cheap service not working out, "sure would hate to see your site go down on Black Friday" mob pressure). But we knew even half a day of lost demand would pay for the yearly service (yes, it is yearly - no month to month option).
The difference was amazing. As soon as we had swung our DNS over to the new guys, the attack was mitigated within 5 minutes and abated within 20. This, of course, leads the paranoid to wonder whether it was the service doing the attacking to begin with, but we are a high profile target in the minds of the Occupy movement, so it made sense (I do not share my employers sense of community - it is only a job).
We have been attacked since then and every time the attack was mitigated within 5 minutes. If you require this type of uptime, build this service into your budget from the beginning.
Actually it does, and that's one of the reason for using nginx as a proxy and cache server before the appache server.
No matter how many times I see it, my first thought on seeing "DOS attack" is that a virus downloaded MS-DOS onto a computer.
Which would almost be the worst thing to happen to a computer.
I recommend Akamai's services as a CDN for static content (eliminates a lot of load from your own servers), a proxy for dynamic content (shield/reverse proxy effect services) as well as a protection against (D)DoS attacks. They have a number of great case studies ( http://www.akamai.com/html/customers/index.html ) which are well worth the time looking through, as they have successfully mitigated attacks against small, medium and large websites. Their (repackaged) Kona Security Services are surprisingly good.
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.
I have had a few large spikes and MaxCDN and CloudFlare have kept my site up with no issues, so the real answer is distributed caches and you get what you pay for. - HEX
Horror & SciFi Erotic Nudes
You do understand that there are different kinds of DDOS attacks and flooding the available bandwidth is just one of them?
In fact most DDOS attacks rely on causing heavy load on the server. Bringing down server like that requires much less resources of your own than flooding it with pure traffic.
Geez, slashdot, this is one of the fundamentals of DDOS attacks.
I've lost count of how many years I've been waiting for the Spoofarino utility
And I'm not alone, other people also been talking about that utility
http://www.spywarepoint.com/gibsons-spoofarino-utility-t54570.html
Muchas Gracias, Señor Edward Snowden !
I agree. It seems like your hosting was using the attack as an excuse to try shoving an upsell down your throat.
Any transaction that allows someone else to take advantage of your own misfortune should be viewed skeptically.
1) A properly configured FreeBSD router/firewall will handle 200k+ connections per second
2) Configure the firewall to proxy TCP hand-shakes, so your web servers don't get flooded with syn packets unless the hand-shake actually finishes
3) Mid-grade nginx web server will handle 70k+ requests/sec
4) Setup your DNS to round-robin to several web servers
Between your firewall and your webserver rules, you should be able to filter most obvious DDOS's. That which you can't filter, you'll just have to brute-force it and suck it up.
Your web servers can handle more requests than you have bandwidth, the next bottle-neck is your database.
There is not "silver bullet" like you said, but a properly designed system should be robust enough to leave your bandwidth your bottle-neck Most web apps I see aren't designed to properly make use of SQL. It's like someone trying to shoe-horn procedural logic into a database. Gotta get your DB architect to work with the programmers.
A properly architected web app with a properly architected DB should be able to handle more requests than your bandwidth can handle.
The only real DDOS to worry about is a flood and you can't really stop that unless it's a simple up-stream change. Enough machines DDOS'n ping floods at you will take you down. Filter all you want at your router, you won't have the bandwidth. Would be too simple to filter up-stream. A bunch of random forged TCP packets will suck up your bandwidth. If the attack is well distributed, ain't not'n you can do about it.
There is not "Silver Bullet" like you said, but a properly designed system should have bandwidth as its bottle-neck
My take on this is that nginx is cool for static pages, we all should know that.... new optimisations in Apache 2.4 hope to address some of these and Apache is easier for me to configure for dynamic sites with controllers.
Regarding DDOS - neither of these will help... there are different types of DDOS attacks, sure. Any site that is dynamic in nature is screwed by any DDOS before it even saturates the entrance because an inability to disseminate requests in time causes the webserver to effectively stall. There are mitigations, one of the best is iptables rate limit for DOS attacks, of course defending DDOS attacks requires enough horsepower behind the scenes, so that when the entrance is saturated, requests can still be distributed usually by a load-balancer that places the bottleneck at the entrance alone - placing the site in the cloud with auto-scaling will solve this at a cost. Any type of DDOS attack that relies on an exploit though, requires a fix, removal or workaround before any horsepower mitigation can take place.
Annoyingly we haven't had an attack since
What a coincidence eh?
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Requests for static content -- the only area where anyone can make any kind of semi legitimized claim about Nginx's performance -- are never going to be about causing load on the server but about flooding its bandwidth. Dynamic content is where most DDoS attacks are successful especially for prolonged periods of time (perhaps even simply increasing cost without directly affecting service). Most people's shitty drupal and wordpress site are going to crumble easily regardless of what httpd.
I want to see this website!
Actually, any website that is properly optimized is already serving most of it content as static. That is what caches are for. And yes, you can (and should) cache even parts of the page. However, even with dynamic content there is a very clear difference between serving with apache or nginx. Sure, someone who really knows Apache can maybe hack it to work as fast, but how many persons actually know? Let's be realistic here.
Most of the time just switching to nginx and properly caching your content can mitigate DDOS attacks. Sometimes you may need more, but the point is that you should fix these bottlenecks first anyway.
This is a discussion you need to take to the NANOG list. Don't ask the amateurs, ask the professionals. The answer will involve ACLs, BGP settings, and community strings. If you don't have your own ASN then you need to push the issue upstream and work with your provider. Period. If you do have your own ASN and are running BGP then you need to read the NANOG list (and learn to take shit from Randy Bush, et al. They know what they are talking about.) Asking on /. can only make things worse.
-- I have a private email server in my basement.
That's too generic. I manage a heavily dynamic site and so we use both, since page caching is a waste of time, the cache has to be a little further down and the impact of using any particular brand of webserver application will be held back by the processing behind the entrance point.
1) acquire a Gibson
2) change username/password of superuser account from 'god'
3) profit, since Gibsons easily survive ddos attacks/flooding as evidenced by the documentary released over a decade ago detailing attempts to hack a Gibson
Amazon AWS bills you bandwidth directly. A DDoS could get very expensive.
#!/bin/csh cat $0
Use a mirror in another data-center for your e-commerce website. Post link on the main website to the mirror or mirrors.
Update mirrors with a script.
The ideas (prejudices) of monarchy, monotheism, etc. are set firmly in our heads, but why your e-commerce should have only one and only URL? Let it have 2 or 3 URLs.
We use a mirror for the 4th year, and it is the 4th year of sanity for me.
You could server your site from multiple EC2 regions, and use anycasting if you don't need to manage state server-side. You're going to pay out the nose for traffic and instance time, but Amazon's AWS should have *more* that enough capacity to server as a sink for all but the largest of attackers.
To most of the commenters: WTF? You have obviously never been involved in a DDOS attack. Here is why:
1) A typical DDOS attack in 2012 will send traffic measured in hundreds of MBPS/GBPS down your pipe. Not only is this a massive volume of traffic, but almost all of it is in the form of SYN/ACK packets (which are exponentially more difficult for your frontend servers to handle; especially when they are never followed by a FIN.) This is many orders of magnitude more difficult to deal with than what most sites are scoped for. You cannot just "handle it," we're talking about something that is often 7-8 standard deviations away from your "normal" peak traffic levels. In other words, your infrastructure cannot handle it. Because if you overbuilt your infrastructure to those levels, you are an idiot. DDoS protection services cost a fraction of what it would cost you to build a network that could handle that. /b/tards decided to DDoS us, but I took care of it 3 months ago."
2) Your normal DDOS doesn't come from one "large user." (hence, the first D in DDoS.) It comes from thousands (or hundreds of thousands) of IP addresses, all at once. Botnets? Yeah, they are real things, and they can be really destructive. And bad people control them, and you may have fired their mother at one point. Who knows why they have it in for you, but they probably will at some point.
3) Even if your infrastructure could handle an amount of legitimate traffic equal to the volume the DDoS will produce over the span of 6-12 hours, you would then have to pay for it. I promise you, you don't want to be in that position. Most hosting providers probably won't make you pay for all of it, but they will become real interested in what you're hosting that would make someone want to DDoS you in the first place. And your boss will probably make you find a proxy solution to solve the problem; so why not be proactive about it so you can say "Yeah, those
TL;DR: DDoS proxy services like CloudFlare exist for a reason: it's simply not economically feasible to overbuild your infrastructure to the point where you could survive such an attack. Pay the man, keep your site up, and ignore the punks smashing cars in the street because you have insurance, so fuck em.
Nginx is not really going to help if you are getting DDOSed and your incoming pipes are full.
The problem isn't at the web server layer, it's at the network layer.
"They do wierd things like load web pages repeatedly while never loading images/running javascript/loading CSS stylesheets."
Just saying-- so do the blind....
every day http://en.wikipedia.org/wiki/Special:Random
Agreed. I've personally stopped DDoS attacks (the attack was coming from many sources - and therefore was distributed, and was stopping the customer's web server from responding - and therefore was a denial of service) by running Squid as a reverse proxy in front of the web server. In this case it was IIS which was being brought down by just 10Mb of malicious traffic. Yes, running a reverse proxy or changing Apache to nginx isn't going to solve 40Gb/s traffic hitting your 1Gb/s interface, but it may well fix a small attack which is depleting resources.
1) Yeah, in test environments with empty or very very small packets. The truth is, PF isn't threaded, so not only you're bound by ethernet I/O, but also by core processing power. Also, there are open port limits, internal buffer limits, and actual traffic limits (data). If you're pulling your data from a cluster (shared storage, database, whatever), it usually translates to more tcp connections. For real workloads and usual datacenter limits (100Mbps or 1Gbps uplink), you won't get nowhere near that value, unless you have multiple servers and/or your own upstream.
2) TCP connection limits (which FreeBSD handles somewhat gracefully), and if you have a fast link, you'll probably have PF performance issues
3) Requests/s is only a part of the equation, and it is meaningless in a DDOS context. Imagine your server receive a flood of requests from another continent - the RTT alone for the 3-way TCP handshake will probably exaust the available ports. So again, yes, I highly doubt you get those numbers in real-world usage (70k requests of a 1Kb file will be real close to saturating a Gigabit link, and that's assuming it's an instantaneous process).
4) That is a good solution, but it's not really nginx-awesomeness related, is it?
What you describe are the usual steps when you have the money to do it, the infrastructure, and the staff to mantain it. Installing nginx as a way of solving DDOS is plain stupid, specially when most optimizations you can apply to nginx are also valid in apache, and the result will be the same - a properly configured environment will usually have - as you said - bandwidth as its bottleneck, regardless of the web technology used.
Yeah, but if you have reverse proxy or caching servers, you might as well skip nginx and use varnish, or any other specialized solution. Or even Apache (with the plus of having mod_security). It's not like nginx automagically now enables you to do stuff that wasn't possible before. I actually never used nginx as a reverse proxy, but I've read some comments from people that had some issues with it, and switched to varnish instead.
Not to mention the bill for disk reads/writes. Staying up under a DDoS on ec2 could be the worst thing that ever happened to you. It could even be worse than bidding high on a spot instance and surviving a ridiculous rate spike.
If you mod me down the terrorists will have won
This was changed last year. AWS doesn't charge for inbound traffic. Amazon Web Services Pricing Changes Effective July 1, 2011
There are several available solutions, depending on your budget. You could opt for a cloud hosting solution (AWS, GoGrid, etc) so your cluster could scale dynamically according to demand. You could roll your own solution (and there are several options with different price ranges, from simple web cluster to redundant replicated clusters in different datacenters), preferably with a provider that won't panic over 3Gbps traffic. You could use a proxy service like those mentioned in the article.
:D
To put it in perspective, many modern datacenters have 10G pipes to the rack. A modern server can handle 10G traffic with iptables (assuming somewhat simple rules) without issues. A midrange NAS probably can pull out more than 3Gbps of data.
The problem is, a DDOS targets resources. If your provider doesn't have the pipes to handle it, it won't even get close to your server, and all their infrastructure will probably drown. If the provider can handle it, then you can actually try to do something about it - front-end caching servers with round-robin DNS, firewalling and/or segment blackholing (some providers can easily configure AS blocking), and a scalable multi-tier architecture, so you don't get offline by TCP resource starvation, database or I/O overload. There are some nifty appliances for web filtering (like Citrix NetScaler or whatever is called), but I have no experience with them. They seem to work for big companies, so it may be an option.
Oh, and 100Mbps won't cut it (specially if it's those 10Mbs burstable to 100Mbps). I probably could DoS your server with my internet connection alone
Obvious solution. You will have invented the reverse slashdot effect .
Futurist Traditionalism
Don't pay any heed to what the likes of gartner say, none of these things are "mandatory", they are all a factor of risk vs benefit vs cost...
If your running a webserver, it only has tcp/80 open and nothing else... Then you add a firewall which sits infront and only allows 80/tcp, what have you gained? You may have an extra point of monitoring, and mitigation against outbound traffic *if* the box gets compromised... But if someone exploits a vulnerability on port 80 it's not going to help you (and there was never anything else to exploit). On the other hand, your costs have now increased (Cost of firewall, + cost of management, + power/hosting costs), you now have an extra point of failure, an extra target for hackers and potentially reduced performance (increase risk of ddos) because the firewall device does far more processing per packet than your host does, and has a slower cpu.
Same with an IDS/IPS, cost of the device, cost of monitoring it (after all its largely pointless if not monitored), risk of false positives causing disruption with an IPS etc.
Similarly when it comes to risk of ddos, are you hosting anything thats likely to be a target? If someone does take your site down, what will it cost you for it to be down?
Also consider extra capacity to handle unusual loads (eg a link from slashdot), is the extra cost worth it to handle the 0.01% of the time you get that much traffic?
And most importantly, when you read advice from the likes of gartner take it all with a pinch of salt... Ask yourself this, who pays their wages? You will find that a lot of their funding comes from the very vendors that sell these products they are now claiming to be "mandatory"... Do you really think they are in any way impartial?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Security by obscurity. The more obscure your website becomes, the less chance of a DDOS attack!
The question is..
Did the attacker throw 3gbps at it because that's all they had, or because that's all that was needed to do the job?
It's not uncommon for multiple colo customers to be on a shared switch with 1gb uplink especially when each individual customer only has a 100mbit port, a 3gbps attack will take all of those offline even if it doesn't harm the colo provider a a whole.
Also the isp has to pay for the bandwidth usage that hits them, even if most of it never actually reaches the end customer... A sustained 3gbps attack could become quite expensive if it lasts long enough to push their 95th percentile billing up. If their average customer only uses 1mbps, chances are they don't have an especially high commit rate.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It's not uncommon for multiple colo customers to be on a shared switch with 1gb uplink especially when each individual customer only has a 100mbit port
Yes, you are right, but if you have DDNS worries, you'll keep away from those providers, and/or opt for a beefier connection. Many of them will happily provide you with detailed information regarding network structure, so you can be aware of what you are actually paying. Also, many of those "cheaper" providers have somewhat frequent DoS attacks inside their own network (some machines get compromised, and then try to scan/infect everybody else), so, again, handling/filtering a 3Gbps attack isn't usually a big deal.
Also the isp has to pay for the bandwidth usage that hits them, even if most of it never actually reaches the end customer...
That's the ISP's problem, and I seriously doubt that the pricing doesn't reflect these "hidden costs".
So, being aware that are issues when using nginx as a reverse proxy instead of varnish, is useless? And those comments were made here, on slashdot, so god forbid you use a search engine to confirm what issues are those...
> In fact most DDOS attacks rely on causing heavy load on the server.
If that's the case you are far worse off using nginx. 'Untuned' apache will limit your poor webserver to 256 running threads. With defaults nginx will start 1000 processes, which makes your site four times as dead. And if you are clueless but know how to google you can easily get at 10.000.
The kind of attack that relies on high load preys on clueless admins who think that 'tuning a webserver' is maxing out all limits.
When my company's software got DoS'd, we looked for areas that we could provide performance enhancements either in the database of application. A lot of times, you can handle tons more traffic by making sure that everything in the application is performing as well as possible. Also, traffic shapers couldn't hurt, since they give you a way to automatically monitor for DoS style attacks and block them. Just my 2 cents.
this is not true anymore, amazon does not charge for inbound traffic.
If your hosting service doesn't have an Anti-DDoS tier or option available, the people at blockdos.net were able to help in a pinch. If your host can change your IP address, you'll get the best results. You point your domain at the BlockDoS provided IP and then set your firewall (or server if firewall not an option) to block any inbound traffic not coming from a second BlockDoS provided IP. The downside is that you lose a lot of request header information and your server logs show all requests coming from a small set of IPs. (Using external services such as Google Analytics still works fine though.)
It seems Slashdot stopped notifying me of AC replies, weird :P
If you don't have the infrastructure and/or the staff, outsourcing DDOS protection seems a good choice. Trying to protect against the 3Gbps mark is a bit silly, since next time you may get hit by 10x that traffic. It is important to learn the nature of the attack (are we talking about hundreds of ip addresses, or a dozen? are they "residential connections" or compromised servers? is it a TCP handshake attack, or requests to specific pages? do those pages exist, or is the fancy 404 rewrite eating up resources by pulling the page from the database?), and probably some optimizations can be made to your ecommerce platform (such as reducing requests, pulling images from CDNs, etc - check tools.pingdom.com for basic hints) so that the traffic spent with legitimate customers can be lowered.
Ask yourself this: how much do you lose for each day your ecommerce platform is down? Since you seem to have a single-server solution, if you consider let's say, 5 days of downtime per year, how much would you lose? Do the losses are greater than 50% of cost of a fancy redundant infrastructure? If so, upgrade immediately.
Since you say you are from the UK (hi neighbour, I'm from Portugal), you may also want to check available other providers such as Rackspace. They probably have some cloud-based solution that may fit your budget.
There is an interesting presentation made by Mayhem a couple of years ago (mostly touting OpenBSD's awesomeness) regarding a DDOS case (also "small" traffic), and how they handled it. You can read the pdf at http://2009.confidence.org.pl/materialy/prezentacje/alessio_pennasilico_bakeca_ddos_confidence_2009.pdf
You're a bit off. nginx by default has 1 thread per core. 4 core cpu is 4 threads. It never has more than those 4 threads. nginx uses async IO, apache uses threads.
"PF isn't threaded"
I don't know for sure myself, but I recently saw a benchmark by Intel using FreeBSD and their main claim was making use of multiple cores. They had a FreeBSD box pushing 20Gb/sec of routing for with 1500byte packets and it could still handle over 10Gb/sec with 64byte packets.
One of the biggest changes for FreeBSD9 was the extra threading their network stack does, it is suppose to help dramatically with the stateful firewall.
"most optimizations you can apply to nginx are also valid in apache"
The biggest thing I like about nginx is not its great out of box speed, but how it scales past its peak. nginx is fairly async and when you get past peak performance, it only has mild negative scaling. Apache, on the other hand, has horrible negative scaling under load. Heck, properly programmed async IIS web apps are almost near perfect and just plateau once peak performance is reached.
Not true. A number of DDoS attacks are screens for penetration actions. If security is more important than uptime, pull the plug. If uptime is more important than security, then get any of the expensive anti-DDoS boxes, and work with your provider.
Learn to love Alaska
I guess you are confusing the FreeBSD TCP stack optimizations with stateful packet inspection - routing, by default, does not touch firewalling.
But hey, straight from the horse's mouth: http://www.openbsd.org/faq/pf/ru/perf.html . That's why there's a new (NetBSD) project called NPF, that aims the creation of a more sofisticated and scalable packet filter.And, afaik, FreeBSD 9.0 TCP optimizations relate to congestion algorithms, not necessarily firewalling.
I often see these misconception of trying to translate internal/testing/development benchmarks into real-case usage. Just because a piece of software measured 100k connections/s on a controlled environment and selected hardware, it doesn't mean it will perform similarly on your machine. Local network application tests are done with clean, well-formed, unrouted traffic. In internet-facing production servers, you'll get all kinds of garbage. The real amount of hits/s you'll get will depend of a plethora of factors, such as average content size, network latency, I/O latency, design of the application, quality of the hardware, quality of the drivers, etc. The choice of webserver is relevant, but not that much. TCP attacks can drown your machine (by network exaustion) long before you see any real advantage of using Nginx regarding DDOS scenarios. It is also very common to see people switching to nginx and being forced to learn what they are doing, so the idea they have of apache is "all modules loaded" and some random options on a control panel.
I use both webservers, for different applications. Nginx is faster in static content, and seems to handle stress very well. Apache is feature-complete with a plethora of third-party modules (such as mod_security) and behaves very well as a general-purpose server (I actually use a lot mpm_itk, so every vhost has its own uid/gid). Sometimes you can squeeze extra performance by trading Apache for Nginx, sometimes it will break your app (complex mod_rewrite rules, for example). But that's relevant for legitimate users - if your network pipes are clogged by requests, both webservers will appear unavailable.