Slashdot Mirror
Ask Slashdot: Experience Handling DDoS Attacks On a Mid-Tier Site?
New submitter caboosesw writes "A customer of mine recently was hit by a quick and massive DDoS attack. As we were in the middle of things, we learned that there are proxy services of varying maturity to deal with these kinds of outbreaks from the small and mysterious (DOSArrest, ServerOrigin, BlackLotus, DDOSProtection, CloudFlare, etc.) to the large and mature (Prolexic, Verisign, etc.) Have you guys used any of these services? Especially on the lower price point that a small e-commerce (not pr0n or gambling) company could afford? Is a DDoS service really mandatory as Gartner now puts this type of service in the same tier as SEIM, firewalls, IPS, etc?"
There's two key strategies to avoid being DDoSed... first, have more processor, network speed, and disk I/O resources than you need for normal load so that the attacker can't fill one of your computers pipes. Then, host your server or servers at multi-connected datacenters which can cut off large users of your server before it reaches your NIC card. Firewalls at the server can't get back the bandwidth lost to needless connections, but firewalls at the datacenter entry points can. Basically, make sure none of your time-sensitive loads reach 100% and you're fine.
The load balancer to take the brunt of the attack and distribute traffic to multiple mirrors, and the sysadmin to watch the attack and start blacklisting IP ranges. Your service provider should have some kind of service in place unless you got the cheapest of cheap hosting solutions.
With that being said, hiring a third party ddos mitigator is entirely a cost benefit analysis that should be done on your end. Can whoever's providing your hosting now provision some extra servers and some harried sysadmins to keep you floating? See if you can ask for additional service support from your current provider.
If it helps against DDOS attacks, how is it stupid advice?
Because it doesn't really and you're just being a fanboi?
It was a lot cheaper to pay a third party proxy a $400/month rate for 45 days (until the asshats attempting the extortion got bored and went away) than it wold have been to provision more server horsepower, pay for the bandwidth, and pay T&M for the DC's NOC to help with firewalling. A quick DNS change, use the credit card, hold your breath until it stops. Quick, cheap, and you can go on to other things.
Don't disappoint your bird dog. Go to the range.
Remember this really cool slashdot story about a sysadmin on the receiving end of a DDOS?
http://slashdot.org/story/01/05/31/1330202/post-mortem-of-a-dos-attack
The original writeup link is dead but I found it here (warning: PDF). This was a really cool story.
http://www.stanford.edu/class/msande91si/www-spr04/readings/week1/grcdos.pdf
"You cannot find out which view is the right one by science in the ordinary sense." - C.S. Lewis on Intelligent Design
That all these "services" are part of a protection racket?
"Oh...having DDOS problems? Just sign up with our service and we can help you out."
While not as crude as burning down building, DDOS attacks are a perfect persuader to grow your business.
I figure this is half tin foil hat and half probably real, given the things organized crime has been into in the past. It's perfect actually, you don't have to hurt people, the attacks can't be traced and your "protection" can be fine tuned to avoid looking suspicious.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
The mere question of how to mitigate a DDOS indicates a fundamental lack of understanding of how IP networking and DDOS works.
You (the ISP customer) have no ability to control what packets are sent to you over your uplink circuits. You can control what you send, but you have no ability to control what you receive.
Read the sentence above. Repeat as necessary.
Even if you knew with 100% certainty which packets were "bad" packets and which were "good" packets, if your uplink is saturated, dropping them on your edge router/firewall/whatever is 100% ineffective.
The best mitigating strategy is that you need to have an agreement with your ISP and plan in place prior to an attack. Identify the hostile addresses, give them to your ISP, and they will null-route those sources either within their core or even at the edges of their networks to prevent entry. Your ISP has the capacity to mitigate a DDOS attack, you as the little customer do not.
So, are you saying nginx will work when you receive more TCP requests than your server can handle? Or the upstream router? Or when evey page render is a database hit? Nginx is a lot faster than apache when serving static content, and at the cost of some flexibility. Guess what? Most of the web isn't static content, even if it appears so. Do you think sessions and agent info are logged into ether? Get real.
And yes, I DO use nginx, and it rocks. It's just not the silver bullet you're talking about.
Even if you knew with 100% certainty which packets were "bad" packets and which were "good" packets, if your uplink is saturated, dropping them on your edge router/firewall/whatever is 100% ineffective.
Your "best strategy" advice is very good, but it is not the "only strategy."
As others have said, you can also have multiple entry points all sharing the same back end. Each of these entry points can be on their own hosting provider. In principle, you can arrange for the front-end/back-end connection at your front-end provider to NOT share a physical wire with the "public" side of your front-end, so if it gets hit hard it crowd out traffic going to/from the back end.
Here's an example:
I run poormeddosvictim.com. I have servers at 3 sites around the country, 1.666.3.4 1.2.666.4, and 1.2.3.666.
For some reason, some mining company on Mars thinks I am evil so they keep DDOSing me.
Hosting provider A is widely connected. I advertise 1.666.3.4 so all but one of A's pipes see direct connections. I use A's remaining pipe to connect back to my back-end. I work with A so the traffic to the back-end never shares a wire or router with incoming traffic. Bang on A's incoming pipes all you want, I'll still be able to talk to my back end unless you crash me entirely.
I have similar arrangements with hosting providers B and C.
I put my back end at hosting provider D and, just for grins, have a backup back end on hosting provider E that syncs up regularly with the back-end on D.
It doesn't help against DDoS attacks. Not even remotely, not even a little bit. To put the advice to a metaphor, a DDoS attack is where there are so many people loitering in the front lobby of a business that people can't even get into the front door of a building. Using a different web server is like having a receptionist who speaks faster; it doesn't address the nature of the attack in the slightest way possible. These attacks are either driven by saturation of network links or by leveraging vulnerabilities in underlying database-driven applications (hint: a little-known SQL command called WAITFOR is often to blame); using nginx won't help in the slightest bit.
Christ...these attacks are over a decade old; read up or be quiet.
For your security, this post has been encrypted with ROT-13, twice.
Apache can be configured to drop sessions more quickly to get past the trauma, but the hosts need more configuration. Shortening TCP session duration is key, but so also is going to something else than BIND, which is also less survivable than other DNS servers, IMHO. There are some reasonable TOE card, router, and layer 2/3 switch configs that can also help cut down the pain.
Load balancing helps, watching syslogs for weird behavior and using a syslog manager to alert you when various events occur, all these do as much good as the expense of fortress-ware.
---- Teach Peace. It's Cheaper Than War.
You are partly correct but you are oversimplifying things.
You assume that in a DDOS attack, your upstream capacity is 1) over-saturated and 2) the only thing that is over-saturated, or at least that nothing else would be saturated if your upstream capacity were bigger.
If your DDOS attack is not saturating your upstream, either a) you are successfully fending it off, or b) you are still suffering but increasing your upstream capacity is not the answer.
In the case of b), the suggestions you call irrelevant are worth looking at.
Remember, not all DDOS attacks are massively distributed. Sometimes it may be only 100 or 200 machines hitting you in a given moment. Sometimes it's 100 or 200 thousand machines or more trying to bang on your door. Sometimes it's in between.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I've lived through this (although in my case the twits doing it were holding us for ransom) Prolexic was the solution we went with and I endorse it. The economics of the situation strongly favor outsourcing to a third party. It's a service you'll likely need for a short period of time, provisioning it yourself would entail obtaining equipment and specialized expertise that you would have to commit to over a long period of time. A Prolexic can afford to obtain better equipment, and have specialized staff who can configure it to block the latest attack because they're dealing with it for clients constantly.
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Instead of nginx, I'd use g-wan
It's very efficient, even more than nginx
Muchas Gracias, Señor Edward Snowden !
Posting AC as I would prefer not to expose my employer in anyway.
I went through this exact situation the week before last Thanksgiving last year. I work for a gifting retailer that makes all of its money in Q4. Not a good situation. We're a small - mid sized business with about $20 million in sales from our Ecommerce site.
We went the cheap route first. The proxy service cost about $500/month and guaranteed 10 Mbps clean traffic to the site. Our DNS was changed swinging our domains to the proxy service and ACLs put in place on the "backend" to only allow connections from our new gateway in the proxy.
Things were fine for about 24 hours when the attack was stepped up. The service was seeing 450 Mbps inbound to our main domain. That is not a mistake - 450 Mbps is easily attained using a botnet or simply focusing the attention of some lurkers on pastebin links. We now had to change DNS AGAIN to "upgrade" to their better platform that could handle this attack. As we started this work, we also began talking to a couple of the higher end services...
After the $500/month service capped out and blew a gasket, we made the tough decision to go with the Cadillac. It was costly and they had us over a barrel (day before Thanksgiving, cheap service not working out, "sure would hate to see your site go down on Black Friday" mob pressure). But we knew even half a day of lost demand would pay for the yearly service (yes, it is yearly - no month to month option).
The difference was amazing. As soon as we had swung our DNS over to the new guys, the attack was mitigated within 5 minutes and abated within 20. This, of course, leads the paranoid to wonder whether it was the service doing the attacking to begin with, but we are a high profile target in the minds of the Occupy movement, so it made sense (I do not share my employers sense of community - it is only a job).
We have been attacked since then and every time the attack was mitigated within 5 minutes. If you require this type of uptime, build this service into your budget from the beginning.
I used to run infosec for one of the mid-tier online gaming operations run out of the Caribbean. We got extorted by one of these gangs, and ended up paying Prolexic (they were Digidefense at the time) to solve this for us.
As for weather you can risk doing without it depends strongly on what your user tolerance for downtime is and how bursty your revenue stream is. The lower the tolerance and/or the more bursty the revenue stream the more vulnerable you are to these sort of attack methodology, as the opposition pays for the time they are actually attacking you, so if you can weather the attack they'll eventually give it up. If on the other hand they can cost you significant sums of cash by taking you out for 6 hrs (say sports betting, target the opening day games), that increases your susceptibility to these attacks.
Feel free to drop me a line if you have any more questions (my /. listed email will get to me).
Min
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
I recommend Akamai's services as a CDN for static content (eliminates a lot of load from your own servers), a proxy for dynamic content (shield/reverse proxy effect services) as well as a protection against (D)DoS attacks. They have a number of great case studies ( http://www.akamai.com/html/customers/index.html ) which are well worth the time looking through, as they have successfully mitigated attacks against small, medium and large websites. Their (repackaged) Kona Security Services are surprisingly good.
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.
1) A properly configured FreeBSD router/firewall will handle 200k+ connections per second
2) Configure the firewall to proxy TCP hand-shakes, so your web servers don't get flooded with syn packets unless the hand-shake actually finishes
3) Mid-grade nginx web server will handle 70k+ requests/sec
4) Setup your DNS to round-robin to several web servers
Between your firewall and your webserver rules, you should be able to filter most obvious DDOS's. That which you can't filter, you'll just have to brute-force it and suck it up.
Your web servers can handle more requests than you have bandwidth, the next bottle-neck is your database.
There is not "silver bullet" like you said, but a properly designed system should be robust enough to leave your bandwidth your bottle-neck Most web apps I see aren't designed to properly make use of SQL. It's like someone trying to shoe-horn procedural logic into a database. Gotta get your DB architect to work with the programmers.
A properly architected web app with a properly architected DB should be able to handle more requests than your bandwidth can handle.
The only real DDOS to worry about is a flood and you can't really stop that unless it's a simple up-stream change. Enough machines DDOS'n ping floods at you will take you down. Filter all you want at your router, you won't have the bandwidth. Would be too simple to filter up-stream. A bunch of random forged TCP packets will suck up your bandwidth. If the attack is well distributed, ain't not'n you can do about it.
There is not "Silver Bullet" like you said, but a properly designed system should have bandwidth as its bottle-neck
My take on this is that nginx is cool for static pages, we all should know that.... new optimisations in Apache 2.4 hope to address some of these and Apache is easier for me to configure for dynamic sites with controllers.
Regarding DDOS - neither of these will help... there are different types of DDOS attacks, sure. Any site that is dynamic in nature is screwed by any DDOS before it even saturates the entrance because an inability to disseminate requests in time causes the webserver to effectively stall. There are mitigations, one of the best is iptables rate limit for DOS attacks, of course defending DDOS attacks requires enough horsepower behind the scenes, so that when the entrance is saturated, requests can still be distributed usually by a load-balancer that places the bottleneck at the entrance alone - placing the site in the cloud with auto-scaling will solve this at a cost. Any type of DDOS attack that relies on an exploit though, requires a fix, removal or workaround before any horsepower mitigation can take place.
This is a discussion you need to take to the NANOG list. Don't ask the amateurs, ask the professionals. The answer will involve ACLs, BGP settings, and community strings. If you don't have your own ASN then you need to push the issue upstream and work with your provider. Period. If you do have your own ASN and are running BGP then you need to read the NANOG list (and learn to take shit from Randy Bush, et al. They know what they are talking about.) Asking on /. can only make things worse.
-- I have a private email server in my basement.
Amazon AWS bills you bandwidth directly. A DDoS could get very expensive.
#!/bin/csh cat $0
To most of the commenters: WTF? You have obviously never been involved in a DDOS attack. Here is why:
1) A typical DDOS attack in 2012 will send traffic measured in hundreds of MBPS/GBPS down your pipe. Not only is this a massive volume of traffic, but almost all of it is in the form of SYN/ACK packets (which are exponentially more difficult for your frontend servers to handle; especially when they are never followed by a FIN.) This is many orders of magnitude more difficult to deal with than what most sites are scoped for. You cannot just "handle it," we're talking about something that is often 7-8 standard deviations away from your "normal" peak traffic levels. In other words, your infrastructure cannot handle it. Because if you overbuilt your infrastructure to those levels, you are an idiot. DDoS protection services cost a fraction of what it would cost you to build a network that could handle that. /b/tards decided to DDoS us, but I took care of it 3 months ago."
2) Your normal DDOS doesn't come from one "large user." (hence, the first D in DDoS.) It comes from thousands (or hundreds of thousands) of IP addresses, all at once. Botnets? Yeah, they are real things, and they can be really destructive. And bad people control them, and you may have fired their mother at one point. Who knows why they have it in for you, but they probably will at some point.
3) Even if your infrastructure could handle an amount of legitimate traffic equal to the volume the DDoS will produce over the span of 6-12 hours, you would then have to pay for it. I promise you, you don't want to be in that position. Most hosting providers probably won't make you pay for all of it, but they will become real interested in what you're hosting that would make someone want to DDoS you in the first place. And your boss will probably make you find a proxy solution to solve the problem; so why not be proactive about it so you can say "Yeah, those
TL;DR: DDoS proxy services like CloudFlare exist for a reason: it's simply not economically feasible to overbuild your infrastructure to the point where you could survive such an attack. Pay the man, keep your site up, and ignore the punks smashing cars in the street because you have insurance, so fuck em.
1) Yeah, in test environments with empty or very very small packets. The truth is, PF isn't threaded, so not only you're bound by ethernet I/O, but also by core processing power. Also, there are open port limits, internal buffer limits, and actual traffic limits (data). If you're pulling your data from a cluster (shared storage, database, whatever), it usually translates to more tcp connections. For real workloads and usual datacenter limits (100Mbps or 1Gbps uplink), you won't get nowhere near that value, unless you have multiple servers and/or your own upstream.
2) TCP connection limits (which FreeBSD handles somewhat gracefully), and if you have a fast link, you'll probably have PF performance issues
3) Requests/s is only a part of the equation, and it is meaningless in a DDOS context. Imagine your server receive a flood of requests from another continent - the RTT alone for the 3-way TCP handshake will probably exaust the available ports. So again, yes, I highly doubt you get those numbers in real-world usage (70k requests of a 1Kb file will be real close to saturating a Gigabit link, and that's assuming it's an instantaneous process).
4) That is a good solution, but it's not really nginx-awesomeness related, is it?
What you describe are the usual steps when you have the money to do it, the infrastructure, and the staff to mantain it. Installing nginx as a way of solving DDOS is plain stupid, specially when most optimizations you can apply to nginx are also valid in apache, and the result will be the same - a properly configured environment will usually have - as you said - bandwidth as its bottleneck, regardless of the web technology used.
Yeah, but if you have reverse proxy or caching servers, you might as well skip nginx and use varnish, or any other specialized solution. Or even Apache (with the plus of having mod_security). It's not like nginx automagically now enables you to do stuff that wasn't possible before. I actually never used nginx as a reverse proxy, but I've read some comments from people that had some issues with it, and switched to varnish instead.
This was changed last year. AWS doesn't charge for inbound traffic. Amazon Web Services Pricing Changes Effective July 1, 2011