Slashdot Mirror
Ask Slashdot: How To Deal With a DDoS Attack?
First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"
You just gave him $400 more than he had before, and he knows you're good for it.
What were you thinking?
Cloudflare are great, I use them on my sites and they can handle the traffic w/o issue.
Not a perfect solution, but it can help mitigate by blocking known compromised IP addresses.
Spend the 400$ on a computer-forensics investigator, find out who is doing this then contact law-enforcement.
I don't know the meaning of the word 'don't' - J
I don't know who you are. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my computerr go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.
Undetectable Steganography? Yep, there's an app fo
Hi first time accepted submitter!
You may want to check this Ask Slashdot.
There was a gambling site in Australia that got on the wrong side of a gambling gang (stealing customers, nothing they did specifically to attract ire). The DDoS took down Australia. Keeping your servers up when your link is flooded isn't too hard. Keeping your site up when the DDoS takes down your ISP and their ISP is a little harder. The "best" solution is to log all IPs and sue all local IPs for hacking. Get some old lady fined $1,000,000 for hacking and maybe people will figure out that they should secure it or turn it off. If there were no botnets, there would be fewer, if any, DDoS attacks.
Learn to love Alaska
Try buying fire insurance when your house is on fire. It's a risk pool. Duh.
With due respect, in my view, this is like trying to buy homeowner's insurance while your house is on fire, and complaining that they won't sell it to you.
Why is it unreasonable for you to pay more for "OMG I NEED IT RIGHT NOW!" service?
It's easier to do some prevention than to try to and figure out and control the problem WHILE it's happening. Also, why is it unreasonable for them to give someone who sees the need for some complicated traffic monitoring and filtering a discount for letting them set it up, y'know, during normal business hours with forethought and preparation and not as part of a crazy firedrill?
(no, I don't work for Rackspace)
Hi first time accepted submitter!
You may want to check out this Ask Slashdot.
Null route the ip being attacked, not the ip attacking. Of course this assumes you have a network consisting of more than a single ip. Anyway this is basically the best way to handle a DoS. Otherwise you basically need to have the bandwidth/resources to endure the attack. Many providers will allow either a remote-triggered black hole session to their BGP router or allow a burst rate above your committed bandwidth if the interface allows for it.
We employ a Rackspace IDS (Intrusion Detection System) which all our servers sit behind. We also have a firewall at Rackspace. The IDS detects sql injection attempts, brute forces, DDoS etc and stops them, alerts us and, in our case, we have a pre-arranged agreement for Rackspace to immediately block said IP in our firewall.
We can then determine whether or not that IP is malicious and remove it if necessary. I can't give you any prices, but for a stable and protected environment, it is a requirement these days.
If in the middle of an attack, check if you can still get an ssh onto the box. If so, netstat to find out what is hitting it (or look at the apache logs etc) and stick a block in the iptables to reject the request from said IP.
There is a number of other techniques that you can employ also if you are being attacked by bots (multiple IPs), but the IDS does a good job.
When all is said and done, nothing changes...
block the offending ip's
Cloudflare sounds like the perfect solution to me. All the other options you found are too expensive, and Cloudflare is free (I think they have some paid accounts for ~$20 / month). I've heard people have pretty good success with them too.
6000 USD? For that money, you could make a drone, mail it somewhere near Lebanon, pay someone to launch it, and kamikaze it with a molotov cocktail on that guy's address.
...would have been to ask him how much to get the name of the competitor. Would probably cost a bit, but documenting that exchange and turning it over to the FBI instead of just the DDoS info might have meant one fewer competitor...
Call the NOC of your provider and have them block the offending IPs at the router
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Step 1: find out which competitor it was.
Step 2: DoS their FACE with a 2x4.
I've used http://www.incapsula.com/ for general caching and ddos protection. Works great and is free for smaller sites.
The first mistake was paying, now your company is a known easy mark. When facing extortion your first reaction should have been to contact law enforcement. Maybe they do something, maybe not, but it's worth a try. After that, it depends on how much you are willing to spend.
A cheap solution is to put limiting rules in your firewall so after a few connection attempts from the same IP the connection is dropped. Another way to go is load balancing and multiple servers in the hopes your attacker gets bored before you lose money. Judging by the sound of the summary the company doesn't do a lot of business through their website, so why not just let the DDoS attack happen for a while? After a few days the guy will probably get bored and move on to someone else who might pay him.
A) Commercial migitation services:
- Okay. Expensive. Do work in my experience.
B) Mitigate yourself:
- I'd recommend AWS.
- You will want to have this prepared beforehand with load balancers and a virtually unlimited number of virtual servers to handle the requests.
- Also expensive, but usually less so than a commercial service.
- USE FILTERING AND FIREWALLING of the attacks at the lower network level possible. THIS is where you will save money. Try to identify and ignore the attacks.
If you think this is going to go on for a long time, hiring someone to look into the matter on a personal level may prove fruitful.
Option a) Your best bet is go strait to law enforcement. The FBI is actually very interested in these sorts of things even if you are small fry. This might not be a such a hot idea though if the group extorting you actually has some capability. Usually they will set up a string, and track the money when you pay.
Option b) Just shut up and pay up. Never taken this approach myself. I assume it makes the problem go away for a while anyway. I imagine said problems come back for another fix later, and I'd wonder if the attacker ever really had the capability.
Option c) pay the back bone provider, ie ATT&T or whoever is your ISPs, ISP for their DDOS protection services. They actually DO have the resources to protect you from a DDOS. Everything else anyone else is selling is just snake oil because a large enough botnet can simply use all the bandwidth weather you attempt to ack tarpit, or not; They unanswered SYNs alone will consume your entire pipe. This option is terribly expensive, might be worthwhile if you are running a large and inadequately distributed eCommerce site or similar.
Option d) Distribute the hell out of your site. This leads to all sorts of complexity around replication and have the big CDN providers host all your static content and resources. This may help depending on the type of attack. You will want make sure your DNS resources are also well distributed you will basically use fast-flux DNS yourself to stay ahead of your attackers. Essentially you keep changing IPs every 300 seconds or so. You will have challenges preserving sessions and for lots of services its not viable, for WWW it can be made to work. Again this is serious money and time. It might be cheaper than Option c, if you want you are trying to be available for is a small amount if high dollar transactions, as opposed to a higher volume smaller dollar situation.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
was RESPONDING to the guy. Even to say "no." It's like responding "unsubscribe" to a spammer.
What you've done by replying is telling him a.) you GOT his e-mail (not by any means a sure bet with spam filters), b.) you ARE IN FACT the people who own the site in question, and c.) the REASON you're not paying is that you believe he can't carry out his threat.
Let's say I'm this guy. I'm probably a script kiddie with a small botnet under control. I troll for small ecommerce sites (ones that are probably not profitable enough to have good defenses, but would be seriously impacted by a DDoS attack). I try to find some contact information. Again, I'm running some kind of script to troll for these, which means my sample isn't amazing and my data quality is probably questionable.
Then I send out hundreds of e-mails. Like a spammer, I'm going for quantity. Most of these probably disappear into the ether. Whatever - I only need a few to hit a target to get paid. A few people will actually pay up from the e-mail (probably not many, but hey). Some will ignore me (and be impossible to tell from the "disappeared" group. Then there's the lunkheads like you who confirm I sent the threat to the right person and I do feel vulnerable, but I doubt your ability to follow through.
Perfect! I train my botnet on that guy. I'm pretty much guaranteed money. The "someone offered me $600" is a bluff, of course - no one offered him anything, and it's all profit to him. But it sets a nice mental scale for you, so that you'll foolishly think you "got off easy" giving him $400 (when you could have given him $0).
Again, this is a VOLUME play. He has enough bots to DDoS SOMEONE, but not to DDoS EVERYONE. You were attacked for one reason - because you responded.
Sure, there was network engineering involved, but make no mistake - you got SOCIAL engineered here, first and foremost. Fix THAT, not your network.
Their service can be fairly expensive, but it's worth every penny. They can announce your routes and redirect all the flows through their many scrubbing centers, then forward you only clean traffic through a separate GRE tunnel. Or they can do simple DNS proxying, but if the attacker is even remotely clever they can defeat that pretty easily.
...but to be honest, Kuro5hin is paying us $1000 not to tell you. Perhaps if you would be willing to pony up $1500 we could do business.
There isn't much you can really do against a determined foe. There are just too many bot computers out there ready and willing to flood your servers with traffic. Huge companies with lots of staff, racks upon racks of servers, and really fat pipes have been hit with these attacks and failed to stop them.
Now there are a few things you can do to help... You'll note that these things are all extremely important for high-volume sites or major legit traffic spikes:
Have a switch in your website app that turns off all dynamic access, logins, session state, content generation, Ajax loading, etc and just serves static pages. This should also disable any kind of downloads unless you are already serving them from a CDN. If you are under attack (or just get featured on slashdot) throw the switch. Your website won't be terribly functional, but it will still be up. If you want to get fancy, have several levels of degradation where you can progressively turn features off to lighten database loads, etc. but without throwing up error pages or just having the site completely fall down. (ex if your sidebar typically shows recent comments via a database query, then just show a cached set of comments only updated once per day. Now every page access is using one less database query.) This is super critical because the first resource to be exhausted will be your database's ability to answer queries. The second will be your web server's ability to track session state and process requests. Especially if your site does anything even mildly complicated.
If your OS/Webserver/app support it, turn on kernel caching, install a cache plugin, etc. Especially make sure the parts of your pages, images, etc that can be cached are cached. If the under attack flag is set, vastly increase the cache timeouts. Make sure proxy caching is enabled too so any clients behind ISP proxies, etc don't hit your systems. Serve jQuery, fonts, etc from Google's CDN. That's just good practice anyway and free.
If possible, use a CDN for images and other content. CloudFlare is a good one. Companies like Dediserve offer cheap CDN. There are thousands of others. If the panic switch is set, you can even serve the static pages off the CDN if you structure things correctly. These help offset bandwidth saturation.
Take the time to setup a VM of at least your basic site and keep it on standby at Amazon/Azure. If you are under attack or heavy load, spin up a bunch of nodes using that VM image. If you leave your load balancing running on their systems 24/7 then it is trivial to add nodes to the pool. Running a bunch of extra servers for just a few minutes or hours shouldn't cost a ton and will encourage all but the most determined script kiddies to find an easier target once they see your site is still up.
The most common resources exhausted during an attack (in order):
1. Database servers
2. Web server CPU load or memory
3. Bandwidth
4. Load balancers
Again, like I said, none of this will stop a determined attacker with a million node DDoS botnet... But it will make you a less vulnerable target.
Natural != (nontoxic || beneficial)
You were blackmailed by someone claiming to be represent your competition and then by your service provider. Correct? There are two things you should consider, and do so quickly before you've completely hosed your server logs: Contact your local FBI field office and then contact US-CERT. Yes, I know - it's DHS, but they track this stuff and have access to tools/training they can provide.
Bark less. Wag more.
So you never bothered with DDoS prevention services for what is apparently a critical company web site, which would allow the provider to work pro-actively on protecting your assets. Then when your assets come under attack you expect your provider will just drop everything and tend to your immediate emergency without additional costs? Sounds like car insurance after the accident, or health insurance after you develop cancer.
It's 2012. DDoS are a real and credible threat today. 10 years ago, perhaps a passing thing, but today... do you not read the news?
Stipulating that your lack of preparedness is not your fault and over-sight, I want to address RackSpace's mitigation fees and perhaps defend your position at least a little. Being that it is 2012 and DDoS are a real and credible threat, depending on the costs of such protection, perhaps RackSpace (or another provider, free market thingie and all) could provide these mitigation services as standard for a bumped-up cost. Perhaps 400% mark-up is a little steep for immediate service when 200-300% might cover the costs of getting someone involved.
Nonetheless, my inclination is to side with RackSpace. When you work proactively, your provider can have technology in place and ready to go so that a DDoS doesn't affect you. But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence affects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.
No, you need to bite the bullet on this one and count it as a learning experience. And call your local and/or state authorities and start an investigation, since your costs will most likely be well over the threshold of damages necessary to start such an investigation.
Use CDNs where possible and use latency based routing for DNS like AWS route 53. In addition have capacity in multiple locations, either in active/active or active/passive so you have more than a single point of failure. Much harder to DDoS a distributed app.
Try contacting http://www.gigenet.com/ddos-protection/ as well. They specialize in this sort of stuff for some rather large sites.
If you're actually getting large DDoS regularly, there will be no cheap options, though.
I'm kind of shocked that the Slashdot audience is so clueless about DDoS.
CloudFlare is an excellent option...CDN is a good option generally speaking.
I know there are some cheap DDOS filtered services out there, e.g. buyvm.net offers DDOS filtered VPS's for $3 per month (it's an optional add-on to any of their regular VPS products, just check a box on the order form), capable of handling fairly heavy attacks. Obviously you can't host a Google-scale service on a cheap VPS, but they have more than enough capacity for a typical small business web site. I've seen their DDOS protection in action and it works. Disclosure: I'm a satisfied customer of theirs, with several VPS's that I use for various purposes, though I don't personally use the DDOS protection since I haven't needed it. I don't have any financial interest in the company.
Depending on the severity of the attack, CloudFlare may your cheapest option, but be aware that they are not interested in mitigating severe attacks.
A client of mine was DDOSed last year, and my ISP's (shall stay nameless) DDOS Mitigation service could not cope with the size of the attack.
I have briefly tried CloudFlare, but they turned us off within 20 minutes without any notice, and promptly refunded all the money.
Luckily, I had an old contact with DOS Arrest. It was a bit expensive to setup, but they quickly got us back online, so it was worth it in our case.
What makes you think they're going to keep their word? You're not signing a contract here, these are criminals! All you're doing is showing you're a soft touch. They'll be back, and they'll demand more money. They'll probably tell their friends, too. Not to mention the moral aspect that by giving in to these people you are directly funding crime.
No, you ignore them entirely. Don't even reply to the emails (but keep them safe). If they DDoS you, live with it. Remember that these guys rent their botnet from other criminals, so every second they're DDoSing you is costing them money. As soon as they realise that they're not going to get anything out of you they'll give up and move on to the next target. Yes, you'll probably be knocked offline for a while but (a) with a bit of marketing nous you can make this work for you, by issuing thundering press releases going on about not giving in the terrorist demands, issuing 'apologies' to your customers and giving them discounts to make up for it so driving sales, etc --- basically, free PR, make the most of it; and (b) your internet-facing servers should be coping anyway. Of course, given that they aren't, that last doesn't help right now. But beef them up because it'll help next time.
Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.
Next time, he won't settle for $400.
I mean, seriously. The DDoS and the "competitor" were probably the same guy. And next time, it will probably be the same guy again, even though it will look like this time he's Ivan from Russia instead of someone from Lebanon.
You've been played. Expect the price to climb.
Get 10 gbit connection, filter in iptables, watch attack stop and laugh.
Go Fishin'
Spend some time with your family.
Enjoy the wonders of nature.
Some TP IPS's have DDOS mitigation. Its really going to depend on how you are getting DDOS'ed (ACKs, application level, etc). Nature of most DDOS means he probably has zombies doing the work which could easily be out of the country... plus some DDOS can IP spoof, so don't recommend just setting a firewall rule on a block (unless you really observe that block to be nothing but attacks). Full disclosure, I work for them but my statements do not represent HP.
You can use iptables and conntrack to build a top layer anti-DDOS box for about $1500. I've used this approach in the financial services industry to deal with ddos attacks that utilized > 500Mb of bandwidth.
dont ever pay them, otherwise you are creating a market. Like in many country idiots create a market for hobos "looking" for your car.Anyway, why not putting them in the cloud, Amazon services? I bet it would be cheaper than paying Rackspace and their "security" services.
In turn, never negotiate with terrorists. You'll only encourage more acts against you.
Om, nomnomnom...
$800 ransom. And the site was taken down that easily?
And a "competitor" hired them for $400?
The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case.
Really? The site is soooo important that it needed to be up real quick? If that were the case, either the blackmailer is a real fool (I would have hit them up for at least a couple of thousand) or we're not haring the whole story here or all the above and some other combination.
If these people are really from Lebanon, then there is a high probability that these funds are going to finance terrorism.
Secondly, by paying those assholes, these assholes have encouraged this shit. What, these people can't sell whatever crap they're selling on the internet for a few hours? And if they are offering something more important than yet another internet shopping site, then they'd have a telephone # or some other contingency plan to deal with a service outage. So, what they're trying to do is find a bandaid solution for a poorly planed site.
If they actually contacted you, report that to the FBI. They're probably contacting other people, too. A pattern will emerge.
A useful technical solution that seems not to be used much is to make web site services "fair", rather than first-in, first out. If something has a queue, and you're handling an request from source X, take the next work item from a source other than X. The result is the volume of attacks coming from an individual IP address doesn't matter. Only the number of attacking IP addresses matters. Your real users will still get through, although there will be degradation in proportion to the number of hostile IP addresses.That really should be a feature in Apache.
We use this for a free API service we offer. If you make a request, it may either be satisfied immediately if we have the data available, or the request is queued for processing (this involves examining and rating a web site) and the caller gets a "try again later" status. The processing queue is "fair", so no single source can overwhelm it. (Once we rate a domain, we won't look at it again for 30 days, so our system can't be used to DDOS other web sites.)
We once had a user from an Italian university who was trying to request info on a huge number of web sites. He put over 100,000 requests into the queue, and it didn't hurt performance for other users. After a few days, though, we looked at the logs, and noticed that the requests that returned "try again later" were never being followed up with requests for the actual info. So it was all wasted work. I sent a note to the department chair of the university involved, indicating that we had no objection to their using our service, but that their client program was poorly written and wasn't doing anything useful. The traffic stopped.
Dig out the older thread for some useful insight.
Windows 2000 - from the guys who brought us edlin
I've worked with a couple of organization whose web presence was under a DDOS attack. We placed Cloudflare in front of their site and blocked all incoming traffic to the server to only the Cloudflare IP ranges. DDOS attack was abated immediately. I highly recommend the service..... If they would add load balancing with session persistence it would be perfect. -K
I know this will sound like shilling, but you might try another host. I've been pretty happy with BuyVM (nope, don't work for them); they offer a pretty nice DDoS mitigation service from Awknet for an extra $3/month (on top of their normal hosting prices, which are already very reasonable). They don't drop you / null-route you when you get hit, either. You can look around for yourself, but there are quite a few happy customers (so much so that they often don't have any VMs in stock; you might have to wait a few weeks until they restock).
But calling in when it's going on: first off, they have to deal with the increase in bandwidth, the abuse of the server, virtual service, or multi-hosted box you occupy and hence affects on other customers, getting someone or a team of someones involved to start the mitigation process and move your incoming traffic to the systems which perform this protection, amongst other issues.
Yes, but they're going to have to do this anyway. The DDoS won't affect just one customer, it'll affect lots of people at Rackspace, and will cost Rackspace money. Whether this one customer pays Rackspace or not won't make any difference to Rackspace's costs.
That's what makes Rackspace's behaviour here so dubious. Your example of it being like car insurance after the accident is invalid. It's more like a car accident that blocks the road. (Yes, yes, a car analogy on Slashdot, just deal with it, okay?) Whether you pay emergency services to move your car is irrelevant, because they either way they're still going to move it... because otherwise the road is blocked.
Try firehost.com, They have DDOS mitigation and secured firewalls built into their default package.
What an informative post! You provided so many answers to the asked question "How To Deal With a DDoS Attack" that we are all enlightened on how to protect our web sites! So much info on TCP SYN flooding, load balancing, dynamic routing, etc etc. This response should be archived as a guide for all future web development.
Never reward criminials by paying ransom. Your site is not worth what whatever your money could potentially be used for.
If it were me I would be polite but dumb, gullable and slow. Social engineer as much information you can out of your advasary then contact the authorities.
Separatly use technical means to analyze the nature of DDOS and implement countermeasure. It could be as simple as changing IP/DNS records or adding http redirect servers. If your link is being saturated with unacknowledged traffic contact your upstream ISP or hosting provider for assistance if you can't handle it yourself even if you have to pay more and the problem takes longer to resolve.
Well, I am going to shamelessly plug my cloud hosting company, DigitalOcean. =] We don't officially offer or advertise a DDoS mitigation service, but we do handle DDoS attacks and DO NOT charge for it. Just spoke to our Cloud Architect today and he informed me that he had to handle a DDoS attack today that took down someones site. We feel it is the right thing to do.
Imperva Cloud DDoS protection.
I'm curious if you can just block all the IPs the guy is using? For example, 100computers are attacking your site, block them all from access. Would be cool if you could reverse the ddos though =)
1) characterise the traffic. could be from a range of ip, targeting specific ip, targeting protocol x or y or having some id characteristic you can 'lock' onto.
2) install filter for such traffic UPSTREAM of you, at the isp. blocking once its crossed the wan to your site is obviously useless
that's it. block at the isp. get an isp that lets you install filters 'up there'.
can't help more than that. the devil is in the details.
--
"It is now safe to switch off your computer."
I imagine it's a bit like fire-suppression systems. They're way, way cheaper to have installed before your building catches on fire.
Log in or piss off.
These guys know each other (arthurpaliden (939626) and Nyder (754090)) and trolled everyone in their boredom...
You can try BlockDOS.net. They're a decent enough service for the price. You point your DNS at their proxy and then null-route anything not reaching your server from that proxy.
1st - YOU NEED THE BANDWIDTH to do it right... look @ AMAZON & MICROSOFT, they can withstand it, but, they can AFFORD it (the way THEY do it)...
Investing in one of THESE is a big help:
http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22DDos+Appliance%22&btnG=Search&gbv=1&sei=KYw7UI-4FsXs6wH3uIDoDw
Because DDoS/DoS CAN be stopped (Microsoft & Amazon are setup PERFECTLY vs. it in fact, read on below on that note)"
Protect Against SYN Attacks
FROM -> http://msdn.microsoft.com/en-us/library/ff648853.aspx
A SYN attack exploits a vulnerability in the TCP/IP connection establishment mechanism. To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server. This prevents other users from establishing network connections.
To protect the network against SYN attacks, follow these generalized steps, explained later in this document:
Enable SYN attack protection
Set SYN protection thresholds
Set additional protections
Enable SYN Attack Protection
The named value to enable SYN attack protection is located beneath the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.
Value name: SynAttackProtect
Recommended value: 2
Valid values: 0, 1, 2
Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.
Set SYN Protection Thresholds
The following values determine the thresholds for which SYN protection is triggered. All of the keys and values in this section are under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
These keys and values are:
Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0?65535
Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.
Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100?65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.
Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80?65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.
Set Additional Protections
All the keys and values in this section are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters. These keys and values are:
Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0?255
Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.
Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0?65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.
Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0, 1
Description: Setting this value to 1 (the default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack.
Specifying 0 forces the MTU of 576 bytes for con
Face it, you didn't get the joke, dumbass...
-- You are in a maze of little, twisty passages, all different... --
No one has really asked what this DDOS actually was. There are certainly attacks that could be quite difficult to control but in my experience a lot of this type of stuff is just something like script kiddies with Low Orbit Ion Cannon that the original poster could easily control themselves. With something like that you can take down a web site with a handful of clients but that means it is also pretty easy to put a stop to.
We had a customer come to us whose web site was being taken down on a fairly regular basis. Just a couple of fail2ban rules was enough to make it stop.
http://it.slashdot.org/comments.pl?sid=3228991&cid=41867815
* Since THAT truly IS, "how it's done"...
It's like that "old adage" (almost) - IF YOU WANT TO MAKE MONEY, YOU HAVE TO SPEND MONEY, albeit in THIS case IF HE WANTS TO KEEP MAKING MONEYONLINE, HE'LL HAVE TO SPEND SOME...
APK
P.S.=> Amazon & Microsoft are the "proof in the pudding", after all... Of course, they're Microsoft & Amazon (deep pockets for massively overbuilt infrastructure & bandwidth)
... apk
If you are high profile enough to be extorted, you need to control your own routing and have staff that's experienced in DDoS mitigation already on staff.
Between redundant links, selective route announcements, placing high profile targets on their own routable subnets and good cooperative relationships with your upstream providers, most attacks are survivable.
The initial response should be automated - limit route announcements to a subset designed to provide some level of business continuity, without the site being attached being publicly reachable. This gives the attacking botnet as well as some of your legitimate traffic a "no route to host" condition. From this point, your network engineers should go to work, selectively restoring the announcements with a focus on areas where your customers are - ie if you were a small local firm, your priority would be to be reachable for whatever internet providers exist in your area first, if you are a national firm, you'd focus on domestic connectivity first - chances are, the botnet being used for the DDoS isn't even in the country you are operating in, and you can be back up, even while appearing offline to the attacker and their botnet.
As you gradually allow traffic back in, you work with your upstream providers to isolate the DDOS traffic coming in as close to the source as possible. Within the first few minutes, by triaging who need to reach you the most, you've mitigated the worst of the impact, and are on track to completely nullify the attack.
Well, you got me to respond, AC. The poster answered his own question: RackSpace provides a DDoS mitigation service. But more to your critique of my response, since he took the extra effort to fold a statement into his question I naturally assumed that this might be part of his question and deserved a response. Sure, his primary point was how to deal with a DDoS, but perhaps he should have stuck to that point and not drifted off into a thinly-veiled rant against RackSpace.
If that was tl;dr, then perhaps "your mom" addresses your comment more in-line with your expectations.
Can this be accomplished using the arp command on a Windows system? It controls routing iirc. I know other Operating Systems of UNIX nature have the route command, but I am curious for Windows.
I just looked this up, but Amazon EC2 does not charge for INCOMING traffic. With a properly configured Webserver with security modules, the traffic comes in, but never goes out.
And no one is going to flood Amazon.com off the 'net.
Linux O Muerte!
I'd have a lot more sympathy if you would log in as APK again instead of AC.
... nobody questioned if there are any potential terrorist angles here ?
If you do this to enough businesses, even though the individual sums are mind it all adds up. Did your boss not stop to think me might have been aiding or abetting terrorism by sending money to Lebanon to pay off the extortionist?
I most western countries these days such actions can get you into real trouble. The ONLY correct thing would have been to get the FBI in and draw this sucker out.
Looks like your pointy-haired bosses need s to give things a bit more thought.
I posit that the car analogy is valid for the part of his question in which he denigrates RackSpace for charging for immediate service. In the sense that returning his web site (car) to a usable state (repair service) which would have normally incurred a nominal cost (insurance) but instead he addressed it after the DDoS (wreck) and wanted the mitigation to happen at a lower rate (paying the body shop for next-day service out-of-pocket versus letting the insurance cover it and pay for a rental.)
I like your pick-up on the effects on other customers and the wreck blocking the road. In terms of municipal services, the emergency responders are generally paid for by local taxes but services such as removal, repair of damage to public property, clean-up, and subsequent storage of the vehicle (if necessary) are all often billed to the party at fault.
* People here have told you to "shove off" before... why don't you take their advice???
Probably for the exact same reason YOU don't take our advice when we ask you to do exactly the same (meds included) or when we ask you to stop * YoUr weird => writing HABits
That being said, I have to admit this guy is even more annoying than you. This is my first time ... agreeing with you ... I feel dirty.
Rackspace has more than enough bandwidth to cover anything but the largest DDoS attacks. However, that doesn't mean that your individual rack's switch, your load balancers, your servers, or your services are designed to handle it. DDoS will pretty much just tickle a bit for Rackspace. It's going to kill your servers far before it kills their infrastructure.
Take a look at this product, easier to use than most of the other options out there. All you need to do is change you DNS and your done. http://www.winkstreaming.com/en/wink_shield/
Gamblers Forum
The customers paying $1500 are definitely being gouged because either:
1) $6000 is the whole cost of dealing with the attack, which means unless close to 1 in 4 sites get DDOSed you're paying too much for the insurance.
or
2) It costs more than $6000 to fix YOUR problem and everone else is subsidizing the OP's shortsighted stupidity.
WAH WAH WAH
How is this modded insightful? The OP mentioned it in the fucking summary. You don't even read that anymore and get an insightful mod? Fuck off
Idle curiosity: if you pay Rackspace $1500 for "DDOS mitigation services", and you still get successfully attacked, what is your recourse?
I have been happy with cloudflare but I am pretty unhappy with slashdot today. Other than cloudflare (which is free and pretty good but not the best) I have seen not one easily implementable solution. I am shocked that nobody here has much of a suggestion.
I may have been participating in a DDoS. UDP DNS requests were being made of my authoritative nameserver for domains in its bailywick, but I suspect the source IPs were spoofed victims and that the ANY record requests were designed to amplify the total data. These packets may be going out from a botnet and bouncing off legit DNS servers around the world, doubling or maybe octupling the data size, laundering the actual source IPs...
Any recommendations on how to handle this sort of thing?
I tell the boss there's a virus attack and am going to the hosting service to deal with it. Well, you know, play Halo.
Post the link to the website. Maybe if everyone on Slashdot has a look, we can figure this out.
Doesn't apply here, so why would I post about hosts files? Answer that please.
* Thank-You, since I feel that this particular article is of GREAT BENEFIT to others to learn by (I picked up "new tricks" in it myself, which is, of course, ALWAYS COOL!).
(In other words - Don't mess it up for others with your b.s. clotting the page here!)
APK
P.S.=> Seriously - I cannot figure out WHY you do this, unless it's your "geek angst" acting up again, lol... I mean, just how BADLY are your "poor little feelings hurt" since you do that, & I must've obviously have gotten the best of you so many times on debates on computer-technical material that your "geek angst" has you doing this?
You should seek somekind of professional psychiatric help, imo @ least... you need it, and to grow up!
... apk
It is wrong to put temptation in the path of any nation,
For fear they should succumb and go astray;
So when you are requested to pay up or be molested,
You will find it better policy to say: --
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that plays it is lost!"
MY OTHER COMMENTS
Comment removed based on user account deletion
No, all they will do is nullroute the site's IP till the attack subsides. If you want the site to stay up expect to pay for the mitigation service witch truly is more expensive to set up and be effective on demand after the attack has already begun. No price gouging here, just unrealistic expectations.
Comment removed based on user account deletion
Did they use a botnet that was scattered all over the world, or just a specific set of systems? I would recommend going through your logs to see what you can find out about the attack, there may be some patterns there that you can learn from.
That said, a lot of people suggest you contact the authorities. I would suggest that those people have probably never tried that themselves. The authorities - local or federal - generally don't give a shit about cyber crime. They give it some (virtual) lip service on their websites but when presented with actual cyber crime they always find something more interesting to do with their time. After all, you said the criminal was in Lebanon, and the FBI has no jurisdiction there. Even if you found an FBI agent who cared, he wouldn't be able to get interpol working on it before the (electronic) check is cashed and the culprit has cleaned up his tracks.
In other words, you have to do the work yourself. Maybe you can learn something from the logs, or maybe you'll need to look at distributed hosting to better prepare yourself for a potential future attack.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Those are who networking experts, please explain this. If enough packets sent to this person's web server were enough to take it down, why weren't those same packets enough to take down the routers along the way to his server? I would think that Rackspace would care about their routers to deal with the problem, and therefore not have to charge this person $6K to deal with it.
The most common way to take care of DDoS is to simply capture a list of the captured packets. Then reverse DNS the packets to find his ISP, then inform the local police. As for stopping him, that is best done at the router, and can be handled many ways.
One way would be to keep track of the number of packets received per time interval, if it's too high then just drop the extra packets. The disadvantage of this is that if you were to get a large load of customers then some customers would loose some packets.
Two keep track of the number of packets sent from each IP-per time interval. if its too high then just block the IP for a while.
Three block the block of address that the DDoS is coming in from, this method is the most all inclusive, but also has the possibility of blocking some real customers.
Note: while all of these are working methods to block the attack they all have the same problem. They rely that the number of messages received does not eat up the entirety of your bandwidth. If the attackers bandwidth is greater than yours then this will be unavoidable. The best place to have this protection is on your ISP's servers, because then they (the DDoS netwrok operators) need to have more bandwidth than your ISP which is unlikely, and if they do take you down then they are also taking down your ISP which means that it becomes the ISP's problem. So, in effect I recommend you switch to an ISP that does have this kind of protection. If for no other reason than to pass the buck to your ISP, making it their expense.
Lastly you can wait it out, while DDoS is annoying and costly, but it actually costs the attacker some resources to keep up. (mainly his network of computers, and their internet connections.) If attacking you is not profitable then he will remove you from his list and move on. Your paying him once has negated this effect as it is now profitable for him to attack you. If you don't somehow make it more costly to attack you then there is nothing stopping him from starting up the DDoS again and getting another $400+ from you. (Don't forget to make an attempt to track down who and where the you sent him $400 was picked up, this may aid you later.)
Another option though this one isn't strictly legal, you can hire an counter hacker to hack his system. If your lucky and the hacker is good enough then the hacker can break into his network ans steal his data. You may even get a list of the companies he's attacking and you can use that to jointly strike back, (Using the law or other means) and it's likely that if the hacker is good enough then he can take down the DDoS network. A good place to look for these hackers is to watch CTF (Capture the Flag) torments. (These are events where a group of hackers attempts to hack into and steal a "flag" from their opponents while protecting their own "flag". Warning there are games where the CTF term is used and means nearly the same thing, so you need to do a bit of research to make sure that it is the right kind of CTF your looking for.)
Honestly, you're better off if you don't respond to the communique. If the attacker isn't able to reach you, they'll move on.
The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future.
You are FINANCING the attacker, by agreeing to pay, without receiving anything in exchange other than "They won't do X".
This will encourage the attacker and their hacker buddies to do the same thing to others, and YOU in the future.
In a few months, the same attacker and/or their buddies may be back requiring $1,600, $3000, etc.
Purchasing a 3rd party anti-DDoS service or filtering service may be expensive, but at least you won't be contributing the problem you purport to be trying to solve.
If this article is written in the kind of english I got thrown into my head, then the answer is very easy: It may never happen because dinousaurs got extinct long ago. Sometimes even I forget I am a Computer Science Engineer. Must be the dinosaurs or Voldemort trying to come back...
Any respectable provider will help you address a dos attack without charging you 6 grand. While the method of attack can vary in complexity, we are talking about one of the most common problems a site/network admin has to face.
I'd ask myself why I'm paying Rackspace good money when even the most basic of support services are ala cart for such extreme prices. I'm sure you can find a competitor that is much more reasonable.
If he made an account, it would be permanently posting at -1, and he'd only be able to post with it twice a day. There would be no lulz to be had from that.
Before I found that there was a lot more money and a lost less hours and stress doing consulting than being a cubicle drone, I worked for a large hosting company.
Handling a DDOS attack is a piece of cake. We handled a few a week and this was in the early 2000s. We would watch the router traffic graphs and see a spike that might be eating 5% or 10% of our capacity and just grin. All you need is money. Your ISP needs giant pipes, spare server capacity distributed around the world and sharp network guys, and for the right price, they'll simply make the problem go away for you.
However the cost of doing this means that if $1500 to Rackspace sounds like a lot of money, you're not in this league.
If you're at the "less than $200/month" level for hosting, your best course of action is to not piss people off, and if you're attacked just hope you can wait it out.
The "up side" of having a small site with cheap hosting is that it probably won't actually do much damage to your business if it's down for a few days.
it's not necessarilly correct - nullrouting particular IP does not cost much in equipment/engineering time, etc. "protecting" the traffic on the other hand is completely different story. If customer does not pay for protection services and is under DDOS which affects other customers, he is being simply nullrouted.
they're well known by arge banks and ecomm as the market leader in DDoS prevention & mitigation - http://www.prolexic.com/
http://www.arbornetworks.com/products/peakflow
Sounds like it's time for people to be able to avail of some form of torrent based technology in a site i.e. one that is everywhere. If people pool together and have their data distributed then they have to go after everyone - i.e. go after the internet itself. It's a big idea, but really the government are already at that stage of going after the internet, so I don't see the problem with it.
The question is, do we have the technology to deploy a distributed data pool. (only as backup!! mind you) I think it would be too dangerous to have one big distributed data pool.
It could be tiered for different bandwidth plans. Websites could classify themselves according to their bandwidth plans / needs and pool themselves into tiers.
Somebody wake up Bram Cohen!
Now I know the guy who took my cut..
You gave a terrorist money..... it's like giving a monkey food. They'll come back for more and if you don't give it freely next time they will bite.
I use cloudflare successfully. You could have just spend the $20/month and had DDoS protection (as well as acceleration / CDN) for a very long time for those $400.
All those moments will be lost in time, like tears in rain... time... to... die...
I leave to the fellow readers the care of commenting whether you should or should not answer these e-mails. And I do believe you should contact your local authorities immediately to report this. I also understand that most of the business don't think they'll ever be victim of a DDoS attack.
Concerning the DDoS in itself, for me the most important is to understand what was exhausted first: is it a compute resource (CPU, Memory, HDD space), a network device resource (CPU, Memory, Number of sessions) or a bandwidth issue. Based on those findings, you may be able to take steps to harden your infrastructure and be better prepared for the next time.
If you need help with this, feel free to contact me off-line.
The age old problem of Danegeld... They keep coming back for more. http://en.wikipedia.org/wiki/Danegeld
We just launched myracloud which is an IaaS for protecting sites from DDoS attacks.
This is a very affordable solution which proxies your website, and we filter out all bad traffic.
Compared to Verisign/Prolexic/Akamai this is a very affordable solution which offers even more fantastic features. E.g. InstantDisplay delays executing Javascript (inline+external) until the page has rendered.
No changes necessary, we do all the hard work.
Check out myracloud.com DDoS protection.
>They proceeded to tell me that they have 'DDoS mitigation services,'
>but they cost $6,000 if your site is under attack at the time you use the
>service. Once the attack was over, the price dropped to $1500. (Nice
>touch there Rackspace, so much for Fanatical support; price gouging
>at its worst).
a) Ok. so now you could get it for $1500. The buy it. $1500 are roughly 18h of my time (as a consultant), so even the smalles action you coud do exceeds this. IFF you believe that this solves the problem then just do it and dont touch the rest. The advertisement on their web site sounds promising, bu did not test it.
b) Price gouging? No, it is reasonable, for several reasons. Doing the DDoS protection uses resources, which are allocated, but (according to your definition unsused). Why on earth should customers wise enough to see the necessity of a immediate reaction, which pay for this service provide the support, upkeep and unallocated ressources for the others? Such a service is like an insurance. In average you can offer it for a certain price, but if you know the risk hits, its not an insurance any more. Moreover: The service seems to be based on detecting deviations in the traffic patterns. If the attack is ongoing there is no way to detect the "ground truth" = the normal operation automatically. Which in turn will require *much* more human attention.
Sorry for the shameless plug, but I've been a customer of Steadfast Networks for years now and they're the best hosts I've ever known. Excellent customer service, uptime, good value pricing, and they're had DDoS protection since 2007. If you're willing to be hosted in Chicago or New York, I'd go with them.
== Jez ==
Do you miss Firefox? Try Pale Moon.
DDOS attacks are hard to stop because of the nature of the attack (multiple IPs hitting you). One solution I found was a simple, free script that you can run as a cron job named DDOS-Deflator. Here is the link: http://deflate.medialayer.com/. I am currently working on a C version of the script which responds much quicker. You can check my blog. I should have it available very soon as we are in final stages of testing http://www.sandidog.com./ As I said, DDOS is hard to stop until but the simple script has helped with some of the lamer DDOS/DOS attempts that I've seen in the past.
Their blog post is *about* the DNS amplification DDoS that they're being attacked with.
I was helping someone diagnose why their network was going to shit a few times a day. It turned out that they had recursive DNS still enabled. Watching the traffic, it looked like Cloudflare was attacking. In reality, it was spoofed traffic slamming them.
I locked down that network, and had a nice conversation with one of their techs about it. Since the network I was working on has no business relationship with Cloudflare, we mutually decided to block the traffic.
The attack is still ongoing. The logs are full of blocked DNS requests "from" Cloudflare. that's one of the pesky problems with spoofed traffic. The attacker doesn't know when the intermediary has blocked it, so they just keep attacking.
I hadn't heard of them before, but I did a little looking. From what I could see from the outside, they have a pretty robust network.
One place I worked was under constant DDoS attacks also. I couldn't even guess at how many attackers there were. They were all using different methods, from all over the world. We protected ourselves the best we could, dropping all unwanted traffic, and dynamically dropping networks based on current attacks. That was years ago, and we had multiple GigE circuits around North America. Since 90% of our traffic was legitimate outbound traffic, we had plenty of room to work with incoming DDoS. Basically, we handled it by having enough gear and bandwidth deployed, so it simply didn't matter. Attacks were a curiosity that we watched, not a catastrophic threat.
Serious? Seriousness is well above my pay grade.
My hosting has DDOS protection built in and it dont cost anything extra. Get your account now: https://www.rapidvps.com/?vps=21125 They are excellent support too. Just tell them Dave from listbuilderdirect sent you. Super Dave
"..To be fair, the Danegeld supported the Danelaw, which was far superior to the religious laws of England..."
The Danelaw does not refer to a legal system - it refers to that part of England which the Danes held, and which was therefore under their jurisdiction. If you do not understand this period of history, you should not be writing about it... although, I suppose, this IS slashdot...
It has been a good read, the comments and story, so far. But I am minded of the game Uplink where hackers (script kiddies) get paid to do nasty things to competitors and so on. DDoS is not one of them. Instead destroying R&D, stealing corporate secrets, and hacking people's bank accounts are as creative as the game's designers could get. It's a fun game, but I must consider a world where this kind of activity grows and prospers.
It would have two beneficial effects which I can think of: One it provides much needed jobs to highly skilled people, and a desire to become more skilled. The economy has always been built upon this principle, and the people who enslave us with money need more wastes of time and useless shit for people to do in return for the magic paper that permits us to get the necessities of life.
In addition, having more incentive to perpetrate such crimes and more perpetrators incentivized to do so will create a real and genuine need for better security and defense against these attacks. I have read too often about terrible security leading to really easy hacks causing complete catastrophic chaos with systems responsible for millions or billions in revenue. Cite the playstation network for example. Those who work to secure these systems deserve a raise, more resources, and more colleagues in training to do this.
The advancement in IT will only come from adversity. Comfort breeds no development.
While I am not actually advocating paying a bunch of people to attack our cyber infrastructure, I do wish to bring up the idea and cause a discussion on the matter.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
... offered him $1200 for sufficient information to be able to sick the cops on your competitor.
http://www.prolexic.com/
Don't know how much they cost, but they do damned good work in DDOS mitigation.
M.
Yeah, because a US judge is going to believe a "Lebanese hacker" who won't even come out from behind his seven proxies, much less show up in person, who's admitting that you bribed him to testify against your competitor instead of attacking you, because the fact that you had to bribe him to rat out the person who allegedly paid him indicates that he's entirely trustworthy. Even if it's entirely true and the judge believes it, it's not up to the standards of proof it would take to find for you and against your competitor or do any more than give them a restraining order against doing it again.
About the only way you're going to accomplish anything is to pay him with some traceable payment system and follow the money. If he takes credit cards, you can maybe trace it to some hawalladar that's handling them for him, but it's unlikely that you'll get more than a burner bank account or a corner store, and get Visa to cancel the store's merchant account, which might annoy the attacker the next time some sucker tries to pay him.
The best extra-legal counter-attack I've seen was the one in Cheswick and Bellovin's original firewall book. They'd tracked down the attacker, who was a teenage kid in the Netherlands, where there wasn't any computer-hacking law yet, so "we did the next best thing - we called his mom."
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Oh, no, if you want to get that $600 into the country, you're going to have to register your bank account with the Ministry of Finance, and here's the phone number for the minister, Jonathan Goodluck!
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You can only distribute your services and hope some survive. Anycast may be an option (some of your servers will be visible by parts of the world). But it's all about firepower and you will never be big enough.
There are really many ways to DDoS. (The obvious and less obvious ones)
To reduce the options given to criminals, AS should filter spoofed IPs (ie: drop inside messages that are not emanating from an inside IP, outside messages that are emanating from an inside IP). But doing this is expensive so they mostly don't.
1. Identify attack
2. Null route boxes current ip's and get new ip's
3. Engage cloudflare "im under attack!" setting
4. ?????
5. Profit!
Or if they are http flooding using your domain name as a point of refrence, redirect your domain to something creative.
As the Sys-Admin for a relatively large e-commerce provider we have had our share of DDoS attacks. The first thing, is don't negotiate. Cut your losses and take the site down for a bit if you need to, regroup.
After that... switch your site to Cloudflare or a similar service.
After that... investigate if you want to continue using Rackspace for services. I suggest contacting me directly if you have questions, but suffice it to say we moved away from Rackspace because they and their data-center kept getting VERY large profile DDoS attacks which we were sometimes affected by even if we weren't directly targeted. We have had several months of service that they ended up paying for, for instance. Essentially Rackspace recently (at least their colo stuff) has not been providing 'superior' services.
http://it.slashdot.org/comments.pl?sid=3228991&cid=41867815
* Since THAT truly IS, "how it's done"..... apk
Windows registry keys? How would changing Windows registry keys mitigate a flood DDOS that saturates your provider's inbound bandwidth?
We have our dedicated server colocated (5U, ~$400 a month) at a nice, relatively small colocation datacenter (SMALL, less than 100,000 sq ft, not Rackspace, and definitely much better overall IMO) in the midwest, and they offer DDoS handling services FREE. On demand, too. If we are being DDoS'd, chances are they know about it before we do and are already handling it.
It's happened before. We were down for about 2 minutes, I think, before somebody noticed and shut it down. In 99% of the cases, it is more important to the data center to handle the excessive hits than it is to let them flow into their network unchecked. Chances are they don't want to deal with the overhead of a DDoS anyway, and will have it cut off at their top peering node at earliest notice possible.
There are two answers that come to mind. A) Use a "middleware-network", like CloudFlare. As others have mentioned, they are specialized in DDoS mitigation, advanced heuristics to find bots, and cache content. Most of the service is free, and you can crank it up at any time (I believe) to get more serious features (like when you're under attack). Look into this.
B) Buy your own DDoS migitation device. Either go for a UTM and/or a WAF (Web Application Firewall) so you can also be protected from most of the HTTP exploits (oftentimes a DDoS is there just to sneak an actual exploit in by overloading the IPS). But those are costly, and it's costly to pick the right one (you'll need professional tools to test them under stress, like Spirent's Avalanche or Ixia's Ix Load, and their services cost like $10,000/week).
I guess there's a C), which would be a cloud-based host. I'm pretty sure their DDoS protection is built-in since they can't have one website under attack without impacting the rest of the architecture - you might want to check that.
Been using them for a couple web applications now, and quite happy with the results. If I've been attacked, I didn't know about it ;-)
Only downside to CloudFlare is that they have to host your DNS, and my biggest app already is under contract with another company. So for cost reasons I'm stuck either living with dual-invoices for another ten months, or living with a website that doesn't have the caching and IDS/DDoS gizmos offered by CloudFlare.
"The mind is a terrible thing to, um, uh, oh bollocks." -- Me
Look at the settings used that are suggested by Microsoft and what they do versus for example SYN-ACK DoS/DDoS.
See subject-line above, & "shoo", little troll... grow up!
APK
P.S.=> How unbelievably droll & ironic (as well as utterly STUPID of you too), that YOU would call ME a troll, & yet YOU are off-topic, a classic "troll sign" if EVER there was one...
... apk
As most noted, contact the police.
The poster whom mentioned the BGP is great.
1) A good router configured correctly will help a lot.
2 ) A good cisco smart switch configured correctly will provide a great second line of defense.
3) Finally, use sysctl to set you fundamental network settings on the server or VM correctly (see IBM's security doc on this settings). You could probably change similar settings in huk...Win Servers. (a fundamentally a poor OS for the internet)
These three items set even halfway properly will mitigate any DDOS in the future.
Mark V.