Not knowing much about these, I had a question.
1) When under attack, is it generally from 1 source at the time it's happening?
2) When under attack, can the ip be identified?
3) If the attacker can be identified, legit or through proxy or whatever, could a host not have a program in place check all visitors?
e.g. If you're providing a service that hundreds of people use, and they all are performing generally the same actions, and say the bandwidth load for a general safe individual visitor was say a value of X, and the bandwidth load for a general DDos individual exceeds X greatly to the point of shutting down, or extremely harming the website, then could you not run a program that would monitor all visitors?
Say the monitoring program is set up to monitor each person's bandwidth load, and you have a safe max value of X. Where X is say 10% higher than the highest recommended safe bandwidth load.
Then you have checks like:
If visitor(a)-bandwidthload < X then visitor(a) is considered safe
elseif visitor(a)-bandwidthload > X then visitor(a) is considered DDos attacker and ip ban visitor for 24hrs.
Of course visitors would have to be rechecked every so many secs or minutes, and maybe have it set up so that they would have to exceed the limit 3 times before imposing a ban.
Sorry if some of the lines are long and winded. lol
When the fingers hit overdrive, I just keep on going.
DDos Attacks
Visit gspreviews.com And Rate & Review Your Old & Current GSP's
Find Your GSP Coupons at gspreviews.com/coupons/
Re: DDos Attacks
.=QUACK=.Major.Pain wrote: 1) When under attack, is it generally from 1 source at the time it's happening?
It depends on the type of attack. A DoS attack is from one source at a time while a DDoS attack is from multiple sources. Usually with larger attacks you will notice that they are using spoofed or fake IPs to launch the attack.
.=QUACK=.Major.Pain wrote: 2) When under attack, can the ip be identified?
Yes, our managed VDS and game servers include a new "Firewall" tab where you can grab traffic hitting your server and apply filters to block if needed. However, I would be careful, as applying the wrong filter can cause some issues.
.=QUACK=.Major.Pain wrote: 3) If the attacker can be identified, legit or through proxy or whatever, could a host not have a program in place check all visitors?
In most cases if we can identify the type of attack we can block it. This is not always true for all of our locations since some include routers which allow us to do some advanced blocking. Along with this, some OSes (Linux) will allow for a wide variety of rules, allowing us to filter an attack easier and better.
In extreme cases we have been known to move clients to a VDS and apply a whitelist rule, which will simply block all traffic except for legit users. This is somewhat of a last resort as it may not always be the best case.
.=QUACK=.Major.Pain wrote: e.g. If you're providing a service that hundreds of people use, and they all are performing generally the same actions, and say the bandwidth load for a general safe individual visitor was say a value of X, and the bandwidth load for a general DDos individual exceeds X greatly to the point of shutting down, or extremely harming the website, then could you not run a program that would monitor all visitors?
Say the monitoring program is set up to monitor each person's bandwidth load, and you have a safe max value of X. Where X is say 10% higher than the highest recommended safe bandwidth load.
Then you have checks like:
If visitor(a)-bandwidthload < X then visitor(a) is considered safe
elseif visitor(a)-bandwidthload > X then visitor(a) is considered DDos attacker and ip ban visitor for 24hrs.
Of course visitors would have to be rechecked every so many secs or minutes, and maybe have it set up so that they would have to exceed the limit 3 times before imposing a ban.

In theory you could, but that would require an extreme amount of math and scripting. Such as what if this one time a client needed to send a very large packet, while others needed to send small packets, etc.
On top of this, attacks are not always big. You will find some attacks which will flood servers with only a little bit of traffic, 20mbps or less. Others will exhaust the resources of the machine itself.
So applying something like this wouldn't really help in all cases. Now, if you had an environment where no client should be sending more than this amount of data and the server wouldn't ask for more than that, then yes, it probably would work a little better.
We actually have some really good guides on attacks. They will explain some of the most common attacks and how to prevent/stop some as well, I would definitely consider giving them a once over.
http://www.nfoservers.com/forums/viewto ... =25&t=4931
http://www.nfoservers.com/forums/viewto ... =25&t=4960
Also, if you are interested in the new "firewall" tab in your control panel, there are some good FAQs located on that page, and any staff member would be more than happy to walk you through the basics if you need some help.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
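The per-visitor threshold with three strikes proposed in this thread, replayed against the two cases raised in the reply (a one-off large transfer, and many sources that each stay under X), as an added example that is not part of the original posts or of NFO's tooling. `SAFE_LOAD`, `LINK_CAPACITY`, the 10-second interval and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SAFE_LOAD = 100_000          # assumed: highest normal bytes per visitor per interval
LIMIT_X = SAFE_LOAD * 1.10   # the thread's X, 10% above the safe load
STRIKES_TO_BAN = 3           # "exceed the limit 3 times"
BAN_SECONDS = 24 * 3600      # "ip ban visitor for 24hrs"
LINK_CAPACITY = 10_000_000   # assumed: bytes per interval the server can absorb

class BandwidthMonitor:
    def __init__(self):
        self.strikes = defaultdict(int)
        self.banned_until = {}

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def check_interval(self, usage, now):
        """usage: {ip: bytes in the interval ending at now}. Returns newly banned IPs."""
        newly_banned = []
        for ip, nbytes in usage.items():
            if self.is_banned(ip, now) or nbytes <= LIMIT_X:
                continue
            self.strikes[ip] += 1
            if self.strikes[ip] >= STRIKES_TO_BAN:
                self.banned_until[ip] = now + BAN_SECONDS
                self.strikes[ip] = 0
                newly_banned.append(ip)
        return newly_banned

def replay(intervals, step=10):
    """Feed constructed per-interval usage maps to a fresh monitor."""
    mon, banned, overloaded = BandwidthMonitor(), [], 0
    for i, usage in enumerate(intervals, start=1):
        now = i * step
        # Traffic from already-banned IPs is dropped before it counts against capacity.
        passed = sum(b for ip, b in usage.items() if not mon.is_banned(ip, now))
        overloaded += passed > LINK_CAPACITY
        banned += mon.check_interval(usage, now)
    return banned, overloaded, mon

# Constructed samples (documentation/benchmark address ranges, not real traffic).
single_flood = [{"192.0.2.10": 80_000, "203.0.113.9": 20_000_000}] * 5
one_burst = [{"192.0.2.10": 500_000}] + [{"192.0.2.10": 80_000}] * 4
bots = [str(ipaddress.IPv4Address("198.18.0.0") + i) for i in range(500)]
distributed = [{ip: 90_000 for ip in bots}] * 5   # every source stays under X
```

`replay(single_flood)` bans the one heavy source after its third strike, while `replay(distributed)` bans nobody even though every interval exceeds the assumed capacity, which is the limitation the reply describes.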
Re: DDos Attacks
ok.
I was just curious because the site metabans.com went out of business because of this.
I had thought, that in their case, if all they are doing is streaming (or whatever it's called) to each server, the bandwidth load would probably be close to the same for each connection since the action is the same. I guess depending on the distance from server a to b, might change somewhat. Thinking that because of the same actions, there would be an actual value that would realistically be considered as a safe bandwidth value and anyone exceeding that value might be an attacker.
But I guess because of the variety of attack methods, it may stop some but not all.
Re: DDos Attacks
.=QUACK=.Major.Pain wrote: ok.
I was just curious because the site metabans.com went out of business because of this.
I had thought, that in their case, if all they are doing is streaming (or whatever it's called) to each server, the bandwidth load would probably be close to the same for each connection since the action is the same. I guess depending on the distance from server a to b, might change somewhat. Thinking that because of the same actions, there would be an actual value that would realistically be considered as a safe bandwidth value and anyone exceeding that value might be an attacker.
But I guess because of the variety of attack methods, it may stop some but not all.
Yeah, unfortunately there is no foolproof way to stop an attack. Even companies which specialize in attack mitigation and prevention cannot stop everything. So if you are in a case where you are being hit 24/7 with all types of attacks, you are looking at a lot of money just to be able to operate.
Re: DDos Attacks
I got an event saying a customer in Atlanta launched a DoS attack from their VDS yesterday afternoon. I was curious to know how you handle these troublemaker customers? It would be amazing if there is some existing global blacklist among server companies they could be added to.
Re: DDos Attacks
There is not a global blacklist that I'm aware of.
In most cases, the customer's VDS has been compromised and some 3rd party is running the attacks.
Re: DDos Attacks
Oh ok that makes sense. I at first read it as the physical customer himself was the actual perpetrator when I actually know better. I wasn't thinking at all straight this morning. 
