Security issue

shadzy
New to forums
Posts: 5
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Mon Jul 08, 2013 2:43 am

Security issue

Post by shadzy »

Hi there,

I may have posted this in the wrong section; I was hoping to speak to someone about what happens under a DDoS attack, like in beyond layman's terms, as I am a techie.

Just wondering if I could speak to someone tech so I can understand. I wouldn't want methods, as I appreciate they are NFO's own, but just to get an idea.

Unfortunately my requirement for a VPS is that it be based in EU.
Siren
Former staff
Posts: 358
Joined: Fri Aug 04, 2006 2:53 pm

Re: Security issue

Post by Siren »

We have a lot of information about ddos attacks here in our post from our CEO: http://www.nfoservers.com/forums/viewto ... =25&t=4931
<Spray> Please try locking your modem in a closet, or facing it towards the wall in the corner, so it knows its misbehaved
shadzy
New to forums
Posts: 5
Joined: Mon Jul 08, 2013 2:43 am

Re: Security issue

Post by shadzy »

Thank you, I took a good read, just wanted to know a few things:

1.) If a DDoS is higher than the capable handling, then the IP address is effectively nulled until it's stopped??
2.) Can DDoS protection happen as a process of port translation?? (i.e. UDP port x translates to TCP port x) or would this not be allowed because of their subtle difference in operation?
3.) Do you guys consider making software-based firewalls as a proxy, like on Linux with use of iptables and Serverark, as to try to constructively limit traffic to and from servers?
4.) If 3 is yes, does it work for you, even on Windows machines?
5.) If 3 is no, what would you recommend for Windows-based VPSs?

As mentioned in the OP, I'm not after intentional detailed methods, just to get a feel and an idea, if I am thinking along the right lines or are there complete utter variables I'm not considering.

Many Thanks,
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: Security issue

Post by kraze »

shadzy wrote:1.) If a DDoS is higher than the capable handling, then the IP address is effectively nulled until it's stopped??
That is done on a case-by-case basis. However, null routing is never our first option. We always attempt to mitigate attacks and block them. Only when an attack is so big that it affects other customers and the location as a whole will we null route.

shadzy wrote:2.) Can DDoS protection happen as a process of port translation?? (i.e. UDP port x translates to TCP port x) or would this not be allowed because of their subtle difference in operation?
Not entirely sure on how port translation would fit into mitigation. Can you provide a bit more context on what you mean?

shadzy wrote:3.) Do you guys consider making software-based firewalls as a proxy, like on Linux with use of iptables and Serverark, as to try to constructively limit traffic to and from servers?
Software-based firewalls are something we use internally here to block very small application-specific attacks, yes. It is also a good way to block traffic to your server, yes. Each of our services, excluding unmanaged dedis, has a built-in "Firewall" tab which allows you to block specific traffic to your server.

shadzy wrote:4.) If 3 is yes, does it work for you, even on Windows machines?
It does work on a Windows machine, but the options are extremely limited due to limitations in Windows.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Security issue

Post by Edge100x »

Apparently kraze and I were typing up answers simultaneously.
shadzy wrote:1.) If a DDoS is higher than the capable handling, then the IP address is effectively nulled until it's stopped??
The filter might be more narrow than that, depending on the nature of the attack. Each has to be handled on a case-by-case basis.

It is rare for us to come across an attack that causes us to null-route.

shadzy wrote:2.) Can DDoS protection happen as a process of port translation?? (i.e. UDP port x translates to TCP port x) or would this not be allowed because of their subtle difference in operation?
We don't use port translation on our end. For encapsulated traffic, our router just sees everything according to what the outer envelope says it is.

shadzy wrote:3.) Do you guys consider making software-based firewalls as a proxy, like on Linux with use of iptables and Serverark, as to try to constructively limit traffic to and from servers?
We have applied advanced firewall rules and proxying systems in the past, yes. However, these techniques do not apply to most attacks.

The "serverark" tool does things that are better performed through straight iptables rules. I posted those rules to the relevant server list before it was mentioned and talked about this afterward.

shadzy wrote:4.) If 3 is yes, does it work for you, even on Windows machines?
5.) If 3 is no, what would you recommend for Windows-based VPSs?
Every situation is different, so you'll need to be more specific on the type of attack that you're trying to defend against for me to be able to say more about what you can do to block it.
shadzy
New to forums
Posts: 5
Joined: Mon Jul 08, 2013 2:43 am

Re: Security issue

Post by shadzy »

Thank you both for replying, appreciate the response.

It's mainly synflood, but it varies in magnitude from 500mbit to 2gbit.

Compromised botnets, as I understand it.

Windows machine I am working with; do you think this is the job of a hardware firewall, or can software help mitigate/absorb it???

The people doing it unfortunately are sour grapes, so whenever I put something in place, they overcome it. Just thought there is a "grail" solution!
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Security issue

Post by Edge100x »

I'd need to see example traffic to know more. Many synfloods can be blocked using our filters, but those that can't would need to be handled by the target OS. Syncookies are built into every modern OS to deal with it.
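
Added example (not part of the original thread and not NFO's tooling): on a Linux target, the half-open connections a SYN flood leaves behind appear with state `03` (SYN_RECV) in `/proc/net/tcp`, and the kernel's syncookie activity appears in the `TcpExt` counters of `/proc/net/netstat`. The sketch below parses both; the sample text is constructed, uses documentation address ranges, and assumes a little-endian host.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # kernel state code for a half-open (SYN received) connection

# Constructed sample, trimmed to the first four columns of /proc/net/tcp.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0F02000A:6987 00000000:0000 0A
   1: 0F02000A:6987 0B0200C0:C350 03
   2: 0F02000A:6987 0B0200C0:C351 03
   3: 0F02000A:6987 076433C6:9C40 03
   4: 0F02000A:0016 097100CB:D431 01
"""

# Constructed sample, trimmed to four TcpExt fields of /proc/net/netstat.
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 18230 12 4051 0
"""

def decode_addr(field):
    """Turn '0B0200C0:C350' into ('192.0.2.11', 50000); little-endian host assumed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open(proc_net_tcp):
    """Count SYN_RECV entries per local port and per remote address."""
    by_port, by_source = Counter(), Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 4 or cols[3] != SYN_RECV:
            continue
        by_port[decode_addr(cols[1])[1]] += 1
        by_source[decode_addr(cols[2])[0]] += 1
    return by_port, by_source

def syncookie_counters(netstat_text):
    """Pair the TcpExt header row with its value row; keep the Syncookies* fields."""
    rows = [l.split()[1:] for l in netstat_text.splitlines() if l.startswith("TcpExt:")]
    table = dict(zip(rows[0], map(int, rows[1])))
    return {k: v for k, v in table.items() if k.startswith("Syncookies")}

if __name__ == "__main__":
    ports, sources = half_open(SAMPLE_PROC_NET_TCP)
    print("half-open by local port:", dict(ports))
    print("half-open by source:", sources.most_common(5))
    print("syncookies:", syncookie_counters(SAMPLE_NETSTAT))
```

On a live host, pass the contents of `/proc/net/tcp` and `/proc/net/netstat` instead of the samples; a rising `SyncookiesSent` value means the listen queue overflowed and the kernel fell back to cookies.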
shadzy
New to forums
Posts: 5
Joined: Mon Jul 08, 2013 2:43 am

Re: Security issue

Post by shadzy »

When it happens again I will bring it here for you to look at.

Where would you need the traffic information from??
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Security issue

Post by Edge100x »

Since we can't meet your needs right now, it might be better to wait and take a closer look at this after we open our Frankfurt location within the next couple of months.
shadzy
New to forums
Posts: 5
Joined: Mon Jul 08, 2013 2:43 am

Re: Security issue

Post by shadzy »

OK, thanks, I'll wait patiently for this.

Close if necessary!