
#1 2011-02-04 22:15:04

ChojinDSL
Member
From: Germany
Registered: 2010-11-30
Posts: 64

How do you protect yourself against DDOS attacks?

I'm starting a new job soon for an employer who has had the occasional ddos attack against their website.
Anyways I was wondering, how do you guys protect yourselves against ddos attacks?

The way my employer fought against it last time was rather inelegant and a sort of lucky situation. They noticed that all the attacks came from IPs which were located in foreign countries, so they simply blocked entire IP ranges which weren't from the country they were providing the service for.

This seems like quite a drastic measure to me. After all, one goal of my employer is to become more international, and even if you cater only to local clientele, plenty of legitimate users could be across the border.

Specifically protecting Apache against DDOS attacks is what I would be interested in.

Can anyone suggest some software or setup I should research for this?


#2 2011-02-04 22:29:41

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: How do you protect yourself against DDOS attacks?

I think it's pretty damn hard (impossible?) to absolutely ensure any server is ddos proof.

You can limit connections per second or per whatever time using iptables. Instead of blocking entire IP ranges (which would clearly block lots of legitimate users too), you can block IP addresses on a temporary basis if they start making ridiculous numbers of requests (such as during a ddos). There's plenty of other stuff you can do with iptables. Search google for "iptables dos". Creating your "perfect" iptables rule set takes a lot of time and research though. This will also help to stop your server from crashing.

Also think about using other web servers such as nginx that use an asynchronous approach and also use much less memory. I'd imagine nginx would survive longer during a ddos, depending on how much memory the server has.


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)


#3 2011-09-08 14:37:28

ChojinDSL
Member
From: Germany
Registered: 2010-11-30
Posts: 64

Re: How do you protect yourself against DDOS attacks?

A colleague of mine recently had one of his own servers under a DDOS attack. Nginx helped out a bit. But the holy grail in this case was Fail2ban.

Now, usually a DOS would mean that massive requests are issued within a short time. Such behaviour is easily identified and blocked. But how do you react when it's distributed and each individual node is issuing requests at a normal rate?

Well, in my tests I came to the conclusion that it's all about the difference in typical behaviour of legitimate visitors to a site and automated requests as in the case of a DDOS attack.

For example, a DOS bot might not issue requests at an alarmingly high rate (slow and steady wins the race), but it will continually issue requests for hours.
So rather than trying to catch "burst" behaviour with requests crossing a certain threshold in a short amount of time, I instead configured fail2ban to check for IPs which crossed a certain threshold after an hour, and then block that IP for 24 hours.

It might take a while to find the sweet spot. And it won't be effective immediately. But with a little patience the blocklist started to fill up, and after a few hours the DDOS'ers seemed to have run out of IPs from which to attack.

It makes sense if you think about it. A legitimate human user will go to a site and spend most of their time reading content, rather than clicking links. Well, usually anyways.

Also, I've noticed that bots always seem to hit the same URL. Meaning, the main URL of the site, and not selecting any links within the site. While I suppose that it would be trivial to configure a bot to act more legitimately and have it actually click through all available links, I think it kind of defeats the purpose. Or at least most script kiddies won't go that far.

If you know your way around with REGEXP, I'm sure you could come up with some really nicely custom-tailored rules for fail2ban to use in identifying and blocking IPs. So for example, rather than simply counting ANY connection made in the http logs, you could concentrate on IPs which only and continually access the main URL, over and over again.
Legitimate users will most likely click on other links as well, so if you manage to exclude these kinds of accesses from Fail2ban's counting mechanism, you minimize the chance of locking out legitimate users.
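An added example of the fail2ban setup described in this post (not ChojinDSL's own config): a filter that counts only successful requests for the bare main URL, and a jail that bans an address for 24 hours once it crosses a threshold within one hour. The file locations (/etc/fail2ban, /var/log/httpd/access_log), the jail name apache-mainurl and the maxretry value are assumptions to adjust for your site. The filter regex uses `.*` instead of matching the timestamp explicitly because fail2ban removes the timestamp it detects from the line before applying failregex. The count_mainurl_hits function applies the same pattern in grep form over constructed sample log lines, so you can see what the jail would count before enabling it.

```shell
#!/bin/sh
# Added example, not from the thread: fail2ban jail that counts repeated
# hits to the site's main URL over an hour. Assumed locations: fail2ban
# config in /etc/fail2ban (override with F2B_DIR) and the Apache access
# log at /var/log/httpd/access_log (override with ACCESS_LOG).

F2B_DIR="${F2B_DIR:-/etc/fail2ban}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/httpd/access_log}"

# Extended-regex form of the filter: a GET/HEAD/POST for exactly "/"
# (optionally with a query string) that got a 2xx answer. A request for
# any other path does not match, so a visitor who clicks around is not counted.
MAINURL_RE='^[0-9.]+ - [^ ]+ .*"(GET|HEAD|POST) /(\?[^ ]*)? HTTP/[0-9.]+" 2[0-9][0-9] '

# Write filter.d/apache-mainurl.conf and jail.local into $1 (default: $F2B_DIR).
write_fail2ban_mainurl_config() {
  dir="${1:-$F2B_DIR}"
  mkdir -p "$dir/filter.d"
  cat > "$dir/filter.d/apache-mainurl.conf" <<'EOF'
[Definition]
# Successful request for the bare main URL only. fail2ban strips the
# timestamp before matching, hence ".*" rather than an explicit date field.
failregex = ^<HOST> - \S+ .*"(?:GET|HEAD|POST) /(?:\?\S*)? HTTP/[0-9.]+" 2\d\d
ignoreregex =
EOF
  cat > "$dir/jail.local" <<EOF
[apache-mainurl]
enabled  = true
port     = http,https
filter   = apache-mainurl
logpath  = $ACCESS_LOG
# findtime/maxretry: more than 600 main-page hits within one hour from one
# address (placeholder threshold, tune against real traffic); bantime: 24 hours.
findtime = 3600
maxretry = 600
bantime  = 86400
EOF
}

# Apply the same pattern to log lines on stdin and print "count ip" per
# address, busiest first, to help pick a maxretry value.
count_mainurl_hits() {
  grep -E "$MAINURL_RE" | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample log lines (combined log format, RFC 5737 documentation
# addresses): one source hammers "/" only, the other browses the site.
SAMPLE_LOG='198.51.100.7 - - [08/Sep/2011:14:00:01 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2011:14:00:03 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2011:14:00:05 +0200] "GET /?x=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Sep/2011:14:00:02 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Sep/2011:14:00:40 +0200] "GET /about.html HTTP/1.1" 200 2210 "http://example.invalid/" "Mozilla/5.0"
203.0.113.9 - - [08/Sep/2011:14:01:12 +0200] "GET /css/site.css HTTP/1.1" 200 812 "http://example.invalid/" "Mozilla/5.0"'

# Busiest line of the report for the sample log.
top_mainurl_hits() {
  printf '%s\n' "$SAMPLE_LOG" | count_mainurl_hits | head -n 1
}

# Number of distinct addresses that hit the main URL at all in the sample log.
distinct_mainurl_sources() {
  printf '%s\n' "$SAMPLE_LOG" | count_mainurl_hits | awk 'END { print NR }'
}
```

Run `write_fail2ban_mainurl_config` as root and restart fail2ban to enable the jail; run `count_mainurl_hits < /var/log/httpd/access_log` first to see how many main-page hits your busiest genuine visitors produce per hour, and set maxretry above that.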


#4 2011-09-08 23:22:53

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,237

Re: How do you protect yourself against DDOS attacks?

There's 2 (main) potential impacts of a DDOS:
1) Flooding of your uplink which will choke out legitimate traffic.
2) Overloading your server resources to prevent it from handling legitimate traffic.

Solving 1 will definitely require the assistance of your ISP since the effect is actually just outside of your control (on the ISP side of your uplink). The suggestions above are a good start for solving problem 2. I have successfully used iptables in the past to manage DDoS attacks against SMTP servers; the ipt_recent, limit, hashlimit and connection marking are useful for this. The added benefit of this approach is that iptables is in kernel, so it's faster and uses a lot fewer resources than limiting etc in the server daemon or fail2ban.
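An added example of the in-kernel approach from this post and from dyscoria's (not fukawi2's own ruleset): per-source-IP limiting of new HTTP connections with the hashlimit module, a cap on simultaneous connections with connlimit, and a temporary ban through the recent module. The port, thresholds and ban length are assumptions to tune against real traffic; the rules need root, and setting IPT=echo prints them instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: in-kernel HTTP rate limiting with the
# iptables hashlimit, connlimit and recent modules. Assumptions: HTTP on
# port 80, root privileges, and placeholder thresholds to tune. Everything is
# keyed per source address, so one noisy host does not block a whole range.

IPT="${IPT:-iptables}"
HTTP_PORT="${HTTP_PORT:-80}"
RATE="${RATE:-20/second}"          # sustained new connections per source IP
BURST="${BURST:-50}"               # short burst tolerated before the limit bites
CONN_CAP="${CONN_CAP:-40}"         # simultaneous connections per source IP
BAN_SECONDS="${BAN_SECONDS:-600}"  # how long an offender stays blocked

http_ratelimit_rules() {
  # Dedicated chain for new HTTP connections
  $IPT -N HTTP_RATELIMIT
  # Sources flagged within BAN_SECONDS are dropped outright; --update refreshes
  # the timestamp, so the block lasts as long as they keep trying.
  $IPT -A INPUT -p tcp --dport "$HTTP_PORT" -m recent --name http_abuse --update --seconds "$BAN_SECONDS" -j DROP
  # Every new TCP connection to the HTTP port goes through the limit chain
  $IPT -A INPUT -p tcp --dport "$HTTP_PORT" -m conntrack --ctstate NEW -j HTTP_RATELIMIT
  # Cap concurrent connections per source (slow, long-held connections)
  $IPT -A HTTP_RATELIMIT -m connlimit --connlimit-above "$CONN_CAP" --connlimit-mask 32 -j DROP
  # Token bucket per source IP: within RATE plus BURST the connection is accepted
  $IPT -A HTTP_RATELIMIT -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip \
       --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j ACCEPT
  # Over the limit: remember the source in the recent list and drop the packet
  $IPT -A HTTP_RATELIMIT -m recent --name http_abuse --set -j DROP
}

# Remove the rules again; the chain can only be deleted once nothing references it.
http_ratelimit_teardown() {
  $IPT -D INPUT -p tcp --dport "$HTTP_PORT" -m recent --name http_abuse --update --seconds "$BAN_SECONDS" -j DROP
  $IPT -D INPUT -p tcp --dport "$HTTP_PORT" -m conntrack --ctstate NEW -j HTTP_RATELIMIT
  $IPT -F HTTP_RATELIMIT
  $IPT -X HTTP_RATELIMIT
}

# Number of rule commands the install function issues (useful for a dry run).
http_ratelimit_rule_count() {
  IPT=echo http_ratelimit_rules | awk 'END { print NR }'
}
```

Keep the recent rule ahead of the limit chain so a blocked source costs one table lookup per packet, and watch the list with `cat /proc/net/xt_recent/http_abuse` while tuning RATE and BURST; a legitimate browser opening a page with many assets should stay below the burst.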


#5 2011-09-14 18:28:15

ChojinDSL
Member
From: Germany
Registered: 2010-11-30
Posts: 64

Re: How do you protect yourself against DDOS attacks?

Fail2ban is only a script which runs iptables, wouldn't really say that it has performance issues.


#6 2011-09-14 23:09:24

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,237

Re: How do you protect yourself against DDOS attacks?

ChojinDSL wrote:

Fail2ban is only a script which runs iptables, wouldn't really say that it has performance issues.

a) Anything in User-space is going to be slower than in kernel.
b) It polls log files for its monitoring, so there's HDD access required making it slower (assuming the kernel doesn't cache)
c) It's Python :P

Don't get me wrong, I *do* use fail2ban myself for various services, but it's going to contribute to the problem in a DDoS attack situation (using up system resources).


#7 2011-09-14 23:10:14

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,237

Re: How do you protect yourself against DDOS attacks?

fukawi2 wrote:
ChojinDSL wrote:

Fail2ban is only a script which runs iptables, wouldn't really say that it has performance issues.

a) Anything in User-space is going to be slower than in kernel.
b) It polls log files for its monitoring, so there's HDD access required making it slower (assuming the kernel doesn't cache the relevant files)
c) It's Python (ie, an interpreted language, not byte-code compiled)

Don't get me wrong, I *do* use fail2ban myself for various services, but it's going to contribute to the problem in a DDoS attack situation (using up system resources).

Last edited by fukawi2 (2011-09-14 23:10:31)
