
Re: [suse-security] Under DDoS Attack



Top posting isn't cool.

On Fri, Oct 28, 2005 at 12:12:59AM -0400, Timothy  Hall wrote:
> i have heard of organizations/providers doing that.  i have even had
> them DO IT.  it depends on how many locations the DDoS bots are
> attacking from, are they on a certain AS (look up autonomous system if
> you don't know what an AS is, traceroute.org also has listings of
> various ASs by country) or from domains/IP blocks that will not
> excessively restrict access to the resource being hosted...  this will
> work with blocks of IPs under the control of a certain authority, but
> again, it depends on how many places it is coming from.  for example if
> your site is in X language and the attacks are coming from ASs from
> areas where Y language is generally spoken, it may well be that your
> upstream provider/organization can block the address blocks (or some of
> them) and get rid of the load without seriously impacting the service
> you offer anymore than it already has been.
> 
> there are also documented cases of universities and companies having
> some success with such a method.  does this mean it will work in EVERY
> circumstance? no.  sometimes the only way is to move services to another
> IP and sometimes that isn't practical either.

Not sure what country you're in but maybe a small wager in US dollars or
euros? You give me an IP and fax me an OK from the owner of the IP signed
by you and them, and we can test your theory that you can actually toss out
unwanted packets.

If you don't want to, then maybe this can help:

The reason this won't work well, is because those packets have to be thrown
out regardless of how or where, and no one does a DDOS attack with less
than a GB or so of bandwidth at a time and nothing short of an OC line is
going to stand up to it.

I've been DDOSed and let me tell you, a router is great fun, but it's going
to crash trying to keep up with the discarding of packets. You're
essentially taking the attack away from the server, and onto your Router or
firewall, which in turn, whacks your connection anyway.

Like I said, the only ways to actually stop it are to switch IPs, or get a
bandwidth company to help with the load like Microsoft did with those Worms
a few years ago. But either way the traffic is still aimed at you.

If a company as big as Microsoft or dumb as SCO.... Ok they aren't the best
example, but even Microsoft switched servers and IPs when it happened. I
think THEY could make a phone call if that actually worked.

And remember the attacks weren't even professional for them, it was a Worm
working on Home machines and networks that weren't top of the line
bandwidth.

-Allen.

 
> 
> >>> Allen <gorebofh@xxxxxxxxxxx> 10/27/05 23:14 PM >>>
> On Thu, Oct 27, 2005 at 11:59:54PM +0200, b@rry wrote:
> > >As I said - it's a root server. Nothing in front but the pure internet...
> > 
> > Why not have a firewall in front of it? Root server or no, something that
> > can manage the connections to the box with relatively low connection
> > timeouts?
> 
> Maybe just maybe, because a firewall isn't going to do a THING against a
> DDOS attack? And for the other person who said call the ISP so they can
> "set the router to block the packets"..... Lol, if it was that easy Yahoo,
> Microsoft and SCO wouldn't have been taken down.
> 
> 
>  
> 
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
> 
