DDOS attack advice

A client of mine was attacked starting at 9:00 a.m. pst on Christmas Eve. The attacks crippled his site. We found out that it was done by one of his competitors. Wired Tree was able to get it under control somewhat but he has still lost thousands of dollars. The attacks are still happening and it's getting over 100 million queries, all from unique ips and they claim is the largest scale DDOS attack they have ever seen. Once company wanted $50k up front just to stop the attacks. I guess my question is, does anyone have any ideas about how to prevent this kind of thing from happening? Also, what would you do if someone attacked you this way?

It depends on what kind of attack it is, but I believe if it's a certain kind of ddos you can setup an iframe or something similar on your page so the competitor's site is hit by his own ddos. That'll stop them pretty fast, but you would also need to know which competitor it is.

Your best bet is to find a ddos protection provider, the ones I can think off the top of my head are staminus, gigenet, and dragonara.

unkn0wn uses x10hosting

A DDOS is not a DOS attack. It's flooding the connection is packets to overwhelm the network.

Elimination said:

unkn0wn uses x10hosting

Click to expand...

Yes this is true. http://unkx10.x10hosting.com/

Your best bet right now would be to shut down the server so his bots time out and disconnect. You can try blocking known DDoS IPs, there is iptables for that: http://hostechs.com/2008/09/dropping-a-ddos-attack-using-ttl-and-length-in-iptables/

But to be honest, there is practically no way to stop a DDoS attack if it's done properly and powerful enough.

here's my thread when it happened to me, some good info in there.


We moved the site to VPS (was on shared) with Servint, been working good since the move. They state they are good at filtering out DDOS attacks and all I can say is that since the move, all has been well.

I hav listened to a seminar on DDos attacks ..hope these counter measures might help
*It is difficult to block 'em without affecting regular traffic.. hence, separate critical services into compartments like separate email, ftp, etc
*Buy more bandwidth than required
*Disable publicly accessible services like(port scan systems)
*Balance traffic load on set of servers
*change user default ports

if its a http request then it is getting sent straight to the domain, if that is the case just redirect the domain to 127.0.0.1 and the bots will ddos themselves. If its syn/supersyn/udp/tcp etc.. then i would just turn of the server (just cause it takes a lot of money to stop it, plus the server wastes a shit load of bandwidth which you will be fined for by the hosting company)

Thanks for all the info guys. I should probably clarify one thing too. Now I don't know very much about all this because I do seo and NOT webhosting, BUT, according to Wired Tree, they are attacking the DNS and not the ip, so it doesn't matter if we balance the load or change servers, the attack will just follow.

I really like the iframe info. Do you know where I can find more info on that? I would love to turn it back on them.

SeoCompany said:

Thanks for all the info guys. I should probably clarify one thing too. Now I don't know very much about all this because I do seo and NOT webhosting, BUT, according to Wired Tree, they are attacking the DNS and not the ip, so it doesn't matter if we balance the load or change servers, the attack will just follow.

I really like the iframe info. Do you know where I can find more info on that? I would love to turn it back on them.

Click to expand...

Sorry SEO, I just happened to come across it once when I was researching this stuff. I'm no expert on ddos protection or attacks, but I'd guess it would only work on a relatively simple kind of attack. Whether it would work in this case, no clue, but I'm sure someone else here could tell you.

SeoCompany said:

Thanks for all the info guys. I should probably clarify one thing too. Now I don't know very much about all this because I do seo and NOT webhosting, BUT, according to Wired Tree, they are attacking the DNS and not the ip, so it doesn't matter if we balance the load or change servers, the attack will just follow.

I really like the iframe info. Do you know where I can find more info on that? I would love to turn it back on them.

Click to expand...

what iframe info? iframe wont do shit. the server will get ddosed even if you iframe google. What you need to do is go to the domain registrar and update the dns with 127.0.0.1. After 30 minutes, all the bots will be gone.

every type of attack is taken on a case by case basis, whatever you do, dont let the information about how the attack is going on public etc and get the fsck off of vps's, get yourself some nice dedi's to run it, depending on what the attack is i may be able to help out, obviously for a price though, but i have plenty of experience dealing with this garbage sigh

trophaeum said:

every type of attack is taken on a case by case basis, whatever you do, dont let the information about how the attack is going on public etc and get the fsck off of vps's, get yourself some nice dedi's to run it, depending on what the attack is i may be able to help out, obviously for a price though, but i have plenty of experience dealing with this garbage sigh

Click to expand...

Ok, trying the change of dns right now. If that doesn't work, I will pm you and you can give me the details of what you will do and the costs involved.

*******Ok, have an important question. WiredTree is saying that if you change the dns, the site will be down. Ok, duh, I know that and that's the whole point, so that the bots can't hit it, BUT, after half an hour to an hour, can I change the dns back and everything will go back to normal without having to reupload the site?***************

SeoCompany said:

Ok, trying the change of dns right now. If that doesn't work, I will pm you and you can give me the details of what you will do and the costs involved.

*******Ok, have an important question. WiredTree is saying that if you change the dns, the site will be down. Ok, duh, I know that and that's the whole point, so that the bots can't hit it, BUT, after half an hour to an hour, can I change the dns back and everything will go back to normal without having to reupload the site?***************

Click to expand...

Changing the DNS is only pointing the site in another direction. Once you put the DNS back. Everything will be as it was minus the bots. I would recommend waiting atleast an hour. Then its back to business for you!

SeoCompany said:

Ok, trying the change of dns right now. If that doesn't work, I will pm you and you can give me the details of what you will do and the costs involved.

*******Ok, have an important question. WiredTree is saying that if you change the dns, the site will be down. Ok, duh, I know that and that's the whole point, so that the bots can't hit it, BUT, after half an hour to an hour, can I change the dns back and everything will go back to normal without having to reupload the site?***************

Click to expand...

Yes, the point of changing the dns to 127.0.0.1 is so the bots ddos themselves and ping out. After 1 hour or so, all the bots will just fuck themselves. The reason im telling you to do this is because you will get charged thousands or get kicked from teh hosting if you use too much bandwidth. So keeping the site offline for 1 hour or so wont hurt as much as paying back fines and getting your data to a new server and such.

DigitalAge said:

Yes, the point of changing the dns to 127.0.0.1 is so the bots ddos themselves and ping out. After 1 hour or so, all the bots will just fuck themselves. The reason im telling you to do this is because you will get charged thousands or get kicked from teh hosting if you use too much bandwidth. So keeping the site offline for 1 hour or so wont hurt as much as paying back fines and getting your data to a new server and such.

Click to expand...

you guys really have no clue, flooding 127.0.0.1 will do NOTHING to hurt the bots and changing the dns, they will track it, wait and see, been there, dealt with that, your about to create a few hours of downtime for no benefit

enjoy

trophaeum said:

you guys really have no clue, flooding 127.0.0.1 will do NOTHING to hurt the bots and changing the dns, they will track it, wait and see, been there, dealt with that, your about to create a few hours of downtime for no benefit

enjoy

Click to expand...

yea, i haz no clue..

Apparantly metasploit didnt have a clue when they redirected their servers to 127.0.0.1 when they were receiving 15mbs floods.

http://seclists.org/fulldisclosure/2009/Feb/144

okay thx bye.

haha obviously no-one heard that a little knowledge is a dangerous thing

OP there is not enough information here to help you out, just hope they are noobs and are doing something simple like a synflood etc and simply (i say that lightly) enable syn handshaking etc. the next step is to use a proxy between the net and your host, this way you can enable all sorts of anti-ddos measures also a decent hardware firewall is a good thing.. in short you cant stop it all you can do is change where it places the load, and moving it away from your actually webserver is usually the 1st step imho.

flame away

since when is 15mbit a strong attack? LOL

they pointed it to 127.0.0.1 and left it there so as the attack went nowhere, the site was DOWN for that time, how does that help a business?

if you have a good server you rarely need a hardware firewall and if you do you need something on the level of a cisco pix 515e or a juniper netscreen... i dont have the model number handy, either way, the shitty little firewalls that datacenters have normally wont cut it, they just overload and blow their guts all over the place and hey presto your site is down just like it was before the firewall was in place