
DDOS attack advice

Discussion in 'BlackHat Lounge' started by SeoCompany, Dec 26, 2009.

  1. SeoCompany

    SeoCompany Newbie

    Joined:
    Nov 28, 2009
    Messages:
    11
    Likes Received:
    4
    A client of mine was attacked starting at 9:00 a.m. PST on Christmas Eve. The attacks crippled his site. We found out that it was done by one of his competitors. Wired Tree was able to get it under control somewhat but he has still lost thousands of dollars. The attacks are still happening and it's getting over 100 million queries, all from unique IPs, and they claim it is the largest scale DDOS attack they have ever seen. One company wanted $50k up front just to stop the attacks. I guess my question is, does anyone have any ideas about how to prevent this kind of thing from happening? Also, what would you do if someone attacked you this way?
     
  2. tsincaat

    tsincaat Junior Member

    Joined:
    Apr 7, 2008
    Messages:
    102
    Likes Received:
    106
    It depends on what kind of attack it is, but I believe if it's a certain kind of ddos you can set up an iframe or something similar on your page so the competitor's site is hit by his own ddos. That'll stop them pretty fast, but you would also need to know which competitor it is.

    Your best bet is to find a ddos protection provider, the ones I can think of off the top of my head are staminus, gigenet, and dragonara.
     
  3. Elimination

    Elimination Newbie

    Joined:
    Oct 10, 2009
    Messages:
    20
    Likes Received:
    15
    unkn0wn uses x10hosting
     
  4. thxflash

    thxflash Power Member

    Joined:
    Jan 20, 2009
    Messages:
    786
    Likes Received:
    131
    Location:
    Newport Beach, CA
    A DDOS is not a DOS attack. It's flooding the connection with packets to overwhelm the network.
     
  5. thxflash

    thxflash Power Member

    Joined:
    Jan 20, 2009
    Messages:
    786
    Likes Received:
    131
    Location:
    Newport Beach, CA
  6. Donnie Darko

    Donnie Darko Regular Member

    Joined:
    Aug 22, 2007
    Messages:
    229
    Likes Received:
    356
    Location:
    USA
  7. showbizvet

    showbizvet Power Member

    Joined:
    Oct 1, 2008
    Messages:
    795
    Likes Received:
    260
    Occupation:
    IM
    Location:
    Tennessee and around
    Here's my thread when it happened to me, some good info in there.

    Code:
    http://www.blackhatworld.com/blackhat-seo/black-hat-seo/136607-my-main-clients-site-under-dos-attack.html
    We moved the site to VPS (was on shared) with Servint, been working good since the move. They state they are good at filtering out DDOS attacks and all I can say is that since the move, all has been well.
     
  8. mogambo

    mogambo Registered Member

    Joined:
    May 31, 2009
    Messages:
    96
    Likes Received:
    9
    I have listened to a seminar on DDoS attacks. Hope these countermeasures might help:
    * It is difficult to block them without affecting regular traffic, hence separate critical services into compartments, like separate email, ftp, etc.
    * Buy more bandwidth than required
    * Disable publicly accessible services like (port scan systems)
    * Balance traffic load on a set of servers
    * Change user default ports
     
  9. DigitalAge

    DigitalAge BANNED BANNED

    Joined:
    Dec 21, 2009
    Messages:
    19
    Likes Received:
    5
    If it's an HTTP request then it is getting sent straight to the domain. If that is the case, just redirect the domain to 127.0.0.1 and the bots will ddos themselves. If it's syn/supersyn/udp/tcp etc., then I would just turn off the server (just because it takes a lot of money to stop it, plus the server wastes a shit load of bandwidth which you will be fined for by the hosting company).
     
  10. SeoCompany

    SeoCompany Newbie

    Joined:
    Nov 28, 2009
    Messages:
    11
    Likes Received:
    4
    Thanks for all the info guys. I should probably clarify one thing too. Now I don't know very much about all this because I do SEO and NOT webhosting, BUT, according to Wired Tree, they are attacking the DNS and not the IP, so it doesn't matter if we balance the load or change servers, the attack will just follow.

    I really like the iframe info. Do you know where I can find more info on that? I would love to turn it back on them.
     
  11. tsincaat

    tsincaat Junior Member

    Joined:
    Apr 7, 2008
    Messages:
    102
    Likes Received:
    106
    Sorry SEO, I just happened to come across it once when I was researching this stuff. I'm no expert on ddos protection or attacks, but I'd guess it would only work on a relatively simple kind of attack. Whether it would work in this case, no clue, but I'm sure someone else here could tell you.
     
  12. DigitalAge

    DigitalAge BANNED BANNED

    Joined:
    Dec 21, 2009
    Messages:
    19
    Likes Received:
    5
    What iframe info? An iframe won't do shit. The server will get ddosed even if you iframe google. What you need to do is go to the domain registrar and update the DNS with 127.0.0.1. After 30 minutes, all the bots will be gone.
     
  13. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    Every type of attack is taken on a case by case basis. Whatever you do, don't let the information about how the attack is going on public etc. and get the fsck off of VPS's, get yourself some nice dedi's to run it. Depending on what the attack is I may be able to help out, obviously for a price though, but I have plenty of experience dealing with this garbage, sigh.
     
  14. SeoCompany

    SeoCompany Newbie

    Joined:
    Nov 28, 2009
    Messages:
    11
    Likes Received:
    4
    Ok, trying the change of DNS right now. If that doesn't work, I will PM you and you can give me the details of what you will do and the costs involved.

    *******Ok, have an important question. WiredTree is saying that if you change the dns, the site will be down. Ok, duh, I know that and that's the whole point, so that the bots can't hit it, BUT, after half an hour to an hour, can I change the dns back and everything will go back to normal without having to reupload the site?***************
     
    Last edited: Dec 27, 2009
  15. CYBERTRON

    CYBERTRON Regular Member

    Joined:
    Dec 19, 2009
    Messages:
    481
    Likes Received:
    269
    Occupation:
    CPA Network
    Location:
    USA / Indonesia
    Changing the DNS is only pointing the site in another direction. Once you put the DNS back, everything will be as it was minus the bots. I would recommend waiting at least an hour. Then it's back to business for you! :D
     
  16. DigitalAge

    DigitalAge BANNED BANNED

    Joined:
    Dec 21, 2009
    Messages:
    19
    Likes Received:
    5
    Yes, the point of changing the DNS to 127.0.0.1 is so the bots ddos themselves and ping out. After 1 hour or so, all the bots will just fuck themselves. The reason I'm telling you to do this is because you will get charged thousands or get kicked from the hosting if you use too much bandwidth. So keeping the site offline for 1 hour or so won't hurt as much as paying back fines and getting your data to a new server and such.
     
  17. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    You guys really have no clue. Flooding 127.0.0.1 will do NOTHING to hurt the bots, and changing the DNS, they will track it. Wait and see. Been there, dealt with that. You're about to create a few hours of downtime for no benefit.

    enjoy
     
  18. DigitalAge

    DigitalAge BANNED BANNED

    Joined:
    Dec 21, 2009
    Messages:
    19
    Likes Received:
    5
    yea, i haz no clue..

    Apparently metasploit didn't have a clue when they redirected their servers to 127.0.0.1 when they were receiving 15mbs floods.

    http://seclists.org/fulldisclosure/2009/Feb/144

    okay thx bye.
     
  19. linkme

    linkme Regular Member

    Joined:
    Oct 26, 2009
    Messages:
    422
    Likes Received:
    135
    Occupation:
    teh Internets (since 1998)
    Location:
    Online
    haha obviously no-one heard that a little knowledge is a dangerous thing :p

    OP, there is not enough information here to help you out. Just hope they are noobs and are doing something simple like a synflood etc. and simply (I say that lightly) enable syn handshaking etc. The next step is to use a proxy between the net and your host; this way you can enable all sorts of anti-ddos measures. Also a decent hardware firewall is a good thing. In short, you can't stop it, all you can do is change where it places the load, and moving it away from your actual webserver is usually the 1st step imho.

    flame away
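
Added example, not part of any post in this thread: several replies hinge on knowing which kind of flood is under way before choosing a countermeasure. The sketch below summarises `ss -tan` style output for one local port and separates a half-open (SYN) pattern from a flood of completed connections; the function name `triage`, the thresholds, and the sample rows are all assumptions constructed for illustration.

```python
from collections import Counter

HEADER = "State Recv-Q Send-Q Local Address:Port Peer Address:Port"

def _rows(state, n, first_host):
    # Constructed sample rows; addresses are from documentation ranges.
    return [f"{state} 0 0 203.0.113.10:80 198.51.100.{first_host + i}:{40000 + i}"
            for i in range(n)]

SYN_SAMPLE = "\n".join([HEADER, "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*"]
                       + _rows("SYN-RECV", 8, 1) + _rows("ESTAB", 2, 100))
HTTP_SAMPLE = "\n".join([HEADER] + _rows("ESTAB", 12, 1) + _rows("TIME-WAIT", 3, 50))
QUIET_SAMPLE = "\n".join([HEADER] + _rows("ESTAB", 3, 1)
                         + ["ESTAB 0 0 203.0.113.10:22 198.51.100.9:50000"])

# First defensive step per verdict, taken from the measures named in the thread.
NEXT_STEP = {
    "syn-flood-like": "confirm SYN cookies are on (net.ipv4.tcp_syncookies=1)",
    "http-flood-like": "put a filtering proxy or DDoS protection provider in front",
    "normal": "no flood pattern visible on this port",
}

def triage(ss_text, port=80, min_conns=5, half_open_share=0.5, estab_limit=10):
    """Summarise connections to `port`; thresholds are assumed, tune per site."""
    states, peers = Counter(), set()
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] in ("State", "LISTEN"):
            continue
        if f[3].rsplit(":", 1)[-1] != str(port):
            continue  # connection to a different local port
        states[f[0]] += 1
        peers.add(f[4].rsplit(":", 1)[0])
    total, half_open = sum(states.values()), states["SYN-RECV"]
    if total >= min_conns and half_open / total >= half_open_share:
        verdict = "syn-flood-like"   # mostly half-open handshakes
    elif states["ESTAB"] >= estab_limit:
        verdict = "http-flood-like"  # many completed connections
    else:
        verdict = "normal"
    return {"verdict": verdict, "total": total, "half_open": half_open,
            "established": states["ESTAB"], "unique_peers": len(peers),
            "next_step": NEXT_STEP[verdict]}

if __name__ == "__main__":
    for name, text in [("syn", SYN_SAMPLE), ("http", HTTP_SAMPLE), ("quiet", QUIET_SAMPLE)]:
        print(name, triage(text))
```

On a live host the input would be the captured output of `ss -tan`; an established-connection count only means something against the site's normal baseline, so `estab_limit` has to be set from that.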
     
  20. trophaeum

    trophaeum Senior Member

    Joined:
    Dec 21, 2007
    Messages:
    1,189
    Likes Received:
    706
    Since when is 15mbit a strong attack? LOL

    They pointed it to 127.0.0.1 and left it there so as the attack went nowhere. The site was DOWN for that time, how does that help a business?

    If you have a good server you rarely need a hardware firewall, and if you do you need something on the level of a cisco pix 515e or a juniper netscreen... I don't have the model number handy. Either way, the shitty little firewalls that datacenters have normally won't cut it, they just overload and blow their guts all over the place and hey presto, your site is down just like it was before the firewall was in place.