Question

Can I use captcha to hold off a DDoS?

Asked by: Igiwwa

** this is very urgent, please respond as soon as possible

One of my sites is under a DDoS attack, the hosting company does not really have any solution besides just saying that we should get more powerful server to handle the additional requests, I do not think that makes sense because even if I get a more powerful server, the DOS attack could just be ratcheted up and then the new server will get overloaded.

The hosting company also says that they cannot filter out the traffic because the connections are coming from different ips and there is no pattern to the ips nor are they coming from a clustered location (which we could just block).

They also say that each IP address is making just one connection so if I put in a script to say that it should block all IPs with one connection, then I will end up blocking legitimate traffic too.

I could move the site under attack to a different server with a different IP but I am guessing that the attack will still continue because the attackers will just locate that the domain has moved to a different IP address. They are probably attacking the domain name rather than the ip address the domain resides on.

I was also thinking that I could upload static html versions of my pages (the total # of pages is like 7000) and I have the static pages but the problem is the file names do not have the same name as the urls on my site. To make the urls the same I will have to rename the file names to include slashes (/) in multiple places but you can't have a / in the file name so this is not working either.

Also I spoke to the guy who runs this site, ypigsfly.com, he claims that if I route all traffic to my site through his IP he can block the bad connections but he won't tell me how, he says just trust me and he wants $750 to set it up so I am nervous about going with him. Anybody ever worked with a service like this?

So I can't really think of any solution? Does anybody have any ideas or any comments on the things I have listed above?

The only other thing I can think of trying is installing captcha anytime a page is accessed by a new IP. If the captcha is entered correctly, then the page requested will load otherwise it will not.
This way the dos attack will not be able to get access to the resource intensive files on my server and bring down mysql etc. Unsuccessful captcha entries will just end up using a basic simple resource light script.
What do you guys think about this? Should I try this?

This question has been solved and asker verified.


Asked on: 2009-08-07 at 09:05:27 (ID 24635181)
Tags: DDos, captcha, security, spam
Topics: Latest Threats, Network Software Firewalls, Networking Security Vulnerabilities
Participating experts: 3
Points: 500
Comments: 20


Answers

 

by: GrantN05 Posted on 2009-08-07 at 09:16:10 ID: 25044323

The CAPTCHA would work provided that it isn't served from the same machine that's being attacked. If it is, then they can just attack the captcha and you've gotten nowhere. Do you have multiple IP addresses? You could just move your DNS to another numerical address for the duration of the attack and have the host nullroute the one being flooded. However, if they're flooding your domain rather than the IP then that won't do much good. Unfortunately there's not too much that can be done in the event of a DDoS.

 

by: xuserx2000 Posted on 2009-08-07 at 09:18:48 ID: 25044358

captcha is designed to identify who is HUMAN and who is COMPUTER..... for the purpose of preventing scripted attacks against accounts, signup bots, site trawling...

It's not a solution for preventing DDOS unfortunately.

Usually these types of attacks are done by botnets.  An army of infected computers that phone home to get instructions of which site to latch onto.  The sudden increase of traffic can make your site slow to a crawl, or become unresponsive.

Some of these things could be working against you in this situation...
1) the power of the server as the ISP mentioned...
2) the available bandwidth the isp provides
3) the processing power of your router/firewall.

Unfortunately, the usual response to this, is to expand your infrastructure to be able to support the increase in requests.

Can I ask what the site is ?

If it's not a well known site...for example: look what facebook and twitter have gone through over the past week...., there must be some reason you are being targeted.

 

by: Igiwwa Posted on 2009-08-07 at 09:18:58 ID: 25044360

if they attack the captcha, it won't have too much of an impact because the captcha is not load intensive, right, so if they attack the captcha it won't have too much of an impact right?

 

by: xuserx2000 Posted on 2009-08-07 at 09:20:54 ID: 25044382

GrantN05:  Even if you used captcha in a "referral" manner, it doesn't prevent the server that is doing the referral from going down by the same DDOS method.  DOS would still be accomplished.

 

by: xuserx2000 Posted on 2009-08-07 at 09:21:40 ID: 25044395

Especially if the point of failure is bandwidth or firewall overload.

 

by: Igiwwa Posted on 2009-08-07 at 09:24:10 ID: 25044414

I am not comfortable disclosing what site it is but it is a site that gets about 3 million pageviews and 1.5 million uniques a month

 

by: GrantN05 Posted on 2009-08-07 at 09:24:42 ID: 25044426

Well, after thinking about it for a few minutes, a captcha could help on the server's load. It would reduce the load caused by the DDoS if it served a blank page or something instead of running intensive server-side scripts. The bottleneck at that point would then probably shift to bandwidth availability as opposed to server resources. Other than that and moving your server to another IP address and nullrouting the other until the attack is over, all you can really do is expand to withstand the increase in traffic.
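
An added example, not code from this thread: a sketch of the gate discussed above, where a request only reaches the database-backed scripts after a CAPTCHA has been solved, and the check costs one HMAC so the gate itself stays cheap. The secret, TTL, cookie format and function names are assumptions, and the CAPTCHA verification step itself is left out.

```python
import hashlib
import hmac
import time

# Assumption: a random secret known only to the web server (placeholder value).
SECRET = b"constructed-demo-secret-change-me"
PASS_TTL = 3600  # seconds a solved CAPTCHA stays valid for one IP


def _mac(ip, expiry):
    """HMAC over the client IP and the expiry time, so neither can be altered."""
    return hmac.new(SECRET, f"{ip}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_pass(ip, now=None):
    """Mint the cookie value once the CAPTCHA was solved: '<expiry>.<mac>'."""
    expiry = int(now if now is not None else time.time()) + PASS_TTL
    return f"{expiry}.{_mac(ip, expiry)}"


def has_valid_pass(ip, cookie, now=None):
    """Validate the cookie without touching a database or session store."""
    now = int(now if now is not None else time.time())
    try:
        expiry_text, mac = cookie.split(".", 1)
        expiry = int(expiry_text)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    if expiry < now:
        return False  # pass has expired, challenge again
    # Compare as bytes in constant time; non-ASCII input cannot raise here.
    return hmac.compare_digest(mac.encode(), _mac(ip, expiry).encode())


def gate(ip, cookie, now=None):
    """Pick the handler for a request before any expensive script runs."""
    if has_valid_pass(ip, cookie, now):
        return "app"        # hand over to the database-backed pages
    return "challenge"      # static CAPTCHA page, no MySQL query issued
```

Because the pass is bound to the IP address, visitors behind a shared NAT address each still need their own cookie, and the gate only relieves the web and database tier, not a saturated link or firewall.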

 

by: xuserx2000 Posted on 2009-08-07 at 09:29:04 ID: 25044470

understandable....


With regard to DOS,.... In most cases, what is being requested from your server, by the attackers, isn't as important as the amount of simultaneous requests coming in.

Simply sending enough simultaneous requests for the default page, can overload a web service or max the bandwidth or router processing power... it just depends on the nature of the attack.

Have you tried running a packet capture on web server to see what is coming in ?

 

by: GrantN05 Posted on 2009-08-07 at 09:30:12 ID: 25044487

xuserx: I thought of that about a minute after posting. You are correct. If the referred CAPTCHA was DDoSd it would still take the site down via proxy.

 

by: xuserx2000 Posted on 2009-08-07 at 09:32:04 ID: 25044506

Exactly... which is why there is no cheap/easy solution for this yet.... and even sites like Yahoo or Google can experience DoS from time to time.... and their mitigating solution is to have server service clusters with failover.

 

by: xuserx2000 Posted on 2009-08-07 at 09:39:12 ID: 25044584

I think we all agree that "something" needs to be done immediately even if the long term solution is expanded infrastructure.

Before we can do that.... we have to identify the exact point of failure.  Is it the SQL service, the web service, bandwidth, or router load ?

We have to know what the bots are requesting if you don't already know this.  I would suggest packet capture during off-peak hours using wireshark or netmon.  Try to identify the http GET or POST packets that are in fact malicious.  If it's requesting or sending something to a specific web service or page... a simple code or site rearrangement change may stop the effectiveness of the attack.
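
An added example, not part of the original post: one way to see what is being requested, using the web server's access log instead of a packet capture and assuming the log is in combined format. The log lines are constructed and the function name is hypothetical.

```python
import re
from collections import Counter

# Combined log format: ip, ident, user, [time], "request", status, size,
# "referer", "user agent".
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample input (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2009:09:00:01 +0000] "GET /search.php?q=a HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.6 - - [07/Aug/2009:09:00:01 +0000] "GET /search.php?q=b HTTP/1.1" 200 5090 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [07/Aug/2009:09:00:02 +0000] "GET /article.php?id=9 HTTP/1.1" 200 8841 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.8 - - [07/Aug/2009:09:00:02 +0000] "GET /search.php?q=c HTTP/1.1" 503 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.20 - - [07/Aug/2009:09:00:03 +0000] "GET /index.php HTTP/1.1" 200 10233 "-" "Mozilla/5.0 (Windows; U) Firefox/3.5"
198.51.100.20 - - [07/Aug/2009:09:00:09 +0000] "GET /article.php?id=3 HTTP/1.1" 200 9120 "http://example.com/index.php" "Mozilla/5.0 (Windows; U) Firefox/3.5"
this line is truncated and will not parse
203.0.113.9 - - [07/Aug/2009:09:00:10 +0000] "POST /comment.php HTTP/1.1" 200 150 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def triage(log_text, top=3):
    """Summarise which scripts, agents and IPs account for the requests."""
    paths, agents, per_ip = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            skipped += 1  # count unparseable lines instead of failing
            continue
        # Group by script: drop the query string so variants collapse together.
        paths[(m["method"], m["path"].split("?", 1)[0])] += 1
        agents[m["agent"]] += 1
        per_ip[m["ip"]] += 1
    single = sum(1 for n in per_ip.values() if n == 1)
    return {
        "total": sum(per_ip.values()),
        "skipped": skipped,
        "top_paths": paths.most_common(top),
        "top_agents": agents.most_common(top),
        # Share of client IPs seen exactly once in the window.
        "single_request_ip_share": single / len(per_ip) if per_ip else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```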

 

by: Igiwwa Posted on 2009-08-07 at 10:52:02 ID: 25045316

yeah according to the ISP, the requests are distributed across multiple scripts, it's not one script that is being overloaded, if it was, I would have shut it down

the overload is on the database and the web service, bandwidth is not that big of an issue because we are not getting a huge enough amount of requests for the isp to take us offline, we are just getting enough to shut down my server

also, what is the consensus on the captcha? if the captcha script is low resource intensive, do you guys think it will work or not?

also there is no workaround around this right

I was also thinking that I could upload static html versions of my pages (the total # of pages is like 7000) and I have the static pages but the problem is the file names do not have the same name as the urls on my site. To make the urls the same I will have to rename the file names to include slashes (/) in multiple places but you can't have a / in the file name so this is not working either.

because there is a script that powers these 7000 pages, I can shut it down if I can get these static pages up instead of it

another idea - it seems the speculation is that these kinds of attacks come from outside the US, so should I just temporarily block all non-US traffic. The site typically gets 40% of its traffic from outside the US but I am willing to sacrifice that now if the site would work properly for US traffic (which is where the bulk of the ad revenues come from)
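
An added example, not from the thread, for the static-page idea in the post above: the slashes in a URL can be supplied by directories, with each page stored as an index.html inside the folder its URL names. It assumes extensionless URLs, a web server whose directory index is index.html, and a URL-to-file mapping you already have; the function names are hypothetical.

```python
import os
import shutil
from urllib.parse import unquote, urlsplit


def dest_for(url, docroot):
    """Map a site URL to '<docroot>/<path segments>/index.html'."""
    parts = [unquote(p) for p in urlsplit(url).path.split("/") if p]
    # Refuse segments that could escape the document root once decoded.
    for p in parts:
        if p in (".", "..") or "/" in p or "\\" in p or "\0" in p:
            raise ValueError(f"unsafe path in URL: {url!r}")
    return os.path.join(docroot, *parts, "index.html")


def publish(url_to_file, docroot):
    """Copy each flat export file to the nested location its URL needs."""
    written = []
    for url, src in url_to_file.items():
        dest = dest_for(url, docroot)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copyfile(src, dest)
        written.append(dest)
    return written
```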

 

by: xuserx2000 Posted on 2009-08-07 at 11:15:30 ID: 25045498

I'm not sure how captcha would prevent making calls to the web app on the server...or just the bombardment of the server in general.

I don't think it will work, but then again I don't profess to know everything..... it's just that, if captcha was a solution for DoS, then more people would use it in that manner.

These dos attacks don't last forever... so temporarily blocking most of the bad traffic, would be a decent short term solution.  I would try to be very selective of course when blocking entire address blocks.

Clustered/distributed services with failover would be an actual solution....long term.

 

by: GrantN05 Posted on 2009-08-07 at 11:16:48 ID: 25045516

I would get a general feel for where the traffic is coming from and block traffic not coming from the US, Canada, or major European countries (such as Germany, France, UK, etc). That will hopefully lessen the load at least a little bit.

 

by: aleghart Posted on 2009-08-08 at 12:58:49 ID: 25051470

ypigsfly.com  will advertise your WAN subnet to the upstream providers, which routes all of your traffic to their equipment.

They'll inspect and compare all the requests with their own dynamic algorithms...figure out what's "good" traffic and forward it on to your equipment.

They can suck up a fair amount of bandwidth (100-300+ Mbps) in requests, then send down a few Mbps of good traffic to you.  That may or may not be enough.  But consider that most of the bandwidth consumed by a server like yours is going to be upstream.

500Kbps of requests probably generates 10Mbps of content served up to the requestors.  Something like that?

In theory, far easier than shipping equipment to your premises and setup, train, initiate learning phase on the hardware...that's old-school.

I've never worked with that company, so my explanation is very layman.

 

by: Igiwwa Posted on 2009-08-10 at 12:30:14 ID: 25063203

The captcha seems to be improving things but the server is still a little slow but more importantly, captcha is not a long-term solution, so short of upgrading the server, can anybody think of any other solutions? e.g. should I buy an anti-ddos software? is there any free software that I can try on a trial basis and see whether it deals with the problem and then if it does, I can buy it

 

by: xuserx2000 Posted on 2009-08-10 at 12:37:40 ID: 25063283

Some firewalls like Sonicwall have built in anti-ddos features....

I'm not sure how well it works, because I haven't been the subject of an attack in quite a while and I've only had this firewall for about a year....

 

by: Igiwwa Posted on 2009-08-11 at 15:47:30 ID: 25074253

does anybody know if there is a way to get temporary server resources (e.g. via cloud computing)? I temporarily need additional serving capacity.

My hosting company says the ddos attack has subsided but my current server is still overloaded, they say it's because the server is not powerful enough but just last week the current server was fine and traffic has not increased much, so I temporarily want to add additional serving resources and see whether that fixes the problem.

 

by: aleghart Posted on 2009-08-11 at 16:47:01 ID: 25074611

Amazon Web Services.  You can create it and activate on demand.  You pay per hour of use, not flat rate per month.

So, you could pre-populate/provision the server, then leave it dormant until traffic required its use.

It's called Elastic Compute Cloud (EC2):
http://aws.amazon.com/ec2/#pricing



United States

Standard On-Demand Instances    Linux/UNIX Usage    Windows Usage
Small (Default)                 $0.10 per hour      $0.125 per hour
Large                           $0.40 per hour      $0.50 per hour
Extra Large                     $0.80 per hour      $1.00 per hour

High CPU On-Demand Instances    Linux/UNIX Usage    Windows Usage
Medium                          $0.20 per hour      $0.30 per hour
Extra Large                     $0.80 per hour      $1.20 per hour

 

by: Igiwwa Posted on 2009-08-12 at 08:59:58 ID: 31612978

thanks everyone
