Solved

DDOS Protection

Posted on 2004-03-28
Last Modified: 2010-04-11
I offer psybncs and shell access and all that, and my server recently was hit by DDOS. I have recently blocked any ICMP packets, and blocked any incoming UDP packets except port 53 (for DNS). I tried to DDOS myself, and succeeded in preventing any PING DDOS, but when I UDP'ed myself my server was still hit. Where have I gone wrong? I also want to prevent TCP SYN packet DDOSing, and I read somewhere that filtering incoming TCP SYN requests to drop any packets after a certain number of packets/sec is possible, but I am fairly new to this and I need some help in configuring my firewall. Can anyone give some examples on how to prevent DDOS attacks, or at least minimize them?
0
Comment
Question by:rudyzainal
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10700406
What is your firewall? If it's a Cisco PIX, or router, they are able to "deflect" DDoS to a certain degree. If other, please specify. Also, what server are you running: Windows IIS, Windows Apache, Linux Apache... other?
Here are some things to understand, and possibly minimize DoS attacks: http://www.cisco.com/warp/public/707/newsflash.html
I also recommend DJBDNS (aka tinydns) over BIND, 2 billion times better than BIND... http://cr.yp.to/djbdns.html
-rich
0
 
LVL 24

Expert Comment

by:SunBow
ID: 10704573
Right, you should address firewall individually, RTFM, and use appropriate TA for better response:
http://www.experts-exchange.com/Security/Firewalls/

> but when i UDP'ed myself my server was still hit. Where have I gone wrong?

Check here:
http://www.iana.org/assignments/port-numbers

Sample:

xns-time         52/tcp     XNS Time Protocol
xns-time         52/udp    XNS Time Protocol
#                                   Susie Armstrong <Armstrong.wbst128@XEROX>
domain           53/tcp     Domain Name Server
domain           53/udp    Domain Name Server
#                                    Paul Mockapetris <PVM@ISI.EDU>
xns-ch             54/tcp     XNS Clearinghouse
xns-ch             54/udp    XNS Clearinghouse

TCP and UDP are different protocols, so you must default block all ports for both of them. Also, where you do not block, you may choose to condifer blocking only one way, probably inbound traffic.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 10704589
<ugh> condifer = consider
0
 

Author Comment

by:rudyzainal
ID: 10712270
richrumble: I am using Linux IPCHAINS.

sunbow: I can't block any inbound TCP due to the nature and the purpose of the server. My current firewall has been configured to accept all inbound TCP packets, drop all ICMP, and drop all UDP packets EXCEPT UDP 53 for DNS. I am still losing my server and having to reboot after my test DDOS with a mere 30 DSL drone UDP attack.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 100 total points
ID: 10716818
Try to change your rules to DENY instead of REJECT, if your rules are set this way.
Are you using 30 DSL hosts to DoS a single host... yourself? That's not "mere", that's quite a bit; even if upstream isn't so good, you may be DoS'ing your router more than your own box. It's pretty tough to DoS a 10/100 Mb NIC. I would think you'd DoS the router (cable modem, DSL router) way before your server would be DoS'd, especially with 30 hosts to throw at it.
Are you able to upgrade to iptables? Iptables is the newer, more supported firewall for Linux.

DDoS info
SANS, Help Defeat Denial of Service Attacks: Step-by-Step: http://www.sans.org/dosstep/index.htm
SANS, ICMP Attacks Illustrated: http://rr.sans.org/threats/ICMP_attacks.php
CERT, Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
NWC, Fireproofing Against DoS Attacks (forms of): http://www.nwc.com/1225/1225f38.html
SANS, Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/ddos_roadmap.htm
SANS, Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://rr.sans.org/threats/spoofed.php
SANS, Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation: http://rr.sans.org/threats/understa...anding_ddos.php
Juniper.net, Minimizing the Effects of DoS Attacks: http://arachne3.juniper.net/techcen...ote/350001.html
CISCO, Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks: http://www.cisco.com/warp/public/707/newsflash.html
Dave Dittrich's references: http://staff.washington.edu/dittrich/misc/ddos/
Xinetd Sensors: http://www.gate.net/~ddata/xinetd-sensors.html
Xinetd FAQ: http://synack.net/xinetd/faq.html

-rich
0
 

Author Comment

by:rudyzainal
ID: 10717092
rich,
It's already set to drop, not reject. And my box is not behind any router. It's situated in a datacenter. And yes, I'd say about 30 DSL hosts to DDOS my own box for testing purposes, more or less.

But my original question was, is restricting incoming packets by filtering incoming TCP SYN requests to drop any packets after a certain number of packets/sec possible, and if so will it help much, and the way to go about doing it. I have read up a bit on some burst rate limits and such, but the book I read wasn't meant for a novice like me, I guess.

I've upped the points for this question 'cause I was hit yet again and it's getting quite irritating to have to go down to the datacenter to reboot my box twice in a fortnight.
0
 

Author Comment

by:rudyzainal
ID: 10726345
Thanks rich, the links are useful. But so far it doesn't actually stop the DDOS to my current box, but it does give certain insights as to what is needed and the lot.
0
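
The SYN rate limit asked about above, written for iptables (the upgrade suggested in the accepted answer), as an added example that is not part of the original thread. The function name `gen_ruleset`, the 20/second rate and the burst of 40 are assumptions to tune; in `global` mode all clients share one token bucket, so a flood also crowds out legitimate SYNs, while `per-source` keeps one bucket per client address.

```shell
#!/bin/sh
# Added example (not from the thread): prints an iptables-restore ruleset.
# Rate, burst and mode are assumed starting values; nothing is applied here.

gen_ruleset() {
    rate=${1:-20/second}    # sustained rate of new TCP connections (SYNs)
    burst=${2:-40}          # token-bucket depth: SYNs allowed in a short burst
    mode=${3:-global}       # global = one bucket; per-source = one per client IP

    # Refuse malformed input rather than emit a ruleset that fails to load.
    printf '%s' "$rate" | grep -Eq '^[0-9]+/(second|minute)$' || return 2
    printf '%s' "$burst" | grep -Eq '^[0-9]+$' || return 2

    case $mode in
        global)     match="-m limit --limit $rate --limit-burst $burst" ;;
        per-source) match="-m hashlimit --hashlimit-name syn --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst" ;;
        *)          return 2 ;;
    esac

    # Default-drop inbound; allow loopback, replies, DNS over UDP, and new
    # TCP connections only while the SYN bucket still has tokens.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --syn -j SYN_LIMIT
-A SYN_LIMIT $match -j ACCEPT
-A SYN_LIMIT -j DROP
COMMIT
EOF
}

# Print the ruleset; check it first by piping into: iptables-restore --test
gen_ruleset "$@"
```

Dropping packets on the host does not give back the bandwidth they already used on the link, so a UDP flood that fills the uplink has to be filtered upstream by the datacenter. Enabling SYN cookies (`net.ipv4.tcp_syncookies=1`) complements the SYN limit on the host itself.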
