Solved

How to avoid a data flood / DoS flood on Windows Server 2003

Posted on 2004-08-16
509 Views
Last Modified: 2008-02-01
Hi expert,

I would like to ask you: is there any way to prevent bad people from DoS flooding or data flooding my Windows Server 2003 web server? My web server runs very fast, but when the bad people flood data, it causes my server to run very slowly. Can you teach me how to protect it? Thanks
Question by:princeofem
19 Comments
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11815087
Hi princeofem,

Although you can't really protect yourself from real bandwidth-eating DDoS attacks, you can do something about the average SYN flood.
Please take a look at this page for hardening your server against those kind of things:
Hardening Microsoft IIS Web Servers
http://www.wilsonmar.com/1iiscfg.htm

If you're really having trouble with a DDoS attack, analyze the data, see which ports it's aimed at, and call your ISP to block those ports at THEIR firewall; you can't stop those without disappearing from the internet :( I know it sucks big time, but a real DDoS attack will just flood your connection with nonsense so legal approaches can't get through anymore, so as your ISP has much more bandwidth, they have to block it to keep you online.

Greetings,

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11815177
Btw, I just found this page, and it's very informative for me, so maybe also for you:

Distributed Denial-of-Service Attacks and You
http://www.microsoft.com/technet/security/bestprac/ddosatku.mspx

Especially the way they explain the "why" and "how" might help you.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11815279
One more site for you to look at; this one really explains how to tighten the TCP/IP stack and Winsock:
Security Considerations for Network Attacks
http://www.microsoft.com/technet/security/topics/network/secdeny.mspx

Personally I've been using exactly this strategy for over a year now, but this is the first time I found out that MS has documented this strategy.
0
 

Author Comment

by:princeofem
ID: 11821879
Can you tell me how I drop all the ports except the port I'm using for DNS, and also how I block ICMP and TCP SYN floods.

I guess I got hit by a DoS flood. Here is the problem that I see:

I'm using BellSouth FastAccess DSL. I run a Linksys router to share the home network. The DSL modem is connected to the Linksys router, so I have 3 computers connected to the Linksys router:

port 1: web server computer
port 2: home computer
port 3: SQL server

I also see there is a blinking light on the DSL modem; it blinks very slowly. By the time I got hit I couldn't access the internet at all. Even though I'm using the home computer to access the internet, I can't, and the internet traffic is extremely slow.

If I got hit by DoS, how do I block the unused ports, or how do I analyze the data and report to the ISP?...I have read a lot of DDoS articles, but I have not found a solution yet. Please help me step by step. Thanks
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 250 total points
ID: 11822729
princeofem ,

First of all, forget the idea of blocking a DDoS attack and staying on the internet; it just won't happen. If they want you down, you're going down.

Secondly, you can block ICMP traffic, but then your bandwidth will still be used fully; your router has to say no to each packet. You can drop them, but then your download bandwidth will still be zero for legal traffic, as everything will be filled with the ICMP packets.

Third, you can't block a TCP SYN flood; it's just normal internet traffic, it's needed to make a connection, so blocking these just has no use. By hardening your TCP/IP stack you can lower the amount of bandwidth used by those floods, and especially the buffer use.

So, what you should do to be able to withstand a DDoS and get yourself online as soon as possible at the moment you get struck by a DDoS attack is to block all ports you don't want open on your firewall (I personally never used a Linksys router, so I don't know how to set this up) and log all attempts to connect to those ports. Now, when a DDoS starts, check the logs; you'll see they will be filling at record speed, mostly aimed at one port. Call your ISP and tell them to block it on their routers; they can handle it. Then check the logs again, see if you have problems on another port, report this one also to your ISP, etc. etc., you get the idea :o)
If you get struck by an ICMP attack, then just ask your ISP to block ICMP packets (these are NOT vital for internet traffic).

Ok, but for instance, as you have web servers running: if you get a SYN flood on port 80, you have a big problem. In that case, ask your ISP if they can block the "from" address of the packets; sometimes this will be possible, otherwise, sorry, but you're out of luck and will be blasted off the internet.

Hope this helps you understanding it a bit better,

LucF
0
 

Author Comment

by:princeofem
ID: 11824350
Thanks for explaining. Now I have a bit of understanding.

Can you show me how to create an effective log file to monitor all attempts? For now, I might use URLScan to stop a data flood....

0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11824429
As I said above, I don't know about the linksys routers, but I assume they have a way of logging this kind of data. Please post the model number and I'll see what I can find for you. At the moment, all I can suggest you is to check the manual on how this is done.

URLScan can give you some valuable information about the source address and destination (you) also, but please, get the "stop a data flood" out of your head; it just won't work :( I know these DDoS attacks are a big pain in the you know what, but there's not much you can do yourself about them. I've been blasted a couple of times now, and while handling this with my ISP, I now have a direct telephone no. to one of the employees, so I know I get helped fast. In fact, I was under a DDoS just last weekend, but stayed online because of the filters set by my ISP. I heard later that I got packets of all kinds sent at a rate of 60 Mbit/sec... and I'm only on 8 Mbit ADSL, so I'd be gone if it were not for the filters my ISP set.

So the best thing you can do to handle these kind of things is to get to know some tech guys at your ISP :o)

LucF
0
 

Author Comment

by:princeofem
ID: 11824907
But how do you determine which port they are using to DDoS? Can you teach me how to create a log file to monitor incoming data?

Again, thank you very much for your help...
0
 

Author Comment

by:princeofem
ID: 11824951
Again, before calling the ISP, what information do you give them?...I'm lost...just because of these blasts... it's painful
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11824969
Again, as I said above, as I don't know the Linksys routers, I don't know how they create the log files, so I can't really tell you how to do so. (I'll send an e-mail around, checking if some experts I know have more experience with these and will be able to let you know the "how to".)

The port number should be listed in the log files, without any doubt. The log files should mention the source and destination. Most of the time, in these kinds of things, the destination is the most important, as that'll tell you which port it's aimed at.

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11824994
>>again before calling ISP what information do you give them...I'm lost...just because of these blasts... it's painful<<
All I normally give them is the destination port to block, last time the attack on my servers was aimed at port 750, so I just asked my ISP to block access to port 750 and I popped back online within seconds.

LucF
0
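The triage LucF describes across his answers (read the firewall's drop log, find the destination port the flood is aimed at, hand that port to the ISP, or, if the flood lands on a port you must keep open such as 80, the source addresses instead) written out as a small Python script. This is an added example and not code from the thread or from any of the posters: the log line format, the TEST-NET addresses, and the function names (`build_sample_log`, `parse_line`, `triage`, `isp_request`) are all assumptions constructed for the example, it is not the Linksys log format, and port 750 is simply the port LucF mentions in his post.

```python
"""Triage a router/firewall deny log during a flood: which port is it aimed
at, and what to ask the ISP for. The log format and all addresses here are
constructed for this example (TEST-NET ranges); it is NOT the Linksys format."""
import re
from collections import Counter, defaultdict

# One deny record per line (assumed format, not any vendor's):
# "<date> <time> <action> <proto> <src-ip>:<src-port> -> <dst-ip>:<dst-port>"
# ICMP has no ports; the constructed log writes port 0 for it.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def build_sample_log(flood_port=750):
    """Constructed sample: 30 sources each send two TCP packets at flood_port,
    plus a little ordinary noise and one corrupt line a parser must survive."""
    lines = []
    for i in range(1, 31):
        for _ in range(2):
            lines.append(f"2004-08-16 22:01:0{i % 10} DROP TCP "
                         f"203.0.113.{i}:4{i:04d} -> 192.0.2.10:{flood_port}")
    for _ in range(4):
        lines.append("2004-08-16 22:01:05 DROP TCP 198.51.100.5:51000 -> 192.0.2.10:80")
    for _ in range(2):
        lines.append("2004-08-16 22:01:06 DROP UDP 198.51.100.9:53000 -> 192.0.2.10:53")
    lines.append("2004-08-16 22:01:07 DROP ICMP 198.51.100.9:0 -> 192.0.2.10:0")
    lines.append("garbage line that the parser must not choke on")
    return lines


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def triage(lines, top=3):
    """Count dropped packets per (proto, destination port) and per source."""
    targets, sources = Counter(), Counter()
    sources_by_target = defaultdict(set)
    total = malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1   # counted, not ignored: a corrupt log must not hide a flood
            continue
        if rec["action"] != "DROP":
            continue
        total += 1
        key = (rec["proto"], rec["dport"])
        targets[key] += 1
        sources[rec["src"]] += 1
        sources_by_target[key].add(rec["src"])
    return {
        "total": total,
        "malformed": malformed,
        # (proto, port, packets, distinct sources), busiest target first
        "top_targets": [(p, port, n, len(sources_by_target[(p, port)]))
                        for (p, port), n in targets.most_common(top)],
        "top_sources": sources.most_common(top),
    }


def isp_request(summary, needed_ports=frozenset({80}), threshold=0.5):
    """Reduce the summary to the one thing to ask the ISP for: the destination
    port. If the flood hits a port you must keep open (needed_ports, assumed to
    be the web server's port 80), the fallback is source-address filtering,
    which only helps when the source set is small; the busiest sources are
    what you would hand over."""
    if summary["total"] == 0 or not summary["top_targets"]:
        return {"action": "no_data"}
    proto, port, packets, distinct = summary["top_targets"][0]
    share = round(packets / summary["total"], 3)
    if share < threshold:
        return {"action": "no_dominant_target", "share": share}
    if proto == "TCP" and port in needed_ports:
        return {"action": "block_sources", "proto": proto, "port": port,
                "share": share, "distinct_sources": distinct,
                "sources": [s for s, _ in summary["top_sources"]]}
    return {"action": "block_port", "proto": proto, "port": port,
            "share": share, "distinct_sources": distinct}


if __name__ == "__main__":
    s = triage(build_sample_log())
    print(s["total"], "dropped packets,", s["malformed"], "unparsable lines")
    for proto, port, n, distinct in s["top_targets"]:
        print(f"  {proto}/{port}: {n} packets from {distinct} sources")
    print("ask ISP:", isp_request(s))
```

Run it as-is and the dominant target comes out as TCP/750 from 30 distinct sources, which is the "block port 750 on your side" request LucF describes; run `triage(build_sample_log(flood_port=80))` and the same code reports that the flood sits on a port you need, so the request becomes source filtering, which is the port-80 caveat from the accepted answer. A real deployment would replace `build_sample_log` with the lines read from whatever log your router or firewall actually writes.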
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11825094
I sent a mail to four other experts; hope one of them will be able to tell you how to set up the logging of these kinds of things.

LucF
0
 
LVL 67

Assisted Solution

by:sirbounty
sirbounty earned 250 total points
ID: 11825304
How to enable the logs on a Linksys (presumably for most models, although I've only used 3 or 4 models):

Click Start->Run->http://192.168.1.1 (this is the setup page for your Linksys)
Enter admin as the password (with no username) - this is the default - if you've changed it from the default, apply the appropriate credentials.
You should find the Logs tab when you are logged in.
Click on that tab and click Enable under Access Log.
Then set up "Send Log to" 192.168.1.255

You can then check both the incoming and outgoing logs via the buttons beneath that section.

You might also consider utilizing the IP filtering feature on your Linksys (outlined here: http://www.linksys.com/tech_helper/advanced.html)
That may help with your troubles.
Good luck!
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11825322
Thanks sirbounty :)

LucF
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11828769
If you're on the latest flash upgrade you will find the logs on the Administration tab :)

PL
0
 

Author Comment

by:princeofem
ID: 11833425
Thank you so much for your help.....you guys are such wonderful people....Now I'm able to put my web server online again... :-)
0
 

Author Comment

by:princeofem
ID: 11833454
I would love to assign 250 pts to LucF, and add another 250 pts to sirbounty. How do I do that....thanks again
0
 

Author Comment

by:princeofem
ID: 11833463
Never mind, I found a solution...
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11833519
Glad to help :)

Just one last piece of advice, when you're under a DDoS, the last thing you should do is panic. You now know where to look, so you know how to get this solved in no time.

Take care,

LucF
0
