princeofem
how to avoid data flood/ dos flood from windows server 2003

Hi expert,

I would like to ask you: is there any way to prevent bad people doing a DoS flood, or data flood, against a Windows Server 2003 web server? My web server is running very fast, but when the bad people flood data it causes my server to run so slow. Can you teach me how to protect it? Thanks
Luc Franken

Hi princeofem,

Although you can't really protect yourself from real bandwidth-eating DDoS attacks, you can do something about the average SYN flood.
Please take a look at this page for hardening your server against those kinds of things:
Hardening Microsoft IIS Web Servers
http://www.wilsonmar.com/1iiscfg.htm

If you're really having troubles with a DDoS attack, analyze the data, see at what ports it's aimed and call your ISP to block those ports at THEIR firewall; you can't stop those without disappearing from the internet :( I know it sucks big time, but a real DDoS attack will just flood your connection with nonsense so legal approaches can't get through anymore, so as your ISP has a much bigger bandwidth, they have to block it to keep you online.

Greetings,

LucF
Btw, I just found this page, and it's very informative for me, so maybe also for you:

Distributed Denial-of-Service Attacks and You
http://www.microsoft.com/technet/security/bestprac/ddosatku.mspx

Especially the way they explain the "why" and "how" might help you.
One more site for you to look at, this one really explains how to tighten the TCP/IP stack and winsock:
Security Considerations for Network Attacks
http://www.microsoft.com/technet/security/topics/network/secdeny.mspx

Personally I've been using exactly this strategy for over a year now, but this is the first time I found out that MS has documented this strategy.
princeofem

ASKER

Can you tell me how I drop all the ports except the port I'm using for DNS, and also how I block ICMP and TCP SYN floods.

I guess I got hit by a DoS flood. Here is the problem that I see:

I'm using Bellsouth FastAccess DSL. I run a Linksys router to share the home network. The DSL modem is connected to the Linksys router, and I have 3 computers connected to the Linksys router:

port 1: web server computer
port 2: home computer
port 3: SQL server

I also see there is a blinking light on the DSL modem; it blinks very slowly. When I get hit I can't access the internet at all. Even when I'm using the home computer to access the internet I can't, and the internet traffic is extremely slow.

If I got hit by DoS, how do I block the unused ports, or how do I analyze the data and report to the ISP? I have read a lot of DDoS articles, but I have not found a solution yet. Please help me step by step. Thanks
ASKER CERTIFIED SOLUTION
Luc Franken
Thanks for explaining. Now I have a bit of understanding.

Can you show me how to create an effective log file to monitor all attempts? For now, I might use URLScan to stop a data flood....

As I said above, I don't know about the Linksys routers, but I assume they have a way of logging this kind of data. Please post the model number and I'll see what I can find for you. At the moment, all I can suggest to you is to check the manual on how this is done.

URLScan can give you some valuable information about the source address and destination (you) also, but please, get the "stop a data flood" out of your head, it just won't work :( I know these DDoS attacks are a big pain in the you know what, but there's not much you can do yourself about them. I've been blasted a couple of times now. And while handling this with my ISP, I now have a direct telephone no. to one of the employees, so I know I get helped fast. In fact, I was under a DDoS just last weekend, but stayed online because of the filters set by my ISP. I heard later that I got packages of all kinds sent at a rate of 60Mbit/sec... and I'm only on 8Mbit ADSL, so I'd be gone if it were not for the filters my ISP set.

So the best thing you can do to handle these kinds of things is to get to know some tech guys at your ISP :o)

LucF
But how do you determine which port they are using to DDoS? Can you teach me how to create a log file to monitor incoming data?

Again, thank you very much for your help...
Again, before calling the ISP, what information do you give them? I'm lost... just because of these blasts... it's painful
Again, as I said above, as I don't know the Linksys routers, I don't know how they create the logfiles, so I can't really tell you how to do so. (I'll send an e-mail around, checking if some experts I know have more experience with these and will be able to let you know the "how to".)

The port number should be listed in the logfiles, without any doubt. The logfiles should mention the source and destination. Most of the time, in these kinds of things, the destination is the most important, as that'll tell you at what port it's aimed.

LucF
>>Again, before calling the ISP, what information do you give them? I'm lost... just because of these blasts... it's painful<<
All I normally give them is the destination port to block, last time the attack on my servers was aimed at port 750, so I just asked my ISP to block access to port 750 and I popped back online within seconds.

LucF
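One way to pull the "destination port to report" out of a router drop log, as an added example that is not part of the original thread: the log lines below are constructed, and their format is an assumption modelled on a generic SOHO router drop log, so adjust the regex to whatever your device actually writes. It also counts distinct sources and bare-SYN hits, which is what distinguishes a SYN flood aimed at one port from ordinary traffic.

```python
import re
from collections import Counter

# Constructed sample lines (not a real capture); the format is assumed.
SAMPLE_LOG = """\
Jan 10 20:01:01 router DROP TCP 198.51.100.7:3344 -> 203.0.113.5:750 SYN
Jan 10 20:01:01 router DROP TCP 198.51.100.8:4021 -> 203.0.113.5:750 SYN
Jan 10 20:01:02 router DROP TCP 198.51.100.9:1199 -> 203.0.113.5:750 SYN
Jan 10 20:01:02 router DROP ICMP 198.51.100.7 -> 203.0.113.5 echo-request
Jan 10 20:01:03 router DROP TCP 198.51.100.10:5533 -> 203.0.113.5:750 SYN
Jan 10 20:01:03 router ACCEPT TCP 192.0.2.44:51234 -> 203.0.113.5:80 SYN
Jan 10 20:01:04 router DROP TCP 198.51.100.11:6001 -> 203.0.113.5:750 SYN
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?:\s+(?P<flag>\S+))?"
)

def parse_log(text):
    """Yield one dict per line that matches the expected format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def summarise(text, min_sources=3):
    """Return the most-hit TCP destination port with the evidence the ISP needs:
    hit count, distinct sources, whether every hit was a bare SYN (typical of a
    SYN flood), plus the ICMP count. Returns None if no TCP lines parsed."""
    ports, syns, sources, icmp = Counter(), Counter(), {}, 0
    for rec in parse_log(text):
        if rec["proto"] == "ICMP":
            icmp += 1
            continue
        if rec["proto"] != "TCP" or not rec["dport"]:
            continue
        port = int(rec["dport"])
        ports[port] += 1
        sources.setdefault(port, set()).add(rec["src"])
        if rec["flag"] == "SYN":
            syns[port] += 1
    if not ports:
        return None
    port, hits = ports.most_common(1)[0]
    flood = len(sources[port]) >= min_sources and syns[port] == hits
    return {"port": port, "hits": hits, "sources": len(sources[port]),
            "syn_flood": flood, "icmp": icmp}
```

On the sample above the summary points at port 750 from five distinct sources, all bare SYNs, which is the single number to hand to the ISP.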
I sent a mail to four other experts; hope one of them will be able to tell you how to set up the logging of these kinds of things.

LucF
SOLUTION
Thanks sirbounty :)

LucF
If you're on the latest firmware upgrade you will find the logs on the Administration tab :)

PL
Thank you so much for your help... you guys are such wonderful people... Now I'm able to get my web server online :-)
I would love to assign 250 pts to LucF, and another 250 pts to sirbounty. How do I do that? Thanks again
Nevermind I found a solution...
Glad to help :)

Just one last piece of advice, when you're under a DDoS, the last thing you should do is panic. You now know where to look, so you know how to get this solved in no time.

Take care,

LucF