Prevent DDOS attack

Hi all you smart people

I work at a school where we have had some problems with our network.
We strongly believe it is a DDOS attack, but will keep investigating this.

The thing is, we read up on how to prevent DDOS attacks in the future.
It seems there are many things to do, but again nothing uniquely special.
What we found to be the best things to do:
- Increase bandwidth, so the attack has to be bigger
- Be sure our router can handle the traffic
- Buy a DDOS filter from our ISP
- Buy VPN with DDOS protection
- Some service such as IBM or Cloudflare (link)
- Some device to put in before your router/as your router?

Can you help me in some direction? I will post more information here as soon as I have collected it.
The only thing for now is our ISP, who recommends their DDOS filter as the best and most secure solution :)

Best regards
Mike Kristensen

Mike Kristensen, IT administrator, asked:

Frank Jacques commented:
The most secure option is a VERY expensive router; the best strategy to start with is a Cloudflare account, which will deal with 99% of the cases... the other 1% are the ones where you need higher protection.
btan, Exec Consultant, commented:
If it is Internet accessible, do consider a DDOS mitigation service such as Cloudflare, DoSArrest, Incapsula or Akamai. CF is preferred by SMEs for cost budgeting. They provide IP anycast and a CDN, which helps in spreading the high traffic load across their global PoPs. They include a web app FW to block app-based DDOS attacks.

Besides this you will need a second layer of protection from the ISP, as those services can be bypassed due to IP leakage. This is commonly understood as cleanpiping with scrubbing capability, allowing cleaned traffic to pass through while sinkholing the malicious packets. Consider Cloudshield or F5 Silverline.

Add an on-premise DDOS-capable filter, which is not just your PFW, to handle subsequent launches that may have traffic coming from other non-Internet sources or internal sources. Consider Arbor and Radware. They also have means to feed back attack information to the upstream ISP for earlier blocking, to build a proactive stance in engaging the attack before it reaches your network. They also have web app detection capabilities. The FW will also have to consider reverse source filtering (BCP38) to block unsolicited sources. Other critical services such as the DNS server should be hardened to separate the external resolver and include response rate limiting.

Another aspect is resiliency: you need to exercise HA with the redundancy and load balancing requirements. This is normally estimated based on your stress and load testing through the multi-tier architecture. The proper sizing needs to be verified. Also include resource upsizing like memory or even CPU if required. Legacy hardware should be considered for technical refresh based on its EOL.

Not forgetting to prepare the steps for incident handling during the attacks, as they can be persistent and last for some period. You need to exercise your BCP and DR plan. Consider segmenting critical services off from other services to reduce exposure. Have an SLA in place with your third-party contractor, as you may activate them during an emergency where you even cut off services from the Internet to reduce damage.
Mal Osborne, Alpha Geek, commented:
I am sceptical.

A DDOS attack takes quite a bit of effort, expense and planning. Thus, it is usually something that happens to targets that promise some sort of return to the attackers. Not always money; it could be infamy, political reasons, attacks on competing entities etc. Usually, DDOS attacks happen suddenly without warning, and are immediately obvious.

If you were administering ... or ... or something where DDOS attacks would be expected, fine; a school, very unlikely.

You will of course expect attacks by script kiddies probing ports, trying to find weak passwords, emailing malicious code etc. Leave an open relay on port 25 and someone will quickly find it and use it to spew spam; have a weak password on an FTP server and it will soon be full of kiddy porn and stolen credit card numbers.

A DDOS attack, however, would be really unlikely.

What traffic are you seeing that leads you to conclude a DDOS attack is happening?
madunix (Fadi SODAH), Chief Information Security Officer, commented:
You need to implement DDoS protection like Arbor, Prolexic or Forti. Also you have to work with the ISPs to mitigate large DDOS attacks. ... could be an option.
Mike Kristensen, IT administrator, author, commented:
The attacks we have are from the outside. If we disconnect everything, the router will still be attacked.

We do not believe we have any students who performed some internal attack.

Are there any cheaper things to do? You mention a lot, and I read about all of them. I believe the mitigation performed by our ISP would be an ideal situation.
Does Cloudflare work the same way as an ISP mitigating the attack?

But everything comes down to economics. I believe we have a maximum of 500 dollars to spend on DDOS protection per month.

The hit-and-run attacks explained in the article do very much sound like what we are seeing. Small, maybe cheap attacks putting our network down. We only have 40mbit to spare at peak bandwidth use, and when I read about attacks easily going up to 2gbps, I assume a small attack could easily take down our network.
However, we are not interested in fixing this issue by buying more bandwidth. It seems stupid.
Mal Osborne, Alpha Geek, commented:
What traffic are you being deluged with when these attacks happen? Which ports and IPs?
btan, Exec Consultant, commented:
First of all, make sure the router has been patched to the latest version and there is an audit trail of whoever logs in. Change the admin password to a stronger passphrase. The recent global DDOS attack had poorly secured routers compromised and used to launch the attack.

Next, going with the ISP and with Cloudflare are different things. Traffic will go through Cloudflare, then via the ISP to your servers and network. In fact, you need protection at both places: at the ISP for cleanpipe and increased burst rate, as well as farther upfront to block global traffic using the DMS.

Lastly, DDOS attacks can go up to terabytes and no longer just Gbps. Recent attacks have ranged from 665Gbps to 1.2 Tbps. Even ISPs suffer from DDOS. Cloudflare does not charge based on bandwidth, as it will block the attacks as long as they are affecting your end. Of course, you will still be bottlenecked by your subscribed bandwidth once Cloudflare does its blocking.

Minimally, go for ISP cleanpipe (preferably Cloudflare) and have an on-premise DDOS device as I shared in my last post.
Mike Kristensen, IT administrator, author, commented:
A file that shows an attack is attached.

I will return later today :)
Mal Osborne, Alpha Geek, commented:
Interesting. Is this TCP or UDP? Is the destination port also 123?
Mal Osborne, Alpha Geek, commented:
Certainly looks like an NTP amplification DDoS attack.

Can you ask your ISP to block UDP port 123, incoming?
Mike Kristensen, IT administrator, author, commented:
The ISP is already blocking UDP port 123.
But then the source port was changed to port 10999, 24874, 36422 and so on. The same goes for the destination port.

It is both TCP and UDP. The destination port was many different ports.

I will try to upload some more logs of another situation.
btan, Exec Consultant, commented:
Looks like NTP-based DDoS. See Cloudflare on this type of attack:
NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack.

.... The request packet is 234 bytes long. The response is split across 10 packets totaling 4,460 bytes. That's an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate.

An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP. And NTP servers aren't hard to find. Common tools like Metasploit and NMAP have had modules capable of identifying NTP servers that support monlist for a long time. There's also the Open NTP Project which aims to highlight open NTP servers and get them patched.
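The monlist reflection pattern described above, seen from the receiving end, as an added example that is not part of this thread: the flow records below are constructed, the 400-byte average packet threshold is an assumption, and the 234/4,460-byte sizes are the ones quoted in the comment. It labels flows by shape rather than by port alone, which matters because the poster's reflected traffic later showed up on ports other than 123.

```python
from collections import Counter

LARGE_UDP_AVG_PKT = 400  # assumed threshold; a normal NTP reply is one 48-byte packet

# Constructed inbound flows: (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("UDP", "198.51.100.7", 123, "192.0.2.10", 41235, 10, 4460),   # reflector
    ("UDP", "198.51.100.8", 123, "192.0.2.10", 51200, 10, 4460),   # reflector
    ("UDP", "198.51.100.9", 123, "192.0.2.10", 61001, 10, 4460),   # reflector
    ("UDP", "203.0.113.5", 10999, "192.0.2.10", 24874, 10, 4460),  # same shape, ports shifted
    ("UDP", "192.0.2.20", 53, "192.0.2.10", 33000, 1, 120),        # ordinary DNS reply
    ("TCP", "192.0.2.21", 443, "192.0.2.10", 44000, 5, 800),       # ordinary HTTPS
]

def amplification_factor(request_bytes, response_bytes):
    """Bytes received per byte the sender pays for (4460/234 is the ~19x quoted above)."""
    return response_bytes / request_bytes

def classify_flow(flow):
    """Label one inbound flow by its shape, not just by port number."""
    proto, _src, sport, _dst, _dport, pkts, nbytes = flow
    if proto != "UDP":
        return "ok"
    avg = nbytes / pkts
    if sport == 123 and avg >= LARGE_UDP_AVG_PKT:
        return "ntp_monlist_reflection"
    if avg >= LARGE_UDP_AVG_PKT:
        return "large_udp_suspect"  # blocking source port 123 alone would miss this
    return "ok"

def summarize(flows, window_seconds=1, spare_mbit=40):
    """Aggregate per-flow labels; many distinct reflectors is the tell-tale sign."""
    labels, reflectors, suspect_bytes = Counter(), set(), 0
    for flow in flows:
        label = classify_flow(flow)
        labels[label] += 1
        if label != "ok":
            suspect_bytes += flow[6]
        if label == "ntp_monlist_reflection":
            reflectors.add(flow[1])
    rate = suspect_bytes * 8 / window_seconds / 1e6  # Mbit/s of suspect inbound traffic
    return {
        "ntp_reflectors": len(reflectors),
        "suspect_flows": len(flows) - labels["ok"],
        "suspect_mbit_s": rate,
        "link_saturated": rate >= spare_mbit,  # compare with the poster's 40 Mbit spare
        "attack_likely": len(reflectors) >= 2 or rate >= spare_mbit,
    }
```

Feed it a one-second window of real flow records and the `link_saturated` flag tells you whether the suspect volume alone exceeds the headroom on your link, which is the point at which no on-premise device can help and ISP-side scrubbing is the only option.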
Mike Kristensen, IT administrator, author, commented:
So, just to be sure:

As I see it, no device at our location could ever deal with a DDOS attack as long as the attack is bigger than our bandwidth?

What do you see as the main thing to do to prevent DDOS attacks in the future?
I would say:
- Blame the ISP, and make them deal with it in form of some mitigation filter
- If necessary, buy a DDOS mitigation filter at the ISP location, to be sure to get a clean pipe
- Set up a backup plan together with the ISP, maybe in the form of fast IP switching

How can Cloudflare help? Cloudflare seems to focus a lot on websites. The same goes for Incapsula.
I will return with more information about both companies in a couple of days.
btan, Exec Consultant, commented:
You are limited by your subscribed bandwidth even with your on-premise DDOS attack. But note that there are application attacks that are not dependent on bandwidth but eat up your server resources, such as memory to hold concurrent connections. The same goes for protocols like DNS and HTTP/S.

Your DDOS measures should be made with ISP arrangements to cater to sudden surge protection and cleanpiping. This is on top of your on-premise DDOS box.

Cloudflare and Incapsula (as well as Akamai) are application-centric, so primarily HTTP/S is the common baseline for their protection services. They do provide network-based protection and even scrubbing. They provide anycast based on their CDN-aware capability. This helps in DDOS mitigation.

Mike Kristensen, IT administrator, author, commented:
Conclusion is made:
NTP amplification attack.
Over the next period of time, we will work to find the best and still economically accepted solution towards preventing further DDOS attacks.

We believe it was triggered by a student, while we were not resistant against it with our 30mbit to spare.

We also believe that this problem should be fixed at the ISP, because we simply can't fight someone taking our bandwidth. ISPs and solutions such as Cloudflare, Incapsula and IBM DDOS prevention are what we believe are the way to mitigate attacks in the future.

I hope this thread will help others conclude and prevent future DDOS attacks.
btan, Exec Consultant, commented:
Thanks for sharing.