Solved

Prevent DDOS attack

Posted on 2016-11-02
Last Modified: 2016-11-10
Hi all you smart people


I work at a school where we have had some problems with our network.
We strongly believe it is a DDOS attack, but will keep on investigating this.

The thing is, then, that we read up on how to prevent DDOS attacks in the future.
But it seems that there are many things to do, yet nothing uniquely special.
What we found to be the best things to do:
- Increase bandwidth, so the attack has to be bigger
- Be sure our router can handle the traffic
- Buy a DDOS filter from our ISP
- Buy VPN with DDOS protection
- Some service such as IBM or Cloudflare: Link
- Some device to put in before your router/as your router?

Can you help me in some direction? I will post more information here as soon as I have collected it.
The only thing for now is our ISP, who recommends their DDOS filter as the best and most secure solution :)

Best regards
Mike Kristensen


Assisted Solution

by:Frank Jacques
Frank Jacques earned 83 total points
The most secure option is a VERY expensive router; the best strategy to start with is a Cloudflare account, which will deal with 99% of the cases... the other 1% are the ones where you need higher protection.

Assisted Solution

by:btan
btan earned 251 total points
If it is Internet accessible, do consider a DDOS mitigation service such as Cloudflare, DoSArrest, Incapsula or Akamai. CF is preferred by SMEs for cost budgeting. They provide IP anycast and a CDN, which helps in spreading the high traffic load across their global PoPs. They include a web app FW to block app-based DDOS attacks.

Besides this you will need a second layer of protection from the ISP, as those services can be bypassed due to IP leakage. This is commonly understood as clean piping with scrubbing capability, allowing cleaned traffic to pass through while sinkholing the malicious packets. Consider Cloudshield or F5 Silverline.

Add an on-premise DDOS-capable filter, which is not just your PFW, to handle subsequent launches that may have traffic coming even from other non-Internet sources or internal sources. Consider Arbor and Radware. They would also have means to feed the attack back to the upstream provider ISP for earlier blocking, to build a proactive stance in engaging the attack before it reaches your network. They will also have web app detection capabilities. The FW will also have to consider reverse source filtering (BCP38) to block unsolicited sources. Other critical services such as the DNS server should be hardened to separate the external resolver and include response rate filtering.

Other aspects are the resiliency aspects: you need to exercise HA with the redundancy and load balancing requirements. This is normally estimated based on your stress and load testing through the multi-tier architecture. The proper sizing needs to be verified. Also include resource upsizing like memory or even CPU if required. Legacy hardware should be considered for a technical refresh based on its EOL.

Not forgetting to prepare the steps for incident handling during the attacks, as they can be persistent and last for some period. You need to exercise your BCP and DR plan. Consider segmenting critical services off from other services to reduce exposure. Have the SLA in place with your third-party contractor, as you may activate them during an emergency case where you will even cut off services from the Internet to reduce damage.

Assisted Solution

by:Malmensa
Malmensa earned 83 total points
I am sceptical.

A DDOS attack takes quite a bit of effort, expense and planning. Thus, it is usually something that happens to targets that promise some sort of return to the attackers. Not always money, could be infamy, political reasons, attacks on competing entities etc. Usually, DDOS attacks happen suddenly without warning, and are immediately obvious.

If you were administering Trump.com or Nambla.org or something, DDOS attacks would be expected; for a school, very unlikely.

You will of course expect attacks by script kiddies probing ports, trying to find weak passwords, emailing malicious code etc. Leave an open relay on port 25 and someone will quickly find it and use it to spew spam; have a weak password on an FTP server and it will soon be full of kiddy porn and stolen credit card numbers.

A DDOS attack, however, would be really unlikely.

What traffic are you seeing that leads you to conclude a DDOS attack is happening?

Assisted Solution

by:madunix
madunix earned 83 total points
You need to implement DDoS protection like Arbor, Prolexic or Forti. Also you have to work with the ISPs to mitigate large DDOS attacks. cloudflare.com could be an option.
http://www.inc.com/joseph-steinberg/denial-of-service-attacks-are-growing-increasingly-problematic-here-s-what-you-n.html
https://www.fortinet.com/products-services/products/ddos-protection/fortiddos.html

Author Comment

by:Mike Kristensen
The attacks we have are from the outside. If we disconnect everything, the router will still be attacked.

We do not believe we have any students that performed some internal attack.

Is there anything cheaper to do? You mention a lot, and I read about all of them. I believe the mitigation performed by our ISP would be an ideal situation.
Does Cloudflare work the same way as an ISP mitigating the attack?

But everything comes down to economy. I believe we have a maximum of 500 dollars to spend on DDOS protection per month.

The hit-and-run attacks explained in the article do very much sound like what we are seeing. Small, maybe cheap attacks putting our network down. We only have 40 Mbit to spare when bandwidth use peaks, and when I read about attacks easily going up to 2 Gbps, I assume a small attack could easily take down our network.
However, we are not interested in fixing this issue by buying more bandwidth. It seems stupid.

Expert Comment

by:Malmensa
What traffic are you being deluged with when these attacks happen? Which ports and IPs?

Assisted Solution

by:btan
btan earned 251 total points
First of all, make sure the router has been patched to the latest version and there is an audit trail of whoever logs in. Change the admin password to a stronger passphrase. Recent global DDOS attacks have had poorly secured routers compromised and used to launch the attack.

Next, going for the ISP and Cloudflare is different. Traffic will go through Cloudflare, then via the ISP to your servers and network. In fact, you need protection at these two places: at the ISP for clean pipe and increased burst rate, as well as farther upfront to block global traffic using the DMS.

Lastly, DDOS attacks can go up to terabytes and not just Gbps any more. Recent attacks have ranged from 665 Gbps to 1.2 Tbps. Even ISPs suffer from DDOS. Cloudflare is not charged based on bandwidth, as it will block the attacks as long as they are affecting your end. Of course, you will still be bottlenecked by your subscribed bandwidth once Cloudflare does its blocking.

Minimally, go for an ISP clean pipe (preferably Cloudflare) and have an on-premise DDOS device as I shared in my last post.

Author Comment

by:Mike Kristensen
A file that shows an attack is attached.

I will return later today :)
usg310.pdf

Expert Comment

by:Malmensa
Interesting. Is this TCP or UDP? Is the destination port also 123?

Assisted Solution

by:Malmensa
Malmensa earned 83 total points
Certainly looks like an NTP amplification DDoS attack.

Can you ask your ISP to block UDP port 123, incoming?

Author Comment

by:Mike Kristensen
ISP is blocking UDP port 123 already now.
But then the source port was changed to ports 10999, 24874, 36422 and so on. The same goes for the destination port.

It is both TCP and UDP. The destination ports were many different ports.

I will try to upload some more logs of another situation.

Assisted Solution

by:btan
btan earned 251 total points
Looks like NTP-based DDoS. See Cloudflare on this type of attack:
NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent, making it ideal for an amplification attack.

.... The request packet is 234 bytes long. The response is split across 10 packets totaling 4,460 bytes. That's an amplification factor of 19x, and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate.

An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP. And NTP servers aren't hard to find. Common tools like Metasploit and NMAP have had modules capable of identifying NTP servers that support monlist for a long time. There's also the Open NTP Project which aims to highlight open NTP servers and get them patched.
https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/
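
As an added example (not from the thread or from Cloudflare's post), the two checks below run over constructed firewall flow records: one flags the monlist reflector pattern described above (UDP replies from source port 123 averaging far more than a normal 48-byte NTP packet, arriving from several distinct servers), the other flags any second in which inbound volume exceeds the asker's 40 Mbit/s link regardless of port, which is what catches the follow-on wave on shifted ports once UDP/123 is blocked. The record layout, addresses, byte counts and the 48-byte baseline are assumptions made for the example.

```python
"""Spot NTP monlist amplification and link saturation in firewall flow records (added example)."""
from collections import defaultdict

NTP_PORT = 123
LEGIT_NTP_BYTES = 48                  # a normal NTP time reply is one 48-byte UDP packet (assumed baseline)
LINK_BYTES_PER_SEC = 40_000_000 // 8  # the 40 Mbit/s of spare uplink mentioned in the thread

# Constructed sample records: "<epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes> <packets>".
# Three reflectors send a 4,460-byte monlist reply split over 10 packets each (the sizes quoted in
# the thread), one genuine 48-byte NTP reply arrives, then a second wave comes in on shifted ports.
SAMPLE_FLOWS = [
    "1478000000 UDP 198.51.100.10:123 -> 203.0.113.5:45000 4460 10",
    "1478000000 UDP 198.51.100.11:123 -> 203.0.113.5:45000 4460 10",
    "1478000000 UDP 198.51.100.12:123 -> 203.0.113.5:45000 4460 10",
    "1478000000 UDP 192.0.2.20:123 -> 203.0.113.5:51000 48 1",
    "1478000001 UDP 198.51.100.13:10999 -> 203.0.113.5:24874 3500000 2500",
    "1478000001 UDP 198.51.100.14:36422 -> 203.0.113.5:24874 3500000 2500",
    "1478000002 TCP 198.51.100.15:36422 -> 203.0.113.5:80 60 1",
]

def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, proto, src, _, dst, nbytes, npkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(nbytes), "packets": int(npkts)}

def ntp_reflectors(lines, min_reflectors=3):
    """Reflector IPs whose UDP/123 replies average more than a legitimate NTP packet.

    The list is returned only once several distinct reflectors are seen: a single
    oversized reply is more likely a misconfigured server than an attack."""
    hits = set()
    for f in map(parse_flow, lines):
        if f["proto"] == "UDP" and f["src_port"] == NTP_PORT and f["bytes"] / f["packets"] > LEGIT_NTP_BYTES:
            hits.add(f["src_ip"])
    return sorted(hits) if len(hits) >= min_reflectors else []

def saturated_seconds(lines, link_bytes_per_sec=LINK_BYTES_PER_SEC):
    """Seconds in which inbound volume exceeds the link, regardless of port or protocol."""
    per_sec = defaultdict(int)
    for f in map(parse_flow, lines):
        per_sec[f["ts"]] += f["bytes"]
    return sorted(ts for ts, total in per_sec.items() if total > link_bytes_per_sec)

if __name__ == "__main__":
    print("monlist reflectors:", ntp_reflectors(SAMPLE_FLOWS))
    print("saturated seconds:", saturated_seconds(SAMPLE_FLOWS))
```

The second check is the one that still fires after a port-based block, since it looks only at volume against the link; the first names the reflectors you would report to the Open NTP Project or ask the ISP to filter.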

Author Comment

by:Mike Kristensen
Comment Utility
So just to be sure:

As I see it, no device at our location could ever deal with a DDOS attack as long as the attack is bigger than our bandwidth?

What do you see as the main thing to do to prevent DDOS attacks in the future?
I would say:
- Blame the ISP, and make them deal with it in the form of some mitigation filter
- If necessary, buy a DDOS mitigation filter at the ISP location, to be sure to get a clean pipe
- Set up a backup plan together with the ISP. Maybe in the form of fast IP switching

How can Cloudflare help? Cloudflare seems to focus a lot on websites. The same goes for Incapsula.
I will return with more information about both companies in a couple of days.

Accepted Solution

by:btan
btan earned 251 total points
You are limited by your subscribed bandwidth even with your on-premise DDOS device. But note that there are application attacks that are not dependent on bandwidth but eat up your server resources, such as memory to hold concurrent connections. The same goes for protocols like DNS and HTTP/S.

Your DDOS measures should include ISP arrangements to cater for sudden surge protection and clean piping. This is on top of your on-premise DDOS box.

Cloudflare and Incapsula (as well as Akamai) are application-centric, so primarily HTTP/S is the common baseline for their protection services. They do provide network-based protection and even scrubbing. They provide anycast based on their CDN-aware capability. This helps in DDOS mitigation.

Author Closing Comment

by:Mike Kristensen
Conclusion is made:
NTP amplification attack.
Over the next period of time, we will work to find the best and still economically acceptable solution towards preventing further DDOS attacks.

We believe it was triggered by a student, while we were not resistant against it with our 30 Mbit to spare.

We also believe that this problem should be fixed at the ISP, because we simply can't fight someone taking our bandwidth. ISPs and solutions such as Cloudflare, Incapsula and IBM DDOS prevention are what we believe are the way to mitigate attacks in the future.

I hope this thread will help others conclude and prevent future DDOS attacks.

Expert Comment

by:btan
Thanks for sharing.