
DDOS Question

Nexus Member
edited March 2013 in General

Hey guys,

If using a small script like citadel or DDOS deflate, when a real DDOS hits, it should at least counter and block some IPs before the server IP gets nulled? Or is this entirely dependent on the network's router protection?


It seems to me, the network protection actually null routed it before the 1 minute allocated time that ddos deflate runs? (once per min)

Network said screw off, not waiting for your shitty software protection to risk it, time for null route?

If so, fine with me, I just don't know what else to do to help mitigate attacks, I've got iptables, deflate, all ports dropping except the ones I need (prob useless), but yeah........

I'm also willing to pay for any bandwidth charges by my host, I feel so bad to be honest...

Comments

  • fly Member

    depends on the type of attack. if it's a lot of packets or traffic then most likely you're out of luck as your upstream will be affected too

  • @Nexus said: not waiting for your shitty software protection to risk it

    Even if your software does block the IPs, it makes no difference to your host. The traffic is still reaching your server. You will still get nullrouted if the attack is large enough, and even if you didn't, the software protection would not help.

  • Why do you drop packets (ddos deflate) if you want to know who sent them..?

  • Nexus Member

    @Jack said: You have your small HTTP Floods like GET/HEAD/POST Floods which ddos deflate, CSF and those small iptables based software firewalls will help with.. up to a certain point.

    Is this because the deflate is based on connections per IP? With a DDOS you can have thousands of IPs with 1 connection each, so rendering deflate useless?
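    To make the point in this post concrete, here is an added model (not code from the thread or from the DoS Deflate project) of the per-source-IP connection threshold such scripts apply to netstat output. The connection list is constructed sample data and the limit of 150 is an assumed value; it shows why one noisy host gets blocked while a distributed flood of single-connection sources passes the per-IP rule, and why only an aggregate check notices it.

```python
# Added example: models the per-IP connection count that DoS-Deflate-style
# scripts derive from netstat output. Sample data below is constructed.
from collections import Counter

# Constructed sample of netstat "foreign address" fields (IP:port):
# one host with 150 connections, then 508 hosts with one connection each.
SAMPLE_CONNECTIONS = (
    [f"198.51.100.7:{p}" for p in range(40000, 40150)]
    + [f"203.0.113.{i}:4000" for i in range(1, 255)]
    + [f"192.0.2.{i}:5000" for i in range(1, 255)]
)

def connections_per_ip(netstat_lines):
    """Strip the port (last ':' field) and count connections per remote IP."""
    return Counter(line.rsplit(":", 1)[0] for line in netstat_lines)

def per_ip_threshold_blocks(netstat_lines, limit=150):
    """IPs a per-source rule would block (assumed limit: 150 connections)."""
    counts = connections_per_ip(netstat_lines)
    return sorted(ip for ip, n in counts.items() if n >= limit)

def aggregate_flood_detected(netstat_lines, total_limit=400):
    """The check the per-IP rule lacks: total open connections vs. a baseline
    (assumed baseline of 400 for this constructed host)."""
    return len(netstat_lines) >= total_limit

def summarize(netstat_lines, limit=150, total_limit=400):
    """Report what per-IP blocking removes and what still reaches the host."""
    blocked = per_ip_threshold_blocks(netstat_lines, limit)
    counts = connections_per_ip(netstat_lines)
    remaining = sum(n for ip, n in counts.items() if ip not in blocked)
    return {
        "blocked_ips": blocked,
        "connections_remaining_after_block": remaining,
        "aggregate_alarm": aggregate_flood_detected(netstat_lines, total_limit),
    }

if __name__ == "__main__":
    # Full sample: the single noisy host is blocked, the 508 distributed
    # connections are untouched and only the aggregate check fires.
    print(summarize(SAMPLE_CONNECTIONS))
    # Distributed sources only: nothing blocked at all.
    print(summarize(SAMPLE_CONNECTIONS[150:]))
```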

  • @Nexus said: Is this because the deflate is based on connections per IP? With a DDOS you can have thousands of IPs with 1 connection each, so rendering deflate useless?

    It's called DoS deflate and made by a skiddie in ~2002

  • Nexus Member
    edited March 2013

    Yeah, after looking back at this topic, I want to shoot myself, but I went all out and posted it anyway. I am waiting to see what kind of attack it was from the host and I'll go from there.

    The thing that scares me is, if a skiddie can do this, what's stopping them from doing it whenever they want? Seems to me like I will have to keep updating my domain to each different IP assigned to my node that is not null routed?... Then wait the proper amount of time for DNS propagation. I think my time has come to an end.

  • @Nexus said: Seems to me like I will have to keep updating my domain to each different IP assigned to my node that is not null routed?... Then wait the proper amount of time for DNS propagation. I think my time has come to an end.

    Cloudflare or Rage4 with uptimerobot?

    I am working on a ddos protection network for not just HTTP to stop the ever evolving skid race

  • TheLinuxBug Member
    edited March 2013

    @Nexus In a case when you are seeing a lot of traffic my suggestion is get a DDoS protected IP from @Francisco and the BuyVM crew or from @KuJoe from SecureDragon; they both have products which you can place in front of your servers to filter abusive traffic. When using the tunnels they provide a way so that the attack gets tanked before making it to your network and you do not have to worry about changing your IP all the time as well. If you have questions about what they can do for you I would suggest a PM to either of those guys, I am sure they would be happy to explain to you what it can and can't do (if they do not feel motivated already to do so in the thread).

  • fly Member
    edited March 2013

    if a skiddie can do this, what's stopping them from doing it whenever they want?

    welcome to the internet

  • Janevski Member
    edited March 2013

    @Nexus When the unsolicited traffic reaches the victim it's pretty much done.
    Every denial of service attack can always be resolved on the upper network node (which by rule of order has more networking capacity - up to a point when getting close to middle path links), working your way through the nodes up to the attacker and taking him off the net. Stopping a DDOS is something like stopping an epileptic seizure.

  • if it's BGP which auto-nulls, it's based on traffic being sent, so even if it's being blocked at software level traffic is still being sent.

  • @MonsteR said: if it's BGP which auto-nulls, it's based on traffic being sent, so even if it's being blocked at software level traffic is still being sent.

    No, you can use BGP to null, it won't go automagically

  • Francisco Top Host, Host Rep, Veteran

    Correcto.

    Auto null isn't an over the counter solution that you get by running your own ASN.

    It always requires an extra piece of software that's doing analysis and pushing null routes to the router.

    Francisco

  • Ishaq Member

    @Jack said: @BronzeByte said: automagically

    I think that was intended.

  • @Ishaq said: @Jack said: @BronzeByte said: automagically

    I think that was intended.

    Exactly, Automagically™ is property of Pony Corp.

    @Francisco

  • Francisco Top Host, Host Rep, Veteran

    Automatically is a cpanel thing.

    I think it was a spelling error and they simply continued with it :P

  • Ishaq Member

    @Francisco said: Automatically is a cpanel thing.

    No, it's an English word.

    Muhahaha. >_>

  • Francisco Top Host, Host Rep, Veteran

    Bah stupid autocorrect :P

    Automagically Is what I meant.

  • superpilesos Member
    edited March 2013

    My least favorite word, I only see it spamming my email when a service is down and refuses to come back up :(

  • Nexus Member
    edited March 2013

    Got slammed by the exact same thing today. Both my IPs are null routed, it's game over AFAIK.


    I was in SSH while this was happening, it was instant, no lag no nothing, it was raped. I am very fortunate that the DC stopped it pretty quick. But now I am looking for some type of IP filter. Jack and KuJoe and Francisco will be my next step, what a shame really.


    Edit: I can't even imagine if I was running a web hosting site.... how'd I feel :/

  • Ollie Member

    @BronzeByte Your network sounds interesting. Let me know when you get it done, I may be interested :)

  • sleddog Member
    edited March 2013

    @Francisco said: Automatically is a cpanel thing.

    I think it was a spelling error and they simply continued with it :P

    No :)
    http://www.adclassix.com/ads/46thor.htm

  • Francisco Top Host, Host Rep, Veteran
  • Janevski Member
    edited March 2013

    @Nexus said: Got slammed by the exact same thing today. Both my IPs are null routed, it's game over AFAIK.


    I was in SSH while this was happening, it was instant, no lag no nothing, it was raped. I am very fortunate that the DC stopped it pretty quick. But now I am looking for some type of IP filter. Jack and KuJoe and Francisco will be my next step, what a shame really.


    Edit: I can't even imagine if I was running a web hosting site.... how'd I feel :/

    Here I see 5 minutes of traffic of less than 16 Mbps, which is pretty low for a denial of service attack.
    If the packets are 64 B then it's only below 32768 pkt/s.
    If the packets are 1500 B then it's below 1400 pkt/s.
    There might be some kind of traffic shaping by the ISP, but still, if there is, you won't get null routed by the ISP.
