Jump to content

Web server DoS protection


K1u
 Share

Recommended Posts

I currently have a flood control system set up at my sites. I am constantly DoS'ed. I have already logged about 20 Ip's...

Although... as TomB pointed out to me once I believe... there really is not any way you can protect against DoS attacks. You can of course limit requests... though. So what do you guys who are also webmasters recommend for DoS protection.

Link to comment
Share on other sites

Beyond a certain point all you can do is log the traffic, drink beer and fume.

Look at stuff like syn cookies, tweaking sysctl values to improve the tcp stack performance. For apache you should disable keep alives, reduce timeouts to a few seconds and bump up the number of server instances (lots of severs = lots of servers to deal with the large amount of connections).

This should keep it kinda working, but it will never be great. The best way of dealing with a DOS type attack is to route all the traffic threw a dedicated bit of kit designed to handle the traffic but good luck finding the cash for this. A roundrobin would also work but same price issue.

Link to comment
Share on other sites

I am going to be upgrading the amount of bandwidth on my server. I recently got a msg from a guy saying he has a "80k DoS botnet" and that he will DoS with that. The only good thing is usually when these guys DoS they cant use a proxy for a number of reasons (speed etc...).

You know... the best mentality to put these things into is like this... most sites on the internet are attacked using the DoS attack. It is not something I can stop all together. I would personally like to simply do this - be able to block all incoming traffic from these attackers... but this is probably not possible... you know what why the hell am I even calling these guys attackers. The DoS attacks I am getting are not that bad... but I am paranoid about it.

Every time I feel too worried I just google botnet user arrested and feel happy again.

Link to comment
Share on other sites

As per your PM'd request, the one thing that will help ou more than anything in this situation is a cisco box in front of the server. Don't block IP's with iptables as the machine will still have to think about blocking the connection, block all the IP's with the external firewall. When hak5.org was being ddos'd I found that blocking at the cisco worked far better than anyhing else. Blocking everything except port 80 in from any and port 22 in from limited, including ICMP will limit there attack vectors significantly. If you know and can reach the people who are doing the attack, consider physical reprisal.

Link to comment
Share on other sites

As per your PM'd request, the one thing that will help ou more than anything in this situation is a cisco box in front of the server. Don't block IP's with iptables as the machine will still have to think about blocking the connection, block all the IP's with the external firewall. When hak5.org was being ddos'd I found that blocking at the cisco worked far better than anyhing else. Blocking everything except port 80 in from any and port 22 in from limited, including ICMP will limit there attack vectors significantly. If you know and can reach the people who are doing the attack, consider physical reprisal.

Ouch... problem though... this is a hosted server. I have the same hosting as you guys are using. I wish to ask one thing though... what types of DoS attacks are these guys using. It seems like a botnet. I have all of there IP's if you wish for me to post them. I am going to contact godaddy as well and see if they can give me some advice or possibly contact the attackers.

Link to comment
Share on other sites

1) It's likely a botnet, which would be a DDoS (distributed denial of service).

2) Specifically what attack I wouldn't know, there are a fair number of DDoS methods.

3) This being the case, the IPs themselves are of little use unless someone obtains and reverse engineers one of the bots in this net.

Contacting the attackers will do next to nothing even if you could. Best way out of this is grin and bear it and if you're being attacked for a personal reason go sort that out.

Link to comment
Share on other sites

Google the person in questions personal information, social engineer the persons ISP into an account password reset.  This is proven to be fun.

Well... what if I just report them... seeing as I already have there attacks logged. In the other hand... is it really the right thing to do?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...