Web server DoS protection

[K1u]

I currently have a flood control system set up at my sites. I am constantly DoS'ed. I have already logged about 20 Ip's...

Although... as TomB pointed out to me once I believe... there really is not any way you can protect against DoS attacks. You can of course limit requests... though. So what do you guys who are also webmasters recommend for DoS protection.

[Sparda]

Take that server down, the skiddies will get tiered of waiting for it to appear again.

[VaKo]

Beyond a certain point all you can do is log the traffic, drink beer and fume.

Look at stuff like syn cookies, tweaking sysctl values to improve the tcp stack performance. For apache you should disable keep alives, reduce timeouts to a few seconds and bump up the number of server instances (lots of severs = lots of servers to deal with the large amount of connections).

This should keep it kinda working, but it will never be great. The best way of dealing with a DOS type attack is to route all the traffic threw a dedicated bit of kit designed to handle the traffic but good luck finding the cash for this. A roundrobin would also work but same price issue.

[K1u]

I am going to be upgrading the amount of bandwidth on my server. I recently got a msg from a guy saying he has a "80k DoS botnet" and that he will DoS with that. The only good thing is usually when these guys DoS they cant use a proxy for a number of reasons (speed etc...).

You know... the best mentality to put these things into is like this... most sites on the internet are attacked using the DoS attack. It is not something I can stop all together. I would personally like to simply do this - be able to block all incoming traffic from these attackers... but this is probably not possible... you know what why the hell am I even calling these guys attackers. The DoS attacks I am getting are not that bad... but I am paranoid about it.

Every time I feel too worried I just google botnet user arrested and feel happy again.

[remkow]

You can stop a lot of the traffic, especially if it's DoS and not DDoS using iptables on linux, but I'm not sure whether you have complete access to the box. If you do, you should give that a try.

[K1u]

You can stop a lot of the traffic, especially if it's DoS and not DDoS using iptables on linux, but I'm not sure whether you have complete access to the box. If you do, you should give that a try.

I could try to get SSH access.

[VaKo]

As per your PM'd request, the one thing that will help ou more than anything in this situation is a cisco box in front of the server. Don't block IP's with iptables as the machine will still have to think about blocking the connection, block all the IP's with the external firewall. When hak5.org was being ddos'd I found that blocking at the cisco worked far better than anyhing else. Blocking everything except port 80 in from any and port 22 in from limited, including ICMP will limit there attack vectors significantly. If you know and can reach the people who are doing the attack, consider physical reprisal.

[K1u]

As per your PM'd request, the one thing that will help ou more than anything in this situation is a cisco box in front of the server. Don't block IP's with iptables as the machine will still have to think about blocking the connection, block all the IP's with the external firewall. When hak5.org was being ddos'd I found that blocking at the cisco worked far better than anyhing else. Blocking everything except port 80 in from any and port 22 in from limited, including ICMP will limit there attack vectors significantly. If you know and can reach the people who are doing the attack, consider physical reprisal.

Ouch... problem though... this is a hosted server. I have the same hosting as you guys are using. I wish to ask one thing though... what types of DoS attacks are these guys using. It seems like a botnet. I have all of there IP's if you wish for me to post them. I am going to contact godaddy as well and see if they can give me some advice or possibly contact the attackers.

[moonlit]

1) It's likely a botnet, which would be a DDoS (distributed denial of service).

2) Specifically what attack I wouldn't know, there are a fair number of DDoS methods.

3) This being the case, the IPs themselves are of little use unless someone obtains and reverse engineers one of the bots in this net.

Contacting the attackers will do next to nothing even if you could. Best way out of this is grin and bear it and if you're being attacked for a personal reason go sort that out.

[Sparda]

There are a multitude of different types of DDoS attacks. Ranging from simple ICMP flooding to very hard to defend against SYN packet flood.

[K1u]

I currently have the "Premium Plan" which is 2,000 GB of bandwidth. I am going to try to do some things to cut down on bandwidth.

[VaKo]

I currently have the "Premium Plan" which is 2,000 GB of bandwidth. I am going to try to do some things to cut down on bandwidth.

Yes, turn off ICMP!

[K1u]

I currently have the "Premium Plan" which is 2,000 GB of bandwidth. I am going to try to do some things to cut down on bandwidth.

Yes, turn off ICMP!

On it!

Also thank you guys for all the help!

[jollyrancher82]

Google the person in questions personal information, social engineer the persons ISP into an account password reset.  This is proven to be fun.

[K1u]

Google the person in questions personal information, social engineer the persons ISP into an account password reset.  This is proven to be fun.

Well... what if I just report them... seeing as I already have there attacks logged. In the other hand... is it really the right thing to do?

[jollyrancher82]

Attacks don't tell you what person is doing it.

[K1u]

Attacks don't tell you what person is doing it.

Well forget it now... the attacks have stopped this week after I said I could "take further action"...