DDoS Attacks

[jtwhite]

Have you ever experienced a DDoS attack? What would you do to get it off the server?

[drosado]

Hello Jtwhite, I'll share some minor things you can do to prevent / help with DDoS Attacks.


1. SYN Floods. Alot of DDos attacks are SYN FLOODS.The best way to help with this type of attack is to limit the amount of connections a user can send at a time.


2. Smurf Attacks: A smurf attack is a ping attack the user conducting the attack will send a massive amount of ping traffic to the broadcast IP of the network, which in time will affect the network connection to the server making server replies slower.

3. LAND Attacks: A LAND attack is when someone sniff's your IP / Server for open ports. Once they find a open a vulnerable port, once they find the port / service they start to flood it and it mirror images it self and the server can't figure out what is going on so it will crash.

4. Ping of death: Users will ping the server with a large ping and crash the server. This mainly open works on systems running NT.

5. Ping flooding: One of the easist ways to DDoS a server. Usually servers can handle these attacks very well. A ping attack is pretty much someone using a program that constantly refreshes it's connection to the server.(Kinda like you spamming refresh in your internet browser)


6. Teardrop attacks This attack involves packets sent by the attacker to the target with oversized payloads. This exploits a bug in the TCP/IP protocol stack, crashing the system. Only Windows 3.11, 95 and Linux prior to 2.0.32 were vulnerable to this kind of attack.


7. Other type of attacks involve application flooding, like IRC bot raw line which usually crash Windows boxes running mIRC or any other client. These attacks are based on a greater number of raw socket transactions than a computer can handle.


Alot of the people that DDos are new kids to the hacking / crashing scene and are using crappy DDoS tools that won't do much damage. Although you should always be prepared.

Best way to prepare yourself is to limit the amount of connections to the server per person.

Also, GoogleBot can make it seem as if your server is being DDoS'd. Alot of hosts will actually deny googlebot from using the image directories of the site.


As i said earlier it's usually just some kid messing around. If thats the case and your only seeing a DDos from one machine(IP) Null out that IP on your router and then report that IP to your ISP to block it up stream.


If it's coming from a country you can simply block all the ip's from that country using a good firewall.


Also ask your host to implement a DDOS mitigation device. Which im sure X10 already has a Cisco switch to help prevent DDoS attacks.

If you have any further questions feel free to ask.


Hope this helps.

[ozcorps]

Wow that information was HOT, i mean smoking i had no idea there were so many versions of ping attacking someone. Jesus i hope that never happens to me, mind you i dont really have crap on my machine worth hacking into for.

thanks for that, i have def saved that for future information.

[Jarryd]

I have nothing worth hacking on my vps, i get about 10-15 attempts per day to brute force my ssh password. I set up something called fail2ban to automatically change IPtables to deny anyone that gets more than 3 failed logins

[drosado]

Oh i should of mentioned fail 2 ban. Good catch there Hell.

[The Real Rebel]

Nice, just make sure you have a good firewall on your vps, if you don't GET ONE NOW!!!! :P

[Sharky]

Power it off for 10-20 mins, and if it still doesn't resolve itself, cry down the phone to Corey until he gives a new IP address? Uhh, I mean... Ban everyone except 127.0.0.1 and your own IP address?

[masshuu]

also you can change the port ssh runs on, that stops about 99.9999999999999999999999999999999% of brute force attacks.

open
/etc/ssh/sshd_config

change Port to something else
like 2345 or something

last reload your ssh

[The Real Rebel]

Power it off for 10-20 mins, and if it still doesn't resolve itself, cry down the phone to Corey until he gives a new IP address? Uhh, I mean... Ban everyone except 127.0.0.1 and your own IP address?

Lol yeah and

also you can change the port ssh runs on, that stops about 99.9999999999999999999999999999999% of brute force attacks.

open
/etc/ssh/sshd_config

change Port to something else
like 2345 or something

last reload your ssh

Thats one of the best things you can do :D Nice one supermatthew :D

[TechAsh]

I have nothing worth hacking on my vps, i get about 10-15 attempts per day to brute force my ssh password. I set up something called fail2ban to automatically change IPtables to deny anyone that gets more than 3 failed logins

Lucky, I get at least 100-200 on a good day, I have seen 5000-6000 but that's less common. I use SSHGuard, but that seems to keep crashing after a day or so...