[e-gold-list] Re: what's a DDOS
At 7:15 PM -0500 11/25/03, Adam Selene wrote:

> So what is the best architecture/method to defend against DDOS?

(just a note, I'm not a systems engineer or networking guru) Honestly? I'd have to say that your best defense is having your servers hosted at, or your bandwidth delivered by, a competent and attentive provider with highly skilled staff. Such an organization will have a plan of action in the event of a DDOS attack and carry it out. A large and sophisticated DDOS attack can consume the fattest of bandwidth. That's a situation that your provider isn't going to be too fond of as they probably host many other clients. In all likelihood they'll want the problem solved as quickly as you do. More to the point, they'll have better resources to deal with such an event than you will. I don't think alter.net cares too much when you call them and ask for help in diagnosing the DDOS attack on your subleased 64k colocation bandwidth!

Note that even large companies and organizations like Microsoft and The SCO Group, who presumably have armies of skilled network and system engineers and heaps of bandwidth, have in fact been totally crippled by such attacks. I personally think that fact goes a long way toward illustrating that weathering the storm, so to speak, is often the only realistic option for Joe sysadmin.

In front of or on your own boxes it's obviously important to implement a firewall that allows for stateful packet inspection. While a DDOS attack may effectively clog your connectivity for a time, proper packet filtering should prevent your servers from experiencing even the tiniest of ill effects. Under only a small-scale DDOS attack where the available bandwidth isn't entirely consumed, such filtering may be enough to keep your server totally available. Also, having backup box(es) on some other network is a possibility. Though, once the address of such a server has been established, they may quickly suffer the same fate as your original server.
Unfortunately DDOS has graduated from script kiddies to organized crime. The unfortunate fact is DDOS attacks can very effectively disable servers and disrupt business. A recent example being all of the spam email "blacklist" servers being forced to shut down due to endless DDOS perpetrated by spam cartels. Thankfully most extortionists, as you point out, generally tire of aiming their attacks at one individual and will move on to the next target they feel may give in to their monetary demands. Ironically of course, if anyone ever gave into such a demand, you'd imagine that they'd be DDOS'd into the ground as word spread that they were lucrative targets. It's a fun network out there! --- You are currently subscribed to e-gold-list as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.
[e-gold-list] Re: what's a DDOS
Another strategy we have used in the past, which only works for servers with only clients on a dedicated IP with SSL, is to block off port 80 when it is being flooded. Your site will still run over the SSL port and escape attack in many cases. Sometimes when we see a DDOS we can keep the SSL clients up when the rest drop, so that is a cheap way to stay up during a DDOS on a shared server if your admin is willing to help you in that way. $200 a year extra in a shared hosting environment may be the difference to not losing your sales that week. Not foolproof, but it does work in some cases.

Gordon
www.katzglobal.com
Anonymous Hosting(tm) Solutions
[e-gold-list] Re: what's a DDOS
There is not a whole lot that can be done for a smaller outfit. The only partially effective solutions start in the 50k range, which would imply you would drop in a special server in front of the network to filter random IP traffic properly. Since DDOS is coming in from any and everywhere it becomes very hard to deal with, and most NOCs are not even capable of the expense and time it takes to work up a real solution. Or you could add large bandwidth and pay 10k a day to provide it to the network. Only the deepest pockets could do that while trying to sort out the issue. You will find that many admins cannot even help you trace it back through the network, and when you succeed you may find that many people's computers are being used as slaves via IRC without their knowledge. Fortunately, most DDOS attacks die off after a few days.

The market is wide open for a real software solution for this. The first one to market will be an instant millionaire, but the architecture of the internet itself may place limitations on a cheap software solution.

Gordon
www.katzglobal.com
Anonymous Hosting(tm) Solutions
[e-gold-list] Re: what's a DDOS
> If the IP addresses showing up at your server in a DDOS
> situation were the legitimate IP addresses for offending
> machines, filtering them out would be relatively easy in the
> scheme of things!

So what is the best architecture/method to defend against DDOS?

Unfortunately DDOS has graduated from script kiddies to organized crime. In fact the company I work for was under DDOS attack and received an extortion letter demanding $50,000 for a 1 year "protection" from attack. I'm aware of at least a dozen companies in the area that received similar attacks/letters. I wasn't involved in managing the network at the time, but I suspect boredom and the multitude of other targets was more responsible for the DDOS stopping than was the series of firewalls and filters put into place.

How should one architect their systems to minimize the impact of DDOS?

Adam
[e-gold-list] Re: what's a DDOS
At 6:52 AM -0500 11/25/03, James M. Ray wrote:

> Anyway, the important point is that it's hard to fight because it's coming from lots of "legitimate" IP addresses which can not all be blocked.

Actually part of the problem in defending against DDOS is quite often the IP addresses are in fact being forged / spoofed (at random no less), which makes it largely impossible to determine what *actual* IP addresses the attacks are coming from. It is possible to discover this information ultimately, but literally only by tracing the traffic backwards from router to router. This of course necessitates having access to administrative staff at different network points willing to dig into the bits and bytes of the packets being sent through their equipment. That's often a tall order unfortunately.

If the IP addresses showing up at your server in a DDOS situation were the legitimate IP addresses for offending machines, filtering them out would be relatively easy in the scheme of things!
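An added example, not code from anyone on the list: a small Python triage script that runs over constructed firewall-log lines and answers the question this message raises (can the offending addresses simply be filtered?) by measuring how concentrated the sources are. When a handful of real hosts carry most of the flood it emits a per-source block list; when every packet carries a different (randomly forged) source it gives up on per-address blocking and falls back to the port-80-off, SSL-port-still-up trick Gordon describes earlier in the thread, with connection tracking so already-established sessions survive. The log format, the TEST-NET addresses (RFC 5737), the 90% threshold and the iptables rule strings are all assumptions chosen for the illustration.

```python
"""Decide whether per-source filtering can work against a flood.

Added illustration, not code from anyone on the list. The log lines are
constructed below (RFC 5737 TEST-NET addresses); the log format, the
thresholds and the iptables rule strings are assumptions for the example.
"""
import random
from collections import Counter


def make_sample(spoofed, n=2000, seed=1):
    """Build n constructed log lines in a netfilter-like KEY=VALUE format.

    spoofed=False: five real attacking hosts hammer port 80.
    spoofed=True:  every packet carries a random forged source address.
    """
    rng = random.Random(seed)
    attackers = [f"203.0.113.{i}" for i in range(1, 6)]  # constructed
    lines = []
    for _ in range(n):
        if spoofed:
            src = ".".join(str(rng.randrange(256)) for _ in range(4))
        else:
            src = rng.choice(attackers)
        lines.append(f"SRC={src} DST=192.0.2.10 PROTO=TCP DPT=80 SYN")
    return lines


def parse_line(line):
    """Return (src, dport, is_syn) from one KEY=VALUE style log line."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["SRC"], int(fields["DPT"]), "SYN" in line.split()


def source_concentration(lines, top_n=20):
    """Return (distinct_sources, share of packets sent by the top_n sources)."""
    counts = Counter(parse_line(line)[0] for line in lines)
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(top_n))
    return len(counts), top / total


def filtering_plan(lines, top_n=20, threshold=0.9):
    """Pick a mitigation from what the log actually shows.

    A few sources carrying most of the flood: block them by address.
    Sources spread almost one-per-packet (the signature of random
    spoofing): a block list is hopeless, so shed the flooded port and
    keep the SSL port open behind connection tracking and a SYN limit.
    Rules are listed in the order they should be evaluated (assumed
    appended to a freshly flushed INPUT chain).
    """
    distinct, share = source_concentration(lines, top_n)
    if share >= threshold:
        counts = Counter(parse_line(line)[0] for line in lines)
        rules = [f"iptables -A INPUT -s {ip} -j DROP"
                 for ip, _ in counts.most_common(top_n)]
        return "per-source-blocklist", distinct, rules
    rules = [
        # stateful tracking: keep serving sessions already established
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # new SSL connections still allowed, but rate-limited (assumed limits)
        "iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW "
        "-m limit --limit 50/s --limit-burst 100 -j ACCEPT",
        # shed the flooded plain-HTTP port entirely for the duration
        "iptables -A INPUT -p tcp --dport 80 -j DROP",
    ]
    return "shed-port-80-keep-ssl", distinct, rules


if __name__ == "__main__":
    for spoofed in (False, True):
        plan, distinct, rules = filtering_plan(make_sample(spoofed))
        print(f"spoofed={spoofed}: {distinct} distinct sources -> {plan}")
        for rule in rules:
            print("   ", rule)
```

The single number that matters is the share of traffic attributable to the top few sources: with real attacking hosts it is close to 1.0 and a short DROP list ends the problem; with forged random sources it collapses toward zero and no list short of the whole Internet would help, which is exactly why the thread keeps coming back to upstream traceback and to shedding load rather than blocking addresses.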
[e-gold-list] Re: what's a DDOS
Gibson Research (www.grc.com) has some pretty interesting information on this subject too. The owner, Steve Gibson, once exposed a script kiddie after facing a DoS attack. The complete story is on the site. Unfortunately the site was down just now, maybe they are under attack as well (again). Exposing hackers or script kiddies usually p*ss*s them off, so retaliations aren't out of the question. Perhaps the site grcsucks.com was set up by such a person. Tools for DoS attacks are plentiful. It's very easy to find them, including tutorials. It's a big bad world out there...

Remco
[e-gold-list] Re: what's a DDOS
At 10:27 PM +1100 11/25/03, [EMAIL PROTECTED] wrote:
...
> However a distributed DOS attack can be very sophisticated indeed.
>
> A ddos attack might very much NOT be a "script kiddie," but could be
> a "real" hacker - definitely. A ddos attack could be mossad, or
> maybe just script kiddies.
>
> D-dos attacks are generally seen, I think, as scary and sophisticated.
...

You're right, I have no idea who it is or how much skill he/she has, but I've heard there's now a "toolkit" for doing these things, so I do have some suspicions. Anyway, the important point is that it's hard to fight because it's coming from lots of "legitimate" IP addresses which can not all be blocked.

JMR
[e-gold-list] Re: what's a DDOS
> At 5:32 AM -0500 11/25/03, Jon Jensen wrote:
> ...
> > If someone has these details maybe they can make a new posting to let others know the basics. (Google's your friend for details, but...)
>
> A DDOS is a Distributed Denial of Service attack. It's accomplished when a script-kiddy (they're almost-never actually programmers, but some of them CALL themselves hackers, mistakenly IMO!)

I'm all for slagging on hackers (bastards!), however man, it is dangerous to assume the wrong things...

A "dos" attack (one person keeps pinging you) is no big deal and could be a "script kiddie". However a distributed DOS attack can be very sophisticated indeed.

A ddos attack might very much NOT be a "script kiddie," but could be a "real" hacker - definitely. A ddos attack could be mossad, or maybe just script kiddies.

D-dos attacks are generally seen, I think, as scary and sophisticated.

> uses a stable of compromised Windows-machines which are usually on fast connections to send hundreds of bogus requests to a site the script-kiddy has decided he dislikes. More info is at http://www.2600.com and in 2600 magazine.
>
> JMR

Certainly not necessarily Windows machines - could be normal unix servers all over the place. Gaining access to the suite of machines used may have been an extremely sophisticated operation, over a long period of time.

Dealing with hackers mentally is totally infuriating. (Whether they are script kiddies or "real" hackers.) You simply have no power (i.e., the hacker has all the power). Your fantasy is finding them and smacking them upside the head, but that's not going to happen. One rule of dealing with hackers is never, ever, underestimate them -- it's tough.
