As many other webmasters, I am facing problems with DDoS attacks. I have tried denying offending IP addresses from .htaccess files and using bigger and better hosting, but I am unable to stop the attacks as new IP addresses are used.
-
If your only goal is to stop them without any other priority named... an effective way to stop them is going offline. ;) – Zaibis Feb 25 '16 at 11:01
-
Can you say a little bit about the likely motivations of the attackers? How do they profit from your users being denied service? – Eric Lippert Feb 25 '16 at 14:25
-
My brother made some kid angry online, and we ended up getting DDoS'd for 2 days straight. The only solution we found was to call our ISP and have them change our IP. Cycling the router seemed to temporarily help, but I guess all the traffic eventually "plugged it up". – Carcigenicate Feb 25 '16 at 14:25
-
You could use whois and send an email to the complaint address, if listed, with the details on the IP and the packet data. This would be a slow, tedious process as there are likely 100s or 1000s of IP addresses. They could eventually track down the computer and have the owner clean it up. They could also null route your IP, if only temporarily. – cybernard Feb 26 '16 at 04:42
-
There are IPs from different hosting providers, like Zoho Corporation etc., and all are coming from the United States. They are not coming like an attack; they just come for one or two, down the server and back. – Saad Mirza Apr 04 '16 at 07:17
-
While in some aspects it is a duplicate of [DDoS - Impossible to stop?](http://security.stackexchange.com/questions/33811/ddos-impossible-to-stop), it gives much better answers about what can actually be done. The tenor of the older question is more that it is impossible to stop DDoS in general, while the answers here show specific techniques to mitigate the problem. Therefore I recommend reopening the question and no longer treating it as a duplicate. – Steffen Ullrich Oct 25 '16 at 05:45
-
@SteffenUllrich Is "the suggested duplicate has bad answers" a reason not to mark as duplicate? I have no strong opinion, just asking. – Anders Oct 25 '16 at 07:52
-
@Anders: the focus of the suggested duplicate is to show how hard it is to stop DDoS and that it is impossible to stop it completely. The focus of this question is to show ways of mitigation. Apart from that, there are 3 years between these questions and a lot has happened in the meantime, both in terms of attacks and of mitigations. – Steffen Ullrich Oct 25 '16 at 08:18
3 Answers
If you're running a website that's under attack, you should consider a service such as Cloudflare.
Cloudflare and other CDNs are designed with DDoS attacks in mind - traffic passes through Cloudflare's network before it reaches yours. Since Cloudflare will filter DDoS traffic, only clean traffic will reach you.
On the other hand, if the attack is small enough to not saturate your port, and you feel comfortable enough dealing with it on your own, look into running Nginx as a reverse proxy in front of your Apache instance. Nginx is designed to handle floods a lot better than Apache can, due to the epoll architecture.
The way that services such as Cloudflare work is by 1) mitigation appliances and 2) having lots of capacity.
A mitigation appliance looks at anomalies in traffic, and matches traffic with known attack signatures in the past in order to distinguish legitimate traffic from DDoS traffic. The "dirty" traffic is dropped, while the clean traffic is passed on.
The best mitigation in the world doesn't help if your port is being saturated (imagine sending 11 Gbps to a target who can only handle 10 Gbps). No matter how good your filtering is, you will go offline because your port is not capable of handling more than 10 Gbps. Services such as CloudFlare (any CDN or DDoS mitigation provider really) buy tons of capacity from transit providers in order to deal with huge volumetric floods - things that couldn't be handled at the server level because of the massive amounts of traffic (think 50 Gbps+).
There are several types of Distributed Denial of Service attacks; mitigation techniques can be specific to each case:
Volumetric Attacks
A few computers send a large amount of traffic, clogging the network of the victim and keeping legitimate connections from reaching it. In this category we can see:
- UDP Attacks: Using the UDP protocol on random ports forces the server to check if there's an application listening on that port. You can mitigate this with strict firewall rules.
- ICMP Floods: The idea is to initiate an echo request and never complete the handshake; doing this frequently enough from different hosts will make the victim unable to respond to legitimate requests. Mitigation techniques include blocking fragmented ping requests.
Application Layer
The most common attacks of this type target HTTP and DNS services; you basically request a resource so many times that the server processing the requests uses all the resources available. For HTTP specifically, this is usually very difficult to differentiate from normal HTTP requests; mitigation usually consists of a mix of IP reputation, tracking abnormal activity and sometimes requiring the execution of JavaScript.
State Exhaustion
Every device has a table that stores the state of each connection (if you run netstat you can see this "table"); this type of attack aims at using every entry in that table to the point where no new connections can be added (see "slowloris" for an example of this attack). Mitigation often includes timing out unfinished requests to free up resources quickly.
There are of course services that help prevent and mitigate these types of attacks; CloudFlare even has this service free of charge, but I'm sure there are others. In general the concept of defense in depth applies here: having several layers of security helps lower the risk associated with DDoS attacks. However, keep in mind that we are talking in terms of mitigation; even GitHub was DDoS-ed and, with their massive infrastructure and great expertise, they saw their service affected.
If you currently are under attack I would contact CloudFlare and ask them what options they can offer you, then start planning a prevention strategy as soon as possible. Right now it looks like you were caught off guard, so best of luck.
Here's a great resource from Arbor Networks.
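As an added example for the "tracking abnormal activity" mitigation in the application-layer section above (written for this page, not code from the answer or from Cloudflare): a per-source sliding-window rate check over constructed access-log lines. The window size, threshold and IP addresses are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, request line) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def flag_floods(lines, window_s=10, max_requests=20):
    """Per-source sliding-window rate check (lines in log order). Returns
    {ip: peak count inside one window} for sources exceeding max_requests."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip a malformed line instead of crashing
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

# Constructed sample log (not real traffic): one client polling every 10 s and
# one source (documentation-range IP, assumed) hammering the same URL at 5 req/s.
def _line(ip, ts, agent):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return '%s - - [%s] "GET /index.html HTTP/1.1" 200 512 "-" "%s"' % (ip, stamp, agent)

_BASE = datetime(2016, 2, 25, 11, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(300):                                   # 60 s of traffic
    t = _BASE + timedelta(milliseconds=200 * i)
    SAMPLE_LOG.append(_line("203.0.113.9", t, "python-requests/2.9"))
    if i % 50 == 0:
        SAMPLE_LOG.append(_line("198.51.100.7", t, "Mozilla/5.0"))

if __name__ == "__main__":
    for ip, n in flag_floods(SAMPLE_LOG).items():
        print("flood source %s: %d requests within 10 s" % (ip, n))
```

Sources it returns are candidates for a rate limit or a JavaScript challenge at the proxy rather than an automatic block, since a large NAT can legitimately exceed a naive per-IP threshold.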
If your web server runs Windows, there are certain registry values that you can set to prevent DoS (apparently DDoS too). All of them live under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and are of type REG_DWORD:
- SynAttackProtect = 1 (the value 1 enables SYN flooding attack protection)
- TcpMaxConnectResponseRetransmissions = 2 (this value has two purposes: first, when set to 2, it enables SYN flooding attack protection in conjunction with the above value; second, it controls the number of retransmissions by TCP of an unanswered SYN-ACK, so it will not retransmit more than twice)
- TcpMaxDataRetransmissions = 3 (controls the number of times TCP retransmits unacknowledged data segments in an existing connection)
- EnablePMTUDiscovery = 0 (as per Microsoft, the value 0 means "TCP uses an MTU of 576 bytes for all connections to computers outside the local subnet"; this ensures packet sizes cannot be reduced below 576 bytes by an attacker to decrease performance)
More information for Windows is provided here.
For Linux, this is a good resource.
-
@Rory Alsop: so? For DDoS, you are going to need layered defense and using such mitigation will only help. You will not get one tool that will magically prevent all DDoS! – Earthling Feb 25 '16 at 15:02
-
Would probably help to briefly explain what each of those changes does. – trallgorm Feb 25 '16 at 15:13
-
@Rory Alsop: Mitigations are used to prevent attacks. Maybe you are confusing with stopping attacks in real time. Prevention is before the attack can occur, so prevent is the correct word as that is what mitigations do, they prevent attacks. – Earthling Feb 26 '16 at 04:05
-
@trallgorm: thanks for the suggestion. I have edited the answer to explain each registry key, hope it clarifies things. – Earthling Feb 26 '16 at 04:38
-
Those who have downvoted the answer: what did you find is missing in the answer? How can it be improved? I believe this answer gives hands-on tips on implementing controls, but if more details are needed, please clarify what is needed. – Earthling Feb 26 '16 at 04:39