0

Our websites have been the target of an increasing DDoS, the reason is unknown. Right now, we have taken enough precautions to reliably identify and filter the problematic requests (approx 1 mio/day at its peak, before we stopped counting). But as there were other efforts to disrupt our service in recurring intervals in the past and the attacks seem related, I wonder what else we could do.

The IPs are obviously just some botnet on consumer devices (DSL connections around the world etc., not TOR nodes), so I even if we started sending out abuse emails, it would not really make a difference, as the IPs are frequently changing. The attacker also does not seem to really care that the attack is no longer generating any deteriotion on our service, but it has been going on for more than a week now.

What should be our next step, while the attack is still ongoing, but is not harming us? Collect the IP adresses and report them somewhere? Handle the problematic requests in a special way in order to reduce the harm of the botnet to others? Anything to identify who is behind it, or why the site is being attacked?

In other words, right now we can gather information, if the next wave is better we might not be able to do it in such a reliable way. Can we do anything now?

Martin
  • 103
  • 3
  • possible duplicate of [What techniques do advanced firewalls use to protect againt DoS/DDoS?](http://security.stackexchange.com/questions/114/what-techniques-do-advanced-firewalls-use-to-protect-againt-dos-ddos) – Deer Hunter Dec 13 '14 at 00:07
  • @DeerHunter I read the linked post before posting my question. I am not asking how to deal with the DDoS, but what steps should be taken next. The documentation suggested by David Stubley in that post seems logical, but will not help much in my case. The requests are regular HTTP traffic, the IPs spread across the world. And our data center provider probably does not even care about the volume of "our" DDoS. – Martin Dec 13 '14 at 00:14
  • 1
    Honestly, unless you can dig up evidence of who is behind it and there is a chance that their local law enforcement will get involved, there's not much else that can be done. I've worked at jobs where we were constantly hit with DDoS attacks 24x7x365. Welcome to the Internet. :) – theterribletrivium Dec 13 '14 at 06:57

1 Answers1

1

Reporting the IP addresses will yield little, moreover, nothing. In many cases, the addresses DoS'ing you are likely compromised or infected with malware. Your goal should be to focus your time, resources on minimizing, or getting rid of the capabilities of being DoS'd, this is time better spent. The question becomes, how do you stop/minimize DoS attacks.

My suggestions: Familiarize yourself with RFC 4732. What kind of DoS are you suffering from? Resource exhaustion on the network side? Application side (e.g. someone requesting hundreds of thousands of webpages)? Then focus on fixing that side of the equation.

From the networking side, you could work with your provider to implement BCP38 (RFC 2827), and have your ISP work with your upstream provider to have them too implement some changes however, this is out of your control (the actual change) and you're at the mercy of your provider, and their provider to actually get anything done.

From the application side (say your HTTP server is getting hammered), you could move HTTP over to something like Cloudflare but if THEY go done, so too then you. There are many different approaches to tackling this issue, e.g. load balancing using different Amazon AWS instances, CDN providers, it all depends on how much time, and resources you put into it. As for reporting IPs, it's akin to calling NOT the local authorities, but a local random security guard company, and saying: "I just saw 1,000 suspicious cars driving." I can assure you little will be done.

Community
  • 1
munkeyoto
  • 8,682
  • 16
  • 31