7

So ok, right now my windows 2003 dedicated server is under attack by some guy who's flooding UDP packets (~90.000 packets/sec) on my 100Mbps server for the last 8 hours.

I'm on a shared port, so I'm guessing there is one 100Mbps router, or cable shared with about 50 to ~100 other machines on the same network. (I guess all of them suffer from this attack too)

When I'm having this attack, it's eating ~90% of my network (I seet it in the taskManager) but nothing changes in the CPU... Cuz does UDP packets are not targetting any application in my server, the're just random packets.

My hosting company said that I could buy some software or hardware solutions, and they said it could work. And that upgrading to 1Gbps internet speed won't do any good.

I think they're wrong.

Since 100 Mb/s is all what that shared port can handle, if I buy a cisco hardware firewall (~400$) it will just not send bad trafic to my machine, but the port will still be busy and full of maximum trafic from the DDoS, which I think will still be slowing down my server anyways.

And software solutions is just stupid, I don't see how it could help in this case.

I'm I wrong here?

hawk1337
  • 3
  • 4
Reacen
  • 71
  • 3

2 Answers2

10

Have a good look at this question on DDoS mitigation - it is not something you will be able to solve by buying a faster switch, as an attacker can always get more traffic sources than your network can cope with.

All the workable solutions manage it with routing or dropping packets within the ISP - if your ISP doesn't offer a solution you should consider looking around for one which will.

Community
  • 1
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
0

I think you are more right than your ISP is.

The first step to mitigating a DDoS is working out what is being exhausted. In this case it sounds like it is your network connection. Putting a hardware or software firewall on your side of the flooded connection isn't going to stop it getting flooded.

Switching to a faster connection may mitigate the issue, or it may turn out that the attacker just scales up their attack to match.

If it is still not enough then you probably need to look at a dedicated DDoS mitigation provider who can deploy very high bandwidth firewalls capable of separating the attack traffic from the legitimate traffic.

The answer would be very different if you were dealing with a DDoS attack designed to exhaust server rather than network resources (for example a synflood).

Peter Green
  • 4,918
  • 1
  • 21
  • 26