
I have been under constant DDOS attack the last couple of weeks.

Now it seems my server's network is being flooded till it just doesn't have space anymore to receive and send normal packages.

I run CENTOS 5.6, and I have hardened SYSCTL and iptables to fight off SYN attacks as much as possible.

I have a 100Mbit network card and connection to my hosting company.

Normal incoming traffic is around 8mbit/s. Incoming data spikes go up to 100mbit when the attacks happen.

Could it help me fight off attacks if I were to upgrade my server to a 1GBPS network card + network connection?

I'm hoping the pipe doesn't flood so quickly when it's under attack.

Tom O'Connor
Mr.Boon

3 Answers


You should be working with your hosting company to mitigate the attack.

They likely have other resources and means with which to deal with a DDOS attack. It is better handled at the network edge rather than the target.

MikeyB
  • Yes, I agree. But the DDOS attacks I am receiving only last about 1 - 5 minutes. By the time my hoster has received my request, the attack is usually over already. But I'm getting 15 - 20 a day of these attacks. Furthermore, my hoster can only offer me their Cisco Guard, which fights off the attack, but also blocks many 'normal' visitors. So I'm looking to improve my server/network in other ways. All tips / ideas are more than welcome! – Mr.Boon Aug 08 '11 at 15:08
  • Well, upgrading to Gb will help you mitigate the attacks *if* the actual attack bandwidth is <1Gb. It may not be the best thing to do as it may end up costing you more $$$ than you expect due to using up your bandwidth at a higher rate. A service such as CloudFlare (mentioned below) may help. I haven't tried them myself but the idea is a good one. – MikeyB Aug 08 '11 at 15:20
  • You can also spend a lot of money and go with something like Arbor Networks' PeakFlow: http://www.arbornetworks.com/threat-management-system-ddos-mitigation.html – voretaq7 Aug 08 '11 at 15:29
  • @Godius, so if they come in waves that makes them easy to spot and compare against background traffic and identify unique elements in the attack (e.g. which pages, user agent, etc). It also means you have a chance to compare before/after effects of your evasive actions. Plus if they are only 1-5 minutes in length it would be feasible to tcpdump all traffic during this period and analyse it offline. You might not realize it, but you're in a power position to counter the attack :) – Coops Aug 08 '11 at 15:56
  • @Godius, P.S. if your hosting provider is happily letting you upgrade to 1GB pipe I would start considering moving to a more proactive hosting provider. – Coops Aug 08 '11 at 15:59
  • I actually just caught another attack while I was monitoring the server. Running iptraf, all of a sudden the number of UDP requests shot up so high, it was getting more requests than TCP, when normally I hardly get any UDP requests. Then I ran tcpdump; this is a small snapshot of it: http://pastebin.com/raw.php?i=QaybC8C1 Is there a way at server level to block this? – Mr.Boon Aug 08 '11 at 19:18
  • By the time it gets to your server it's already too late. – MikeyB Aug 25 '17 at 19:04
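Mr.Boon's last comment describes the symptom worth detecting: on a box that normally sees almost no UDP, the UDP packet count suddenly overtakes TCP, and the whole burst fits inside a short tcpdump capture, as Coops suggested. The following Python is an added example, not code from this thread or from any poster: it parses the text output of `tcpdump -n`, buckets packets per wall-clock second, and flags the seconds in which UDP both outnumbers TCP and exceeds a quiet-time baseline, then reports per flagged second the distinct source addresses and byte volume, which are the concrete figures a hoster can act on. The capture lines are constructed (they are not the contents of the pastebin link), and the `baseline_udp_per_sec` and `factor` parameters are assumed values to be replaced with what your own quiet-time captures show.

```python
import re
from collections import defaultdict

# Constructed sample in the text format "tcpdump -n" prints. These lines are
# not the poster's pastebin capture; addresses come from documentation ranges.
SAMPLE_CAPTURE = """\
15:08:01.000123 IP 203.0.113.10.51234 > 192.0.2.5.80: Flags [S], seq 1, win 65535, length 0
15:08:01.100456 IP 203.0.113.11.40000 > 192.0.2.5.80: Flags [.], ack 1, win 512, length 0
15:08:01.200789 IP 198.51.100.7.12345 > 192.0.2.5.33000: UDP, length 1024
15:08:02.000111 IP 203.0.113.12.51235 > 192.0.2.5.80: Flags [S], seq 2, win 65535, length 0
15:08:02.050222 IP 198.51.100.8.12345 > 192.0.2.5.33001: UDP, length 1024
15:08:02.060333 IP 198.51.100.9.12345 > 192.0.2.5.33002: UDP, length 1024
15:08:02.070444 IP 198.51.100.10.12345 > 192.0.2.5.33003: UDP, length 1024
15:08:02.080555 IP 198.51.100.11.12345 > 192.0.2.5.33004: UDP, length 1024
15:08:02.090666 IP 198.51.100.12.12345 > 192.0.2.5.33005: UDP, length 1024
15:08:03.000777 IP 203.0.113.13.51236 > 192.0.2.5.80: Flags [S], seq 3, win 65535, length 0
15:08:03.010888 IP 203.0.113.14.51237 > 192.0.2.5.80: Flags [S], seq 4, win 65535, length 0
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port: then the protocol detail.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one TCP or UDP line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("Flags ["):
        proto = "tcp"
    else:
        return None  # ICMP and friends are ignored in this example
    length = re.search(r"length (\d+)", rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dport": int(m.group("dport")),
        "proto": proto,
        "length": int(length.group(1)) if length else 0,
    }


def per_second_counts(capture):
    """Bucket packets by second: TCP count, UDP count, UDP bytes and UDP sources."""
    counts = defaultdict(lambda: {"tcp": 0, "udp": 0, "udp_bytes": 0, "udp_srcs": set()})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        bucket = counts[pkt["ts"]]
        bucket[pkt["proto"]] += 1
        if pkt["proto"] == "udp":
            bucket["udp_bytes"] += pkt["length"]
            bucket["udp_srcs"].add(pkt["src"])
    return dict(counts)


def flag_udp_flood_seconds(capture, baseline_udp_per_sec=1, factor=3):
    """Seconds where UDP outnumbers TCP and is at least `factor` x the quiet-time rate.

    baseline_udp_per_sec and factor are assumed values; measure your own baseline.
    """
    counts = per_second_counts(capture)
    threshold = baseline_udp_per_sec * factor
    return [
        ts for ts in sorted(counts)
        if counts[ts]["udp"] > counts[ts]["tcp"] and counts[ts]["udp"] >= threshold
    ]


def flood_summary(capture, **kwargs):
    """Per flagged second: packet count, bytes and distinct sources, for the hoster ticket."""
    counts = per_second_counts(capture)
    return {
        ts: {
            "udp_packets": counts[ts]["udp"],
            "udp_bytes": counts[ts]["udp_bytes"],
            "distinct_sources": len(counts[ts]["udp_srcs"]),
        }
        for ts in flag_udp_flood_seconds(capture, **kwargs)
    }


if __name__ == "__main__":
    # Usage: python3 this_script.py < capture.txt, or run as-is on the sample.
    for ts, info in flood_summary(SAMPLE_CAPTURE).items():
        print(ts, info)
```

On the sample, only second 15:08:02 is flagged (five UDP packets from five sources against one TCP SYN). Run against a real `tcpdump -n -i eth0 -w -`-style text capture taken during one of the short bursts, the flagged seconds, source counts and byte totals are exactly the before/after comparison Coops describes and give the hosting company something to filter upstream, which, as MikeyB notes, is where the traffic has to be stopped.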

Umm... No. Having a bigger pipe doesn't do anything to prevent the traffic or the attack. You may reduce the impact, but you're not fixing anything by installing a 1Gbps NIC.

joeqwerty

A solution to this is CloudFlare. It acts as a reverse proxy for your site and blocks DDoS attacks. It can also perform security checks and reputation checking for the IPs trying to access your site.

Antoine Benkemoun
  • +1 Used this recently. It has some usability flaws, but I'd be looking to try this before paying for a gigabit pipe! – Coops Aug 08 '11 at 15:52