

DDoS Mitigation Appliances




Posted by justintime, 03-01-2011, 11:43 AM
Hello everyone,

Our site recently came under a DDoS a week ago Monday. We're an ecommerce site, and haven't ever had to deal with this sort of thing before. After a few hours of hacking together some shell, perl, and expect, I had a script in place that would analyze the weblogs, identify zombie attackers, and place them on a blacklist on our firewall. While a tad ugly, it's worked really well.

Unfortunately, the attack shows no sign of subsiding at all. On Sunday, the attack vector changed, and the intensity of the attack was increased. I was able to change the script to keep up, but I'm blocking 36,000 IPs and counting.

The DDoS itself isn't targeted at us specifically; I've been in contact with one other site that's under the same attack. This certain botnet is essentially making full HTTP requests for a site's homepage, over and over again. Originally, it was easy to detect, because the bot would never request any css or js, but they changed that on Sunday. My hunch is that this botnet is being tested on a bunch of smaller sites, and being tuned to have its full attention focused on one very large player once the owner is happy that it's "strong" enough.

My fear is that this thing will last weeks or months and the botnet could be hundreds of thousands of IPs. While my firewall has no limit on the number of IPs blocked, I will start seeing performance issues if it has to compare every packet to a list of 100K IPs before passing it through. So, I need something more permanent, and something that's built to handle this level of filtering. Most importantly, I need something smart enough that can separate the signal from the noise in this certain attack and not block any false positives.

Our site's traffic isn't huge; we peak just over 100Mbit full-duplex daily. I've got a call with RioRey today; it seems that they will likely work in our case. I'm aware they're using x86 hardware and Linux, but I don't think that's an issue for our size.

I've got an email in to IntruGuard, and have yet to hear back, but they're west coast. I know Cisco IOS, but frankly don't have the time to set up and configure a 200 line config, so I'm leaning away from a Cisco Guard. I would love to have the ability in cases such as this to add IPs via external APIs, whether it's over an SSH tunnel or an SSL web service.

What's everyone here partial to and why?

Thanks,
Justin
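The log-analysis step Justin describes, as an added example (Python, not his shell/perl/expect script and not part of the original thread): it parses Apache combined-format lines and flags an IP either because it hammers the homepage and never fetches CSS/JS (the original tell) or because its homepage request rate in a short window is far above what a browser produces (the rule that still holds after the bot started fetching assets on Sunday). It then emits ipset commands rather than one firewall rule per address: an ipset `hash:ip` set is a hash lookup whose cost does not grow with the list size, which is the performance concern raised above. The sample log lines, thresholds, set name and asset extensions are constructed assumptions to tune per site.

```python
"""Flag botnet IPs from Apache combined-format logs and build an ipset blacklist.

Added example for this thread; the log lines below are constructed, not real
traffic, and every threshold is an assumption to be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 is the original bot (homepage only, no assets),
# 192.0.2.55 is the Sunday variant (fetches css but still hammers the homepage),
# 198.51.100.9 is a normal browser session.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2011:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Feb/2011:10:00:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Feb/2011:10:00:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Feb/2011:10:00:03 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Feb/2011:10:00:03 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [28/Feb/2011:10:00:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Feb/2011:10:00:01 -0500] "GET /css/site.css HTTP/1.1" 200 800 "http://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [28/Feb/2011:10:00:02 -0500] "GET /js/app.js HTTP/1.1" 200 2300 "http://shop.example/" "Mozilla/5.0"
198.51.100.9 - - [28/Feb/2011:10:00:40 -0500] "GET /product/42 HTTP/1.1" 200 7000 "http://shop.example/" "Mozilla/5.0"
192.0.2.55 - - [28/Feb/2011:10:00:05 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.55 - - [28/Feb/2011:10:00:05 -0500] "GET /css/site.css HTTP/1.1" 200 800 "-" "Mozilla/4.0"
192.0.2.55 - - [28/Feb/2011:10:00:06 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.55 - - [28/Feb/2011:10:00:06 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.55 - - [28/Feb/2011:10:00:07 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.55 - - [28/Feb/2011:10:00:07 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.55 - - [28/Feb/2011:10:00:08 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of static-asset extensions a real browser fetches after the homepage.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def is_asset(path):
    """True for static assets; the query string is ignored when checking the extension."""
    return path.split("?", 1)[0].lower().endswith(ASSET_EXT)


def max_hits_in_window(times, window):
    """Largest number of requests falling inside any `window`-second span (sliding window)."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_attackers(log_text, homepage="/", min_hits=5, window=10, rate=5):
    """Map each suspicious IP to the list of rules it tripped.

    homepage-only: at least `min_hits` homepage requests and no asset requests at all.
    burst:         at least `rate` homepage requests inside any `window`-second span,
                   regardless of whether assets were fetched (catches the Sunday variant).
    """
    pages = defaultdict(list)   # ip -> timestamps of homepage requests
    assets = defaultdict(int)   # ip -> number of asset requests
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if is_asset(path):
            assets[ip] += 1
        elif path == homepage:
            pages[ip].append(ts)

    flagged = {}
    for ip, times in pages.items():
        reasons = []
        if len(times) >= min_hits and assets[ip] == 0:
            reasons.append("homepage-only")
        if max_hits_in_window(times, window) >= rate:
            reasons.append("burst")
        if reasons:
            flagged[ip] = reasons
    return flagged


def ipset_commands(flagged, setname="ddos_blacklist"):
    """Shell commands that load the flagged IPs into a hash:ip set and drop matches on INPUT."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in sorted(flagged)]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    hits = find_attackers(SAMPLE_LOG)
    for ip, why in sorted(hits.items()):
        print(f"{ip}: {', '.join(why)}")
    print("\n".join(ipset_commands(hits)))
```

Run it against a live access log by feeding tail output into `find_attackers` on a short cron or loop; the ipset `-exist` flags make the commands idempotent, so the script can be re-run without tearing the set down. The "burst" rule is the one worth tuning carefully against real browser sessions, since it is the only one that still separates bots that now fetch CSS and JS from legitimate shoppers.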

Posted by asciiDigital, 03-01-2011, 12:46 PM
I know it's expensive but have a look into ddos protection at the hardware level http://www.compsource.com/ttechnote....F&vid=91&src=F

Posted by justintime, 03-01-2011, 01:16 PM
Thanks Chad for the link. I didn't make myself clear, hardware protection is exactly what I'm looking for, and the price on that Cisco gear is actually cheaper than what I was expecting. Do you use Cisco Guard? What do you like/dislike about it?

Posted by asciiDigital, 03-01-2011, 01:40 PM
I've never used it personally, no. But the reviews are positive and I always trust Cisco hardware.

Posted by AI-Wayne, 03-01-2011, 01:47 PM
Hi Justin, Just curious, why did you rule out filtering services like ServerOrgin, BlackLotus, Gigenet, etc? Regards, Wayne

Posted by justintime, 03-01-2011, 03:59 PM
AI-Wayne, we have a webapp that uses the inbound IP for various decisions and routing. I know that with the filtering services you can get the IP from the headers, but our devs didn't know that, and making that change across the website in a small amount of time isn't an option. Otherwise, a scrubbing network would have been a perfect fit.

Posted by Steven, 03-01-2011, 04:28 PM
Justintime, what software does your server use? Apache? http://stderr.net/apache/rpaf/ should allow you to use a proxy service.
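What a module like mod_rpaf does for the web server, and what Justin's app would have to do itself if it read the header directly, as an added example (Python, not mod_rpaf's code and not from the thread): recover the real client address from X-Forwarded-For only when the TCP peer is one of the scrubbing provider's proxies, and otherwise ignore the header entirely, because anyone connecting directly can set it to whatever they like. The trusted proxy ranges are assumptions standing in for the provider's published addresses.

```python
"""Derive the client IP behind a scrubbing proxy without trusting a spoofable header.

Added example for this thread. TRUSTED_PROXIES is an assumed stand-in for the
filtering provider's real address ranges.
"""
import ipaddress

# Assumed: the scrubbing network's egress ranges plus an internal load-balancer range.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]


def _trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Return the address the application should treat as the client.

    remote_addr: the TCP peer (REMOTE_ADDR); xff: the X-Forwarded-For header value or "".
    Only when the peer is a trusted proxy is the header consulted. The header is walked
    from the right, skipping trusted proxies in the chain, so an attacker-supplied left
    part ("9.9.9.9, ...") cannot displace the address the proxy itself appended.
    """
    remote = ipaddress.ip_address(remote_addr)
    if not _trusted(remote, trusted) or not xff:
        # Direct connection (or no header): the header is attacker-controlled, use the peer.
        return str(remote)
    for item in reversed([p.strip() for p in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            # Malformed chain element: fall back to the peer rather than guessing.
            return str(remote)
        if not _trusted(addr, trusted):
            return str(addr)
    # Every hop was one of our proxies; the peer is the best we can do.
    return str(remote)


if __name__ == "__main__":
    print(client_ip("203.0.113.7", "1.2.3.4"))                            # direct, header ignored
    print(client_ip("198.51.100.20", "203.0.113.7"))                      # via scrubbing proxy
    print(client_ip("198.51.100.20", "9.9.9.9, 203.0.113.7, 10.1.2.3"))   # spoofed prefix ignored
```

The same trusted-proxy list is what a server-side module needs configured; if the list is left empty or set to "any", every direct visitor can impersonate any address, which matters even more for an app that makes routing decisions on the client IP.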

Posted by ddosguru, 03-01-2011, 05:48 PM
You could do this as well, but it wouldn't cost you $20,000. You've demonstrated in your opening paragraph that you understand the basics of using Linux as a filtering platform.


