Best way of stopping a DDoS Attack?

Posted by nessic, 08-25-2009, 05:27 AM
What are the best ways to stop DDoS attacks?

Posted by iTom, 08-25-2009, 05:33 AM
Firewalls and programs like DDoS Deflate are a good way to slow them. The best way is to get a data centre that will do it for you.

Posted by badboyx, 08-25-2009, 05:38 AM
This depends on the DDoS size. If it's small, like 30-50 Mbps, you can use a cheap hardware firewall, which costs around $200/month by itself. If the DDoS size is too large, like 8 Gbps, you must use another hardware firewall which will cost you about $60k+ at once, like RioRey or something else.

Posted by WHR-Abner, 08-25-2009, 06:23 AM
If it's a huge attack, then contact your NOC. Most of them provide Cisco firewalls which can mitigate the attack to a noticeable extent. If it's a controllable one, use DDoS mitigating software like DOS-Deflate, APF with anti-DoS and, most importantly, tweak your kernel to resist such attacks (sysctl tweaks).

Posted by ianeeshps, 08-25-2009, 06:48 AM
Yes, that would be good. If it is large you need to check with the DC... otherwise you need to set up firewall/iptables rules accordingly.

Posted by inspiron, 08-25-2009, 07:33 AM
You can secure your server by getting good anti-DDoS software installed. And you should get the CSF firewall and APF firewall installed on the server.

Posted by mnaumann, 08-25-2009, 08:11 AM
Always contact your upstream provider (ISP/colo/hosting provider) first of all. Let them know you believe you are under attack and when it started, ask them to check their options and get back to you. Also ask them to tell you how they will deal with attacks against you, and if they plan to shut down your service against your interest.

Check your contract: do you have a free traffic limit? It can get very expensive to get DDoS attacked if you have a contract which includes limited free traffic, and you pay on top for every extra GB transferred (often found with VPS, for example). If this is the case, ask your ISP to null route your traffic while the attack lasts. This way, you do not pay any more, but your system(s)/network(s) are not available any more either. This can be a quick short-term fix; you should later investigate more fine-grained options.

Only now, investigate how the attack is carried out, and how it can be filtered. Use traffic inspection / packet filtering software such as tshark or ngrep (both CLI) or wireshark (GUI). Create a traffic dump and analyze it. If you cannot analyze it yourself, contact someone who can, which can be your ISP or a networking or IT security consultant.

Once the attack is analyzed, if it is on an application protocol level and you actually use this protocol for legitimate traffic (example: both are true: you run a web server and this attack is targeting TCP port 80), mitigate it yourself. Use snort or another IPS and create rulesets for it, or mod_security if it's an HTTP-based attack against a hosted website (and you run Apache). If you also maintain the network, set up a BSD router with good network interface cards and lots of RAM, put it in front of your network (next to your upstream provider), and have it filter the traffic using pf. To do so, you will need to gather a blacklist of the attacking hosts.

If you do not maintain your own network or expect your upstream provider to act quickly to mitigate this attack, then just gather the blacklist and pass it to your upstream provider. Keep in mind that bandwidth prices do apply (and are likely charged to you) anywhere between the attackers and a firewall which filters out malicious inbound traffic directed to your systems/networks, meaning you will not save money if you pay for bandwidth but only filter out malicious traffic on the very web server which is under attack.

Disable all unnecessary services on the targeted systems. Keep in mind that DDoS attack patterns often change once they have been mitigated, so keep a close eye on your router/traffic stats. If you do not have traffic stats, make sure you generate some. Consider reporting what you know about the attack to the authorities, and/or organizations such as http://shadowserver.org

Keep talking to your ISP or upstream provider while the attack lasts. See if they can handle the traffic and make sure they are not too unhappy with this attack. If they are, and you need the attacked service to remain available, consider moving to a different provider which can provide you with more and cheaper bandwidth, even if just temporarily. Once the attack is over, talk to your ISP/upstream provider again, and see how they feel about continuing to host you/provide you with upstream/exchange traffic with you/peer with you. Ask them to remove the blacklisting, if any. Prepare for additional DDoS attacks if you can expect to receive more.

Last edited by mnaumann; 08-25-2009 at 08:19 AM.
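The dump-analysis and blacklist-gathering steps in the post above, as an added example that is not part of the thread: it reads tshark-style "timestamp source port" lines, ranks sources by peak packets per second towards port 80, and renders a pf table for the BSD router. The tshark export command, the threshold and the sample addresses are assumptions; the dump is constructed.

```python
"""Rank sources in a traffic dump and emit a pf blacklist table.

Added example, not from the thread. Assumes the capture was exported
with tshark into "<epoch_seconds> <src_ip> <dst_port>" lines, e.g.
  tshark -r dump.pcap -T fields -e frame.time_epoch -e ip.src -e tcp.dstport
The dump below is constructed; the threshold is an assumption to be tuned."""
from collections import defaultdict
import ipaddress


def constructed_dump():
    """Constructed sample: two flooders, one visitor, one noisy SSH client."""
    lines = ["1251180420.%03d 198.51.100.7 80" % i for i in range(25)]
    lines += ["1251180420.%03d 198.51.100.8 80" % i for i in range(40)]
    lines += ["1251180420.500 203.0.113.5 80", "1251180421.500 203.0.113.5 80"]
    lines += ["1251180420.%03d 203.0.113.9 22" % i for i in range(30)]
    return "\n".join(lines) + "\n"


def parse_dump(text):
    """Return (timestamp, source, dst_port) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts, src, port = float(parts[0]), str(ipaddress.ip_address(parts[1])), int(parts[2])
        except ValueError:
            continue
        records.append((ts, src, port))
    return records


def peak_rate(records, port):
    """Peak packets per one-second bucket that each source sent to `port`."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dport in records:
        if dport == port:
            buckets[src][int(ts)] += 1
    return {src: max(b.values()) for src, b in buckets.items()}


def suspects(records, port=80, threshold=20, allowlist=()):
    """Sources at or above `threshold` pps, busiest first, minus known-good hosts."""
    rates = peak_rate(records, port)
    hits = [s for s, r in rates.items() if r >= threshold and s not in set(allowlist)]
    return sorted(hits, key=lambda s: rates[s], reverse=True)


def pf_table(addresses, name="ddos_blacklist"):
    """Render a pf table plus a block rule for pf.conf on the BSD router."""
    body = "".join(f"    {a}\n" for a in addresses)
    return f"table <{name}> persist {{\n{body}}}\nblock in quick from <{name}> to any\n"
```

Review the ranked list before loading it: a shared NAT or a busy legitimate client can exceed a fixed per-second threshold, which is what the allowlist parameter is for.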

Posted by angathan, 08-25-2009, 12:15 PM
You can try to protect it by configuring CSF or APF.

Posted by yajur, 08-25-2009, 02:04 PM
CSF or APF won't work in this case.
