Fighting DDoS - Part II
One of the first things to do when faced with DDoS is to make certain
that the servers are actually under attack. Sometimes misconfigured
code or other errant programs could soak up server resources, and
while such conditions could lead to denial of service, they certainly
do not constitute an external attack. If possible, in Windows open up
the task manager, go to processes and sort the items by CPU usage to
see which programs are using the most resources. In Linux, the "top"
command produces a list of processes with their resource utilization.
That could give an indication of which programs might be misbehaving
and need to be terminated.
Another area to investigate is whether the server is a target of an
attack, or it has been compromised and is being used as a zombie to
attack another server. There are plenty of utilities with varying
capabilities out there that can show network traffic in real time. I
can think of TCPView (free) for Windows, or IPTraf (free) for Linux.
The command line "netstat -an" works on both platforms and produces a
list of outbound and inbound connections to investigate.
It is also possible that the DDoS attack is inadvertent. Years ago a
Chinese company had sent an email to a large list of people
specifying a return address with our domain (using .com instead
of .cn). I'm not sure if this was accidental or deliberate (the
sender company looked real enough). The undeliverable emails brought
one of our servers to its knees. After reporting the incident to the
company, the emails subsided and the problem resolved itself.
If the DDoS is a genuine attack, use netstat, TCPView, or IPTraf to
check to see if you are under attack by a limited number of servers.
In those cases you should be able to block them at the firewall level
and spare your servers from processing the needless requests. The
attacker could call off the attack if he notices that he's hitting a
wall. If, however, the attack is extensive, blocking IP addresses
will do little good. First, it would take a long time to detect and
block thousands of IP addresses. Second, a firewall with such a large
block list will run into performance issues as it needs to vet
packets against the lengthy list. Third, even though they are being
blocked at the gate, the packets would still choke the edge router,
preventing legitimate traffic from travelling efficiently on the line.
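The two netstat checks above (is the box a victim or a zombie, and is the attack coming from a limited number of sources) can be scripted rather than eyeballed. This is an added example, not code from the article; it runs on a constructed "netstat -an" sample and assumes the usual Linux or Windows column layout (it picks the two host:port columns rather than fixed positions), so it is not tied to either platform.

```python
from collections import Counter

# Constructed "netstat -an" output (Linux layout); sample data, not from the article.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:40001      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:33000        ESTABLISHED
tcp        0      0 203.0.113.10:52000      192.0.2.99:80           ESTABLISHED
"""

def parse_netstat(text):
    """Yield (local_port, foreign_host, state) for each tcp/udp socket line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].lower()[:3] not in ("tcp", "udp"):
            continue  # headers, unix sockets, blank lines
        addrs = [f for f in fields if ":" in f]
        if len(addrs) < 2:
            continue
        state = fields[-1] if fields[-1] not in addrs else ""  # udp has no state
        lport = addrs[0].rsplit(":", 1)[1]   # rsplit keeps IPv6 hosts intact
        fhost = addrs[1].rsplit(":", 1)[0]
        yield lport, fhost, state

def summarize(text):
    """Inbound connections (to a port we listen on) per remote host, plus the
    outbound count: many outbound and few inbound suggests a zombie, not a victim."""
    rows = list(parse_netstat(text))
    listening = {p for p, _, s in rows if s.startswith("LISTEN")}
    inbound, outbound = Counter(), 0
    for lport, fhost, state in rows:
        if state.startswith("LISTEN") or fhost in ("0.0.0.0", "*", "::"):
            continue  # listening sockets and unbound UDP carry no peer
        if lport in listening:
            inbound[fhost] += 1
        else:
            outbound += 1
    return inbound, outbound

def from_limited_sources(inbound, max_sources=10, share=0.8):
    """True when at most max_sources hosts account for `share` of inbound
    connections, the case where blocking them at the firewall is practical."""
    total = sum(inbound.values())
    if total == 0:
        return False
    top = sum(n for _, n in inbound.most_common(max_sources))
    return top / total >= share
```

Run it against real output with `summarize(subprocess.check_output(["netstat", "-an"], text=True))`; when `from_limited_sources` returns False, the firewall block list approach the text warns about is the wrong tool.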
When dealing with large-scale attacks, your ISP should be contacted.
They might need to allocate extra bandwidth to your servers and, in the
meantime, migrate the servers to another IP range. Most ISPs have
sufficient bandwidth and the processing muscle to handle such
attacks.
You might need to consider various options to guard against DDoS, by
negotiating a DDoS support clause with your ISP, having
geographically distributed servers, and buying enough bandwidth and
equipment to foil such attacks.
Unfortunately most ISPs balk at disconnecting zombies from the
Internet. It really doesn't matter if the PC is compromised without
the owner's knowledge. If a PC is participating in a DDoS attack, the
ISP should block the errant machine, alerting the user to the situation
and offering help in removing the infection before allowing them to
reconnect. I suspect most users wouldn't mind being notified of the
nefarious programs lurking in their PCs.
----------------------------------
About the Author:
Robert Vahid Hashemian, www.hashemian.com/ , is an Internet
and database programmer living in Connecticut, USA. He is also the
author of the book, "Financial Markets For The Rest Of Us". His Web
site contains a variety of free Internet tools at
www.hashemian.com/tools/ .