Hashemian Blog

Web Tools, Financial Markets, Technology

Monday, May 22, 2006

Fighting DDoS - Part II 

One of the first things to do when faced with DDoS is to make certain that the servers are actually under attack. Sometimes misconfigured code or other errant programs could soak up server resources, and while such conditions could lead to denial of service, they certainly do not constitute an external attack. If possible, in Windows open the Task Manager, go to Processes, and sort the items by CPU usage to see which programs are using the most resources. In Linux, the "top" command produces a list of processes with their resource utilization. That could give an indication of which programs might be misbehaving and need to be terminated.

Another area to investigate is whether the server is the target of an attack, or whether it has been compromised and is being used as a zombie to attack another server. There are plenty of utilities with varying capabilities out there that can show network traffic in real time. I can think of TCPView (free) for Windows, or IPTraf (free) for Linux. The command line "netstat -an" works on both platforms and produces a list of outbound and inbound connections to investigate.

It is also possible that the DDoS attack is inadvertent. Years ago a Chinese company had sent an email to a large list of people specifying a return address with our domain (using .com instead of .cn). I'm not sure if this was accidental or deliberate (the sender company looked real enough). The undeliverable emails brought one of our servers to its knees. After reporting the incident to the company, the emails subsided and the problem resolved itself.

If the DDoS is a genuine attack, use netstat, TCPView, or IPTraf to check whether you are under attack by a limited number of servers. In those cases you should be able to block them at the firewall level and spare your servers from processing the needless requests. The attacker could call off the attack if he notices that he's hitting a wall. If, however, the attack is extensive, blocking IP addresses will do little good. First, it would take a long time to detect and block thousands of IP addresses. Second, a firewall with such a large block list will run into performance issues as it needs to vet packets against the lengthy list. Third, even though they are being blocked at the gate, the packets would still choke the edge router, preventing legitimate traffic from travelling efficiently on the line.
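The two netstat checks described above (target versus zombie, and whether the load comes from a limited number of sources) can be scripted. This is an added example, not code from the original post; the sample output is constructed, and treating "local port is a listening port" as the test for an inbound connection is an assumption of the sketch.

```python
from collections import Counter

# Constructed `netstat -an` sample (Linux layout); all addresses are documentation ranges.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address    Foreign Address      State
tcp   0      0      0.0.0.0:80       0.0.0.0:*            LISTEN
tcp   0      0      192.0.2.10:80    198.51.100.7:40112   SYN_RECV
tcp   0      0      192.0.2.10:80    198.51.100.7:40113   SYN_RECV
tcp   0      0      192.0.2.10:80    198.51.100.7:40114   ESTABLISHED
tcp   0      0      192.0.2.10:80    203.0.113.5:51000    ESTABLISHED
tcp   0      0      192.0.2.10:51544 203.0.113.99:6667    ESTABLISHED
"""

def _split(addr):
    """Split 'host:port' on the last colon so IPv6 forms such as ':::80' also work."""
    host, _, port = addr.rpartition(":")
    return host, port

def triage(netstat_text):
    """Return (inbound per remote host, outbound per (host, port)) Counters."""
    listening, rows = set(), []
    for line in netstat_text.splitlines():
        tok = line.split()
        # Linux prints 6 columns, Windows 4; the last three are the same on both.
        if len(tok) < 4 or not tok[0].lower().startswith("tcp"):
            continue
        local, foreign, state = tok[-3], tok[-2], tok[-1].upper()
        if state.startswith("LISTEN"):          # LISTEN (Linux) / LISTENING (Windows)
            listening.add(_split(local)[1])
        else:
            rows.append((local, foreign))
    inbound, outbound = Counter(), Counter()
    for local, foreign in rows:
        if _split(local)[1] in listening:       # assumption: served port => inbound
            inbound[_split(foreign)[0]] += 1
        else:                                   # connection this machine opened
            outbound[_split(foreign)] += 1
    return inbound, outbound

def top_share(inbound, n=10):
    """Fraction of inbound connections owned by the n busiest remote hosts."""
    total = sum(inbound.values())
    return sum(c for _, c in inbound.most_common(n)) / total if total else 0.0

if __name__ == "__main__":
    inbound, outbound = triage(SAMPLE)
    print("inbound by source:", inbound.most_common(5), "top-1 share:", top_share(inbound, 1))
    print("outbound (check for unexpected destinations):", dict(outbound))
```

A high `top_share` for a small `n` means firewall blocks are practical; a flat distribution across many sources is the case where blocking individual addresses does little good. Unexpected entries in the outbound counter are what to look at when the question is whether the server itself has been compromised.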

When dealing with large-scale attacks, your ISP should be contacted. They might need to allocate extra bandwidth to your servers, and migrate the servers to another IP range meanwhile. Most ISPs have sufficient bandwidth and the processing muscle to handle such attacks.

You might need to consider various options to guard against DDoS, by negotiating a DDoS support clause with your ISP, having geographically distributed servers, and buying enough bandwidth and equipment to foil such attacks.

Unfortunately most ISPs balk at disconnecting zombies from the Internet. It really doesn't matter if the PC is compromised without the owner's knowledge. If a PC is participating in a DDoS attack, the ISP should block the errant machine, alert the user to the situation, and offer help in removing the infection before allowing them to reconnect. I suspect most users wouldn't mind being notified of the nefarious programs lurking in their PCs.
    © 2001-2009 Robert Vahid Hashemian