Belt and braces and DDOS

[Sussexite]

My hosting company is currently experiencing a DDOS attack so all my sites are down.

Do people have back up hosting arrangements with other hosts and how well do these work?

Thanks

 

[tifosi]

That's going to be difficult to work if you have to repoint nameservers for x domains and wait for them to propogate.

An efficient hosting company should be able to null route the offending IP's through iptables and sort a ddos fairly quickly.

Time to move host is after this is sorted... certainly if it happens again!

 

[DarrenTSO]

An efficient hosting company should be able to null route the offending IP's through iptables and sort a ddos fairly quickly.

Do you mean null route the affected IPs? That will prevent collateral damage to the rest of the network, but it takes down the targeted server so is usually a last resort (but means there is no collateral damage).

Filtering based on source IPs won't work - if you want to stay up under a big DDoS you need masses of capacity combined with very clever filtering at the application level.

 

[tifosi]

No I mean the offending ips... those from where the ddos traffic is originating. Not difficult to see this from the logs and filter through iptables. Surprising how they often originate from clusters of subnets. Depends on the type of attack - from flood attacks on SSH & FTP to apache http bombardment.

 

[DarrenTSO]

No I mean the offending ips... those from where the ddos traffic is originating. Not difficult to see this from the logs and filter through iptables. Surprising how they often originate from clusters of subnets.

I'm not sure you appreciate the size and scale of a modern DDoS attack. UDP based attacks will typically have spoofed IPs, but you can filter that at the router with ACLs (the easiest way is to just block all UDP traffic to a particular host...). If the attack is TCP based, filtering IPs is something that will work if you have a handful of IPs hammering a server. However, a modern DDoS attack will appear to come as genuine traffic from tens of thousands or hosts or more - from IPs in the UK, USA, Europe, Asia, all over. Modern DDoS attacks take some very intelligent filtering to remove the bad traffic and it is why companies spend tens of thousands or more on mitigation devices that are capable of analysing traffic using proprietary heuristic algorithms.

 

[Sussexite]

This is (genuinely) quite interesting.

And it does make me feel a bit better about things.

Even though I've lost around 12 hours of traffic and counting.

But any tips on what I could do though.

 

[tifosi]

True, but there's a scalability of ddos's (what is the plural of ddos). On a major corporate level for well known sites it will be as you say, but in my experience on the dedi's I've run small scale ddos - i.e. any spike in traffic that affects performance can be from anything like a few ip's running dictionary attacks on ssh/ftp to a single ip running a flood attack on http.

The action by the isp/host will depend very much on the nature of what's happening. No single cookie cutter solution. Suppose it depends on the definition of ddos!

 

[DarrenTSO]

No single cookie cutter solution. Suppose it depends on the definition of ddos!

Definitely, and the attacks are getting more sophisticated all the time so it's not trivial if the attacker is determined and has a significant amount of resources at their disposal.

Using something like Cloudflare might be worth looking at. They will cache your site if your hosting provider goes down.

 

[Sussexite]

My host has only just fixed this one.

It took around 18 hours to sort out and eventually they decided the Australians were to blame and blocked all traffic emanating from Australia.

Presumably this was revenge for the last few Ashes defeats, so by way of retribution here's my favourite Aussie bashing old joke.

Aus Immigration Officer to Englishman
"Do you have a criminal record?"

Englishman to Aus Immigration Officer
"I didn't know one was still required"

Boom Boom

I feel better about it now.