#1  01-03-2006, 04:15 AM
hostmedic (Banned; Join Date: Nov 2005; Posts: 35)
DDOS Utilities to Survive and Mitigate.

While talking on the telephone today with a partner I was asked what I would recommend as a good utility to mitigate a DDOS.

First I must say that I do not think that anything - software and/or hardware - will be 100%; however, it is wise to have something in place.

Generally a DoS attack is about resource starvation, whereas a DDoS is about not only eating up the resources of the server being attacked but also filling the pipe that server uses to the internet.


First you must understand that although a firewall is a great utility, it does not take the place of an anti-DDoS device. A good firewall can help when a DoS comes into play - but when a DDoS (distributed attack) comes in, a firewall gets lost and sends most all routing into space along with the moon and stars... Cheap firewalls generally do not inspect the amount of data being traversed nor inspect the payload itself, with a few exceptions such as Cisco's feature called TCP Inspection or SYN Cookies (*note - Checkpoint and Netscreen have similar functions...).

Some higher-end firewalls will perform SPI (Deep Packet Inspection) however.

In this posting you will see a few links to explain what a DDoS is, as well as some links to articles that talk about some hardware / software to assist with mitigation.
  1. Riverhead Networks - (now Cisco)
  2. Captus Networks
  3. Fortinet
  4. Juniper Networks (routers and NetScreen appliances)
  5. Foundry Networks
  6. TippingPoint
  7. TopLayer


A list of some providers that offer this service with their hosting is as follows:

Cybercon
Website: http://www.cybercon.com/
Comment: Based out of St. Louis, Missouri, USA. Expensive, but these folks have the knowledge in dealing with attacks.



DDoSProtection
Website: http://www.ddosprotection.com/
Comment: Our company is aimed at helping small-to-medium online businesses to protect themselves from DDOS attacks and other security vulnerabilities.



EV1Servers
Website: http://www.ev1servers.net/
Comment: All IPs on all servers at both EV1 data centers are now protected by FireSlayer, a combination of EV1-developed and commercially available anti Denial of Service (DoS) technologies. This service is 100% automatic and 100% free.



GigeSERVERS
Website: http://www.gigeservers.com/
Comment: Based out of Chicago, Illinois, USA. Eight years of experience in DoS/DDoS attacks.



RackSpace
Website: http://www.rackspace.com/
Comment: The Rackspace network has been engineered from the ground up to accommodate the high-availability demands of our customers' mission-critical Web applications. Our Cisco-powered, Zero-Downtime Network™ has unique self-healing attributes that allow us to deliver on our 100% infrastructure availability guarantee.



Staminus
Website: http://www.staminus.net/
Comment: We offer a wide array of dedicated server hosting solutions so please feel free to navigate our site or sitemap. Our dedicated servers come with a 99.9% network uptime guarantee so you can have peace of mind..



The Planet
Website: http://www.theplanet.com/
Comment: Based out of Dallas, Texas, USA. They use the Savvis Data Center. 19Gbps available bandwidth.


Of course this is not all-inclusive.

Beware of those providers that state they offer this service - but cannot back up their claims. Remember if a network states 99% uptime that means they allow for up to 1% of downtime or 72 hours per month !!!

#2  01-15-2006, 08:09 PM
hostmedic (Banned; Join Date: Nov 2005; Posts: 35)

one last note -

If you feel like you're having an issue with a server under a DDoS, shell in and do the following:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs making the most connections to a server. It is important to remember that DDoS is becoming more sophisticated and they are using fewer connections with more attacking IPs. If this is the case you will still get a low number of connections per IP even while you are under a DDoS.
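The one-liner above surfaces heavy hitters, and the post's caveat is that a distributed flood shows up as many sources with few connections each. The following is an added example, not the poster's code: it reproduces the awk/cut/sort/uniq stages of the one-liner in Python over constructed `netstat -anp` sample lines, and adds the second signal the caveat calls for (a count of distinct remote IPs). The threshold values and the `synthetic_flood` helper are assumptions made for illustration; the sample netstat output is constructed, not captured from a real host.

```python
"""Count connections per remote IP from `netstat -anp` output.

Added example (not from the forum post): the per-IP counter mirrors the
one-liner, and flood_assessment() adds the distinct-source check the post
warns about.  All netstat lines here are constructed sample data.
"""
from collections import Counter

# Constructed sample of Linux `netstat -anp` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED 1234/httpd
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.44:33000 ESTABLISHED 1234/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           999/ntpd
udp        0      0 10.0.0.5:53             192.0.2.44:5555                     777/named
"""


def remote_ips(netstat_output):
    """Yield the remote IP of each tcp/udp line (the awk '{print $5}' | cut stage).

    Unlike `cut -d: -f1`, splitting on the last colon also handles IPv6 and
    IPv4-mapped addresses; listening sockets (foreign port '*') are skipped.
    """
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        ip, _, port = fields[4].rpartition(":")
        if port == "*":                       # listener, no peer to count
            continue
        if ip.startswith("::ffff:"):          # IPv4-mapped IPv6 form
            ip = ip[len("::ffff:"):]
        yield ip


def connections_per_ip(netstat_output):
    """Return {ip: count} ordered by descending count (sort | uniq -c | sort -n)."""
    return dict(Counter(remote_ips(netstat_output)).most_common())


def flood_assessment(netstat_output, per_ip_threshold=50, unique_ip_threshold=500):
    """Two independent signals over the same netstat output.

    heavy_hitters: IPs at or above per_ip_threshold (what the one-liner shows).
    many_sources:  distinct peers at or above unique_ip_threshold, which is how a
                   low-connections-per-IP distributed flood shows up.
    Both thresholds are assumptions; tune them to the host's normal baseline.
    """
    counts = Counter(remote_ips(netstat_output))
    heavy = {ip: n for ip, n in counts.items() if n >= per_ip_threshold}
    return {
        "total_connections": sum(counts.values()),
        "unique_sources": len(counts),
        "heavy_hitters": heavy,
        "many_sources": len(counts) >= unique_ip_threshold,
    }


def synthetic_flood(n_ips, conns_per_ip):
    """Constructed netstat output for a distributed flood: n_ips peers in
    10.200.0.0/16, each holding conns_per_ip connections (test data only)."""
    lines = ["Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name"]
    for i in range(n_ips):
        ip = f"10.200.{i // 256}.{i % 256}"
        for p in range(conns_per_ip):
            lines.append(f"tcp 0 0 10.0.0.5:80 {ip}:{40000 + p} ESTABLISHED 1234/httpd")
    return "\n".join(lines)


if __name__ == "__main__":
    print(connections_per_ip(SAMPLE_NETSTAT))
    print(flood_assessment(SAMPLE_NETSTAT))
    # 600 peers with 2 connections each: no heavy hitter, but many_sources fires.
    print(flood_assessment(synthetic_flood(600, 2)))
```

Note that, like the original one-liner, this counts SYN_RECV and UDP entries alongside established TCP connections; filtering on the State column is a one-line change if only completed handshakes matter. A low per-IP count with a high distinct-source count is exactly the pattern the post says the one-liner alone will miss.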
#3  06-08-2006, 10:54 PM
John Gudmundson (Guest)
Rate Based IPS

An alternative to some of these solutions is a dedicated rate-based intrusion prevention system. IntruGuard Devices has such a solution. It supposedly is hands-off and blocks DDoS attacks in seconds with gigabit throughput.
#4  06-16-2006, 06:22 PM
zogmo_dave (Guest)

I have yet to see DOS protection that works with anything but the most outdated of attacks. Attacks are now sophisticated enough that stopping them is more than likely impossible.

Scripts like Slice or Stealth can not only create randomized IPs and routing paths, but also forge MAC addresses of fake NIC cards. It is now possible to use something as simple as 4 zombie boxes and make it appear that a 20k box deep botnet is attacking your server.

I do agree that having SOMETHING in place is beneficial, but expecting anything of this protection should never be.

I am simply saying that to this date the only way I have seen a DoS deterred was via the attacker stopping.
#5  06-18-2006, 11:02 AM
tical (Guest)

Quote:
Originally Posted by zogmo_dave
Scripts like Slice or Stealth can not only create randomized IPs and routing paths, but also forge MAC addresses of fake NIC cards. It is now possible to use something as simple as 4 zombie boxes and make it appear that a 20k box deep botnet is attacking your server.
Translation: you don't know how routing works.

MAC addresses exist only in layer 2. Fake MACs are irrelevant, as the Internet is comprised of interconnected IP networks (layer 3).

Quote:
I am simply saying that to this date the only way I have seen a DOS detured was via the attacker stopping.
Then you haven't been paying attention.

To the original poster (and anyone else considering the contents of the first post), it's worth noting that ThePlanet is horrible when it comes to DoS. Rather than deploying filters to the edge to stop sub-1MPPS attacks, they simply nullroute the IP being attacked. There are numerous complaints of this on WebHostingTalk.

Considering that ThePlanet has an all-Juniper edge, I'm assuming that they don't deploy edge filtering because they don't know how to push ACLs out to the edge in an organized fashion. It's certainly not for lack of adequate hardware.
#6  06-24-2006, 10:03 PM
Zitibake (Senior Member; Join Date: Dec 2005; Posts: 113)

Can anyone comment on mitigation devices or techniques that can help with full connection floods? When each zombie starts making connections to the target, and requesting different documents from a website, it's a little harder to distinguish the good guys versus the bad guys.
#7  06-26-2006, 09:44 PM
DataCenterBlogger (Member; Join Date: Jan 2006; Location: NJ; Posts: 28)

Nice post, Hostmedic. Useful linkage. Thanks!
__________________
--
RichM
Data Center Knowledge
News and analysis for data center professionals