* Re: [LARTC] Need help please
@ 2003-03-20 12:42 Gordan Bobic
2003-03-20 12:49 ` Webadmin
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Gordan Bobic @ 2003-03-20 12:42 UTC (permalink / raw)
To: lartc
On Thursday 20 Mar 2003 12:49, Webadmin wrote:
> We've been getting some DDOS attack recently, due to this I was just
> wondering if we use some network traffic control techniques in order to
> reduce the risk of having the DDOS attack?? is this possible after all??
> can we use the traffic control techniques in order to redu reduce the DDOS
> attack???
I don't think you can reduce the "risk" of being under attack.
What sort of an attack are you under? Ping/ICMP flood? Or just a lot of robots
killing your web server with seemingly valid requests?
If you are having your bandwidth between your router and your ISPs all used up
by the attack, then you may be out of luck, as congestion and dropping will
most likely occur before any valid traffic gets through to you.
OTOH, if it is just your server load that is being affected, then yes, you
could potentially do something about it, provided you have some bandwidth to
spare. You could block or reduce the priority of the offending traffic. You
could also analyze logs what hosts are consuming a large amount of resources,
or analyze the headers they are sending, and try to separate valid traffic by
that. Then, just drop all traffic to/from the offending hosts completely, or
reduce their traffic to a minimum priority. You can do this using
ipchains/iptables and setting fwmarks on packets to/from relevant machines,
and then filtering on fwmarks.
Ideally, you might be able to ask your ISP to filter out the offending traffic
before it hits your local router, so it doesn't consume your bandwidth, but
that depends on what they are able/willing to do with their network setup to
help you out...
I think you will have to be a little more specific about the type of attack
you are under for any more specific suggestions...
Regards.
Gordan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 4+ messages in thread* [LARTC] Need help please 2003-03-20 12:42 [LARTC] Need help please Gordan Bobic @ 2003-03-20 12:49 ` Webadmin 2003-03-20 13:04 ` Emmanuel Guiton 2003-03-21 5:14 ` S Mohan 2 siblings, 0 replies; 4+ messages in thread From: Webadmin @ 2003-03-20 12:49 UTC (permalink / raw) To: lartc Hi All; We've been getting some DDOS attack recently, due to this I was just wondering if we use some network traffic control techniques in order to reduce the risk of having the DDOS attack?? is this possible after all?? can we use the traffic control techniques in order to redu reduce the DDOS attack??? -- Best Regards WebAdmin, Salam2U.com \\\ ||| /// ( @ @ ) --oOOo-(_)-oOOo---------- _\=/_ (o o) --oOOo-(_)-oOOo------ ______________________ Revolution does not require corporate support That, as we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. -- Benjamin Franklin _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [LARTC] Need help please 2003-03-20 12:42 [LARTC] Need help please Gordan Bobic 2003-03-20 12:49 ` Webadmin @ 2003-03-20 13:04 ` Emmanuel Guiton 2003-03-21 5:14 ` S Mohan 2 siblings, 0 replies; 4+ messages in thread From: Emmanuel Guiton @ 2003-03-20 13:04 UTC (permalink / raw) To: lartc Webadmin wrote: >Hi All; >We've been getting some DDOS attack recently, due to this I was just wondering >if we use some network traffic control techniques in order to reduce the risk >of having the DDOS attack?? is this possible after all?? can we use the >traffic control techniques in order to redu reduce the DDOS attack??? > > > Hi, There ars some work in progress on this subject. I'm currently working on this kind of solution (I have to implement and test a new solution proposed by my boss). Some related work is already available, you can read the following for further information: (Note that the traffic limitation part is not really currently addressed). CITRA/IDIP D. Sterne, K. Djahandari, B. Wilson, B. Babson, D. Schnackenberg, H. Holliday, and T. Reid. (2001, September 27). "Autonomic Response to Distributed Denial of Service Attacks", in Proceedings of Recent Advances in Intrusion Detection, 4th International Symposium, pp 134-139. Davis, California, USA. [Online]. Available: http://link.springer.de/link/service/series/0558/bibs/2212/22120134.htm D. Schnackenberg, H. Holliday, R. Smith, K. Djahandari, and D. Sterne. (2001, June). "Cooperative intrusion Traceback and Response Architecture (CITRA)", in /Proceedings of the Second DARPA Information Survivability Conference and Exposition (DISCEX II). /Anheim, California, USA. D. Schnackenberg, K. Djahandari, and D. Sterne. (2000, January). "Infrastructure for Intrusion Detection and Response", in /Proceedings of the DARPA Information Survivability Conference and Exposition/. Hilton Head, South Carolina, USA. ACC/Pushback R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. (2001, July 13). "Controlling High Bandwidth Aggregates in the Network (Extended Version)". Draft paper pushback-Jul01.ps, work in progress. AT&T Center for Internet Research at ICSI (ACIRI) and AT&T Labs Research. [Online]. Available: http://www.icir.org/pushback. S. Floyd, S. Bellovin, J. Ioannidis, K. Kompella, R. Mahajan, and V. Paxson. (2001, July). "Pushback Messages for Controlling Aggregates in the Network". Internet-Draft draft-floyd-pushback-messages-00.txt, work in progress. [Online]. Available: http://www.icir.org/pushback, http://www.icir.org/floyd/papers.html Bye, Emmanuel _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ ^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [LARTC] Need help please 2003-03-20 12:42 [LARTC] Need help please Gordan Bobic 2003-03-20 12:49 ` Webadmin 2003-03-20 13:04 ` Emmanuel Guiton @ 2003-03-21 5:14 ` S Mohan 2 siblings, 0 replies; 4+ messages in thread From: S Mohan @ 2003-03-21 5:14 UTC (permalink / raw) To: lartc You'll need to identify the sources/ protocols etc and rate limit them. E.g. Ping of Death is avoided by either dropping icmp-echo-request or rate limiting them to 5 per second. Need to use iptables for that. Mohan -----Original Message----- From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of Webadmin Sent: Thursday, March 20, 2003 6:20 PM To: lartc@mailman.ds9a.nl Subject: [LARTC] Need help please Hi All; We've been getting some DDOS attack recently, due to this I was just wondering if we use some network traffic control techniques in order to reduce the risk of having the DDOS attack?? is this possible after all?? can we use the traffic control techniques in order to redu reduce the DDOS attack??? -- Best Regards WebAdmin, Salam2U.com \\\ ||| /// ( @ @ ) --oOOo-(_)-oOOo---------- _\=/_ (o o) --oOOo-(_)-oOOo------ ______________________ Revolution does not require corporate support That, as we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. -- Benjamin Franklin _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-03-21 5:14 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2003-03-20 12:42 [LARTC] Need help please Gordan Bobic 2003-03-20 12:49 ` Webadmin 2003-03-20 13:04 ` Emmanuel Guiton 2003-03-21 5:14 ` S Mohan
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.