DDoS attacks have become a common threat on the Internet. But how do you block DDoS and stop DDoS attacks that affect your uptime and, eventually, your business?
http://www.r00t-services.net/knowledgebase/12/How-to-Block-DDoS.html
What are DDoS attacks and how to block them?
What are DDoS Attacks?
DDoS attacks (Distributed Denial of Service attacks) have the sole purpose of bringing down your server. In most cases a botnet is used, which is a large farm of infected computers and servers. The attacker controls all of these infected machines through a C&C (command and control) server. This C&C server can be accessed through an IRC channel, DNS, peer to peer or a web-based panel. IRC and web panels are most common. The attacker can then make his bots/zombies (infected machines) send as many requests as possible to a domain or IP address, which could be your server. Depending on the type of bot, it can be either a volumetric network layer (Layer 3) attack or an application layer (Layer 7) attack.
Network level (volumetric) layer 3-4 attacks
Network layer attacks usually aim to overload your whole server, either by sending large packets to saturate your uplink or by sending many small packets to overload your CPU and use up all TCP sockets. In both cases they simply send as many packets as possible to take your server down. Network layer attacks with many small packets are mostly SYN/ACK attacks, while for large packets attackers mostly use the UDP protocol. If your uplink is saturated or your CPU is overloaded, your server will not be able to get a network connection and will stop responding; you will probably incur high traffic costs, and your provider will block your server.
Application level (layer 7) attacks
Application layer attacks are far more advanced than network layer attacks. They aim at a specific service on your server and try to overload it by sending requests to the application instead of just flooding the whole server with packets. This type of attack does far more damage than a...
[Howto] Block HTTP flood with IPTables
Apart from scripts like BARF, which we discussed in our article about how to mitigate DDoS attacks, we can also use IPTables directly to block certain requests on layer 4 already. However, this is only possible if the bad requests always contain a certain string that no other requests contain (such as request URI, referrer, user agent). Sometimes that is the case, and the most efficient solution would be to drop these requests before they even reach your web server or any other application, right?
Now let's take this POST flood as an example, which represents a real-case scenario of a server attacked by a Pushdo botnet. In our Apache access logs we see lots of these requests that kill our Apache:
1.2.3.4 - [02/Dec/2013:14:54:40 +0100] "POST /?ptrxcz_9JIkQz8jIZ12hHs8Qks7j HTTP/1.1" 200
All of these requests contain the pattern "ptrxcz", which is not a legit URI, and we don't see any legit requests containing that pattern. Therefore it will be safe to simply block every packet that contains the pattern...
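The excerpt above is cut off before its rule, so the following is an added example, not the article's own code: it checks a candidate pattern against an access log in the layout quoted above before printing an iptables string-match rule. The function names, the sample log lines and the minimum pattern length are assumptions.

```shell
#!/bin/sh
# Added example. Function names, the sample log lines and the 5-character
# minimum are assumptions, not taken from the article.

# Constructed sample in the access-log layout quoted above.
sample_log() {
cat <<'EOF'
192.0.2.10 - [02/Dec/2013:14:54:40 +0100] "POST /?ptrxcz_9JIkQz8jIZ12hHs8Qks7j HTTP/1.1" 200
192.0.2.11 - [02/Dec/2013:14:54:40 +0100] "POST /?ptrxcz_Ab3dE5fG7hJ9kL1mN3pQ5rS HTTP/1.1" 200
198.51.100.7 - [02/Dec/2013:14:54:41 +0100] "GET /index.html HTTP/1.1" 200
192.0.2.10 - [02/Dec/2013:14:54:41 +0100] "POST /?ptrxcz_Zy9xW7vU5tS3rQ1pO9nM7lK HTTP/1.1" 200
198.51.100.8 - [02/Dec/2013:14:54:42 +0100] "POST /login.php HTTP/1.1" 200
EOF
}

# pattern_stats PATTERN < log
# Prints "<matching requests> <total requests> <distinct matching source IPs>".
pattern_stats() {
    awk -F'"' -v pat="$1" '
        { total++ }
        index($2, pat) { hits++; split($1, f, " "); if (!seen[f[1]]++) ips++ }
        END { printf "%d %d %d\n", hits, total, ips }'
}

# matched_targets PATTERN < log
# Distinct "METHOD path" (query string stripped) of matching requests, so you
# can confirm by eye that no legitimate endpoint carries the pattern.
matched_targets() {
    awk -F'"' -v pat="$1" '
        index($2, pat) { split($2, r, " "); sub(/\?.*/, "", r[2]); print r[1], r[2] }
    ' | sort -u
}

# build_rule PATTERN [PORT]
# Prints (never runs) a string-match DROP rule. Short or non-alphanumeric
# patterns are refused because they are likely to hit legitimate traffic.
build_rule() {
    pat=$1 port=${2:-80}
    case $pat in
        ''|*[!A-Za-z0-9_]*) echo "unsafe pattern" >&2; return 1 ;;
    esac
    [ "${#pat}" -ge 5 ] || { echo "pattern too short" >&2; return 1; }
    printf 'iptables -I INPUT -p tcp --dport %s -m string --algo bm --string %s -j DROP\n' "$port" "$pat"
}

echo "matches/total/source IPs: $(sample_log | pattern_stats ptrxcz)"
sample_log | matched_targets ptrxcz
build_rule ptrxcz 80
```

The string match runs on raw packet payload, so it only sees plaintext HTTP on the given port (not TLS) and matches the pattern anywhere in a packet, not just in the request line. Review the printed rule and the matched targets before applying it as root.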