Ask Slashdot: How To Deal With a DDoS Attack?
Posted by timothy from the boot-human-face-forever dept.
First time accepted submitter TheUnFounded writes "A site that I administer was recently 'held hostage' for the vast sum of $800. We were contacted by a guy (who was, it turns out, in Lebanon), who told us that he had been asked to perform a DDoS on our site by a competitor, and that they were paying him $600. He then said for $800, he would basically go away. Not a vast sum, but we weren't going to pay just because he said he 'could' do something. Within 5 minutes, our site was down. The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future. While the site was down, I contacted our hosting company, Rackspace. They proceeded to tell me that they have 'DDoS mitigation services,' but they cost $6,000 if your site is under attack at the time you use the service. Once the attack was over, the price dropped to $1500. (Nice touch there Rackspace, so much for Fanatical support; price gouging at its worst). So, obviously, I'm looking for alternative solutions for DDoS mitigation. I'm considering CloudFlare as an option; does anyone have any other suggestions or thoughts on the matter?"
Cloudflare (Score:3, Informative)
Cloudflare is great. I use them on my sites and they can handle the traffic without issue.
this may help you (Score:5, Informative)
Hi first time accepted submitter!
You may want to check this [slashdot.org] Ask Slashdot.
Re:This May Work (Score:2, Informative)
http://www.imdb.com/title/tt0936501/quotes?qt=qt0459504
Not a lot you can really do (Score:5, Informative)
There isn't much you can really do against a determined foe. There are just too many bot computers out there ready and willing to flood your servers with traffic. Huge companies with lots of staff, racks upon racks of servers, and really fat pipes have been hit with these attacks and failed to stop them.
Now there are a few things you can do to help... You'll note that these things are all extremely important for high-volume sites or major legit traffic spikes:
Have a switch in your website app that turns off all dynamic access, logins, session state, content generation, Ajax loading, etc. and just serves static pages. This should also disable any kind of downloads unless you are already serving them from a CDN. If you are under attack (or just get featured on Slashdot), throw the switch. Your website won't be terribly functional, but it will still be up. If you want to get fancy, have several levels of degradation where you can progressively turn features off to lighten database loads, etc., but without throwing up error pages or just having the site completely fall down. (For example, if your sidebar typically shows recent comments via a database query, then just show a cached set of comments updated only once per day. Now every page access is using one less database query.) This is super critical because the first resource to be exhausted will be your database's ability to answer queries. The second will be your web server's ability to track session state and process requests, especially if your site does anything even mildly complicated.
If your OS/web server/app supports it, turn on kernel caching, install a cache plugin, etc. Especially make sure the parts of your pages, images, etc. that can be cached are cached. If the under-attack flag is set, vastly increase the cache timeouts. Make sure proxy caching is enabled too so any clients behind ISP proxies, etc. don't hit your systems. Serve jQuery, fonts, etc. from Google's CDN. That's just good practice anyway, and free.
If possible, use a CDN for images and other content. CloudFlare is a good one. Companies like Dediserve offer cheap CDN. There are thousands of others. If the panic switch is set, you can even serve the static pages off the CDN if you structure things correctly. These help offset bandwidth saturation.
Take the time to set up a VM of at least your basic site and keep it on standby at Amazon/Azure. If you are under attack or heavy load, spin up a bunch of nodes using that VM image. If you leave your load balancing running on their systems 24/7 then it is trivial to add nodes to the pool. Running a bunch of extra servers for just a few minutes or hours shouldn't cost a ton and will encourage all but the most determined script kiddies to find an easier target once they see your site is still up.
The most common resources exhausted during an attack (in order):
1. Database servers
2. Web server CPU load or memory
3. Bandwidth
4. Load balancers
Again, like I said, none of this will stop a determined attacker with a million node DDoS botnet... But it will make you a less vulnerable target.
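The multi-level "panic switch" the comment above describes, as an added example that is not the commenter's code or any real framework's: the three levels, the fake database that counts queries it had to answer, the static page table and the cache lifetimes (one minute normally, one day when degraded) are all assumptions made for illustration.

```python
"""Multi-level degradation switch for a web app (constructed example).

Level NORMAL serves everything; DEGRADED keeps dynamic pages but replaces
expensive extras (the recent-comments sidebar) with a long-lived cached copy
and lengthens cache headers; STATIC refuses logins, APIs, downloads and
anything else that would touch the database or session store.
"""
import time
from enum import IntEnum


class Level(IntEnum):
    NORMAL = 0     # everything on
    DEGRADED = 1   # dynamic pages served, expensive extras come from cache
    STATIC = 2     # static pages only; dynamic paths get a 503


class FakeDB:
    """Stand-in for the database (assumption) so we can count queries."""

    def __init__(self):
        self.queries = 0

    def recent_comments(self):
        self.queries += 1
        return ["comment %d" % i for i in range(5)]


class Site:
    SIDEBAR_TTL_NORMAL = 60        # seconds: refresh sidebar once a minute normally
    SIDEBAR_TTL_DEGRADED = 86400   # once per day when degraded, as the comment suggests
    STATIC_PAGES = {"/": "<h1>Home</h1>", "/about": "<h1>About</h1>"}
    DYNAMIC_PATHS = ("/login", "/api/", "/download/", "/post")

    def __init__(self, db, clock=time.time):
        self.db = db
        self.clock = clock           # injectable clock so the behaviour is testable
        self.level = Level.NORMAL
        self._sidebar_cache = None   # (expires_at, html)

    def set_level(self, level):
        """The switch itself: flip this from a monitoring hook or by hand."""
        self.level = Level(level)

    def sidebar(self):
        """Recent-comments sidebar, served from cache while the entry is fresh."""
        degraded = self.level >= Level.DEGRADED
        ttl = self.SIDEBAR_TTL_DEGRADED if degraded else self.SIDEBAR_TTL_NORMAL
        now = self.clock()
        if self._sidebar_cache and self._sidebar_cache[0] > now:
            return self._sidebar_cache[1]
        items = "".join("<li>%s</li>" % c for c in self.db.recent_comments())
        html = "<ul>" + items + "</ul>"
        self._sidebar_cache = (now + ttl, html)
        return html

    def handle(self, path):
        """Return (status, body, cache_seconds) for a request path."""
        is_dynamic = any(path.startswith(p) for p in self.DYNAMIC_PATHS)
        if self.level >= Level.STATIC:
            if is_dynamic:
                # Refuse before touching the DB or session store.
                return 503, "Temporarily read-only", 0
            if path in self.STATIC_PAGES:
                # Long cache lifetime so proxies and a CDN absorb repeat hits.
                return 200, self.STATIC_PAGES[path], 3600
            return 404, "Not found", 3600
        if is_dynamic:
            self.db.queries += 1   # a dynamic page costs at least one query here
            return 200, "dynamic: " + path, 0
        if path in self.STATIC_PAGES:
            body = self.STATIC_PAGES[path] + self.sidebar()
            cache = 300 if self.level >= Level.DEGRADED else 0
            return 200, body, cache
        return 404, "Not found", 0
```

The point worth noticing is that the DEGRADED level costs nothing visible to users except staler sidebar content, while STATIC removes every code path that reaches the database or session store; a real site would wire `set_level` to a monitoring alert rather than a manual flip.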
Re:Regarding price "gouging"... (Score:5, Informative)
I read it as "It is price x no matter what, while a DDoS is in progress, the price increases to y, even if you bought it ahead of time" which would be gouging. If it is, indeed, "Price x if you buy it ahead of time, and price y if you buy it during an attack" then that's just common sense. Ongoing protection that might not be needed is going to be cheaper than ongoing protection that is needed immediately.
That said, it sounds like the guy had warning before the attack started, so this is more like buying homeowner's insurance after someone threatens to burn down your house.
Re:For gods' sake, don't *pay* them (Score:5, Informative)
Rackspace's behaviour is contemptible, though. I'd suggest looking for a different provider.
I'm not convinced - putting an order in for a service which you don't immediately need means that the provider (Rackspace) has time to plan and implement the change at their leisure. It may only take one or two people a couple of minutes, but it is undoubtedly a change on an appliance somewhere, or maybe even a physical network change if you're just "wired in" to their Internet feed. There may be an outage for you as well, meaning it has to be coordinated amongst yourself and someone doing the work. Then the whole thing needs to be tested as functional, which is very easy to do when you aren't being attacked. So the base price of $1500 seems justified.
In contrast, when you're under attack, you're basically asking your provider to "assemble the troops" on your behalf - it's an emergency change, which needs to be performed the moment you request it regardless of which other customers are being worked on. Not to mention it is significantly more complex to do this while you are being attacked.
So I think Rackspace is perfectly justified. If you want your provider to be at your beck and call 24/7 for complex changes, you're going to pay a premium. At least they have this as an option - most other hosting providers would just terminate your contract because you are now a "high risk" (expensive) customer.
Re:Gouging Schmouging (Score:4, Informative)
This isn't really insurance though. It's just a service Rackspace provides.
Re:Rackspace IDS (Score:3, Informative)
IDS will not help protect you from a DDoS. The closest it might come to offering any kind of DDoS protection is that it may help your firewall thwart scanning and information gathering in preparation for a DDoS.
I would have agreed with you until recently, but today you can get IPS boxes which will do TCP SYN proxy (with cookies) and similar at 10Gbps. Now you can obviously get hit by more than 10Gbps of traffic, but in most cases that means you need to ask your provider for help anyway, since your own Internet connection is full. Some providers offer that you can pass dynamic blacklists to them which they will then install at their end of the connection, and some IDS boxes know how to provide such blacklists.
Re:Next time (Score:4, Informative)
Dude, I live in Beirut... the police ain't gonna do anything; the government's sites get hacked and defaced from time to time and nothing ever happens. Find another solution.
Re:You can't win. (Score:4, Informative)
Prolexic has a cool approach: you proxy your site through them (either as a web proxy, or they can announce BGP routes for you) and they have massive datacenters that do nothing but scrub packets for you.
The downside is their service is very very expensive ($60k+ a year)
Re:Don't negotiate with cyber criminals? (Score:4, Informative)
The most important thing is to become invisible.
In short, don't allow ICMP in and out.
The second most important thing is to make sure you still have enough bandwidth.
If all of your internet connections are full then you need to find a way to have bandwidth in and out again. For this step you have to deal with your ISP if you don't have BGP routers. If you have BGP routers then you can tell your router to tell the ISP to stop sending traffic from those few IP addresses. Usually not many IPs are sending the huge amounts of UDP or crap.
The third thing is to temporarily apply some aggressive firewall filtering at the border.
Blacklist all suspicious IPs. This means you should have a list of countries to block. If all your internet partners are in the US, you can safely block the rest of the world. Then you should start to grey-list some abusive IPs for 1 hour. An efficient grey-list that fits your business model is very important. It will probably not be perfect the first time, but after 2 or 3 DDoS attacks it will catch a lot of crappy traffic.
It will let your clients and coworkers use your online services.
There are so many things that can be done that you should hire some experts if this becomes a concern for your business. But with the steps above you can survive many DDoS attacks.
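The country blacklist plus one-hour grey-list from the comment above, worked through as an added example that is not the commenter's code: it parses constructed common-log-format lines, greylists any address that exceeds a request threshold inside a sliding window, and drops everything outside an allowed country set. The log lines, the prefix-to-country table standing in for a GeoIP lookup, and the thresholds are all assumptions; a real deployment would push the resulting addresses into a firewall set or the ISP's blacklist facility rather than keeping them in memory.

```python
"""Border grey-list built from web server logs (constructed example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "LB",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in COUNTRY_BY_PREFIX.items():
        if addr in net:
            return cc
    return "??"   # unknown: treated as not allowed


class Greylist:
    """Country blacklist in front of a sliding-window, time-limited grey-list."""

    def __init__(self, allowed_countries, max_hits, window,
                 ban_for=timedelta(hours=1)):
        self.allowed = set(allowed_countries)
        self.max_hits = max_hits        # requests tolerated inside one window
        self.window = window            # timedelta
        self.ban_for = ban_for          # the comment's "1 hour"
        self.hits = defaultdict(deque)  # ip -> request timestamps inside window
        self.banned_until = {}          # ip -> datetime

    def blocked(self, ip, now):
        """True if a packet from ip should be dropped at the border right now."""
        if country_of(ip) not in self.allowed:
            return True
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return True
            del self.banned_until[ip]   # grey-list entry expired
        return False

    def observe(self, ip, now):
        """Record one request; return True if it pushed ip over the threshold."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_hits:
            self.banned_until[ip] = now + self.ban_for
            q.clear()
            return True
        return False


def process_log(lines, gl):
    """Feed log lines through the grey-list; return the newly greylisted ips."""
    newly = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip rather than crash the filter
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if gl.observe(m.group("ip"), ts):
            newly.add(m.group("ip"))
    return newly


def build_sample_log():
    """Constructed log lines, not real traffic: one normal US client,
    one German client, and one US address firing 6 requests a second."""
    def entry(ip, sec, path):
        return ('%s - - [10/Mar/2012:12:00:%02d +0000] "GET %s HTTP/1.1" 200 512'
                % (ip, sec, path))
    lines = [entry("203.0.113.5", s, "/") for s in (0, 5, 20)]
    lines.append(entry("192.0.2.9", 2, "/about"))
    for sec in range(5):
        lines += [entry("203.0.113.77", sec, "/index.php?q=%d" % i)
                  for i in range(6)]
    return lines


SAMPLE_LOG = build_sample_log()
```

Threshold and window are the parts the comment says take two or three incidents to tune: too tight and a busy proxy at a partner company lands on the grey-list, too loose and the flood sails through. Expiring the entries keeps a mis-tuned list from becoming permanent.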