DDoS Attacks

jtwhite

Community Advocate
Community Support
Have you ever experienced a DDoS attack? What would you do to get it off the server?
 

drosado

New Member
Hello jtwhite, I'll share some minor things you can do to prevent / help with DDoS attacks.

1. SYN floods: A lot of DDoS attacks are SYN floods. The best way to help with this type of attack is to limit the amount of connections a user can send at a time.

2. Smurf attacks: A smurf attack is a ping attack. The user conducting the attack will send a massive amount of ping traffic to the broadcast IP of the network, which in time will affect the network connection to the server, making server replies slower.

3. LAND attacks: A LAND attack is when someone sniffs your IP / server for open ports. Once they find an open, vulnerable port / service, they start to flood it; it mirror-images itself and the server can't figure out what is going on, so it will crash.

4. Ping of death: Users will ping the server with a large ping and crash the server. This mainly only works on systems running NT.

5. Ping flooding: One of the easiest ways to DDoS a server. Usually servers can handle these attacks very well. A ping attack is pretty much someone using a program that constantly refreshes its connection to the server (kind of like you spamming refresh in your internet browser).

6. Teardrop attacks: This attack involves packets sent by the attacker to the target with oversized payloads. This exploits a bug in the TCP/IP protocol stack, crashing the system. Only Windows 3.11, 95 and Linux prior to 2.0.32 were vulnerable to this kind of attack.

7. Other types of attacks involve application flooding, like the IRC bot raw line, which usually crashes Windows boxes running mIRC or any other client. These attacks are based on a greater number of raw socket transactions than a computer can handle.

A lot of the people that DDoS are new kids to the hacking / crashing scene and are using crappy DDoS tools that won't do much damage. Although you should always be prepared.

Best way to prepare yourself is to limit the amount of connections to the server per person.

Also, GoogleBot can make it seem as if your server is being DDoS'd. A lot of hosts will actually deny GoogleBot from using the image directories of the site.

As I said earlier, it's usually just some kid messing around. If that's the case and you're only seeing a DDoS from one machine (IP), null out that IP on your router and then report that IP to your ISP to block it upstream.

If it's coming from a country you can simply block all the IPs from that country using a good firewall.

Also ask your host to implement a DDoS mitigation device. I'm sure X10 already has a Cisco switch to help prevent DDoS attacks.

If you have any further questions feel free to ask.

Hope this helps.
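An added example, not from the thread or any poster: drosado's advice to cap connections per source, written as a sliding-window limiter, with an allowlist for a legitimate crawler (his GoogleBot point) that would otherwise look like a flood. Every address, threshold and traffic pattern below is constructed.

```python
"""Added example (not from the thread): drosado's advice to cap connections
per source, as a sliding-window limiter. A new connection from an IP is
accepted only if that IP opened fewer than `limit` connections in the last
`window_s` seconds; an allowlist covers a legitimate crawler (his GoogleBot
point) that would otherwise look like a flood. All addresses, thresholds
and traffic below are constructed."""
from collections import defaultdict, deque

class ConnectionLimiter:
    def __init__(self, limit=20, window_s=10.0, allowlist=()):
        self.limit, self.window_s = limit, window_s
        self.allowlist = set(allowlist)
        self.history = defaultdict(deque)  # ip -> times of accepted connections

    def allow(self, ip, now):
        """Return True if a connection from `ip` at time `now` may proceed."""
        if ip in self.allowlist:
            return True
        q = self.history[ip]
        while q and now - q[0] > self.window_s:  # drop entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # this source already used its share of the window
        q.append(now)
        return True

def simulate(limiter, attempts):
    """attempts: (time, ip) pairs in time order. Returns {ip: (accepted, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for t, ip in attempts:
        counts[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in counts.items()}

# Constructed traffic: one source hammering the server, two normal clients,
# and an allowlisted crawler that fetches as fast as the flooder.
FLOOD = [(i * 0.01, "203.0.113.7") for i in range(500)]
NORMAL = ([(i * 0.5, "198.51.100.9") for i in range(20)]
          + [(i * 1.0, "198.51.100.10") for i in range(10)])
CRAWLER = [(i * 0.02, "192.0.2.66") for i in range(100)]

def run_demo():
    lim = ConnectionLimiter(limit=20, window_s=10.0, allowlist={"192.0.2.66"})
    return simulate(lim, sorted(FLOOD + NORMAL + CRAWLER))
```

The flooding source gets its first 20 connections and nothing more for the rest of the window, while the two normal clients and the allowlisted crawler are untouched.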

ozcorps

New Member
Wow, that information was HOT, I mean smoking. I had no idea there were so many versions of ping attacking someone. Jesus, I hope that never happens to me; mind you, I don't really have crap on my machine worth hacking into for.

Thanks for that, I have def saved that for future information.
 

Jarryd

Community Advocate
Community Support
I have nothing worth hacking on my VPS. I get about 10-15 attempts per day to brute-force my SSH password. I set up something called fail2ban to automatically change iptables to deny anyone that gets more than 3 failed logins :)
 

drosado

New Member
Oh, I should have mentioned fail2ban. Good catch there, Hell.

The Real Rebel

New Member
Nice, just make sure you have a good firewall on your VPS; if you don't, GET ONE NOW!!!! :p
 

Sharky

Community Paragon
Community Support
Power it off for 10-20 mins, and if it still doesn't resolve itself, cry down the phone to Corey until he gives a new IP address? Uhh, I mean... Ban everyone except 127.0.0.1 and your own IP address?
 

masshuu

Head of the Geese
Community Support
Enemy of the State
Also, you can change the port SSH runs on; that stops about 99.9999999999999999999999999999999% of brute force attacks.

Open /etc/ssh/sshd_config

Change Port to something else, like 2345 or something.

Last, reload your SSH.
 

The Real Rebel

New Member
> Power it off for 10-20 mins, and if it still doesn't resolve itself, cry down the phone to Corey until he gives a new IP address? Uhh, I mean... Ban everyone except 127.0.0.1 and your own IP address?

Lol yeah and

> Also, you can change the port SSH runs on; that stops about 99.9999999999999999999999999999999% of brute force attacks.
>
> Open /etc/ssh/sshd_config
>
> Change Port to something else, like 2345 or something.
>
> Last, reload your SSH.

That's one of the best things you can do :D Nice one supermatthew :D
 

TechAsh

Retired
> I have nothing worth hacking on my VPS. I get about 10-15 attempts per day to brute-force my SSH password. I set up something called fail2ban to automatically change iptables to deny anyone that gets more than 3 failed logins :)

Lucky, I get at least 100-200 on a good day; I have seen 5000-6000 but that's less common. I use SSHGuard, but that seems to keep crashing after a day or so...
 

IonCannon218

New Member
I have nothing really worth hacking for on my VPS.

I do have fail2ban and just changed the SSH port to a non-standard port.
 

jtwhite

Community Advocate
Community Support
> I have nothing worth hacking on my VPS. I get about 10-15 attempts per day to brute-force my SSH password. I set up something called fail2ban to automatically change iptables to deny anyone that gets more than 3 failed logins :)

> Lucky, I get at least 100-200 on a good day; I have seen 5000-6000 but that's less common. I use SSHGuard, but that seems to keep crashing after a day or so...


How do you know about these attempts? Is there a log I could check?
 

Jarryd

Community Advocate
Community Support
On Ubuntu 9.04 the log is in /var/log/authlog.log.
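An added example, not from the thread or any poster, that joins Jarryd's two points (fail2ban banning after more than 3 failed logins, and the auth log as the place to see the attempts): it parses sshd "Failed password" lines in the format sshd writes to /var/log/auth.log on Debian/Ubuntu, counts failures per source IP, and applies fail2ban's maxretry/findtime rule. The log lines, the year and the 600-second window are constructed for the example.

```python
"""Added example (not from the thread): a fail2ban-style check over sshd
lines from /var/log/auth.log. It counts 'Failed password' entries per source
IP and flags IPs with more than 3 failures inside one time window.
The log lines, the year and the window length are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Classic sshd syslog line; syslog omits the year, so one is supplied when parsing.
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port")

SAMPLE_LOG = """\
Jun  3 04:12:01 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun  3 04:12:03 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jun  3 04:12:05 vps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jun  3 04:12:08 vps sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51237 ssh2
Jun  3 04:20:44 vps sshd[2210]: Failed password for jarryd from 198.51.100.9 port 40001 ssh2
Jun  3 04:21:10 vps sshd[2212]: Accepted password for jarryd from 198.51.100.9 port 40002 ssh2
Jun  3 09:00:00 vps sshd[2300]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jun  3 09:30:00 vps sshd[2301]: Failed password for root from 192.0.2.55 port 33002 ssh2
Jun  3 10:00:00 vps sshd[2302]: Failed password for root from 192.0.2.55 port 33003 ssh2
Jun  3 10:30:00 vps sshd[2303]: Failed password for root from 192.0.2.55 port 33004 ssh2
"""
def parse_failures(log_text, year=2010):
    """Yield (timestamp, source_ip) for every failed SSH login in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def failures_per_ip(log_text):
    """Total failed attempts per source IP: the per-day figure the thread quotes."""
    return Counter(ip for _, ip in parse_failures(log_text))

def ips_to_ban(log_text, maxretry=3, findtime_s=600):
    """IPs with more than maxretry failures in any findtime_s window (fail2ban's rule)."""
    stamps = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        stamps[ip].append(ts)
    banned = set()
    for ip, times in stamps.items():
        times.sort()
        start = 0  # oldest failure still inside the window that ends at times[end]
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime_s:
                start += 1
            if end - start + 1 > maxretry:
                banned.add(ip)
                break
    return banned
```

With the default 600-second window only the rapid-fire source is banned; the slow source that spreads four failures over 90 minutes is caught only if findtime is widened, which is the trade-off behind fail2ban's findtime setting.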