

Ask HN: DDOS attack remedies? - wturner

How can anyone protect their project from a DDOS attack?
======
dibarra
I deal with this in my day job as well. Many datacenters will have mitigation
appliances such as Arbor Peakflow, Cisco Guards, IntruGuard, etc. For attacks
that are throwing garbage to unused ports, you can block these fairly
effectively by having your datacenter block these ports at the router. Just
ask your datacenter's support for a service such as this; usually their SLA
specifies a time limit for how long your site may consume mitigation services
for free. Your datacenter will probably start nulling your IP at around 1 Gbps
inbound (varies, might be lower).

Some DDoS's are easy to block via iptables: attackers who aren't very clever
will have the same UA on all of their bots, and they are easy to block via a
combination of tailing your domlogs and adding bad IPs to an iptables
listing. Many don't set a user agent, making it much easier.

Floods that consist of holding open http server connections for long periods
of time can be combated by throwing MaxClients to something large (about 5000)
and setting keepalive to something low, like around 5 seconds (if you're using
Apache, similar probably holds true for other http servers).

You can usually use string blocking via iptables, but these will still hold
the connection open until the client times out, and you might have to resort
to the above in conjunction (raise MaxClients, etc.). Usually, I try to
mitigate via IP addresses before string blocking.

Rarely will I see an attack that will require a nullroute upstream. If you're
worried about those, you will need to seek professional services. In most
cases, you can mitigate at the server level easily. Also, ngrep is your
friend.
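
An added example of the log-tailing approach described in the comment above (not part of the original thread): it reads Apache "combined" access-log lines, lists User-Agents by hit count for review, and renders DROP rules for clients that sent no User-Agent or one the operator has chosen to block. The function names, the `floodbot/1.0` string, and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log format; the last quoted field is the User-Agent.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(lines):
    """Yield (ip, user_agent) for well-formed lines whose client field is a real IP."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of guessing
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostnames or junk never reach a firewall command
        yield ip, m.group(2)

def ua_summary(lines):
    """Hits per User-Agent, most frequent first, for the operator to review."""
    return Counter(ua for _, ua in parse(lines)).most_common()

def bad_ips(lines, blocked_uas=(), allow=()):
    """IPs that sent no User-Agent or a listed one, minus allow-listed addresses."""
    allowed = {ipaddress.ip_address(a) for a in allow}
    hit = {ip for ip, ua in parse(lines) if ua in ("", "-") or ua in blocked_uas}
    return sorted(hit - allowed, key=lambda ip: (ip.version, int(ip)))

def drop_rules(ips):
    """Render one DROP rule per address, using ip6tables for IPv6 sources."""
    return [f"{'iptables' if ip.version == 4 else 'ip6tables'} -I INPUT -s {ip} -j DROP"
            for ip in ips]

# Constructed sample lines (documentation address ranges, made-up bot User-Agent).
TS = "[10/Oct/2010:13:55:36 +0000]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET / HTTP/1.1" 200 512 "-" "floodbot/1.0"',
    f'198.51.100.8 - - {TS} "GET / HTTP/1.1" 200 512 "-" "floodbot/1.0"',
    f'192.0.2.11 - - {TS} "GET / HTTP/1.1" 200 512 "-" "floodbot/1.0"',
    f'203.0.113.5 - - {TS} "GET / HTTP/1.1" 200 512 "-" "-"',
    f'2001:db8::1 - - {TS} "GET / HTTP/1.1" 200 512 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /a HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    f'host.example.net - - {TS} "GET / HTTP/1.1" 200 1 "-" "-"',
]

if __name__ == "__main__":
    print(ua_summary(SAMPLE))
    print("\n".join(drop_rules(bad_ips(SAMPLE, {"floodbot/1.0"}, allow=["192.0.2.11"]))))
```

The blocked User-Agent list is chosen by a person after reading the summary, because a browser User-Agent shared by many real visitors would otherwise be blocked along with the bots.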

------
rakkhi
Just answered a similar question on Quora:
[https://www.quora.com/How-can-did-Tumblr-successfully-defend...](https://www.quora.com/How-can-did-Tumblr-successfully-defend-itself-against-4chan-and-will-4chan-attack-again)

------
iuguy
To be honest it depends on the type of DDOS and the project in question.
Different types of DDOS require different approaches.

I deal with this in my day job. If you (or anyone on HN) are currently
experiencing a DDOS I'd be happy to speak with you over email or a phone call.
My contact details are in my signature.

~~~
wturner
I just shot you an email

~~~
iuguy
For some reason your email address has disappeared from my setup. Can you do
me a favour and send your email address?

