

The penultimate guide to stopping a DDoS attack – A new approach - konradc
http://blog.unixy.net/2010/08/the-penultimate-guide-to-stopping-a-ddos-attack-a-new-approach/

======
tptacek
This is roughly the same approach used by the DDoS mitigation services; you
run your servers on an unpublished address and front it on their address
space.

I like that they've got the ghetto version of the technique documented. Better
that you should rig this up on a couple VM hosting providers for a few hundred
bucks than that you spend tens of thousands of dollars to get the same level
of service from someone with slick marketing.

The obvious problem here is that it's hard to keep a determined attacker from
finding your real address space, and as soon as that happens, you're done;
attackers just skip the DNS and whack you directly.

This is a useful trick, but it's not the end of the story.

~~~
JoachimSchipper
I'm interested in how you think an attacker would find your address - at
least, presuming you have a web-only [1] host on a competently-run [2] network
that drops anything but requests from the proxies [3].

Of course, there are (D)DoS attacks that don't consist of sending lots of
bits/packets at a host, and this does assume you're hiring a dedicated server
or somesuch.

Of course, they could try to sniff network traffic at one of the providers/on
the backbone/..., but that's a _lot_ harder to carry out than a basic DDoS
attack.

[1] E.g. don't try to receive e-mail at this host while it's being attacked;
you'll need to point an MX record at it, which pretty much defeats the
purpose.

[2] IP spoofing will break the next defense; if the entire provider can be
taken down, you have serious problems.

[3] If you accept all traffic, nmap/curl will easily find the host, after
which the attack resumes. For bonus points, serve up an uninteresting-looking
page.
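
One way to implement footnote [3] on the origin host, as an added example (not code from the article or from the commenter): emit an iptables policy that accepts HTTP(S) only from the front-end proxies and silently drops everything else. The proxy addresses and admin network are constructed placeholders; rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: origin-side firewall for the "hidden origin behind proxies" setup.
# Only the listed proxies may reach 80/443; all other inbound traffic is dropped
# (DROP, not REJECT, so a scan of the provider's range gets no answer back).
# Spoofed packets carrying a proxy source address are still accepted by these
# rules; that is the caveat footnote [2] above raises.

PROXIES="192.0.2.10 192.0.2.11 198.51.100.7"   # constructed: the public VPS front ends
ADMIN_NET="203.0.113.0/24"                     # constructed: where SSH may come from

origin_rules() {
    # $1 = space-separated proxy IPs, $2 = admin network (CIDR)
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $1; do
        echo "iptables -A INPUT -p tcp -s $p -m multiport --dports 80,443 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp -s $2 --dport 22 -j ACCEPT"
    # no trailing REJECT rule on purpose: the DROP policy already covers the rest
}

# Number of proxy ACCEPT rules emitted; should equal the number of proxies listed.
proxy_rule_count() {
    origin_rules "$1" "$2" | grep -c -- "--dports 80,443"
}

origin_rules "$PROXIES" "$ADMIN_NET"
```

Pipe the output into `sh` on the origin once it has been checked against the current proxy list; a forgotten proxy simply gets dropped like any other client.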

------
paulgb
I hate to be pedantic, but "penultimate" means "second last", which doesn't
seem to be the intended use here.

~~~
guns
I thought that seemed awkward. What do you think they intend to mean?

~~~
paulgb
My guess is "ultimate". Admittedly, "penultimate" is a cooler-sounding word.

~~~
WorkerBee
All words are cool if you don't know what they mean. If the reader knows what
it means but the writer doesn't, the effects are less predictable and
desirable.

~~~
paulgb
I disagree. I don't know what "venial" means, but I don't think it sounds as
cool as "penultimate" :-)

~~~
antirez
Well, not knowing what venial means is venial after all.

~~~
paulgb
I'd upvote you, but then you'd know I was lying (which isn't as venial).

------
carson
Something missing from the cost calculation in this article is the cost of
bandwidth used for each VM. The VM itself may be low cost but at 100Mbps you
will use about 1TB of bandwidth a day. You would need to select your VM
provider with that in mind. A sustained attack could end up being fairly
expensive.

~~~
tptacek
A good point, but I think part of the implied logic here is that if your
defenses work, attackers will give up early.

~~~
conover
Why would an attacker give up? The site may stay online but you are still
having to pay thousands of dollars+ in bandwidth costs. It seems like a
win-win for the attacker.

~~~
tptacek
Because they can't see a site paying thousands of dollars, and they can see a
site going down, and they're going to invest their attention in things they
can see.

If they were thinking rationally about what they were doing, they'd (a) be
demanding money to let up, and (b) breezing right past DNS-based defenses like
this.

------
mrtron
"Just be sure to set high TTL for the records so your DNS server does not
collapse under the enormous volume."

The attacker, noticing your round-robin approach, decides to drop the DNS
server and then only has one host to deal with.

There are a lot of weak points that can be attacked. Certain sites will have
features that can be taken advantage of. If you have a long timeout/keepalive,
the attacker could launch lots of quick requests with no proper tear-down. If
you have a zillion servers set up like this - perhaps they can take out a major
link before the traffic even gets to you.

I also don't think this is a new approach - unfortunately it is much harder to
stop attacks than to create various approaches. The number of compromised
machines is just too high - that is the ultimate solution.

~~~
tptacek
Are people actually seeing their DNS servers collapse under load? DNS servers
--- even BIND, which, don't use BIND --- are very, very fast.

~~~
laz
Compared to HTTP DNS is crazy cheap to serve, but you'll still end up
bottlenecking on the pps rate of your NIC and OS. Everybody optimizes for high
throughput and ignores small packets.

Speaking of DNS DDoS, DNS Made Easy saw a 40Gbit DNS DDoS a few weeks back.

------
zende
Trying to categorize all DDoS together is nonsense. The scale and type of the
attack depend on the attacker's means and motivations. How would unixy.net
have blocked the following attack?
[http://www.csoonline.com/article/220336/how-a-bookmaker-and-...](http://www.csoonline.com/article/220336/how-a-bookmaker-and-a-whiz-kid-took-on-a-ddos-based-online-extortion-attack)

DDoS attacks make the most sense for the attacker when they are an extortion
attempt. The economics works in favor of the attacker. It costs the site
dearly to be down, and they set a price that makes sense based on your site.
Unfortunately, you may not hear about a lot of these attacks, and the attacker
is never found or can't be arrested.

unixy.net sells DDoS insurance. You never know if the insurance policy was
worth the monthly payments until an attack happens.

Note: I've never used unixy.net and can't speak to their effectiveness, but I
don't like how they grossly oversimplify a complex problem.

~~~
jjoe
unixy.net doesn't sell DDoS insurance. They're not in the DDoS business at
all. Check their portal.

Best

------
krobertson
I do find it ironic for a hosting company to post that their DDoS strategy is
to offload the load on other hosting companies.

They're talking about $5-10/month VPSes and want them to handle 100Mbps each?
Sure those providers love that traffic.

~~~
JoachimSchipper
Meh, if the traffic only lasts a couple of hours before the attacker gives up,
the VPS provider could still make a tidy profit - it's not like the VPS would
do much for the rest of the month...

------
alecco
Using a CDN service with ESI support handling all external hits can be even
better.

------
rsingel
The second-to-last guide? What's the last one?

------
callmeed
_"The individual or groups that conduct the DDoS attacks are most of the time
hired to complete the job."_

Purely out of curiosity, how do people go about finding such nefarious
characters?

~~~
Terretta
The answer was in the article.

~~~
callmeed
Dang it, thanks. Will have to read more closely after work.

------
nwmcsween
The sysctl.conf settings are bad.. like never ran a high end server bad.
1. tcp syncookies slows down connections considerably
2. rp_filter takes up a large amount of cpu time.
3. kernel.pid_max net.ipv4.ip_local_port_range is useless.
Also this doesn't stop a DDOS attack, it mitigates it by having a bigger pipe
than the bad guy. A _real_ way to mitigate attacks is to
1. identify an attack based on history
2. make damn sure it's an attack
3. 'tarpitting' attacks (xtables-addons for linux).
Tarpitting keeps connections in an open state on the client side thus
eventually crashing the client.

~~~
JoachimSchipper
This advice is _very_ bad. Yes, I'm certain you can make a server go faster by
disabling some security features, but without syncookies you're one SYN flood
away from a painful crash.

Your "mitigation" is also useless - yes, tarpitting for antispam purposes can
work, but a specialized DDoS tool likely uses raw socket access (i.e. the OS
doesn't keep track of the connections). If you can't take the number of
bits/packets thrown at you, you _will_ be unreachable. And even if not - we're
still talking about 10,000 machines talking to your one server. The bad guys
have a _lot_ more memory.

~~~
nwmcsween
Security features? I will bet, no, _give_ you a large sum of cash if you can
show me that a server under a large pps DDOS survives with rp_filter and
syncookies on with iptables on and without any crazy tcp modifications. In the
real world there are no "specialized DDOS tools"; most viruses are simple.
EDIT: Why would you use a single server? Why on God's earth would you track
tarpitted connections?
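
An added audit script for the kernel knobs the last three comments argue over (not code from the thread or from unixy.net). It reads `sysctl -a` style "key = value" lines from stdin, so it can be run against a live host or a saved dump, and flags the settings that leave a server open to a SYN flood. Linux only falls back to SYN cookies once the SYN backlog overflows, which is why the backlog size is checked alongside the cookie switch; the 4096 floor is an assumption, not a figure from the thread.

```shell
#!/bin/sh
# Added example: report the state of the SYN-flood related sysctls discussed above.
# Usage: sysctl -a 2>/dev/null | audit_syn_sysctl   (or feed a saved dump)
# Prints one finding per recognised key; returns 1 when SYN cookies are disabled.

audit_syn_sysctl() {
    rc=0
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        val=$(printf '%s' "${line#*=}" | tr -d ' ')
        case "$key" in
        net.ipv4.tcp_syncookies)
            if [ "$val" = 1 ]; then echo "OK   $key=$val"
            else echo "WEAK $key=$val (once the SYN queue fills, new SYNs are dropped)"; rc=1; fi ;;
        net.ipv4.tcp_max_syn_backlog)
            # cookies engage only when this queue overflows, so a larger queue keeps
            # ordinary traffic on the normal handshake path for longer (4096: assumed floor)
            if [ "$val" -ge 4096 ]; then echo "OK   $key=$val"
            else echo "LOW  $key=$val (consider raising)"; fi ;;
        net.ipv4.conf.all.rp_filter)
            case "$val" in
            1) echo "OK   $key=strict" ;;
            2) echo "OK   $key=loose" ;;
            *) echo "OFF  $key=$val (packets with unroutable source addresses are not dropped)" ;;
            esac ;;
        esac
    done
    return $rc
}

# Constructed sample in `sysctl -a` format: a host tuned the way the comment above suggests
SAMPLE='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.rp_filter = 0
kernel.pid_max = 32768'

printf '%s\n' "$SAMPLE" | audit_syn_sysctl
```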

