Topic: DDOS Attacks. What you can do to help stop them! - page 3.

hero member
Activity: 812
Merit: 1001
paul21: yes I confirm that what you posted is consistent with my experience.

tl;dr get a decent sysadmin and treat him well and your DDOS issues can be solved to a large degree.


member
Activity: 70
Merit: 10
Booters cost like $5/month and the pools need corporate grade protection to counter them; it's not cheap (2-4k/month for TCP applications like Stratum). If we manage to knock off 50% of the nodes, the booter price might go to $10/month or something so it's still a losing battle. These aren't the sophisticated attacks that mtgox has to deal with, but a simple UDP flood. Most hosts that offer DDoS protection, from my shopping experience, max out at 10Gbit/1-5MPPS, and I consistently saw attacks stronger than that with CNC (peak was 22Gbit, 75% of the attacks were over 10).

Some prices for dedicated DDoS protection I found: (not shared like awknet or VPS)
Staminus     $1k/month for 10Gbit/1MPPS (not strong enough)
BlackLotus $675/month for 10Gbit/6MPPS
Some other  $1k/month + $4k setup for similar

The solution I've come up with is to just use a suite of reverse proxies:
buyvm/etc VPS (10Gbit/5MPPS)
Minecraft-oriented VPS/Dedicated (Varies)
Cloud Load Balancer

For example, I used an amazon elastic load balancer and some micro instances for forwarding. By using the ELB, amazon soaks up the packet floods and does some filtering. I also use cloudflare free, but there's a risk. If your site gets a http-layer attack, and you're not on the 200/m plan, cloudflare will change your DNS record and effectively direct the traffic to your server. The pro is a packet flood goes to the CDN node, and that's not associated with any single domain, so it blocks those (you can route longpolling through cloudflare since it's HTTP traffic).
sr. member
Activity: 332
Merit: 250
I am confused. You mean people who ddos do not even spoof their src ips from a subnet related to the one they are on, or random ones?
Sending out emails might mean sending emails to the wrong isps.

Once they are notified they can see if there was traffic or not and decide whether it was spoofed or actually coming from their machines. This just sends a notification for them to do internal investigating.
legendary
Activity: 2072
Merit: 1001
I am confused. You mean people who ddos do not even spoof their src ips from a subnet related to the one they are on, or random ones?
Sending out emails might mean sending emails to the wrong isps.
sr. member
Activity: 332
Merit: 250
Script has been added to my original post.
sr. member
Activity: 332
Merit: 250
Just publish the script right here. Lots of people will find it maybe years down the road and use it. There is really no reason to hide those behind PM's.

Great point, I will post it up here as soon as I have access to a machine with a decent connection.
newbie
Activity: 28
Merit: 0
Yacoin. It is not about stopping it. It is about reducing zombie nets so that they are weaker for the next victim/attack. And yes admins do read those emails and do act on them. I used to be one of those admins, I should know.

What did you administer?
hero member
Activity: 812
Merit: 1001
Yacoin. It is not about stopping it. It is about reducing zombie nets so that they are weaker for the next victim/attack. And yes admins do read those emails and do act on them. I used to be one of those admins, I should know.
full member
Activity: 186
Merit: 100
I guess you didn't read serraz's email...
The script doesn't create automatic rules. The firewall rules are already there. That's not the point!
The script generates the attack report emails and sends them to the contact according to "whois" info for the attacking IP.
These emails are monitored by sysadmin/netadmin teams, who actually act really fast.

Cheers.
kha0S

P.S.: Yes, it's low. But for a pool it's the difference between finding a block or not...

You can't protect yourself from a DDOS attack by running a script on your own server. You have to talk to the upstream providers. Make your own DNS server, block other DNS requests from other DNS servers, etc.

There's nothing you can do with an iptables script or anything of that matter to effectively stop DDOS on your servers.

Plus, 10 GB/s is very low :)
newbie
Activity: 28
Merit: 0
You can't protect yourself from a DDOS attack by running a script on your own server. You have to talk to the upstream providers. Make your own DNS server, block other DNS requests from other DNS servers, etc.

There's nothing you can do with an iptables script or anything of that matter to effectively stop DDOS on your servers.

Plus, 10 GB/s is very low :)
hero member
Activity: 812
Merit: 1001
Just publish the script right here. Lots of people will find it maybe years down the road and use it. There is really no reason to hide those behind PM's.
sr. member
Activity: 448
Merit: 250
Great job guys, always good to see people sharing this type of stuff with the community for the greater good.
hero member
Activity: 574
Merit: 500
I'm sure you are all aware of the recent DDOS attacks on multiple pools and services in the crypto community.

Our Pool was one of the pools hit in these attacks. These attacks are damaging the reputation of crypto coins and causing mass panics.

I'm sure most pools have invested or are investing in some form of DDOS protection, most of which will keep logs of any attack that happens on your pool. Now these are great, but if you claim to be DDOS proof you would be lying: nothing is DDOS proof if the attack is big enough, and some might even see it as a challenge.

We can all help to stop these attacks, or at least shut down some bots, and I will tell you how right now.

Khaos and myself have developed a script that will analyse log files captured from a ddos attack, split it up into subnets, find what company is in charge of those addresses and send them an email with the logs attached stating that a DDOS has come from those IP addresses.

The companies must act on these emails as doing a DDOS is a crime. I know it will not stop these DDOS attacks and they can get more bots quite easily, but it will reduce their attack power and help make users aware that their machines are compromised and how to stop this happening.

If you would like a copy of the script please PM myself or Khaos.

Thanks for reading

Champion effort guys ++

newbie
Activity: 28
Merit: 0
Doesn't even need to be a DNS reflective attack.

1000-2000 bots can pump out about 25-50 GB/s without DNS reflective attacks :)
full member
Activity: 186
Merit: 100
We are not talking about a 0day exploit here. It's a misconfiguration on DNS servers allowing "attackers" to inflict a DNS amplification attack. In our case it represented almost 10Gbps of unrequested UDP traffic.

Downtime caused: several hours
Time to fix: <1 minute

On the other hand:

Time to create the script: a couple of hours
Time to run it every time it happens from now on: 1 second

Cheers,
kha0S

Rather impossible. Because somebody who has a botnet, with a 0day exploit or even a crappy older exploit, can increase that botnet by 500-1000 bots in a week or two.

And your emails are going to shut down what? 200-300 of his bots in a week...

So it's a race.

You can't win.

And even if you shut down one botnet, there will be 10 others to take the DDOSer's place.

The only way to stop DDOS is to pay for DDOS protection :)
sr. member
Activity: 332
Merit: 250
Rather impossible. Because somebody who has a botnet, with a 0day exploit or even a crappy older exploit, can increase that botnet by 500-1000 bots in a week or two.

And your emails are going to shut down what? 200-300 of his bots in a week...

So it's a race.

You can't win.

And even if you shut down one botnet, there will be 10 others to take the DDOSer's place.

The only way to stop DDOS is to pay for DDOS protection :)

Agreed with you 100%. This is not a solution to stop them per se, nor is it a replacement for ddos protection, and it never will be. You are correct, we can never stop them. But if we can take down some of the bots and make users aware of certain programs used for botnets, it could make the attacker's job that little bit harder.

Again, this is not going to stop ddos attacks, nor is it a replacement for ddos protection. It's a simple way we can help make users aware of exploits and unwanted programs on their machines and servers.

Surely shutting down 200 - 300 a week is better than an extra 200 - 300 bots in their army.
full member
Activity: 186
Merit: 100
I would like to add that from this first batch of emails sent (around 8000 emails), we have already received a huge number of reports stating servers "fixed" or simply disconnected for investigation. The problem affecting these machines was quite easy to fix.

That kind of prompt answer from SysAdmin teams should be praised and thanked.

Thanks!

../kha0S

newbie
Activity: 28
Merit: 0
Rather impossible. Because somebody who has a botnet, with a 0day exploit or even a crappy older exploit, can increase that botnet by 500-1000 bots in a week or two.

And your emails are going to shut down what? 200-300 of his bots in a week...

So it's a race.

You can't win.

And even if you shut down one botnet, there will be 10 others to take the DDOSer's place.

The only way to stop DDOS is to pay for DDOS protection :)
sr. member
Activity: 332
Merit: 250
I'm sure you are all aware of the recent DDOS attacks on multiple pools and services in the crypto community.

Our Pool was one of the pools hit in these attacks. These attacks are damaging the reputation of crypto coins and causing mass panics.

I'm sure most pools have invested or are investing in some form of DDOS protection, most of which will keep logs of any attack that happens on your pool. Now these are great, but if you claim to be DDOS proof you would be lying: nothing is DDOS proof if the attack is big enough, and some might even see it as a challenge.

We can all help to stop these attacks, or at least shut down some bots, and I will tell you how right now.

Khaos and myself have developed a script that will analyse log files captured from a ddos attack, split it up into subnets, find what company is in charge of those addresses and send them an email with the logs attached stating that a DDOS has come from those IP addresses.

The companies must act on these emails as doing a DDOS is a crime. I know it will not stop these DDOS attacks and they can get more bots quite easily, but it will reduce their attack power and help make users aware that their machines are compromised and how to stop this happening.

If you would like a copy of the script you can find it here. http://pastebin.com/ZN0bqrKS

Thanks for reading
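The pipeline the original post describes (parse the attack logs, group sources into subnets, find who is responsible for each block, draft one abuse report per contact), written out below as an added Python example. This is not the script from the pastebin link or any code by serraz or kha0S. Everything in it is an assumption or constructed for illustration: the iptables LOG line format and the sample lines (TEST-NET addresses, not real attack data), the `ABUSE_CONTACTS` table that stands in for a real whois lookup, and the 512-byte length used to single out the amplified DNS responses kha0S mentions earlier in the thread. It builds the messages but does not send them.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from email.message import EmailMessage

# Constructed sample lines in iptables LOG format (TEST-NET ranges, no real data).
# The first LEN= is the IP total length; SPT=53 with a large length is the
# signature of a DNS amplification response reflected at the victim.
SAMPLE_LOG = """\
Jun 12 10:00:01 pool kernel: DDOS: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=1480 TTL=52 PROTO=UDP SPT=53 DPT=3333 LEN=1460
Jun 12 10:00:01 pool kernel: DDOS: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 LEN=1480 TTL=50 PROTO=UDP SPT=53 DPT=3333 LEN=1460
Jun 12 10:00:02 pool kernel: DDOS: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=1480 TTL=48 PROTO=UDP SPT=53 DPT=3333 LEN=1460
Jun 12 10:00:02 pool kernel: DDOS: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=1480 TTL=52 PROTO=UDP SPT=53 DPT=3333 LEN=1460
Jun 12 10:00:03 pool kernel: DDOS: IN=eth0 OUT= SRC=198.18.0.4 DST=198.51.100.10 LEN=60 TTL=60 PROTO=TCP SPT=51234 DPT=3333
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) LEN=(?P<len>\d+).*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+))?"
)

# Assumption: an ordinary DNS reply fits in 512 bytes; larger UDP packets from
# source port 53 are treated as amplified responses.
AMPLIFIED_RESPONSE_MIN_LEN = 512

# Constructed stand-in for a whois lookup: address block -> abuse mailbox.
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@example-isp-a.invalid",
    "192.0.2.0/24": "abuse@example-isp-b.invalid",
    "198.18.0.0/15": "abuse@example-isp-c.invalid",
}


def parse_log(text):
    """Return one dict per log line that carries the fields we need."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entries.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "len": int(m.group("len")),
            "proto": m.group("proto"),
            "spt": int(m.group("spt")) if m.group("spt") else None,
        })
    return entries


def is_dns_reflection(entry):
    """Large UDP packet from port 53: a reflected, amplified DNS response."""
    return (entry["proto"] == "UDP" and entry["spt"] == 53
            and entry["len"] >= AMPLIFIED_RESPONSE_MIN_LEN)


def group_by_subnet(entries, prefix=24):
    """Map each /prefix network to a Counter of the source IPs seen inside it."""
    groups = defaultdict(Counter)
    for e in entries:
        net = ipaddress.ip_network(f"{e['src']}/{prefix}", strict=False)
        groups[str(net)][e["src"]] += 1
    return dict(groups)


def lookup_abuse_contact(network):
    """Longest-prefix match over the constructed contact table; None if unknown."""
    net = ipaddress.ip_network(network)
    best = None
    for cidr, contact in ABUSE_CONTACTS.items():
        cand = ipaddress.ip_network(cidr)
        if net.subnet_of(cand) and (best is None or cand.prefixlen > best[0].prefixlen):
            best = (cand, contact)
    return best[1] if best else None


def build_reports(groups, victim, sender="noc@pool.example"):
    """One EmailMessage per abuse contact, listing the offending sources per subnet."""
    per_contact = defaultdict(list)
    for network, sources in sorted(groups.items()):
        contact = lookup_abuse_contact(network)
        if contact is None:
            continue  # in practice: fall back to a manual whois query
        per_contact[contact].append((network, sources))
    reports = {}
    for contact, nets in per_contact.items():
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = contact
        msg["Subject"] = f"Abuse report: UDP flood against {victim}"
        lines = [f"Hosts in your address space sent amplified DNS responses to {victim}:", ""]
        for network, sources in nets:
            lines.append(f"{network}:")
            for ip, count in sources.most_common():
                lines.append(f"  {ip}  {count} packet(s)")
        lines += ["", "These hosts are likely open resolvers or compromised; please investigate."]
        msg.set_content("\n".join(lines))
        reports[contact] = msg
    return reports


def reports_for_log(text, victim="198.51.100.10"):
    """Full pipeline: parse, keep only reflection traffic, group, draft reports."""
    flagged = [e for e in parse_log(text) if is_dns_reflection(e)]
    return build_reports(group_by_subnet(flagged), victim)


if __name__ == "__main__":
    for contact, msg in reports_for_log(SAMPLE_LOG).items():
        print(msg)  # hand the messages to smtplib.SMTP(...).send_message() to actually send
```

The TCP line in the sample is deliberately left out of the reports: only the reflected DNS responses are attributed, which keeps the emails focused on the open resolvers the contact can actually fix. A real run would replace `ABUSE_CONTACTS` with a whois query and attach the matching raw log lines, as the thread's script does.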