OK, I think this is going to be a new series. I have just spent the past 7 days blocking attacks, and I'm dropping my notes here.
What are server attacks, aka denial of service (DoS)?
It's basically creating lots of server requests from forged IP addresses and keeping the servers busy with this fake traffic, so that real traffic jams up. Here is how to deal with it.
How to prevent it?
There are a few ways to prevent it, but if you are running a large-scale service and getting heavy hits, then I recommend investing some $ in hardware appliances and optimizing them.
- Application front end hardware.
You can check vendors like below:
- Application level Key Completion Indicators: To handle application-level DDoS attacks against cloud-based applications, approaches may be based on an application-layer analysis that indicates whether an incoming bulk of traffic is legitimate or not, and thus enables the triggering of elasticity decisions without the economic implications of a DDoS attack. These approaches mainly rely on an identified path of value inside the application and monitor the macroscopic progress of requests along this path, towards the final generation of profit, through markers denoted as Key Completion Indicators.
- Blackholing and sinkholing: With blackholing, all the traffic to the attacked DNS name or IP address is sent to a “black hole” (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP. Sinkholing routes traffic to a valid IP address which analyzes the traffic and rejects bad packets. Sinkholing is not efficient for the most severe attacks.
- DDS based defense: More focused on the problem than an IPS, a DoS Defense System (DDS) can block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of Death) and rate-based attacks (such as ICMP floods and SYN floods).
- IPS based prevention: Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS may detect and block denial-of-service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern and determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
- Routers: Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has optional features that can reduce the impact of flooding.
- Switches: Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN link failover and balancing. These schemes work only as long as the DoS attack in question can actually be prevented by them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using bogon filtering. Automatic rate filtering works as long as the rate thresholds have been set correctly and granularly. WAN link failover works as long as both links have a DoS/DDoS prevention mechanism.
- Upstream filtering: All traffic is passed through a “cleaning center” or “scrubbing center” via various methods such as proxies, tunnels or even direct circuits, which separates out “bad” traffic (DDoS and also other common Internet attacks) and only forwards good traffic to the server. The provider needs central connectivity to the Internet to manage this kind of service, unless they happen to be located within the same facility as the “cleaning center” or “scrubbing center”.
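To make the switch/router controls above concrete, here is an added example (my own illustration, not code from the original post or from any vendor) of two of them in software: bogon filtering, which drops packets whose source address lies in reserved or unallocated space that should never appear on the public Internet, and automatic rate filtering, implemented as a per-source token bucket. It runs over constructed sample traffic with three sources: a normal client, a flooding source, and a source spoofing a private (bogon) address. The bogon list, the addresses, the timestamps and the thresholds are all constructed for the example; the point of the `rate`/`burst` parameters is the caveat in the text that rate filtering only helps when the thresholds match what legitimate clients actually do.

```python
"""Toy bogon filter plus per-source token-bucket rate filter.

Added example, not the original post's code. Everything below (bogon list,
sample addresses, timestamps, rate/burst thresholds) is constructed data.
"""
import ipaddress
from collections import defaultdict

# Illustrative bogon subset: RFC 1918 private, loopback, link-local, CGNAT,
# benchmarking, multicast/reserved. Real deployments use a maintained list.
# The RFC 5737 TEST-NET ranges are deliberately left out so they can stand in
# for "public" client addresses in the sample traffic.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/3",
)]


def is_bogon(src: str) -> bool:
    """True if the source address falls inside any non-routable network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_NETWORKS)


class TokenBucket:
    """Classic token bucket: refills `rate` tokens/second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)   # start full so a fresh source may burst
        self.last = None             # timestamp of the previous packet

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_traffic(packets, rate: float = 5.0, burst: int = 10):
    """Apply bogon filtering, then per-source rate limiting.

    packets: iterable of (timestamp_seconds, src_ip), chronological per source.
    Returns (overall counters, per-source forwarded/dropped counts).
    """
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = {"forwarded": 0, "dropped_bogon": 0, "dropped_rate": 0}
    per_src = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for ts, src in packets:
        if is_bogon(src):                    # never accept spoofed dark space
            stats["dropped_bogon"] += 1
            per_src[src]["dropped"] += 1
        elif buckets[src].allow(ts):         # within this source's budget
            stats["forwarded"] += 1
            per_src[src]["forwarded"] += 1
        else:                                # source exceeded rate/burst
            stats["dropped_rate"] += 1
            per_src[src]["dropped"] += 1
    return stats, dict(per_src)


def sample_traffic():
    """Constructed traffic mix (timestamps in seconds), sorted by time."""
    pkts = []
    # normal client: one request per second for 20 s
    pkts += [(float(t), "203.0.113.10") for t in range(20)]
    # flooding source: 100 requests packed into one second starting at t=5
    pkts += [(5.0 + i * 0.01, "203.0.113.77") for i in range(100)]
    # spoofed private source address: 30 requests, one per second
    pkts += [(float(t), "10.0.0.5") for t in range(30)]
    return sorted(pkts)


if __name__ == "__main__":
    totals, by_source = filter_traffic(sample_traffic())
    print("totals:", totals)
    for src, counts in by_source.items():
        print(f"{src:>14}  forwarded={counts['forwarded']:3d}  dropped={counts['dropped']:3d}")
```

With `rate=5.0, burst=10` the normal client is never touched, the flooder gets its first burst through and then only a handful more during the second it floods, and the spoofed source is dropped before rate limiting is even consulted. Lower `burst` below what a real browser sends when loading a page and the normal client starts being dropped too, which is exactly the "thresholds set correctly and granularly" condition in the text.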
How to find who did it?
Well, unless the attacker is a complete amateur, it is not easy to find out who is doing it, as the attacker is hidden behind all the intermediate nodes.
You can see many of the current DDoS attacks at http://map.norsecorp.com/#/
Looks like the West Coast gets a lot of attacks.
For people who are doing it: it is illegal to attack in many countries. If you are doing it for fun, you shouldn't; you will be in big pain when you get caught. If you are doing it for revenge of some kind, you are better off talking to that person or company directly, or finding some other legal way. If you are doing it for money, that's definitely not cool and you should stop.