|
Recent DDoS Attacks
As you may or may not be aware, the network -- my network -- serving the Aural Moon web site has been unwittingly solicited as a participant in a more likely than not BotNet DDoS (Distributed Denial of Service) amplification attack. Be it known, it is not my network, nor is it the Aural Moon web site, that is the target of these attacks. My network's DNSs (Domain Name Servers) are being used -- or there's been an attempt to use them -- to facilitate a flood of requests to the intended targets. This is done by faking the source address in the IP packet such that when the unwitting DNS responds, it sends the response to the target victim. By using unwitting DNS participants around the 'net, they can amplify the attack's effect and essentially drown the target victim with too much traffic; hence, a denial of service.
I have taken steps to mitigate this but there's really no defense of this action because there's no way to trace the source of these feigned DNS requests. I have been able to identify a number of the targets and I have enabled an input filter on my network's routers to simply deny these request into/onto my network and, subsequently, to the DNSs. This is an ongoing battle. I have a packet sniffer running on the connection between the ISP's interface and the routing interface of the router. I've implemented some filter rules which quickly identify these feigned DNS requests. When I have the source IP address(es), I add them to an ACL (Access Control List) on the router to simply drop them. Note, however, that this doesn't STOP these attacks, it merely mitigates their effectiveness by keeping them from passing onto my network. These attacks are still consuming a vast chunk of my bandwidth. Code:
Cisco871W#show access-list Deny-DDoS-ACLI totaled the matches counts for the 'deny' clauses and that number is 2,936,515. The total count of packets that were permitted onto the network is 2,646,852. Some quick math shows that that is about 52% of the traffic currently hitting my router's interface. So, if things seems slow, you know know why. How to stop this? Good question. The Bots in the BotNet are, more likely than not, WEENDOZE boxes. STOP USING WEENDOZE. Also, the ISPs of the world are culpable too. A responsible ISP would/should not route ANY packets that do not maintain source IP addresses within their network. Because I've never had to contend with this before, I'm learning some more Cisco IOS. IOS has "policing" policies that can throttle certain protocols, networks, etc. As soon as I can get my head wrapped around how to properly implement them, I will put in a throttle for DNS requests that should mitigate these attacks without having to constantly monitor and modify the Cisco's ACLs. |
Re: Recent DDoS Attacks
Well VAX, I understood about 62.1374% of what you were saying. But as long as YOU understand it, that's really all that matters. I appreciate all the time, dedication and technical knowledge that you bring to Aural Moon. Thanks for keeping prog alive on the web and may all your packets be legitimate.
|
Re: Recent DDoS Attacks
Vax,
I'm always amazed at the sh** that you have to deal with in order to make everyone else's life more enjoyable. It is *truly* appreciated. Ken |
Re: Recent DDoS Attacks
Ditto what the other guys said. Thanks for everything, VAX
|
Re: Recent DDoS Attacks
OK. I believe I have this right. I've enabled some of the Cisco's policing action. The rules I've put in place (using the lowest values the Cisco would allow me) should slow down any would be DNS floods that aren't already dropped with the ACLs I've added.
Code:
class-map match-all DDoS |
Re: Recent DDoS Attacks
Diff is more advanced than me in computers..I recognize,,'network',,,"web site' ....and couple of things.
I m with KEN,,thanks a lot from here,,thanks to do everything you can to avoid problems for many,me included of course, AM is a important part in our day. |
Re: Recent DDoS Attacks
I followed about 80%, but still, I couldn't DO it. Thanks, VAX, for your hard work.
|
Re: Recent DDoS Attacks
I won't even try to understand. I will give you a gigantic, BRAVO. Without your efforts Aural Moon would fall into the abyss of internet trash. Thanks so much, Vax.
|
Re: Recent DDoS Attacks
All we can do is express our gratitude for the amount of personal time you continue to dedicate for our collective benefit. We all owe you a pint. Thanks!
|
Re: Recent DDoS Attacks
nice work, and explanation ... I learned something new too ...
... one day the world's ISPs will have to start cooperating in managing these problems. After all, a legit ISP has nothing to lose from contributing - since all must be getting hit in approximately the same way. What was a big surprise to me was that many of the attack targets are in CN .. almost funny (but only almost). |
Re: Recent DDoS Attacks
Fascinating! I wonder how many other websites out there have also 50% of their traffic used up by DDoS attacks? And how many of these have a VAXman administering them!?
Just for the sake of curiosity, can you reveal what kind of targets are being hit by these fake requests? |
Re: Recent DDoS Attacks
Quote:
Ironically, ost of them turned out to be the web sites of companies offering DDoS mitigation services or appliances. Several others were web hosting and co-lo service companies. Currently, there is this address: 66.249.17.112 dig tells me: Code:
vaxman@Satellite:~$ dig -x 66.249.17.112Whois says: Code:
vaxman@Satellite:~$ whois 66.249.17.112 |
Re: Recent DDoS Attacks
Wow VAX, the sh** you go through for the Moon amaze me. Thanks for all you do for us all!
|
Re: Recent DDoS Attacks
VAX,
I also thank you. I have not been much of a participant lately - at least in the shout box due to work load - but I have been following this problem on the website, and I truly appreciate what you are doing. Again - THANK YOU. As has been mentioned, it is amazing what you are doing keeping Aural Moon functioning on the net. Hat's off my man, and grab another G! Regards from Texas, Ted P.S. Also - as Jam said, thanks for sharing with us - I too only understand a fraction, but it is still fascinating. |
Re: Recent DDoS Attacks
Another attack last evening. This one: http://www.rivalhost.com/
Most of the attacks that I've mitigated were directed at such sites. (ie. company sites that provide guaranteed DDoS hosting services, DDoS mitigation services or DDoS mitigation appliances.) Oh well, another network in the router's "direct those packets into the packet toilet" rules. |
Re: Recent DDoS Attacks
FWIW, it's been exceptionally bad today!!!
Code:
Extended IP access list Deny-DDoS-ACLTotal packets passed: 1,341,306 Total packet payload: 2,435,429 Do a little division and you'll see that 45% of my total bandwidth is being pissed away with this nonsense. :hot: |
Re: Recent DDoS Attacks
Hi VAx, itīs quite clear that you're a professional fighting all these threats, but I simply ask myself why the hell did you write down here your whole strategy.....don't you think it may turn hackers' life easier ?
|
Re: Recent DDoS Attacks
Quote:
|
Re: Recent DDoS Attacks
...
|
Re: Recent DDoS Attacks
Adding my thanks to those of others who have expressed their gratitude so well.
Your self description as "janitor" of the Moon is starting to make a lot more sense to me. Merci beaucoup Vax! |
| All times are GMT -5. The time now is 10:52 AM. |
Integrated by BBpixel Team 2024 :: jvbPlugin R1011.362.1
Powered by vBulletin Version 3.6.2
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.