Go Back   Aural Moon - Progressive Rock Discussion > Station News > Website
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Thread Tools Display Modes
Prev Previous Post   Next Post Next
Old 10-02-2012, 08:50 AM
VAXman's Avatar
VAXman(Admin) VAXman is offline
progger propellerhead
Join Date: Dec 2003
Location: Presently reside in Jackson (southern) NJ (20 miles east of NEARfest 2002 & 2003
Posts: 2,359
Send a message via AIM to VAXman Send a message via Skype™ to VAXman
Recent DDoS Attacks

As you may or may not be aware, the network -- my network -- serving the Aural Moon web site has been unwittingly solicited as a participant in a more likely than not BotNet DDoS (Distributed Denial of Service) amplification attack. Be it known, it is not my network, nor is it the Aural Moon web site, that is the target of these attacks. My network's DNSs (Domain Name Servers) are being used -- or there's been an attempt to use them -- to facilitate a flood of requests to the intended targets. This is done by faking the source address in the IP packet such that when the unwitting DNS responds, it sends the response to the target victim. By using unwitting DNS participants around the 'net, they can amplify the attack's effect and essentially drown the target victim with too much traffic; hence, a denial of service.

I have taken steps to mitigate this but there's really no defense of this action because there's no way to trace the source of these feigned DNS requests. I have been able to identify a number of the targets and I have enabled an input filter on my network's routers to simply deny these request into/onto my network and, subsequently, to the DNSs. This is an ongoing battle. I have a packet sniffer running on the connection between the ISP's interface and the routing interface of the router. I've implemented some filter rules which quickly identify these feigned DNS requests. When I have the source IP address(es), I add them to an ACL (Access Control List) on the router to simply drop them. Note, however, that this doesn't STOP these attacks, it merely mitigates their effectiveness by keeping them from passing onto my network. These attacks are still consuming a vast chunk of my bandwidth.

Cisco871W#show access-list Deny-DDoS-ACL Extended IP access list Deny-DDoS-ACL 10 deny udp any eq domain 20 deny udp any eq domain (85 matches) 30 deny udp any eq domain 40 deny udp any eq domain (65 matches) 50 deny udp any eq domain (5580 matches) 60 deny udp any eq domain 70 deny udp any eq domain 80 deny udp any eq domain 90 deny udp any eq domain (520922 matches) 100 deny udp any eq domain (19 matches) 110 deny udp any eq domain (537785 matches) 120 deny udp any eq domain (90 matches) 130 deny udp any eq domain (10344 matches) 140 deny udp any eq domain 150 deny udp any eq domain 160 deny udp any eq domain 170 deny udp any eq domain 180 deny udp any eq domain (582 matches) 190 deny udp any eq domain 200 deny udp any eq domain 210 deny udp any eq domain (114439 matches) 230 deny udp any eq domain (358260 matches) 250 deny udp any eq domain (1074545 matches) 290 deny udp any eq domain (313799 matches) 300 permit ip any any (2646852 matches)
As you can see, these are unrelenting attacks as is indicated by the matches counts. That number is the count of how many times (since my router's last reload) that the particular listed network has been targeted through my network.

I totaled the matches counts for the 'deny' clauses and that number is 2,936,515. The total count of packets that were permitted onto the network is 2,646,852. Some quick math shows that that is about 52% of the traffic currently hitting my router's interface. So, if things seems slow, you know know why.

How to stop this? Good question. The Bots in the BotNet are, more likely than not, WEENDOZE boxes. STOP USING WEENDOZE. Also, the ISPs of the world are culpable too. A responsible ISP would/should not route ANY packets that do not maintain source IP addresses within their network.

Because I've never had to contend with this before, I'm learning some more Cisco IOS. IOS has "policing" policies that can throttle certain protocols, networks, etc. As soon as I can get my head wrapped around how to properly implement them, I will put in a throttle for DNS requests that should mitigate these attacks without having to constantly monitor and modify the Cisco's ACLs.
VAXman -- Watcher of the moon, watcher of all.
----------------Mopper of the moon, mopper of all.
-------------------- Aural Moon's Janitorial Services
---------------------and Restroom Supplies, and Techno-patsy --

Cogito ergo iMac.         
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

All times are GMT -5. The time now is 03:07 PM.