Real Cases
Advise on DDoS attck Jul 31 2007 09:46PM
auto13925 hushmail com (3 replies)
Re: Advise on DDoS attck Aug 02 2007 04:42PM
Roland Dobbins (rdobbins cisco com)
RE: Advise on DDoS attck Aug 02 2007 02:38PM
Kandala, Nham (Nham_Kandala Keane Com) (2 replies)
RE: Advise on DDoS attck Aug 06 2007 11:06PM
David Gillett (gillettdavid fhda edu)
RE: Advise on DDoS attck Aug 03 2007 12:23PM
Mike Durgin (mdurgin synacksys com)
The problem is that every solution involves throwing resources at it,
and when you look at the number of unpatched systems on the web, and
in the case of a DDoS, there are a lot more resources available to
attackers.

You can try to employ a few cheap tricks to help spread your
existing resources out to help, depending on the attack.

It is likely they are sending a bunch of SYN packets and never
completing the 3-way handshake, moving it into the established queue.
SYN packets are put in the backlog queue prior to being moved into
the established queue, which is a lot smaller than the established
queue. Increasing the size of the backlog queue if you have the
memory, as well as decreasing the time it is allowed to sit in the
queue will help.

Other possibilities could be flooding your network with ICMP or some
other protocol. Make sure you block these on your border router, or
get your ISP to do it. If you leave it to your firewall, with all of
the stateful checks it may do, you are putting more overhead on it
than it needs. It is still a good idea to do it here, but considering
the firewall is the bottleneck, you want to put it as far upstream as
possible.

Quoting "Kandala, Nham" <Nham_Kandala (at) Keane (dot) Com [email concealed]>:

> In my opinion, one way you can defend against DDoS attacks is to get
> more bandwidth than the combined bandwidth used by DDoS attack and
> wear out the attacker. Often it is tough because typically we deploy
> just enough bandwidth. Sometimes, if you have enough network
> bandwidth, the number of requests will overwhelm the equipment with
> higher CPU/memory utilizations.
>
> Once you pay, the attacker understands that your site is important and
> will try to exploit again and again.
>
> In your case you can also contact your ISP and they can put filters
> in their upstream routers against this traffic but then no one
> can access your site and attacker kind of wins the battle without
> losing a lot of his horsepower.
>
>
> _________________________
> Nham Kandala
> www.keane.com
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of
> auto13925 (at) hushmail (dot) com [email concealed]
> Sent: Tuesday, July 31, 2007 2:47 PM
> To: realcases (at) securityfocus (dot) com [email concealed]
> Subject: Advise on DDoS attck
>
> I have a small, members only forum with about 150 members. It is
> hosted on a third party server. A few days ago I received an email
> demanding $500 to be paid into an e-gold account, otherwise attacks
> would start. I did not reply and last 3 days my domain/forum has
> been under DDoS attack. Attacks are not very effective in that due
> to small amount of members there is not too much activity and we
> can occasionally access to read/post the latest. However, they are
> annoying and we would like to defend against it if we can. I am
> looking for some advice from anybody who can spare some time to
> write a reply. Thanks.

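To see whether the backlog queue discussed in the message above is actually filling, the following added example (not part of the original thread) counts half-open connections per listening port from a Linux `/proc/net/tcp` snapshot. Assumptions: a little-endian Linux host, a constructed sample snapshot, and illustrative function names, backlog size and threshold.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # state code /proc/net/tcp uses for half-open connections

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 010200C0:C001 03 00000000:00000000 01:00000064 00000002     0        0 0
   2: 0A00000A:0050 020200C0:C002 03 00000000:00000000 01:00000064 00000002     0        0 0
   3: 0A00000A:0050 076433C6:C003 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0A00000A:0050 010200C0:C004 03 00000000:00000000 01:00000064 00000003     0        0 0
   5: 0A00000A:0050 057100CB:D431 01 00000000:00000000 00:00000000 00000000    33        0 2002
   6: 0A00000A:01BB 076433C6:C005 03 00000000:00000000 01:00000064 00000001     0        0 0
"""

def parse(text):
    """Yield (local_port, remote_ip, state) for each socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_port = int(fields[1].split(":")[1], 16)
        remote_hex = fields[2].split(":")[0]
        # IPv4 addresses are stored as a little-endian 32-bit hex value.
        remote_ip = socket.inet_ntoa(struct.pack("<I", int(remote_hex, 16)))
        yield local_port, remote_ip, fields[3]

def half_open(text):
    """Count SYN_RECV entries per local port and per remote address."""
    ports, sources = Counter(), Counter()
    for local_port, remote_ip, state in parse(text):
        if state == SYN_RECV:
            ports[local_port] += 1
            sources[remote_ip] += 1
    return ports, sources

def ports_under_pressure(text, backlog, threshold=0.75):
    """Ports whose half-open count is at least threshold * backlog (assumed limit)."""
    ports, _ = half_open(text)
    return sorted(p for p, n in ports.items() if n / backlog >= threshold)

if __name__ == "__main__":
    ports, sources = half_open(SAMPLE)
    print("half-open per port:", dict(ports))
    print("top sources:", sources.most_common(3))
    print("ports near backlog limit:", ports_under_pressure(SAMPLE, backlog=5))
```

On a live host, pass the contents of `/proc/net/tcp` and the configured backlog size instead of the sample; spoofed floods will show many distinct sources rather than a few repeated ones.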
Re: Advise on DDoS attck Aug 02 2007 10:59AM
Leif Ericksen (lericksen sbcglobal net) (1 replies)
RE: Advise on DDoS attck Aug 03 2007 04:04PM
Cox Danny W Contr USSTRATCOM/J812 (COXDW stratcom mil)
Copyright 2010, SecurityFocus