* Re: [LARTC] Need help please
From: Gordan Bobic @ 2003-03-20 12:42 UTC
To: lartc
On Thursday 20 Mar 2003 12:49, Webadmin wrote:
> We've been getting some DDOS attack recently, due to this I was just
> wondering if we use some network traffic control techniques in order to
> reduce the risk of having the DDOS attack?? is this possible after all??
> can we use the traffic control techniques in order to reduce the DDOS
> attack???
I don't think you can reduce the "risk" of being under attack.
What sort of an attack are you under? Ping/ICMP flood? Or just a lot of robots
killing your web server with seemingly valid requests?
If you are having your bandwidth between your router and your ISPs all used up
by the attack, then you may be out of luck, as congestion and dropping will
most likely occur before any valid traffic gets through to you.
OTOH, if it is just your server load that is being affected, then yes, you
could potentially do something about it, provided you have some bandwidth to
spare. You could block or reduce the priority of the offending traffic. You
could also analyze logs to see what hosts are consuming a large amount of resources,
or analyze the headers they are sending, and try to separate valid traffic by
that. Then, just drop all traffic to/from the offending hosts completely, or
reduce their traffic to a minimum priority. You can do this using
ipchains/iptables and setting fwmarks on packets to/from relevant machines,
and then filtering on fwmarks.
Ideally, you might be able to ask your ISP to filter out the offending traffic
before it hits your local router, so it doesn't consume your bandwidth, but
that depends on what they are able/willing to do with their network setup to
help you out...
I think you will have to be a little more specific about the type of attack
you are under for any more specific suggestions...
Regards.
Gordan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
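
The procedure described in the reply above (find the heavy hosts in the logs, then either drop them or fwmark their traffic and filter on the mark), as an added example that is not part of the original post. The interface name, mark value, request threshold and log lines are assumptions constructed for illustration; the script only prints the commands.

```shell
#!/bin/sh
# Added example (dry run): prints iptables/tc commands, changes nothing itself.
MARK=6      # fwmark value; arbitrary choice for this example
DEV=eth0    # assumed outbound interface towards the ISP

# Constructed sample access log (documentation-range addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [20/Mar/2003:12:40:01 +0000] "GET / HTTP/1.0" 200 5120
192.0.2.10 - - [20/Mar/2003:12:40:01 +0000] "GET / HTTP/1.0" 200 5120
198.51.100.7 - - [20/Mar/2003:12:40:02 +0000] "GET /a HTTP/1.0" 200 900
192.0.2.10 - - [20/Mar/2003:12:40:02 +0000] "GET / HTTP/1.0" 200 5120
203.0.113.5 - - [20/Mar/2003:12:40:03 +0000] "GET /b HTTP/1.0" 200 700
198.51.100.7 - - [20/Mar/2003:12:40:03 +0000] "GET /a HTTP/1.0" 200 900
203.0.113.9 - - [20/Mar/2003:12:40:04 +0000] "GET /c HTTP/1.0" 200 300
192.0.2.10 - - [20/Mar/2003:12:40:04 +0000] "GET / HTTP/1.0" 200 5120
198.51.100.7 - - [20/Mar/2003:12:40:05 +0000] "GET /a HTTP/1.0" 200 900
203.0.113.9 - - [20/Mar/2003:12:40:06 +0000] "GET /c HTTP/1.0" 200 300
EOF
}

# Print every client address with at least $1 requests in the log on stdin.
top_talkers() {
    awk -v min="$1" '{ n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# Turn offender addresses on stdin into commands.
#   drop   : discard everything arriving from the host
#   deprio : fwmark replies to the host and send the mark to the lowest
#            band of a prio qdisc (tc shapes egress only)
emit_rules() {
    mode=$1
    if [ "$mode" = deprio ]; then
        echo "tc qdisc add dev $DEV root handle 1: prio"
        echo "tc filter add dev $DEV parent 1: protocol ip prio 1 handle $MARK fw flowid 1:3"
    fi
    while read -r ip; do
        [ -n "$ip" ] || continue
        case $mode in
            drop)   echo "iptables -A INPUT -s $ip -j DROP" ;;
            deprio) echo "iptables -t mangle -A POSTROUTING -o $DEV -d $ip -j MARK --set-mark $MARK" ;;
        esac
    done
}

sample_log | top_talkers 3 | emit_rules deprio
```

Review the printed commands, then pipe them to `sh` as root to apply them; this only helps when the uplink itself is not saturated, as the reply points out.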
* [LARTC] Need help please
From: Webadmin @ 2003-03-20 12:49 UTC
To: lartc
Hi All;
We've been getting some DDOS attack recently, due to this I was just wondering
if we use some network traffic control techniques in order to reduce the risk
of having the DDOS attack?? is this possible after all?? can we use the
traffic control techniques in order to reduce the DDOS attack???
--
Best Regards
WebAdmin, Salam2U.com
\\\ ||| ///
( @ @ )
--oOOo-(_)-oOOo----------
_\=/_
(o o)
--oOOo-(_)-oOOo------
______________________
Revolution does not require corporate support
That, as we enjoy great advantages from the inventions of others, we should be
glad of an opportunity to serve others by any invention of ours; and this we
should do freely and generously.
-- Benjamin Franklin
* Re: [LARTC] Need help please
From: Emmanuel Guiton @ 2003-03-20 13:04 UTC
To: lartc
Webadmin wrote:
>Hi All;
>We've been getting some DDOS attack recently, due to this I was just wondering
>if we use some network traffic control techniques in order to reduce the risk
>of having the DDOS attack?? is this possible after all?? can we use the
>traffic control techniques in order to reduce the DDOS attack???
>
>
>
Hi,
There is some work in progress on this subject. I'm currently working
on this kind of solution (I have to implement and test a new solution
proposed by my boss).
Some related work is already available, you can read the following for
further information: (Note that the traffic limitation part is not
really currently addressed).
CITRA/IDIP
D. Sterne, K. Djahandari, B. Wilson, B. Babson, D. Schnackenberg, H.
Holliday, and T. Reid. (2001, September 27). "Autonomic Response to
Distributed Denial of Service Attacks", in Proceedings of Recent
Advances in Intrusion Detection, 4th International Symposium, pp
134-139. Davis, California, USA. [Online]. Available:
http://link.springer.de/link/service/series/0558/bibs/2212/22120134.htm
D. Schnackenberg, H. Holliday, R. Smith, K. Djahandari, and D. Sterne.
(2001, June). "Cooperative Intrusion Traceback and Response Architecture
(CITRA)", in Proceedings of the Second DARPA Information Survivability
Conference and Exposition (DISCEX II). Anaheim, California, USA.
D. Schnackenberg, K. Djahandari, and D. Sterne. (2000, January).
"Infrastructure for Intrusion Detection and Response", in Proceedings
of the DARPA Information Survivability Conference and Exposition.
Hilton Head, South Carolina, USA.
ACC/Pushback
R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S.
Shenker. (2001, July 13). "Controlling High Bandwidth Aggregates in the
Network (Extended Version)". Draft paper pushback-Jul01.ps, work in
progress. AT&T Center for Internet Research at ICSI (ACIRI) and AT&T
Labs Research. [Online]. Available: http://www.icir.org/pushback.
S. Floyd, S. Bellovin, J. Ioannidis, K. Kompella, R. Mahajan, and V.
Paxson. (2001, July). "Pushback Messages for Controlling Aggregates in
the Network". Internet-Draft draft-floyd-pushback-messages-00.txt, work
in progress. [Online]. Available: http://www.icir.org/pushback,
http://www.icir.org/floyd/papers.html
Bye,
Emmanuel
* RE: [LARTC] Need help please
From: S Mohan @ 2003-03-21 5:14 UTC
To: lartc
You'll need to identify the sources/ protocols etc and rate limit them.
E.g. Ping of Death is avoided by either dropping icmp-echo-request or
rate limiting them to 5 per second. Need to use iptables for that.
Mohan
-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl]
On Behalf Of Webadmin
Sent: Thursday, March 20, 2003 6:20 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Need help please
Hi All;
We've been getting some DDOS attack recently, due to this I was just
wondering
if we use some network traffic control techniques in order to reduce the
risk
of having the DDOS attack?? is this possible after all?? can we use the
traffic control techniques in order to reduce the DDOS attack???