Mitigating HTTP DDoS attacks?

Howdy all,

So, I'm kind of new to this, so please bear with my ignorance. But
what is common practice these days for HTTP DDoS mitigation during an
attack? You can of course route every offending IP address to null0 at
your border. But if it's a botnet or trojan or something, it's coming
from numerous different source IPs, and null0 routes can get very
cumbersome, obviously. How do you folks usually deal with this?

Any input would be greatly appreciated.

Cheers,
Mike

There are devices available today from different vendors (including Cisco, full disclosure) which are intelligent DDoS "scrubbers" and which can deal with more sophisticated types of attacks at layer 7, including HTTP and DNS. S/RTBH is also an option, keeping in mind some of the caveats you mentioned (staying mindful of attacking hosts behind proxies, botted hosts of legit customers, et al.).

Citrix (Netscaler), F5 (BIG-IP), and as Roland mentioned, Cisco, all
offer varying levels of security for the content layer.

If you're running Apache, you may also investigate mod_evasive, and in
the case of exploits, mod_security.

Naturally, your ability to filter and contain the attack with software
is going to be limited by the host hardware, so it's best to take a
layered approach to mitigating the various attacks you face. It is also
important to be aware of your network architecture, lest you find
yourself with DDoS bits clogging the pipes just before your
(expensive) defenses. :-)

- Tim

mod_evasive and mod_security are definitely recommended, good point.

And a good relationship with your peers/upstreams/customers/vendors is also key, so that you can get assistance when you need it.

mike.lyon@gmail.com ("Mike Lyon") writes:

So, I'm kind of new to this, so please bear with my ignorance.

:-). On the internet, everybody's new to everything, since it's all
changing every day. If anybody grumps at you for your ignorance, or
says "I can't type that into an IOS prompt", then the fault is theirs.

But what is common practice these days for HTTP DDoS mitigation during
an attack? You can of course route every offending IP address to null0 at
your border. But if it's a botnet or trojan or something, it's coming
from numerous different source IPs, and null0 routes can get very
cumbersome, obviously. How do you folks usually deal with this?

I only use or recommend operating systems that have their own host-based
firewalls. Soon that will mean pf (from OpenBSD but available on FreeBSD),
but right now that means ipfw. ipfw has a "table" construct which uses a
data structure similar to the kernel's routing table. With a little bit
of tuning, and using X86_64 to get more kernel memory map space than I386,
I've listed every member of 60K-node botnets in a table whose only use is
"if a SYN comes from here, silently drop it with no ICMP response". With
more tuning work, a 200K-node botnet would pose no problem. We populate
these tables with a Perl script that watches the Apache server's logfiles.

Paul Vixie wrote:

I only use or recommend operating systems that have their own host-based
firewalls. Soon that will mean pf (from OpenBSD but available on FreeBSD)

pf's tables are nifty too, btw. :-)

pfsense, which is FreeBSD + pf, also has a port of snort IDS available. Provided the OP has a signature of the attack he can match on, there's a wholly open-source solution (I know snort can be configured inline to drop packets on a filtering bridge, but of course you've got the problems of half-open connections accumulating as well as the potential for migration to https).
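Paul's post above describes a Perl script that watches the Apache logs and feeds offending sources into an ipfw table, and the reply notes that pf tables serve the same purpose. The following is an added example, not code from the thread or from any of the posters: a Python sketch of that log-watcher, written to emit either `ipfw table <name> add <ip>` (FreeBSD 10+ named-table syntax) or `pfctl -t <name> -T add <ip>`. The table name `badguys`, the 50-requests-per-10-seconds threshold, the sample log lines, and the `never_block` allow-list are all assumptions of the example. The allow-list is there for the caveat Roland raised: a hot NAT gateway or shared proxy that also carries legitimate users should be counted but never dropped. The firewall rule that consumes the table is assumed to exist separately, e.g. `ipfw add 100 deny tcp from 'table(badguys)' to me dst-port 80 setup` (drops SYNs silently, no ICMP) or, in pf.conf, `table <badguys> persist` with `block in quick proto tcp from <badguys> to any port 80 flags S/SA`.

```python
"""Watch Apache access-log lines, find clients hammering the server, and
produce firewall table commands (ipfw or pf).  Added example, not the
thread's own script.  Thresholds, table name and sample log are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined format begins: client ident user [time] "request" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for one log line, or None.
    The client field is validated as an IP address so nothing else from the
    attacker-influenced log line can ever reach a firewall command line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return str(ip), ts, m.group("req")


class RequestRateTracker:
    """Sliding-window request counter per client IP.

    An IP that makes `threshold` requests inside `window_seconds` is reported
    once and remembered in `blocked`.  Addresses in `never_block` (shared
    proxies, monitoring hosts, your own NAT gateway) are never reported."""

    def __init__(self, window_seconds=10, threshold=50, never_block=()):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.never_block = {str(ipaddress.ip_address(a)) for a in never_block}
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the IP if it just crossed the threshold."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ip, ts, _ = parsed
        if ip in self.blocked or ip in self.never_block:
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            del self.hits[ip]                  # stop tracking, it's in the table now
            return ip
        return None


def block_argv(ip, backend="ipfw", table="badguys"):
    """argv list (no shell involved) that adds `ip` to the firewall table."""
    ip = str(ipaddress.ip_address(ip))  # re-validate right before it is used
    if backend == "ipfw":
        return ["ipfw", "table", table, "add", ip]          # FreeBSD 10+ named table
    if backend == "pf":
        return ["pfctl", "-t", table, "-T", "add", ip]      # pf table, persist in pf.conf
    raise ValueError(f"unknown backend {backend!r}")


def constructed_log(n_flood=60, n_normal=3):
    """Constructed sample (not real traffic): one client floods '/', one browses."""
    t0 = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(n_flood):   # 60 requests in six seconds
        ts = (t0 + timedelta(milliseconds=100 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET / HTTP/1.0" 200 1234')
    for i in range(n_normal):  # one request every five seconds
        ts = (t0 + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 5678')
    return lines


def scan(lines, **kw):
    """Run the tracker over `lines`; return the IPs to block, in detection order."""
    tracker = RequestRateTracker(**kw)
    return [ip for ip in (tracker.feed(line) for line in lines) if ip]


if __name__ == "__main__":
    for ip in scan(constructed_log(), never_block=["192.0.2.1"]):
        print(" ".join(block_argv(ip, backend="ipfw")))
        # On the firewall host: subprocess.run(block_argv(ip), check=True)
```

In production the lines would come from `tail -F` on the access log rather than a constructed list, and the `subprocess.run` call would actually execute `block_argv`. Two deliberate choices: the client address is parsed with `ipaddress` and the command is built as an argv list, so a crafted request line in the log can never become shell input; and once an IP is in the table it is forgotten by the tracker, since the kernel table, not the script, is now the thing that has to scale to 60K or 200K entries, as the post says.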

Even on an untuned fbsd i386, I had success with an ipfw table with well over
1e6 entries. What finally broke was doing a table list, possibly because the
command prints in sorted order. No performance problems were observed at my
limited volume of perhaps 30000 hits per day.

There are also companies with whom you can contract for this service. It's
my understanding that if you have a problem they will help you mitigate it.
I'm not sure if they require some specific DDoS gear or if they are able to
take advantage of their customer's gear to address the issue. In any case,
it's reactive.

Frank

Several SPs (quite a few, actually) are offering DDoS mitigation services based upon a variety of tools and techniques, and with various pricing models. Some provide the service for their own transit/hosting/colo customers, and some provide it as an OTT/overlay service.

There are a few companies that specialize in "DDoS protection type
services". One company that comes to mind is Prolexic and their IPN
infrastructure protection service. Prolexic basically absorbs all
attacks, filters out the bad data, and then delivers clean traffic back to
your network. It's completely transparent to your clients. It's not
cheap, but I've worked with a few internet-based trading companies who
used this service to mitigate DDoS attacks on their network
infrastructure.

I only use or recommend operating systems that have their own host-based
firewalls.

That was exactly my problem.

Barney Wolff wrote:

What finally broke was doing a table list, possibly because the
command prints in sorted order.

Happened to me too.

First step: Borrowed "sort.c" from Minix.

Next step: Large swap file.

Finally: changed the distribution.

sort is one of the biggest hidden problems. There are broken sorts around;
I guess some of the problems are character-set specific. There is no
more EBCDIC, but UTF-8 and UTF-16 are even worse.

Related to sort, you may have more than enough memory or swap, but your
process won't get it.

You can avoid sorting by looking into the "/proc" files.

proc2pl might get you ideas, from the ISAON tools on

http://iason.site.voila.fr/

You might even sort or grep the output and you can always do that
on a machine that is not your router.

Kind regards
Peter

Hi Mike,

Depending upon the type of DDOS, there are five things you should do in order:

1. immediate response: set your host-based security to mitigate the attack. E.g. mod_security for the Apache web server, IPTables for the host firewall. This will keep the hard drives from filling up, the CPU from smoking, etc.
2. second response: gateway router or border firewall. Filter that stuff out if you can. This will keep your internal network clean so it won't affect your other systems. One quickie *temporary* fix would be to block whole networks of DSL/cable modems. There are lists out there specifically for this; always-on broadband home PCs are often the compromised sources of attacks.
3. third response: contact your upstream providers and ask them to take action. They can apply filters, and apply pressure to their colos.
4. make sure you have done your part: secure your network so it cannot be used for DoS attacks by applying egress filtering etc. ( http://www.sans.org/dosstep/ ); secure your hosts against future DoS attacks using things like mod_security and mod_evasive for Apache, tcplimit for IPTables, etc.

One caveat: bandwidth flooding effects can be mitigated, but you can't really do anything about it other than contacting your upstream provider. Until your provider does something, the bottleneck here is your uplink.

--Patrick Darden

Prolexic was indicted about 1.5 years ago for aiding gambling sites:

http://www.infoworld.com/article/06/11/15/HNnyillegalonlinegambling_1.html
http://www.firstamendment.com/media/NYQCIndictment.pdf

Does anyone know if the indictment has been dropped? (It should be.)
A quick poke around their site didn't show any news items saying that.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

proc2pl might get you ideas, from the ISAON tools on

You know, for the last year or two I’ve heard you go on and on about IASON. A few months ago I actually did download it and the only thing I can find in it is an assortment of scripts to manage DNS zone files. I don’t see anything in there about auto detecting the network, automatically blocking DDoS or any of the other artificial intelligence you purport it has.

Peter and Karin Dambier

I’m not sure how to interpret this. Are Peter & Karin the same person? You be the judge.

http://wiki.piratenpartei.de/images/3/39/KarinPeter.jpg

Cesidian Root - Radice Cesidiana

Google searches on Cesidian Root reveal a rather scruffy man running this alternative root out of Long Island, fighting for secession from the United States. I’m sure Most Rev. Dr. Cesidio Tallini, BS, PhD hc, CPC, RH-INHA, APP, AMBCS, MMPR, OEMTDV will get there, one day.

http://www.cesidianroot.com/

You might want to have the reverend doctor contact customer care, as the website suggests. It seems the website is down.