
How would I fight a DoS or DDoS attack?

Van Diekon
Solved by Van Diekon
10 minutes ago, schizznick said:

Blocking or mitigating a DOS or DDOS attack is very difficult from a consumer grade internet connection. You need to be able to re-route packets destined for your connection prior to them heading to your connection. Even if you blocked the IPs on your server, you would still have the traffic hitting your internet connection and still causing the issue. As was suggested, either host your server elsewhere where it can have DDOS protection or use a VPN service to hide your IP.

 

Good Luck.

Maybe I will just do that for this one service that I require.

 

I still need my server for a variety of other things.

 

Thank you for the comments everyone!

Just now, Mornincupofhate said:

I also took a look at OVH's cisco ddos protection and routing hardware, and believe it or not, the devices just had 2x4 core xeons in them. No asics, and nothing else special about them.

Yeah, the Cisco appliances literally are just servers.

http://www.cisco.com/c/en/us/products/collateral/security/guard-xt-5650a/product_data_sheet0900aecd800fa55e.html


3 hours ago, Mornincupofhate said:

I've been doing some research on it, and you can do a kernel bypass with netmap, and you can optimize the linux operating system on a 16 core processor to handle about 6mpps, according to the blog I read. It's also from cloudflare, so I trust them. https://blog.cloudflare.com/single-rx-queue-kernel-bypass-with-netmap/

I've yet to build one of these, but just using it to rate limit and drop invalid packets on a big enough pipe could be pretty efficient.

OK so under $10k for the hardware, hardware is cheap. Software is the expensive part. I still stand by my statement that you can't mitigate anything serious for under $10k. I would gladly write a check for a cheap mitigation device if I'm wrong though.

-KuJoe


11 hours ago, KuJoe said:

OK so under $10k for the hardware, hardware is cheap. Software is the expensive part. I still stand by my statement that you can't mitigate anything serious for under $10k. I would gladly write a check for a cheap mitigation device if I'm wrong though.

 

This guy is correct. If it was as cheap and easy as the rest of you are saying, why do companies invest millions into hardware? In regards to the original post, you really have no way of protecting yourself. You can only mitigate up to your line capacity which will be nothing as it is a home connection, most floods these days are a standard of 20Gbit+. Your best and only options are either getting a server from OVH or somewhere like that or use a DDoS Protected VPN to route your connection through, however this isn't the best idea for a game server (extra latency).

 


The issue is not the hardware. Stopping the packets at the edge of your network still means the packets were encoded on the line and sent down the internet pipe. All the DOS or DDOS has to do is fill your connection with enough packets to "Deny your service". Who cares how you handle it on your end, the packets are already on the wire. Most DDOS or DOS attack mitigation is done using routing and an appliance. ISPs and others can do this because they have much more bandwidth to work with. Even if you could build a server/appliance to handle the packet load, you still have to have the infrastructure on the network side to deal with it.


1 hour ago, schizznick said:

The issue is not the hardware. Stopping the packets at the edge of your network still means the packets were encoded on the line and sent down the internet pipe. All the DOS or DDOS has to do is fill your connection with enough packets to "Deny your service". Who cares how you handle it on your end, the packets are already on the wire. Most DDOS or DOS attack mitigation is done using routing and an appliance. ISPs and others can do this because they have much more bandwidth to work with. Even if you could build a server/appliance to handle the packet load, you still have to have the infrastructure on the network side to deal with it.

Ding ding ding!! Basically what I explained in my previous post, you need to have the capacity to mitigate with!


9 hours ago, gigabear said:

 

This guy is correct. If it was as cheap and easy as the rest of you are saying, why do companies invest millions into hardware? In regards to the original post, you really have no way of protecting yourself. You can only mitigate up to your line capacity which will be nothing as it is a home connection, most floods these days are a standard of 20Gbit+. Your best and only options are either getting a server from OVH or somewhere like that or use a DDoS Protected VPN to route your connection though, however this isn't the best idea for a game server (extra latency).

 

lol again, read the entire post not just the first sentence. We're talking about high pps floods. Not volumetric floods.


20 hours ago, KuJoe said:

OK so under $10k for the hardware, hardware is cheap. Software is the expensive part. I still stand by my statement that you can't mitigate anything serious for under $10k. I would gladly write a check for a cheap mitigation device if I'm wrong though.

If the box can handle the high packet rate, I don't see why rate limiting and dropping invalid packets with iptables wouldn't stop a ddos attack? Do you really need thousand dollar "ddos mitigation software"?


41 minutes ago, Mornincupofhate said:

If the box can handle the high packet rate, I don't see why rate limiting and dropping invalid packets with iptables wouldn't stop a ddos attack? Do you really need thousand dollar "ddos mitigation software"?

Yes, very much yes.

-KuJoe


2 hours ago, Mornincupofhate said:

Why

Because "invalid packets" are just a small fraction of the attacks I see on a daily basis. I wish 6Mpps was considered a large attack but it's not unfortunately.

-KuJoe


6 hours ago, KuJoe said:

Because "invalid packets" are just a small fraction of the attacks I see on a daily basis. I wish 6Mpps was considered a large attack but it's not unfortunately.

I also said rate limiting. You could also do country blocks to deflate it. I still don't believe you need thousand dollar software to stop one.


4 hours ago, Mornincupofhate said:

I also said rate limiting. You could also do country blocks to deflate it. I still don't believe you need thousand dollar software to stop one.

 

If you don't have enough bandwidth or alternate routes no matter how much processing power you have it's a moot point. Once the packet is encoded on the wire it's taking up bandwidth, once it's decoded on the end and processed it's already too late. DDOS mitigation is expensive because you need High Capacity routers and large amounts of bandwidth to deal with it. Cost is not exclusive to the Mitigation device because it's just an endpoint that processes the data after it's been routed away from the targeted service.


3 hours ago, schizznick said:

If you don't have enough bandwidth or alternate routes no matter how much processing power you have it's a moot point. Once the packet is encoded on the wire it's taking up bandwidth, once it's decoded on the end and processed it's already too late. DDOS mitigation is expensive because you need High Capacity routers and large amounts of bandwidth to deal with it. Cost is not exclusive to the Mitigation device because it's just an endpoint that processes the data after it's been routed away from the targeted service.

Again, read what we're saying. We're strictly talking about processing power and handling and filtering out packets.


1 hour ago, Mornincupofhate said:

Again, read what we're saying. We're strictly talking about processing power and handling and filtering out packets.

The problem is when talking about such large packet volumes that bandwidth is also extremely high, they go hand in hand. You can do a bandwidth flood using large packets or do a double hit and send a huge attack using small packets taking up both bandwidth and processing power.

 

The minimum size a UDP packet can be with 0 payload is 52 bytes, at 6Mpps that is 298Mbps. Even a small increase in payload size will mean more bandwidth. If it was a DNS reflector attack the maximum safe size is 576 bytes so at 6Mpps that is 3296Mbps. You would have to have an internet pipe larger than 3.3Gbps to even consider processing and filtering that attack regardless of how much filter processing power you have, that is also ignoring the amount of bandwidth required to service legitimate traffic.

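To put numbers on the packet-rate versus bandwidth relationship leadeater describes above, here is a small Python helper. It is added here and is not code from the thread; it converts a packet rate and a layer-3 packet size into wire bandwidth, counting Ethernet framing and the 64-byte minimum frame (my assumptions: IPv4 over untagged Ethernet), and reports bytes per second separately from bits per second because the two are easy to mix up in this kind of sizing. It also works the other way, giving the packet rate that saturates a link of a given speed.

```python
# Added example: convert packet rate <-> link bandwidth for flood sizing.
# Assumptions (mine, not the thread's): IPv4 over untagged Ethernet.
ETH_HDR = 14           # dst MAC + src MAC + EtherType
ETH_FCS = 4            # frame check sequence
ETH_MIN_FRAME = 64     # minimum frame incl. header and FCS; shorter frames are padded
ETH_OVERHEAD = 8 + 12  # preamble/SFD + inter-frame gap: on the wire, not in the frame

def frame_bytes_on_wire(l3_bytes: int) -> int:
    """Bytes one layer-3 packet occupies on an Ethernet link."""
    frame = max(ETH_MIN_FRAME, ETH_HDR + l3_bytes + ETH_FCS)
    return frame + ETH_OVERHEAD

def wire_rate(pps: float, l3_bytes: int) -> dict:
    """Bandwidth consumed by a flood of `pps` packets of `l3_bytes` each."""
    byte_rate = pps * frame_bytes_on_wire(l3_bytes)
    return {
        "frame_bytes": frame_bytes_on_wire(l3_bytes),
        "MB_per_s": byte_rate / 1e6,        # bytes, the figure people often mislabel
        "Mbit_per_s": byte_rate * 8 / 1e6,  # bits, what the link is rated in
        "Gbit_per_s": byte_rate * 8 / 1e9,
    }

def max_pps(link_bits_per_s: float, l3_bytes: int) -> float:
    """Packet rate that saturates a link with packets of `l3_bytes` each."""
    return link_bits_per_s / (8 * frame_bytes_on_wire(l3_bytes))

if __name__ == "__main__":
    # 28 = bare IPv4+UDP headers; 52 and 576 are the sizes quoted in the thread
    for l3 in (28, 52, 576, 1500):
        r = wire_rate(6e6, l3)
        print(f"6 Mpps x {l3:4d} B L3 -> {r['Gbit_per_s']:6.2f} Gbit/s "
              f"({r['MB_per_s']:.0f} MB/s on the wire)")
    print(f"10GbE saturates at {max_pps(10e9, 28):,.0f} pps of minimum-size frames")
```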

23 hours ago, Mornincupofhate said:

I also said rate limiting. You could also do country blocks to deflate it. I still don't believe you need thousand dollar software to stop one.

My clients would kill me if I blocked countries or even whole subnets. Also rate limiting might stop some of the bad traffic on layer 3 but when the traffic looks legit and coming from a botnet of over 100k machines/devices it would definitely impact my client's services if I started to rate limit legitimate traffic. Sure, what you're saying might work for a home user who is getting hit with a standard DDoS attack vector, but a $10k server running iptables won't compare to a $50k+ appliance. We're also completely ignoring layer 7 attacks in this discussion.

-KuJoe

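KuJoe's objection above, that traffic from a botnet of over 100k machines looks legitimate and that rate limiting it hits real clients, can be measured. The following Python simulation is added here and is not code from the thread: it models the token bucket behind iptables hashlimit and nft's limit, runs it over a constructed trace of 50 real clients plus 100,000 bots that each send a single packet, and reports how much legitimate versus flood traffic a per-source limit and a single global limit each let through. Client and bot names, rates and bucket sizes are my assumptions.

```python
# Added example (not from the thread): measure what two firewall rate-limiting
# strategies do to legitimate traffic versus a flood from many slow sources.
# All traffic below is constructed in code, not captured from a network.
import random
from collections import defaultdict

class TokenBucket:
    """Keyed token bucket: the model behind iptables hashlimit and nft's limit."""
    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.tokens = defaultdict(lambda: float(burst))  # every key starts full
        self.last = defaultdict(float)                   # last refill time per key

    def allow(self, key: str, now: float) -> bool:
        t = min(self.burst, self.tokens[key] + (now - self.last[key]) * self.rate)
        self.last[key] = now
        self.tokens[key] = t - 1 if t >= 1 else t
        return t >= 1

def make_trace(seconds=5, clients=50, client_pps=20, bots=100_000, bot_pkts=1, seed=1):
    """Constructed trace of (time, source, kind): a few real clients talking at a
    normal rate, plus a botnet where every bot sends only `bot_pkts` packets."""
    rng = random.Random(seed)
    pkts = [(rng.uniform(0, seconds), f"client-{c}", "legit")
            for c in range(clients) for _ in range(client_pps * seconds)]
    pkts += [(rng.uniform(0, seconds), f"bot-{b}", "flood")
             for b in range(bots) for _ in range(bot_pkts)]
    return sorted(pkts)

def pass_rates(trace, limiter: TokenBucket, key_fn) -> dict:
    """Fraction of legit and flood packets the limiter lets through."""
    seen = {"legit": 0, "flood": 0}
    passed = {"legit": 0, "flood": 0}
    for now, src, kind in trace:
        seen[kind] += 1
        if limiter.allow(key_fn(src), now):
            passed[kind] += 1
    return {k: passed[k] / seen[k] for k in seen}

def compare(trace=None) -> dict:
    """Per-source limit (like hashlimit keyed on source IP) vs one global limit."""
    trace = trace or make_trace()
    # Per-source: generous for one client, but every bot gets its own full bucket.
    per_source = pass_rates(trace, TokenBucket(rate_pps=50, burst=50), lambda s: s)
    # Global limit sized for the ~1000 pps the real clients normally produce:
    # it cannot tell the kinds apart, so it drops both in the same proportion.
    overall = pass_rates(trace, TokenBucket(rate_pps=1500, burst=1500), lambda s: "all")
    return {"per_source": per_source, "global": overall}

if __name__ == "__main__":
    for name, rates in compare().items():
        print(f"{name:10s} legit pass {rates['legit']:.1%}  flood pass {rates['flood']:.1%}")
```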

16 minutes ago, leadeater said:

The problem is when talking about such large packet volumes that bandwidth is also extremely high, they go hand in hand. You can do a bandwidth flood using large packets or do a double hit and send a huge attack using small packets taking up both bandwidth and processing power.

 

The minimum size a UDP packet can be with 0 payload is 52 bytes, at 6Mpps that is 298Mbps. Even a small increase in payload size will mean more bandwidth. If it was a DNS reflector attack the maximum safe size is 576 bytes so at 6Mpps that is 3296Mbps. You would have to have an internet pipe larger than 3.3Gbps to even consider processing and filtering that attack regardless of how much filter processing power you have, that is also ignoring the amount of bandwidth required to service legitimate traffic.

What I was saying was, we're just focusing on high packet attacks right now, not pipe sizes. The obvious fix to that would be just to get more bandwidth.


Just now, Mornincupofhate said:

What I was saying was, we're just focusing on high packet attacks right now, not pipe sizes. The obvious fix to that would be just to get more bandwidth.

Yes but high packet attacks still generate very large bandwidth, that is basically why the only counter at the moment to DDoS attacks is having a bigger pipe than the attack has. There is no way to brush off or ignore bandwidth if the amount of packet flood is enough to cause degradation of service. The only time where this would not be the case is if the traffic is hitting a low resource server, but in this instance it would be very hard for a DDoS mitigation service to even pick it up since it would be so far below any warning thresholds.

 

  1. Have more bandwidth than an attack has
  2. Re-route traffic and do some basic splitting/load balancing
  3. Basic filtering of packets (This is pretty much what you're talking about) then split/load balance
  4. More in-depth inspection and processing, IDS/IPS (Either part of the service or customer on-prem equipment, or both)
  5. Remaining traffic passed to actual service

You can't make it to step 3 without 1 and 2.

 

The smarter the tool is the less traffic it can filter, it's one of those trade off situations. You can't have your cake and eat it too. Also the smarter the tool the more it costs, the more it can process the more it costs.


47 minutes ago, leadeater said:

Yes but high packet attacks still generate very large bandwidth, that is basically why the only counter at the moment to DDoS attacks is having a bigger pipe than the attack has. There is no way to brush off or ignore bandwidth if the amount of packet flood is enough to cause degradation of service. The only time where this would not be the case is if the traffic is hitting a low resource server, but in this instance it would be very hard for a DDoS mitigation service to even pick it up since it would be so far below any warning thresholds.

 

  1. Have more bandwidth than an attack has
  2. Re-route traffic and do some basic splitting/load balancing
  3. Basic filtering of packets (This is pretty much what you're talking about) then split/load balance
  4. More in-depth inspection and processing, IDS/IPS (Either part of the service or customer on-prem equipment, or both)
  5. Remaining traffic passed to actual service

You can't make it to step 3 without 1 and 2.

 

The smarter the tool is the less traffic it can filter, it's one of those trade off situations. You can't have your cake and eat it too. Also the smarter the tool the more it costs, the more it can process the more it costs.

A standard IPS could be used to filter out moderate attack traffic? Interesting.


21 minutes ago, Mornincupofhate said:

A standard IPS could be used to filter out moderate attack traffic? Interesting.

Depends on the attack, sometimes you can't tell it's an attack without knowing the behavior of the traffic and more in-depth protocol information. I was more meaning IDS/IPS in addition to, rather than it being that.


It's safe to say this topic has gone way off course and the question has been answered already. The OP is not able to afford multiple 10Gbps uplinks to tank an attack so the only way to manage any real DDoS attack is to mitigate off-site and route the legitimate traffic back to him via a VPN/tunnel or to host the Minecraft server elsewhere.

 

As for a general server mitigating DDoS attacks with iptables and other handmade scripts, it can work for some attacks but the number of attacks that it won't handle make it far inferior to a dedicated appliance with special software. But something is better than nothing, although I can host a few servers in a DDoS protected data center for cheap these days and get a few hundred Gbps of protection along with it.

 

@Mornincupofhate as you do more research into this please open a new thread and tag me and @leadeater on it as we both are pretty interested in this (at least I believe @leadeater is based on his replies). If I can offer basic layer 3 protection in my data centers that don't offer any protection for just a few thousand dollars I would be really happy. :)

-KuJoe


Two very simple methods to fight this kind of attack.

 

1. You're dead

Disconnect from the network, disable the networking adaptor, restart the computer, enable the networking adaptor, connect, change your wireless channel and then change your external IP.

 

2. Flip Flop

Set up a network loop by simply connecting an ethernet cable to port one and two of your wireless router. Set port two as outbound.

This method effectively makes the attacker dos / ddos themselves.

 

If you are on a wired network it is a bit more complicated.

 

1. Please hold

Ring your ISP, explain the situation and request a new external IP.

 

2. Set up a second computer (make sure it is fast and has a lot of RAM) and a modem. Send a port flooder through the modem to the attacker's IP if you have their IP.

 

Other options are much more complicated.

 

You could create a virtual packet trap, this is a custom bit of code that blocks, stores and sends all incoming packets through a network adaptor.

This is illegal, and you will not find software to do this, most hackers will write the application themselves.

The benefit of this method is it is exactly the same as creating a network loop, except the incoming data does not reach either the RAM or processor, because the code is programmed to an EEPROM on the network card.

 

Another option is to re-direct your incoming data through a VPN. Most VPN services provide DOS/DDOS protection.

But not all.

 

By far the most time consuming option to fix this (but not the most complicated) is to set up a Beowulf cluster and a network adaptor interface bus. This would provide more ports than a typical DOS/DDOS attack could handle.

However this is also very expensive.

 

The most shocking solution to this is to connect to the internet via a power line, then trace and DOS/DDOS the attacker through the power line network adaptor.

 
