Re: Reduce effects of DDoS attack ...

From: Matthew Seaman (m.seaman_at_infracaninophile.co.uk)
Date: 10/07/04

    Date: Thu, 7 Oct 2004 16:37:35 +0100
    To: "Marc G. Fournier" <scrappy@hub.org>

    On Thu, Oct 07, 2004 at 12:19:28PM -0300, Marc G. Fournier wrote:
    >
    > I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last
    > night, a DDoS attack against a network "beside us" caused 70+% packet loss
    > on our network, and I'm trying to figure out if there is anything I can do
    > from my side to "compensate" for this ...
    >
    > I run ipaudit on all our servers, and a normal 30 minute period looks
    > like:
    >
    > neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
    > 12107
    > neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
    > 112
    > neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
    > 12219
    >
    > where 200.046.204 is our C-class ...
    >
    > Now, when the DDoS attack is running, those stats change to:
    >
    > neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
    > 5815
    > neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
    > 594189
    > neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
    > 600004
    >
    > We're getting *a lot* of traffic on our network that just is not ours ...

    Seems that when the Cisco box upstream gets overloaded it starts
    sending packets everywhere, instead of just to the networks they're
    intended for.

    You could put in a filtering bridge upstream of your unmanaged switch,
    which would let you strip out everything not intended for your
    assigned subnet. However, as your FreeBSD servers seem to be handling
    the load just fine, that probably won't do you much good.

    If the switch upstream of you is completely overloaded, there's not a
    lot you can do, other than get your network moved over to some less
    loaded equipment.

            Cheers,

            Matthew

    -- 
    Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                          Savill Way
    PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
    Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
    
    
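The "ours vs. not ours" check Marc does by hand with grep and wc above, written out as a small parser so the foreign share can be computed and the misrouted neighbour network named. This is an added example, not code from the thread; the "src dst proto sport dport packets" column layout of the sample is a simplified assumption, not ipaudit's real record format, and the constructed sample lines stand in for a real capture.

```python
import ipaddress
from collections import Counter

# Constructed sample in a simplified "src dst proto sport dport packets" layout
# (an assumption, not ipaudit's real column set). ipaudit zero-pads octets,
# which is why the post greps for "200.046.204"; ipaddress rejects that form,
# so each octet is normalised before parsing.
SAMPLE_LOG = """\
200.046.204.010 066.035.250.150 6 80 40123 12
066.035.250.150 200.046.204.010 6 40123 80 9
001.002.003.004 200.046.205.077 17 53 1024 3
005.006.007.008 200.046.205.077 6 80 5555 40
009.010.011.012 200.046.205.078 6 80 5556 40
013.014.015.016 200.046.206.001 1 0 0 7
"""

OUR_NET = ipaddress.ip_network("200.46.204.0/24")  # the poster's "C-class"

def parse_addr(text):
    """Turn a zero-padded ipaudit-style address into an IPv4Address."""
    return ipaddress.ip_address(".".join(str(int(o)) for o in text.split(".")))

def classify(log, ournet=OUR_NET):
    """Return (ours, foreign, foreign_by_dst_net): flows touching ournet,
    flows that do not, and the foreign flows keyed by destination /24 so the
    network the upstream is spraying at us can be identified."""
    ours = foreign = 0
    by_dst = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst = (parse_addr(f) for f in line.split()[:2])
        if src in ournet or dst in ournet:
            ours += 1
        else:
            foreign += 1
            by_dst[str(ipaddress.ip_network(f"{dst}/24", strict=False))] += 1
    return ours, foreign, by_dst

def foreign_share(log, ournet=OUR_NET):
    """Fraction of flows in the capture that are not ours (0.0 to 1.0)."""
    ours, foreign, _ = classify(log, ournet)
    total = ours + foreign
    return foreign / total if total else 0.0

def misdirected(log, threshold=0.5, ournet=OUR_NET):
    """True when more foreign than local flows reach us, as in the 17:30
    sample above (594189 of 600004 flows not ours)."""
    return foreign_share(log, ournet) > threshold

if __name__ == "__main__":
    ours, foreign, by_dst = classify(SAMPLE_LOG)
    print(f"ours={ours} foreign={foreign} share={foreign_share(SAMPLE_LOG):.2f}")
    for net, n in by_dst.most_common(3):
        print(f"  {net}: {n} flows")
```

Feeding it `gzcat 2004-10-06-17:30.txt.gz` output (with the column layout adjusted to the real file) gives the same ratio as the grep pipeline plus the destination networks the stray traffic was meant for.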