Bing Explains Search and Mobile...
It is no secret that Microsoft is definitely serious about its role in search. Bing is continually launching new products and features and WebProNews recently...

Network Intrusion Detection And Prevention...
A network that's not secure is perhaps worse than no network at all; it's a bad idea to provide hackers and malware with an easy way to jump from one site or computer to the next. And so network...

Benefits of Practical IT Network Training
IT network training courses are a new addition to build a business' diverse working knowledge in their field. Some of the major factors in providing these courses include improving efficiency, increasing employee...

IBM Buys Intelliden To Improve Network Automation
IBM has announced it has acquired network automation software firm Intelliden and will integrate the company's technology into its Tivoli Software. Financial terms of the purchase were not released. Intelliden provides...

Cisco Starts 2010 With Strong Numbers and Job Creation
Late last week provided a glimpse of where many network experts hope Cisco will be throughout 2010: in the black. While most companies were floundering at a sharp...

WaveMaker Brings New Ease To Open Source...
A few days ago WaveMaker announced profitability, showing an increase in sales of over 53% in the...

SonicWALL Releases Improved Network...
There might be a few ways in which networks that aren't secure can prove useful - perhaps companies could go all secret agent-y and try to feed their competitors...


How To Combat A DDoS Attack On Your Network

By Dave Taylor

If you're reading this, odds are you are under attack. Your Web server is being crushed under the extraordinary load of thousands or even millions of bogus requests. How do you deal with it?

Before we jump into that, a quick definition, courtesy of Wikipedia:

A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods, though most commonly it's due to malware or trojan attacks, either pre-scheduled or triggered by an external event.

There are a number of ways to deal with a DDoS attack, but to find out best practices, I checked with a top sysadmin, who offered this advice based on a recent experience he had with a client site:

As you may know, one of our ecommerce customers suffered a devastating DDoS attack which started early Friday morning and lasted until we finally contracted with a DDoS mitigation service late Saturday night. The service was implemented by pointing the "A" record for the domain to their server. The cost of the service was $350 per month plus $150 setup.

The effects of the attack stopped instantly once DNS resolved to their IP.

There are several of these companies around. All seem to have about the same price structure for the same services. I didn't do much research but chose the first one to respond on a Saturday. All likely had support available on the weekend, but sales staff apparently get time off.

Gathering the information on the attack has been somewhat difficult since during the attack our server was virtually shut down. In fact, the only way we were able to get access to a shell was to change the DNS to point to a different server, then establish an ssh login and run "top" or something similar to keep it open when we switched it back.

It is interesting to note that the attack followed DNS according to the TTL set. We had had it down to 10 seconds as we were in the process of moving the account from one server to another when the attack occurred. The attack followed the DNS within 10 seconds or less. There was very little residual attack activity after the DNS switched and that stopped within a minute or two.

So here is what we think we encountered based on information from the colo support's anecdotal observations and information from the mitigation service after we blocked the attack. It is interesting to note that the mitigation service does not log activity so the information they provided is from spot observations rather than reliable metrics.

1. Incoming IPs were estimated at reaching as much as 100/sec. Each IP attempted to open between 5 and 25 connections.

2. IPs were from all around the net but a sufficient number were from the US so that trying to isolate by country was useless (the customer was not regional but does business across the US).

3. At any one time the number of unique IPs was between three and four hundred. Since the software on the mitigation servers expires the IPs it blocks after 15 minutes and we did not see many instances of the same IPs recurring, the IP pool must have been in the thousands.
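The three observations above (new source IPs per second, connection attempts per source, distinct sources at any moment) are the figures a defender wants out of their own logs while an attack is running, rather than from a vendor's spot checks. The script below is an added example, not code from the article or from the sysadmin quoted; it assumes a simple constructed connection log ("timestamp source-IP", one line per accepted connection) and a made-up threshold of five connections per source per second, and computes those same per-second statistics from it.

```python
"""Added example (not from the article): per-second connection statistics
of the kind the sysadmin quoted above reports, computed from a constructed
connection log so the numbers can be checked offline."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one line per accepted TCP connection, in the form
# "<ISO-8601 timestamp> <source IP>". Addresses come from the RFC 5737
# documentation ranges; 203.0.113.5 plays an ordinary visitor.
_CONSTRUCTED = [
    # (seconds after start, source IP, connections opened in that second)
    (0, "203.0.113.5", 1),
    (0, "198.51.100.10", 6),
    (0, "198.51.100.11", 5),
    (1, "203.0.113.5", 1),
    (1, "192.0.2.20", 7),
    (1, "192.0.2.21", 5),
    (2, "192.0.2.22", 5),
    (2, "198.51.100.10", 1),
]
SAMPLE_LOG = "\n".join(
    f"2010-02-12T03:00:{sec:02d} {ip}"
    for sec, ip, n in _CONSTRUCTED
    for _ in range(n)
)


def parse_log(text):
    """Return a list of (timestamp, source_ip) tuples from the log text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, ip = line.split()
        records.append((datetime.fromisoformat(stamp), ip))
    return records


def _by_second(records):
    """Group records into {second: Counter(source_ip -> connections)}."""
    buckets = defaultdict(Counter)
    for stamp, ip in records:
        buckets[stamp.replace(microsecond=0)][ip] += 1
    return dict(sorted(buckets.items()))


def per_second_stats(records):
    """For each second return (second, total connections, distinct sources,
    sources never seen before that second). The last figure is the
    'incoming IPs per second' rate the sysadmin estimated at ~100/sec."""
    seen = set()
    out = []
    for second, counter in _by_second(records).items():
        new = [ip for ip in counter if ip not in seen]
        seen.update(counter)
        out.append((second, sum(counter.values()), len(counter), len(new)))
    return out


def suspect_sources(records, min_conns_per_second=5):
    """Sources that opened at least min_conns_per_second connections within
    a single second. The threshold is an assumption for this example; the
    quoted attack showed 5 to 25 attempts per source."""
    flagged = set()
    for counter in _by_second(records).values():
        flagged.update(ip for ip, n in counter.items() if n >= min_conns_per_second)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for second, total, distinct, new in per_second_stats(recs):
        print(f"{second.time()} conns={total:3d} sources={distinct:2d} new={new:2d}")
    print("suspect sources:", sorted(suspect_sources(recs)))
```

On the constructed data the ordinary visitor (one connection per second) is never flagged, while every source that bursts five or more connections in one second is, which is the distinction a rate-based block list relies on. Run against a real access or firewall log, the "new sources per second" column is also what tells you whether the pool is large enough that blocking individual addresses for 15 minutes, as the mitigation service did, will ever converge.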

Continue reading this article.

About the Author:
Dave Taylor is known as an expert on both business and technology issues. Holder of an MSEd and MBA, author of twenty books and founder of four startups, he also runs a marketing company and consults with firms seeking the best approach to working with weblogs and social networks. Dave is an award-winning speaker and frequent guest on radio and podcast programs.
About NetworkNewz
NetworkNewz editors, writers and contributors focus on both the big picture and the details of networking. At NetworkNewz our goal is to deliver to you The Key To Network Management.

-- NetworkNewz is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2010 iEntry, Inc. All Rights Reserved.