Author Topic: DDoS attacks on my server  (Read 1885 times)


Offline Irtaviš Ačankif

  • Palulukan Makto
  • Posts: 1318
  • Karma: 33
  • wgmk is love wgmk is life
DDoS attacks on my server
« on: November 06, 2012, 01:57:20 pm »
My server seems to be under attack by a Chinese botnet...perhaps the government is trying to DDoS me? I am running an anti-blocking service prototype with the server. However, the bots seem to be attacking an unencrypted proxy honeypot which has nothing to do with the true anti-blocking service. It's super annoying though. The bots keep on reconnecting even though I closed the port on my firewall, wasting my CPU.

Is there any way to totally force the bots to stop? There are like 100 different IPs, all either China ISP gateway addresses or dedicated servers in Los Angeles which seem to do nothing but launch DDoSes. I'm thinking of tricking the bots to think there is a connection and then dropping it after a ridiculously long timeout. How would that work? Any Linux networking guys out there?

Also, why do they suppose this can take my server down? It's generating less than 2 megs of traffic (mainly because that port does nothing but return a "503 Service Unavailable" over HTTP/1.0), and blocking ports and IPs should be trivial since my server has a static IP.

Basically, this attack is not breaking my server, but the sheer amount (roughly 200/sec) of attempted connections is alarming and even though iptables is dropping the connections, the bots still persist. My CPU is way up there and SSHing is now very laggy.
Previously Ithisa Kīranem, Uniltìrantokx te Skxawng.

Name from my Sakaš conlang, from Sakasul Ältäbisäl Acarankïp

"First name" is Ačankif, not Eltabiš! In Na'vi, Atsankip.

Offline Human No More

  • Palulukan Makto
  • Posts: 1591
  • Karma: 15
  • Misplaced.
    • Tree of Souls
Re: DDoS attacks on my server
« Reply #1 on: December 12, 2012, 03:03:03 pm »
You might be able to get your host to filter them at the network level, and depending on their host (look at the whois info), sending a complaint to the [email protected] might help. Otherwise, it's just filtering with iptables as you have done, and possibly automating adding new rules via fail2ban or similar.
« Last Edit: December 12, 2012, 03:09:49 pm by Human No More »
"I can barely remember my old life. I don't know who I am any more."

HNM, not 'Human' :)

Na'vi tattoo:
1 | 2 (finished) | 3
ToS: Human No More
dA
Personal site coming soon(ish)

"God was invented to explain mystery. God is always invented to explain those things that you do not understand."
- Richard P. Feynman

Offline bommel

  • Palulukan Makto
  • Posts: 3865
  • de Germany
  • Karma: 22
  • Addicted to music!
Re: DDoS attacks on my server
« Reply #2 on: December 12, 2012, 04:50:32 pm »
My server seems to be under attack by a Chinese botnet...perhaps the government is trying to DDoS me? I am running an anti-blocking service prototype with the server.
I wouldn't be surprised if they do. All those countries trying to control the Internet and other sources of independent media just to fight freedom of speech and human rights... bah, I hate them. But that's another story.

Also, why do they suppose this can take my server down? It's generating less than 2 megs of traffic (mainly because that port does nothing but return a "503 Service Unavailable" over HTTP/1.0), and blocking ports and IPs should be trivial since my server has a static IP.
You don't need to generate much traffic for DDoS attacks. For example, SYN flooding is a type of attack where a lot of TCP connections are opened but the three-way handshake is not completed properly, so the connection is in a half-open state (according to your screenshot, it looks like it is this kind of attack, see all the SYN_SENTs). This takes just a few small IP packets. The server must wait for the client to complete the handshake until a timeout occurs. If malicious clients open a lot of these half-open connections, server resources are occupied and proper clients cannot connect to the server anymore or only with great trouble (DoS doesn't necessarily mean the server must crash but that it cannot service proper requests anymore).

Is there any way to totally force the bots to stop? There are like 100 different IPs, all either China ISP gateway addresses or dedicated servers in Los Angeles which seem to do nothing but launch DDoSes. I'm thinking of tricking the bots to think there is a connection and then dropping it after a ridiculously long timeout. How would that work? Any Linux networking guys out there?
First of all, I think you should inform your provider and maybe show them your logs. Whether that helps is another story, but maybe they can filter those IP ranges out for you or take some legal action. Regarding your idea: this depends on the type of attack. When it's a SYN flood attack, they don't want to open a connection anyway but block your resources, so your idea probably won't work. Filtering those connections out is a common action against such attacks but it occupies resources too. Some larger hardware firewalls contain anti-DoS functionality but you usually don't have those devices at home (expensive as hell).

Basically, this attack is not breaking my server, but the sheer amount (roughly 200/sec) of attempted connections is alarming and even though iptables is dropping the connections, the bots still persist. My CPU is way up there and SSHing is now very laggy.
This is the purpose of DoS ;)

The general problem is, you don't need to be skilled to do this nowadays. There are freely available tools where you just have to enter a target IP address, hit enter and see how even large sites break down to a crawl.

By the way, did you announce your service somewhere? 'Cause if it is a targeted attack they must know about you.
« Last Edit: December 12, 2012, 05:08:14 pm by bommel »

Offline Irtaviš Ačankif

  • Palulukan Makto
  • Posts: 1318
  • Karma: 33
  • wgmk is love wgmk is life
Re: DDoS attacks on my server
« Reply #3 on: December 12, 2012, 08:28:00 pm »
My server seems to be under attack by a Chinese botnet...perhaps the government is trying to DDoS me? I am running an anti-blocking service prototype with the server.
I wouldn't be surprised if they do. All those countries trying to control the Internet and other sources of independent media just to fight freedom of speech and human rights... bah, I hate them. But that's another story.

Also, why do they suppose this can take my server down? It's generating less than 2 megs of traffic (mainly because that port does nothing but return a "503 Service Unavailable" over HTTP/1.0), and blocking ports and IPs should be trivial since my server has a static IP.
You don't need to generate much traffic for DDoS attacks. For example, SYN flooding is a type of attack where a lot of TCP connections are opened but the three-way handshake is not completed properly, so the connection is in a half-open state (according to your screenshot, it looks like it is this kind of attack, see all the SYN_SENTs). This takes just a few small IP packets. The server must wait for the client to complete the handshake until a timeout occurs. If malicious clients open a lot of these half-open connections, server resources are occupied and proper clients cannot connect to the server anymore or only with great trouble (DoS doesn't necessarily mean the server must crash but that it cannot service proper requests anymore).

Is there any way to totally force the bots to stop? There are like 100 different IPs, all either China ISP gateway addresses or dedicated servers in Los Angeles which seem to do nothing but launch DDoSes. I'm thinking of tricking the bots to think there is a connection and then dropping it after a ridiculously long timeout. How would that work? Any Linux networking guys out there?
First of all, I think you should inform your provider and maybe show them your logs. Whether that helps is another story, but maybe they can filter those IP ranges out for you or take some legal action. Regarding your idea: this depends on the type of attack. When it's a SYN flood attack, they don't want to open a connection anyway but block your resources, so your idea probably won't work. Filtering those connections out is a common action against such attacks but it occupies resources too. Some larger hardware firewalls contain anti-DoS functionality but you usually don't have those devices at home (expensive as hell).

Basically, this attack is not breaking my server, but the sheer amount (roughly 200/sec) of attempted connections is alarming and even though iptables is dropping the connections, the bots still persist. My CPU is way up there and SSHing is now very laggy.
This is the purpose of DoS ;)

The general problem is, you don't need to be skilled to do this nowadays. There are freely available tools where you just have to enter a target IP address, hit enter and see how even large sites break down to a crawl.

By the way, did you announce your service somewhere? 'Cause if it is a targeted attack they must know about you.

Actually the reason why they were SYN_SENT was because I was filtering the connections. It used to connect and then each connection would use like 20 KiB/s of bandwidth pulling random HTTP files through the decoy proxy.

Offline bommel

  • Palulukan Makto
  • Posts: 3865
  • de Germany
  • Karma: 22
  • Addicted to music!
Re: DDoS attacks on my server
« Reply #4 on: December 13, 2012, 02:49:36 am »
Ah okay, then it isn't a SYN flood attack. So they are just trying to generate traffic/load by accessing random files? Strange... Then your idea might actually work, but maybe it is still better to let the firewall drop the connections.

Offline Irtaviš Ačankif

  • Palulukan Makto
  • Posts: 1318
  • Karma: 33
  • wgmk is love wgmk is life
Re: DDoS attacks on my server
« Reply #5 on: December 13, 2012, 11:03:29 am »
Ah okay, then it isn't a SYN flood attack. So they are just trying to generate traffic/load by accessing random files? Strange... Then your idea might actually work, but maybe it is still better to let the firewall drop the connections.
How would that actually work? I used iptables -DROP but that gives me whole bunches of SYN_SENTs.

Offline bommel

  • Palulukan Makto
  • Posts: 3865
  • de Germany
  • Karma: 22
  • Addicted to music!
Re: DDoS attacks on my server
« Reply #6 on: December 13, 2012, 11:12:39 am »
AFAIK iptables DROP is the most efficient way to do it locally (e.g. on the affected machine). It would be better if your provider drops these connections for you in the first place.
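The half-open connection picture bommel describes in Reply #2 and the local iptables DROP approach from Reply #6, put together as an added example that is not code from the thread: it counts connections per peer address from `ss -tan` output, flags peers holding more than a threshold, and emits the corresponding iptables rules together with a baseline per-source SYN rate limit. It assumes the `ss -tan` column layout, a placeholder decoy-proxy port of 8080, illustrative thresholds, and the constructed sample below (documentation address ranges, not real bots). Note while reading the counts that SYN-RECV is the server-side half-open state a SYN flood leaves behind, whereas SYN-SENT belongs to connections the local host itself opened, so the two are reported separately. Nothing is applied unless `APPLY=1` is set; by default the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage per-peer TCP connection
# counts from `ss -tan` output, then emit iptables rules for the offenders
# plus a baseline SYN-rate limit. Rules are only printed unless APPLY=1.

HONEYPOT_PORT="${HONEYPOT_PORT:-8080}"   # placeholder: the decoy proxy port
CONN_THRESHOLD="${CONN_THRESHOLD:-3}"    # illustrative; tune to real traffic

# Constructed sample in `ss -tan` layout (State Recv-Q Send-Q Local Peer).
# 192.0.2.x / 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:8080          0.0.0.0:*
SYN-RECV   0      0      192.0.2.10:8080       203.0.113.7:40001
SYN-RECV   0      0      192.0.2.10:8080       203.0.113.7:40002
SYN-RECV   0      0      192.0.2.10:8080       203.0.113.7:40003
SYN-RECV   0      0      192.0.2.10:8080       203.0.113.7:40004
ESTAB      0      0      192.0.2.10:8080       203.0.113.42:50110
ESTAB      0      0      192.0.2.10:8080       203.0.113.42:50111
ESTAB      0      0      192.0.2.10:8080       203.0.113.42:50112
ESTAB      0      0      192.0.2.10:22         198.51.100.5:51000
SYN-SENT   0      1      192.0.2.10:45000      198.51.100.9:80'

# flag_sources [threshold]: reads ss output on stdin and prints
# "<peer-ip> <total> <half-open>" for peers holding more than
# threshold connections, busiest first. SYN-RECV is the inbound
# half-open state; SYN-SENT is counted in the total but is outbound.
flag_sources() {
    awk -v thr="${1:-$CONN_THRESHOLD}" '
    NR > 1 && $1 != "LISTEN" {
        peer = $5
        sub(/:[^:]*$/, "", peer)          # strip the port (IPv4 peers)
        total[peer]++
        if ($1 == "SYN-RECV") halfopen[peer]++
    }
    END {
        for (p in total)
            if (total[p] > thr)
                printf "%s %d %d\n", p, total[p], halfopen[p] + 0
    }' | sort -k2,2nr
}

# run: print the command (dry run) or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# baseline_rules: cheap, kernel-side defences that need no blocklist.
baseline_rules() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    # at most 10 concurrent connections per source address to the decoy port
    run iptables -A INPUT -p tcp --dport "$HONEYPOT_PORT" --syn \
        -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
    # drop new SYNs from any single source above 20/s (burst 40)
    run iptables -A INPUT -p tcp --dport "$HONEYPOT_PORT" --syn \
        -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip \
        --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP
}

# block_sources: reads flag_sources output and inserts one DROP per peer.
# DROP (rather than REJECT) sends nothing back, so the host spends no
# bandwidth answering the bot.
block_sources() {
    while read -r ip total halfopen; do
        [ -n "$ip" ] || continue
        run iptables -I INPUT -s "$ip" -j DROP
    done
}

# Stand-alone demo (dry run): with the default threshold only the peer
# holding four half-open connections is flagged.
printf '%s\n' "$SAMPLE_SS" | flag_sources | block_sources
baseline_rules
```

On a live box the pipeline is `ss -tan | flag_sources 50 | APPLY=1 block_sources`; the connlimit and hashlimit rules are the part that keeps working after the bots rotate addresses, because they key on whoever is sending rather than on a fixed list.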

Offline Toruk Makto

  • LearnNavi Admin
  • Toruk Makto
  • Palulukan Makto
  • Posts: 6118
  • nv Eywa'eveng
  • Karma: 215
  • . Txepsiyu Markì .
    • Learn Na'vi
Re: DDoS attacks on my server
« Reply #7 on: December 20, 2012, 08:23:31 pm »
The Chinese IPs may be crawlers for the "great firewall of China" looking for content to censor. We used to get over 100 continuous active connections on the forums with these damned things going through almost every message on the site. I currently have 3 large blocks of their IPs firewalled out for this.

Lì’fyari leNa’vi ’Rrtamì, vay set ’almong a fra’u zera’u ta ngrrpongu
Na'vi Dictionary: http://files.learnnavi.org/dicts/NaviDictionary.pdf

Offline bommel

  • Palulukan Makto
  • Posts: 3865
  • de Germany
  • Karma: 22
  • Addicted to music!
Re: DDoS attacks on my server
« Reply #8 on: December 23, 2012, 02:14:37 pm »
Interesting detail. Long live the freedom of speech ;-)

Offline Irtaviš Ačankif

  • Palulukan Makto
  • Posts: 1318
  • Karma: 33
  • wgmk is love wgmk is life
Re: DDoS attacks on my server
« Reply #9 on: December 23, 2012, 10:22:46 pm »
The Chinese IPs may be crawlers for the "great firewall of China" looking for content to censor. We used to get over 100 continuous active connections on the forums with these damned things going through almost every message on the site. I currently have 3 large blocks of their IPs firewalled out for this.
Could you share the 3 large IP blocks? It could prove useful to me.

Offline Toruk Makto

  • LearnNavi Admin
  • Toruk Makto
  • Palulukan Makto
  • Posts: 6118
  • nv Eywa'eveng
  • Karma: 215
  • . Txepsiyu Markì .
    • Learn Na'vi
Re: DDoS attacks on my server
« Reply #10 on: January 04, 2013, 03:11:52 pm »
Badly late reply (sorry!)...

There's actually five blocks now. From our ipfw rules:

$cmd 00015 deny ip from 124.115.0.0/24 to any in via igb0   # f*** Chinese webcrawlers that refuse to abide by robots.txt
$cmd 00016 deny ip from 182.118.16.0/21 to any in via igb0  # f*** Chinese webcrawlers that refuse to abide by robots.txt
$cmd 00017 deny ip from 60.169.78.0/24 to any in via igb0    # f*** Chinese rapidfire spam bots
$cmd 00018 deny ip from 123.151.42.0/23 to any in via igb0   # More f*** Chinese webcrawler bots that won't behave
$cmd 00019 deny ip from 117.135.129.0/24 to any in via igb0  # More f*** Chinese webcrawler bots that won't behave


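The five ipfw blocks above, turned into a checker as an added example (not from the post and not the forum's own configuration): given an address, it reports which rule covers it, and it warns when a CIDR's base address does not sit on its prefix boundary, because such a rule covers a different range than the one written. It assumes the rule layout shown in the post (IPv4 only) and adds one constructed, deliberately misaligned entry (rule 00099, a documentation-range address) to exercise the warning.

```shell
#!/bin/sh
# Added example, not code from the thread. Parse ipfw "deny ip from <cidr>"
# rules, report which block (if any) a given address falls in, and warn when
# a block's base address is not on its prefix boundary.

# The five blocks quoted in the post, plus one constructed, deliberately
# misaligned entry (rule 00099, documentation range) to show the warning.
IPFW_RULES='$cmd 00015 deny ip from 124.115.0.0/24 to any in via igb0
$cmd 00016 deny ip from 182.118.16.0/21 to any in via igb0
$cmd 00017 deny ip from 60.169.78.0/24 to any in via igb0
$cmd 00018 deny ip from 123.151.42.0/23 to any in via igb0
$cmd 00019 deny ip from 117.135.129.0/24 to any in via igb0
$cmd 00099 deny ip from 203.0.113.5/29 to any in via igb0'

# cidr_check <ip>: reads rules on stdin; prints "MATCH rule <n>: <cidr>" for
# every block containing <ip> and "WARN rule <n>: ..." for misaligned blocks.
# All arithmetic is done in awk on 32-bit values held as doubles.
cidr_check() {
    awk -v ip="$1" '
    function ip2int(s,   a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    function int2ip(n) {
        return sprintf("%d.%d.%d.%d", int(n / 16777216) % 256,
                       int(n / 65536) % 256, int(n / 256) % 256, n % 256)
    }
    BEGIN { ipn = ip2int(ip) }
    $3 == "deny" && $5 == "from" {
        split($6, c, "/")
        base = ip2int(c[1])
        size = 2 ^ (32 - c[2])             # addresses covered by the prefix
        net  = base - (base % size)        # true network address
        if (net != base)
            printf "WARN rule %s: %s is not aligned (network is %s/%s)\n",
                   $2, $6, int2ip(net), c[2]
        if (ipn >= net && ipn < net + size)
            printf "MATCH rule %s: %s\n", $2, $6
    }'
}

# is_blocked <ip>: exit 0 if any rule in IPFW_RULES covers the address.
is_blocked() {
    printf '%s\n' "$IPFW_RULES" | cidr_check "$1" | grep -q '^MATCH'
}

# Stand-alone demo: one address inside the /21, one just outside the /24,
# one caught by the misaligned /29.
for probe in 182.118.20.3 124.115.1.1 203.0.113.7; do
    if is_blocked "$probe"; then echo "$probe: blocked"; else echo "$probe: allowed"; fi
done
printf '%s\n' "$IPFW_RULES" | cidr_check 0.0.0.0 | grep '^WARN'
```

Feed the real rule file in on stdin instead of `$IPFW_RULES` to audit it; the WARN lines are the ones to fix, since ipfw will happily accept a misaligned CIDR and apply it to the whole containing network.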

 
