DDoS attacks on my server

Started by Irtaviš Ačankif, November 06, 2012, 01:57:20 PM


Irtaviš Ačankif

My server seems to be under attack by a Chinese botnet...perhaps the government is trying to DDoS me? I am running an anti-blocking service prototype with the server. However, the bots seem to be attacking an unencrypted proxy honeypot which has nothing to do with the true anti-blocking service. It's super annoying though. The bots keep on reconnecting even though I closed the port on my firewall, wasting my CPU.

Is there any way to totally force the bots to stop? There are like 100 different IPs, all either China ISP gateway addresses or dedicated servers in Los Angeles which seem to do nothing but launch DDoSes. I'm thinking of tricking the bots to think there is a connection and then dropping it after a ridiculously long timeout. How would that work? Any Linux networking guys out there?

Also, why do they suppose this can take my server down? It's generating less than 2 megs of traffic (mainly because that port does nothing but return a "503 Service Unavailable" over HTTP/1.0), and blocking ports and IPs should be trivial since my server has a static IP.

Basically, this attack is not breaking my server, but the sheer amount (roughly 200/sec) of attempted connections is alarming and even though iptables is dropping the connections, the bots still persist. My CPU is way up there and SSHing is now very laggy.
Previously Ithisa Kīranem, Uniltìrantokx te Skxawng.

Name from my Sakaš conlang, from Sakasul Ältäbisäl Acarankïp

"First name" is Ačankif, not Eltabiš! In Na'vi, Atsankip.

Human No More

#1
You might be able to get your host to filter them at the network level, and depending on their host (look at the whois info), sending a complaint to the abuse@ might help. Otherwise, it's just filtering with iptables as you have done, and possibly automating adding new rules via fail2ban or similar.
"I can barely remember my old life. I don't know who I am any more."

HNM, not 'Human' :)

Na'vi tattoo:
1 | 2 (finished) | 3
ToS: Human No More
dA
Personal site coming soon(ish)

"God was invented to explain mystery. God is always invented to explain those things that you do not understand."
- Richard P. Feynman

bommel

#2
Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
My server seems to be under attack by a Chinese botnet...perhaps the government is trying to DDoS me? I am running an anti-blocking service prototype with the server.
I wouldn't be surprised if they do. All those countries trying to control the Internet and other sources of independent media just to fight freedom of speech and human rights... bah, I hate them. But that's another story.

Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
Also, why do they suppose this can take my server down? It's generating less than 2 megs of traffic (mainly because that port does nothing but return a "503 Service Unavailable" over HTTP/1.0), and blocking ports and IPs should be trivial since my server has a static IP.
You don't need to generate much traffic for DDoS attacks. For example, SYN flooding is a type of attack where a lot of TCP connections are opened but the three-way handshake is not completed properly, so the connection is in a half-open state (according to your screenshot, it looks like it is this kind of attack, see all the SYN_SENTs). This takes just a few small IP packets. The server must wait for the client to complete the handshake until a timeout occurs. If malicious clients open a lot of these half-open connections, server resources are occupied and proper clients cannot connect to the server anymore, or only with great trouble (DoS doesn't necessarily mean the server must crash, but that it cannot service proper requests anymore).

Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
Is there any way to totally force the bots to stop? There are like 100 different IPs, all either China ISP gateway addresses or dedicated servers in Los Angeles which seem to do nothing but launch DDoSes. I'm thinking of tricking the bots to think there is a connection and then dropping it after a ridiculously long timeout. How would that work? Any Linux networking guys out there?
First of all, I think you should inform your provider and maybe show them your logs. Whether that helps is another story, but maybe they can filter those IP ranges out for you or take some legal action. Regarding your idea: this depends on the type of attack. When it's a SYN flood attack, they don't want to open a connection anyway but block your resources, so your idea probably won't work. Filtering those connections out is a common action against such attacks, but it occupies resources too. Some larger hardware firewalls contain anti-DoS functionality, but you usually don't have those devices at home (expensive as hell).

Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
Basically, this attack is not breaking my server, but the sheer amount (roughly 200/sec) of attempted connections is alarming and even though iptables is dropping the connections, the bots still persist. My CPU is way up there and SSHing is now very laggy.
This is the purpose of DoS ;)

The general problem is, you don't need to be skilled to do this nowadays. There are freely available tools where you just have to enter a target IP address, hit enter and see how even large sites break down to a crawl.

By the way, did you announce your service somewhere? 'Cause if it is a targeted attack they must know about you.

Irtaviš Ačankif

Quote from: bommel on December 12, 2012, 04:50:32 PM
Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
My server seems to be under attack by a Chinese botnet...perhaps the government is trying to DDoS me? I am running an anti-blocking service prototype with the server.
I wouldn't be surprised if they do. All those countries trying to control the Internet and other sources of independent media just to fight freedom of speech and human rights... bah, I hate them. But that's another story.

Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
Also, why do they suppose this can take my server down? It's generating less than 2 megs of traffic (mainly because that port does nothing but return a "503 Service Unavailable" over HTTP/1.0), and blocking ports and IPs should be trivial since my server has a static IP.
You don't need to generate much traffic for DDoS attacks. For example, SYN flooding is a type of attack where a lot of TCP connections are opened but the three-way handshake is not completed properly, so the connection is in a half-open state (according to your screenshot, it looks like it is this kind of attack, see all the SYN_SENTs). This takes just a few small IP packets. The server must wait for the client to complete the handshake until a timeout occurs. If malicious clients open a lot of these half-open connections, server resources are occupied and proper clients cannot connect to the server anymore, or only with great trouble (DoS doesn't necessarily mean the server must crash, but that it cannot service proper requests anymore).

Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
Is there any way to totally force the bots to stop? There are like 100 different IPs, all either China ISP gateway addresses or dedicated servers in Los Angeles which seem to do nothing but launch DDoSes. I'm thinking of tricking the bots to think there is a connection and then dropping it after a ridiculously long timeout. How would that work? Any Linux networking guys out there?
First of all, I think you should inform your provider and maybe show them your logs. Whether that helps is another story, but maybe they can filter those IP ranges out for you or take some legal action. Regarding your idea: this depends on the type of attack. When it's a SYN flood attack, they don't want to open a connection anyway but block your resources, so your idea probably won't work. Filtering those connections out is a common action against such attacks, but it occupies resources too. Some larger hardware firewalls contain anti-DoS functionality, but you usually don't have those devices at home (expensive as hell).

Quote from: Uniltìrantokx te Skxawng on November 06, 2012, 01:57:20 PM
Basically, this attack is not breaking my server, but the sheer amount (roughly 200/sec) of attempted connections is alarming and even though iptables is dropping the connections, the bots still persist. My CPU is way up there and SSHing is now very laggy.
This is the purpose of DoS ;)

The general problem is, you don't need to be skilled to do this nowadays. There are freely available tools where you just have to enter a target IP address, hit enter and see how even large sites break down to a crawl.

By the way, did you announce your service somewhere? 'Cause if it is a targeted attack they must know about you.

Actually, the reason they were SYN_SENT was because I was filtering the connections. It used to connect, and then each connection would use like 20 KiB/s of bandwidth pulling random HTTP files through the decoy proxy.

bommel

Ah okay, then it isn't a SYN flood attack. So they are just trying to generate traffic/load by accessing random files? Strange... Then your idea might actually work, but maybe it is still better to let the firewall drop the connections.

Irtaviš Ačankif

Quote from: bommel on December 13, 2012, 02:49:36 AM
Ah okay, then it isn't a SYN flood attack. So they are just trying to generate traffic/load by accessing random files? Strange... Then your idea might actually work, but maybe it is still better to let the firewall drop the connections.
How would that actually work? I used iptables -DROP but that gives me whole bunches of SYN_SENTs.

bommel

AFAIK iptables DROP is the most efficient way to do it locally (e.g. on the affected machine). It would be better if your provider dropped these connections for you in the first place.
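Added example (not from anyone in this thread): a script that does locally what bommel's SYN-flood explanation and the iptables DROP advice above, plus Human No More's fail2ban-style automation suggestion, describe. It reads `netstat -tn` output (a constructed sample is embedded so it runs offline), counts sockets per TCP state and per remote IP for one local port, and renders ipset/iptables commands that drop further packets from peers holding too many connections at once. One caveat worth having in front of you when reading a screenshot: on Linux an inbound half-open connection sits in SYN_RECV on the server, while SYN_SENT is the local side of an outbound connect that has not been answered (for instance a proxy reaching for an upstream that is now filtered). The server address, port 8080 and the set name `ddos_src` are assumptions.

```python
"""Summarise a TCP connection table and generate DROP rules for noisy peers.

Added example, not code from the thread.  Input is `netstat -tn` text; a
constructed sample is embedded so the script runs offline.
"""
from collections import Counter

# Constructed `netstat -tn` output (RFC 5737 addresses).  203.0.113.10 is the
# server, 8080 stands in for the decoy proxy port, two peers are hammering it.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:22         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:8080       192.0.2.15:40001        SYN_RECV
tcp        0      0 203.0.113.10:8080       192.0.2.15:40002        SYN_RECV
tcp        0      0 203.0.113.10:8080       192.0.2.15:40003        SYN_RECV
tcp        0      0 203.0.113.10:8080       192.0.2.15:40004        ESTABLISHED
tcp        0      0 203.0.113.10:8080       192.0.2.99:31000        SYN_RECV
tcp        0      0 203.0.113.10:8080       192.0.2.99:31001        SYN_RECV
tcp        0      0 203.0.113.10:8080       192.0.2.99:31002        ESTABLISHED
tcp        0      0 203.0.113.10:8080       198.51.100.20:55000     ESTABLISHED
tcp        0      1 203.0.113.10:47001      192.0.2.200:80          SYN_SENT
"""

# Inbound half-open connections show as SYN_RECV on the server.  SYN_SENT is
# the local side of an *outbound* connect that has not been answered yet.
HALF_OPEN_INBOUND = {"SYN_RECV"}


def parse_connections(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per tcp row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # banner, column header, or a non-TCP row
        local_ip, local_port = parts[3].rsplit(":", 1)
        remote_ip, remote_port = parts[4].rsplit(":", 1)
        yield local_ip, int(local_port), remote_ip, int(remote_port), parts[5]


def state_counts(conns):
    """How many sockets are in each TCP state (the view a screenshot gives)."""
    return Counter(state for *_, state in conns)


def per_peer(conns, local_port):
    """Total and half-open connection counts per remote IP for one local port."""
    total, half_open = Counter(), Counter()
    for _lip, lport, rip, _rport, state in conns:
        if lport != local_port:
            continue
        total[rip] += 1
        if state in HALF_OPEN_INBOUND:
            half_open[rip] += 1
    return total, half_open


def noisy_peers(total, threshold):
    """Remote IPs holding at least `threshold` connections at once."""
    return sorted(ip for ip, n in total.items() if n >= threshold)


def drop_rules(ips, local_port, setname="ddos_src"):
    """One ipset plus one iptables rule: adding a peer later costs one
    `ipset add`, not another linearly scanned iptables rule.  `-exist` makes
    reruns idempotent; the `-C` check avoids inserting the rule twice."""
    match = f"-p tcp --dport {local_port} -m set --match-set {setname} src -j DROP"
    cmds = [
        f"ipset create {setname} hash:ip -exist",
        f"iptables -C INPUT {match} 2>/dev/null || iptables -I INPUT {match}",
    ]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in ips]
    return cmds


if __name__ == "__main__":
    conns = list(parse_connections(SAMPLE_NETSTAT))
    print("states:", dict(state_counts(conns)))
    total, half_open = per_peer(conns, 8080)
    for ip in noisy_peers(total, threshold=3):
        print(f"{ip}: {total[ip]} connections, {half_open[ip]} half-open")
    print("\n".join(drop_rules(noisy_peers(total, 3), 8080)))
```

Run it against live data with `netstat -tn | python3 script.py` after swapping the sample for `sys.stdin.read()`; the emitted commands need root. Dropping in the kernel still costs a little CPU per packet, which is why bommel's point stands that filtering upstream at the provider is better when you can get it.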

Toruk Makto

The Chinese IPs may be crawlers for the "great firewall of China" looking for content to censor. We used to get over 100 continuous active connections on the forums with these damned things going through almost every message on the site. I currently have 3 large blocks of their IPs firewalled out for this.

Lì'fyari leNa'vi 'Rrtamì, vay set 'almong a fra'u zera'u ta ngrrpongu
Na'vi Dictionary: http://files.learnnavi.org/dicts/NaviDictionary.pdf

bommel

Interesting detail. Long live the freedom of speech ;-)

Irtaviš Ačankif

Quote from: Toruk Makto on December 20, 2012, 08:23:31 PM
The Chinese IPs may be crawlers for the "great firewall of China" looking for content to censor. We used to get over 100 continuous active connections on the forums with these damned things going through almost every message on the site. I currently have 3 large blocks of their IPs firewalled out for this.
Could you share the 3 large IP blocks? It could prove useful to me.

Toruk Makto

Badly late reply (sorry!)...

There's actually five blocks now. From our ipfw rules:

$cmd 00015 deny ip from 124.115.0.0/24 to any in via igb0   # f*** Chinese webcrawlers that refuse to abide by robots.txt
$cmd 00016 deny ip from 182.118.16.0/21 to any in via igb0  # f*** Chinese webcrawlers that refuse to abide by robots.txt
$cmd 00017 deny ip from 60.169.78.0/24 to any in via igb0    # f*** Chinese rapidfire spam bots
$cmd 00018 deny ip from 123.151.42.0/23 to any in via igb0   # More f*** Chinese webcrawler bots that won't behave
$cmd 00019 deny ip from 117.135.129.0/24 to any in via igb0  # More f*** Chinese webcrawler bots that won't behave


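Added example, not code from Toruk Makto or anyone else in the thread: how the blocks in a ruleset like the one above can be derived from evidence rather than by hand. The script parses a robots.txt, counts requests per source IP in a web access log that hit a Disallowed path, aggregates offenders into /24 networks, and only proposes a block when several distinct hosts in the same /24 misbehave (one bad host is a single IP ban, not a range ban). Output is rendered in the `$cmd NNNNN deny ip from ... to any in via igb0` style of the post above. The robots.txt and the common-log-format lines are constructed; the interface name, rule numbering and thresholds are assumptions.

```python
"""Find crawlers that ignore robots.txt and emit ipfw deny rules for their /24s.

Added example, not from the thread.  robots.txt and access-log lines below
are constructed (RFC 5737 addresses) so the script runs offline.
"""
import ipaddress
import re
from collections import Counter

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /index.php?action=profile
Disallow: /search
"""

# Constructed common-log-format lines.  192.0.2.44-46 are three hosts of one
# crawler farm hitting disallowed paths; 198.51.100.9 is a single stray.
ACCESS_LOG = """\
192.0.2.10 - - [06/Nov/2012:13:57:20 +0000] "GET /index.php?topic=1.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Nov/2012:13:57:21 +0000] "GET /admin/ HTTP/1.1" 403 312 "-" "SomeSpider"
192.0.2.44 - - [06/Nov/2012:13:57:21 +0000] "GET /search?q=a HTTP/1.1" 200 4000 "-" "SomeSpider"
192.0.2.45 - - [06/Nov/2012:13:57:22 +0000] "GET /index.php?action=profile;u=9 HTTP/1.1" 200 2200 "-" "SomeSpider"
192.0.2.46 - - [06/Nov/2012:13:57:23 +0000] "GET /search?q=b HTTP/1.1" 200 4000 "-" "SomeSpider"
198.51.100.9 - - [06/Nov/2012:13:57:24 +0000] "GET /search?q=c HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Nov/2012:13:57:25 +0000] "GET /robots.txt HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# source IP ... [timestamp] "METHOD path protocol" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')


def disallowed_prefixes(robots):
    """Disallow paths for the `User-agent: *` group.  Plain prefix matching,
    as in the original robots.txt convention; no '*' or '$' wildcards."""
    prefixes, in_wildcard = [], False
    for line in robots.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_wildcard = value == "*"
        elif key == "disallow" and in_wildcard and value:
            prefixes.append(value)
    return prefixes


def violations(log, prefixes):
    """Count requests per source IP whose path falls under a Disallow prefix."""
    hits = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, path = m.group(1), m.group(2)
        if any(path.startswith(p) for p in prefixes):
            hits[ip] += 1
    return hits


def offending_blocks(hits, min_hosts=2, min_hits=3):
    """Aggregate per-IP violations into /24 (or /64 for IPv6) networks and keep
    those where several distinct hosts misbehave and the total is high."""
    per_net = {}
    for ip, n in hits.items():
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        hosts, total = per_net.get(net, (set(), 0))
        hosts.add(ip)
        per_net[net] = (hosts, total + n)
    return sorted(net for net, (hosts, total) in per_net.items()
                  if len(hosts) >= min_hosts and total >= min_hits)


def ipfw_rules(nets, start=15, iface="igb0"):
    """Render deny rules in the thread's ipfw style with sequential numbers."""
    return [f"$cmd {start + i:05d} deny ip from {net} to any in via {iface}"
            f"   # crawlers ignoring robots.txt"
            for i, net in enumerate(nets)]


if __name__ == "__main__":
    prefixes = disallowed_prefixes(ROBOTS_TXT)
    hits = violations(ACCESS_LOG, prefixes)
    print("\n".join(ipfw_rules(offending_blocks(hits))))
```

Review the proposed networks before loading them: a /24 aggregated from a log is still a guess about who shares that range, and the whois check Human No More mentioned earlier in the thread is the cheap way to confirm it is one operator's space before denying the whole block.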