Reduce effects of DDoS attack ...

Cody Baker cody at wilkshire.net
Thu Oct 7 08:58:35 PDT 2004 

Another little note:  Are you absolutely positive that the other network 
is clean and not the cause rather than the victim.  We had a computer in 
our PC repair bay that a technician accidentally cconnected to the web 
before a virus scan.  It had a virus which ran a syn flood against some 
gaming website.  It was horrendously difficult to track down because it 
created a MASSIVE amount of traffic.  This traffic which is bleeding 
over could be ARP traffic from a virus scanning through subnets.  It 
would generate one ARP request for every IP address it attempts to 
contact, a scary thought when you have a virus scanning a few thousand 
IPs/second.  This huge amount of ARP traffic would be very detrimental 
to your router as well..

Thank you,

Cody Baker
cody at wilkshire.net
330.934.0659
http://www.wilkshire.net


Cody Baker wrote:

> The packets your 200.046.204 machines are receiving are most likely 
> ARP packets, which are Ethernet level broadcast.  They can't really be 
> stopped with out dividing the physical network in to two pieces or 
> VLANs.  If your router supports VLANs, you can divide your subnet to 
> one portion of that catalyst switch, and the offending network to 
> another portion.  This is a good policy in terms of security, but it's 
> not going to fix your problem.  Unless you're extremely well connected 
> to the Internet (something greater than 10MB/s), you're problem has 
> nothing to do with anything on your network, rather the pipe between 
> your network and the world is just congested.  The other possibility 
> is that your router isn't able to keep up with the load.  I would 
> suggest that your best bet is to talk to your upstream provider, see 
> if they can't block the attack in anyway.
>
> In regards to Matthew's response, the Cisco switch should be capable 
> of handling all but the most intense attacks.  In terms of the 
> Linksys, the only thing it's going to be seeing is the ARP packets, 
> and while those network wide broadcasts are detrimental, they're not 
> going to be the cause of 70% packet loss.
>
> Thank you,
>
> Cody Baker
> cody at wilkshire.net
> 330.934.0659
> http://www.wilkshire.net
>
> Marc G. Fournier wrote:
>
>>
>> I've got 5 servers sitting on a 10/100 unmanaged switch right now ... 
>> last night, a DDoS attack against a network "beside us" cause 70+% 
>> packet loss on our network, and I'm trying to figure out if there is 
>> anything I can do from my side to "compensate" for this ...
>>
>> I run ipaudit on all our servers, and a normal 30 minute period looks 
>> like:
>>
>> neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
>>    12107
>> neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
>>      112
>> neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
>>    12219
>>
>> where 200.046.204 is our C-class ...
>>
>> Now, when the DDoS attack is running, those stats change to:
>>
>> neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
>>     5815
>> neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
>>   594189
>> neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
>>   600004
>>
>> We're getting *alot* of traffic on our network that just is not ours ...
>>
>> Now, I can login to the servers, and load is negligible ... but 
>> packet loss is anywhere from 50->90%, so pretty much unusable ...
>>
>> Now, the shared 'switch' between our networks is a Cisco Catalyst 
>> 2900xl ... is there something that should be set on that so that I 
>> don't see that network traffic?  Basically, the only network traffic 
>> that I should/want to see is that for my network .. in this case, 
>> 200.46.204?
>>
>> Baring that ... is there anything that I can do on the FreeBSD side 
>> of things to reduce the impact of the "extra packets"?  Some way of 
>> "absorbing them"?  For instance, if the packet is coming in, and it 
>> isn't for that server, then I imagine it has to 'bounce' it back out 
>> again, compounding the problem, no?
>>
>> Also ... since the FreeBSD servers do seem to be handling the load, 
>> is it possible that the unmanaged switch that i have in place between 
>> the FreeBSD box and the Cisco switch is 'buckling under the load'?  
>> Not able to handle the packets fast enough, and therefore just 
>> drop'ng them?
>>
>> The unmanage switch is a 10/100 Linksys Switch ...
>>
>> Thanks for any responses ...
>>
>> ----
>> Marc G. Fournier           Hub.Org Networking Services 
>> (http://www.hub.org)
>> Email: scrappy at hub.org           Yahoo!: yscrappy              ICQ: 
>> 7615664
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>
>
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"

More information about the freebsd-isp mailing list