Reduce effects of DDoS attack ...

Marc G. Fournier scrappy at hub.org
Thu Oct 7 19:21:32 PDT 2004 

Actually, found out earlier today that this does, in fact, appear to be 
closer to the problem ... MS-SQL servers taht were infected by virii were 
on the network that was flooding us ... so what you describe below sounds 
like what probably happened :(


On Thu, 7 Oct 2004, Cody Baker wrote:

> Another little note:  Are you absolutely positive that the other network is 
> clean and not the cause rather than the victim.  We had a computer in our PC 
> repair bay that a technician accidentally cconnected to the web before a 
> virus scan.  It had a virus which ran a syn flood against some gaming 
> website.  It was horrendously difficult to track down because it created a 
> MASSIVE amount of traffic.  This traffic which is bleeding over could be ARP 
> traffic from a virus scanning through subnets.  It would generate one ARP 
> request for every IP address it attempts to contact, a scary thought when you 
> have a virus scanning a few thousand IPs/second.  This huge amount of ARP 
> traffic would be very detrimental to your router as well..
>
> Thank you,
>
> Cody Baker
> cody at wilkshire.net
> 330.934.0659
> http://www.wilkshire.net
>
>
> Cody Baker wrote:
>
>> The packets your 200.046.204 machines are receiving are most likely ARP 
>> packets, which are Ethernet level broadcast.  They can't really be stopped 
>> with out dividing the physical network in to two pieces or VLANs.  If your 
>> router supports VLANs, you can divide your subnet to one portion of that 
>> catalyst switch, and the offending network to another portion.  This is a 
>> good policy in terms of security, but it's not going to fix your problem. 
>> Unless you're extremely well connected to the Internet (something greater 
>> than 10MB/s), you're problem has nothing to do with anything on your 
>> network, rather the pipe between your network and the world is just 
>> congested.  The other possibility is that your router isn't able to keep up 
>> with the load.  I would suggest that your best bet is to talk to your 
>> upstream provider, see if they can't block the attack in anyway.
>> 
>> In regards to Matthew's response, the Cisco switch should be capable of 
>> handling all but the most intense attacks.  In terms of the Linksys, the 
>> only thing it's going to be seeing is the ARP packets, and while those 
>> network wide broadcasts are detrimental, they're not going to be the cause 
>> of 70% packet loss.
>> 
>> Thank you,
>> 
>> Cody Baker
>> cody at wilkshire.net
>> 330.934.0659
>> http://www.wilkshire.net
>> 
>> Marc G. Fournier wrote:
>> 
>>> 
>>> I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last 
>>> night, a DDoS attack against a network "beside us" cause 70+% packet loss 
>>> on our network, and I'm trying to figure out if there is anything I can do 
>>> from my side to "compensate" for this ...
>>> 
>>> I run ipaudit on all our servers, and a normal 30 minute period looks 
>>> like:
>>> 
>>> neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
>>>    12107
>>> neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
>>>      112
>>> neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
>>>    12219
>>> 
>>> where 200.046.204 is our C-class ...
>>> 
>>> Now, when the DDoS attack is running, those stats change to:
>>> 
>>> neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
>>>     5815
>>> neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
>>>   594189
>>> neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
>>>   600004
>>> 
>>> We're getting *alot* of traffic on our network that just is not ours ...
>>> 
>>> Now, I can login to the servers, and load is negligible ... but packet 
>>> loss is anywhere from 50->90%, so pretty much unusable ...
>>> 
>>> Now, the shared 'switch' between our networks is a Cisco Catalyst 2900xl 
>>> ... is there something that should be set on that so that I don't see that 
>>> network traffic?  Basically, the only network traffic that I should/want 
>>> to see is that for my network .. in this case, 200.46.204?
>>> 
>>> Baring that ... is there anything that I can do on the FreeBSD side of 
>>> things to reduce the impact of the "extra packets"?  Some way of 
>>> "absorbing them"?  For instance, if the packet is coming in, and it isn't 
>>> for that server, then I imagine it has to 'bounce' it back out again, 
>>> compounding the problem, no?
>>> 
>>> Also ... since the FreeBSD servers do seem to be handling the load, is it 
>>> possible that the unmanaged switch that i have in place between the 
>>> FreeBSD box and the Cisco switch is 'buckling under the load'?  Not able 
>>> to handle the packets fast enough, and therefore just drop'ng them?
>>> 
>>> The unmanage switch is a 10/100 Linksys Switch ...
>>> 
>>> Thanks for any responses ...
>>> 
>>> ----
>>> Marc G. Fournier           Hub.Org Networking Services 
>>> (http://www.hub.org)
>>> Email: scrappy at hub.org           Yahoo!: yscrappy              ICQ: 
>>> 7615664
>>> _______________________________________________
>>> freebsd-isp at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>> 
>> 
>> 
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>
>
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"
>

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy at hub.org           Yahoo!: yscrappy              ICQ: 7615664

More information about the freebsd-isp mailing list