PaulDotCom mailing list archives

DDOS


From: lonervamp at gmail.com (Michael Dickey)
Date: Thu, 22 Apr 2010 16:24:48 -0500

Here are a few links that give some info.

1. Blog post about tarpitting in iptables to combat DDoS:
http://www.secureworks.com/research/threats/ddos/?threat=ddos

2. Excellent DDoS incident response paper by Jordan Wiens:
http://psifertex.com/download/Jordan_Wiens_GCIH.pdf
The very last page includes a "Stickypit" script which might give an idea of
how to dynamically populate iptables while an attack is ongoing. Really, I
think the hardest part would be profiling the incoming traffic to determine
what is part of the DDoS so you can properly tarpit those connections but
allow the good ones in. In Jordan's case, the attack payload was
predictable.

I've not used it, but it sounds like "tarpit" module support can be compiled
into the kernel.



On Thu, Apr 22, 2010 at 1:29 PM, Karl Bailey <karlrobertbailey at googlemail.com> wrote:

We host a UK Government solution that has a VERY strict SLA. A government
advisory body scheduled the pen test (& defined the scope); the pen test
company were terrible, doing application-specific testing during SLA hours,
even though they had been told to do it only outside of these hours.

They were given a 12 hour window on a Sunday to perform (according to the
scope) destructive testing (which I think is STUPID against LIVE systems),
the pen test company warned us a few days in advance the exploits they
planned (all of which were DoS in some way shape or form).

So yes, they did do DoS ... now I'm no pen tester .. I'm a sys admin with a
keen interest in the black art of exploitation .. but in all honesty I could
have done what this company did & produce a report that they did ... it was
not the best experience in the world & I would not recommend the company to
anyone .. I dread to think what they charged the UK government .. & I wish I
could jump on that bandwagon.

So ... anyone got any clever ideas for iptables to help prevent DDoS rather
than just DoS?

Regards
Karl


On Thu, Apr 22, 2010 at 4:21 PM, Ben Greenfield <bcg at struxural.com> wrote:

Just for clarification, are you saying that on a recent pentest the
testers performed DoS attacks?  Or just that they uncovered potential
vulnerabilities that create a greater exposure to DoS attacks?

If so, did you know in advance that an active DoS attack would be
included as part of the testing scope?

It's just not standard operating procedure in my world to perform a
DoS on a pentest, and in fact it's extremely taboo.

The only time we would ever perform DoS style attacks on a pentest is
if the client explicitly asked us to, and those requests are usually
just to help do load testing.



On Thu, Apr 22, 2010 at 3:37 AM, Karl Bailey <karlrobertbailey at googlemail.com> wrote:

We had a recent pen test that highlighted a lot of problems on our
infrastructure with DoS, things like Slowloris causing issues. I've been
considering using iptables to limit the number of connections from a single
IP ... not a lot of help with a DDoS, but it would have saved us a lot of grief
as the pen testing all came from 3 IP addresses. Is there something a little
cleverererer iptables can do around dropping bad traffic?

Regards
Karl

On Tue, Apr 20, 2010 at 10:36 PM, Geoff Shukin <shukin at gsenterprises.biz> wrote:

Hi!

I am curious to know what folks are doing to combat the issue of DDOS
attacks.  I have heard about solutions from Arbor and TopLayer but wonder if
they are effective.  Are there any other suggestions out there in PaulDotCom
land?

We have seen DDOS attacks against one of our websites (using a combination
of ICMP, TCP SYN and UDP flood attacks). Firewall stops the attacks in that
the web servers are ok but the firewall falls over with 100% CPU.

Thanks

Geoff
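
Karl asked for a per-source connection limit in iptables, and Michael pointed at tarpitting and at populating rules dynamically once the flood traffic has been profiled. As an added example (not from any message in this thread), the POSIX shell script below prints a static connlimit/hashlimit cap and builds per-source DROP rules from a snapshot of peer connections; the 203.0.113.x, 198.51.100.x and 192.0.2.x peers, the thresholds and the APPLY/TARGET variables are assumptions, and the rules are only executed when APPLY=1.

```shell
# Added example (not from the thread): a static per-source connection cap plus
# a dynamic blocklist built by profiling a connection snapshot. Rules are
# printed for review and only executed when APPLY=1. IPv4 only; peers constructed.
set -eu

# Static guard: refuse new TCP connections to port 80 from any single source
# that already holds more than LIMIT of them (xt_connlimit match), and drop
# SYNs from a source that exceeds a per-IP rate (xt_hashlimit match).
static_rules() {
    limit="${1:-20}"
    echo "iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above $limit --connlimit-mask 32 -j DROP"
    echo "iptables -A INPUT -p tcp --syn --dport 80 -m hashlimit --hashlimit-above 30/sec --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name synflood -j DROP"
}

# Profile: read peer addresses, one "ip:port" per line (e.g. the foreign address
# column of `netstat -tn`), count connections per source IP and print sources at
# or above THRESHOLD, busiest first. The threshold must come from a baseline.
profile_sources() {
    awk -v t="$1" '
        NF == 0 { next }
        { split($1, a, ":"); n[a[1]]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn | awk '{ print $2 }'
}

# Dynamic rules: one DROP per offender, inserted at the top of INPUT so it
# takes precedence. Set TARGET=TARPIT if the xtables-addons TARPIT target is
# built; it holds the attacker's sockets open instead of silently dropping.
block_rules() {
    while read -r ip; do
        if [ -n "$ip" ]; then
            echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j ${TARGET:-DROP}"
        fi
    done
}

# Constructed snapshot: 203.0.113.5 holds four connections, the others fewer.
SAMPLE_PEERS='203.0.113.5:51001
203.0.113.5:51002
203.0.113.5:51003
203.0.113.5:51004
198.51.100.7:44010
198.51.100.7:44011
192.0.2.9:60000'

# Print (or, with APPLY=1, execute) the static cap plus blocks for sources
# holding three or more concurrent connections in the snapshot.
{ static_rules 20; printf '%s\n' "$SAMPLE_PEERS" | profile_sources 3 | block_rules; } |
    if [ "${APPLY:-0}" = 1 ]; then sh; else cat; fi
```

In production the snapshot would come from `netstat -tn` or `ss -tn` on the web server, and the block rules would be flushed again once the source stops.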

