Saturday, February 6, 2016

networking - Fighting Off Network Flooding



My website sometimes gets attacked by people. You can see such an attack at 18:00 and later on a bigger attack at 22:30. Basically the server's network card gets flooded by incoming requests.



My machine is a dedicated quad core, 12GB DDR3, 4x SAS 15k RPM drives in RAID10 with CentOS 5.6 64bit.




On this server I run Nginx as my webserver. During an attack I am unable to access my site because the whole network seems to be flooded. Once it stops, everything is back to normal, without the need to restart anything.



I have hardened my SYSCTL a little, see settings here: http://pastebin.com/eFfAcWkr
My IPTABLES config, it's quite basic really. Only need port 80, 443, 21 and my SSH port open: http://pastebin.com/MsHSka08



My question is: What can I further do to fight off these kind of attacks? Also, is there a way for me to find out what kind of attack it was exactly?



Green line is incoming data, blue one is outgoing data.

[Image: Network Attack (traffic graph)]


Answer



Welcome to the wonderful world of (Distributed) Denial of Service or DDoS. Short answer: talk to your ISP and ask them to help you filter out a DoS. Longer answer:



Since it sounds like your network is getting saturated, there is not a whole lot you can do with your network or systems to defend against these attacks -- their aim is to flood you with so much traffic your downstream bandwidth is clogged with junk. To fix this, you'll need to involve your ISP. If you're lucky, the attacks are simple DoS attacks with an identifiable, non-spoofed source address. Your ISP can apply filters to these pretty easily. If you're unlucky, the attacks are using spoofed source addresses and/or distributed amongst a botnet, making it much harder to filter (since there are a wide number of sources). There are still things your ISP can probably do, but they get a bit more complicated. To really defend yourself, you need to look at DDoS mitigation services like those offered by Arbor Networks, VeriSign, etc. Unfortunately, these tend to be quite expensive. Another option might be to look at deploying to a Content Distribution Network like Akamai (at the expensive end) or Cloudflare (at the free end, albeit Cloudflare isn't a full CDN).



As for figuring out what kind of attack it is, you can probably get a clue from the traffic itself. Run tcpdump or equivalent and see what sort of packets you're getting. It could be anything from ICMP (e.g., ping floods) to UDP (e.g., a DNS amplification attack) to TCP (syn flooding). Based on the traffic though, I'd bet on a simple stateless flood attack (i.e., ICMP or UDP). This is actually fortunate since a higher level attack, e.g., a bunch of zombies from a botnet flooding HTTP requests to port 80 or 443, is much harder to deal with.
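The answer suggests running tcpdump and looking at the protocol mix to tell an ICMP or UDP flood from a SYN flood or an HTTP-level attack. The script below is an added example, not part of the original answer, that does that triage over the one-line-per-packet summaries `tcpdump -n` prints: it parses source, destination, ports and protocol from each line, counts inbound packets per protocol and per source, and returns a verdict plus hints that matter when talking to the ISP (few sources that can be filtered versus many spoofed or botnet sources). The capture embedded in the script is constructed for the example; 198.51.100.10 stands in for the attacked web server and the 203.0.113.x addresses are documentation addresses.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth0` summary lines (NOT a capture from the
# poster's server). It mixes an ICMP ping flood, unsolicited DNS responses from
# source port 53 (what a DNS amplification attack looks like on the wire), a few
# TCP SYNs and one legitimate HTTP exchange, so the classifier has something to sort.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 1400
12:00:01.000002 IP 203.0.113.5 > 198.51.100.10: ICMP echo request, id 1, seq 2, length 1400
12:00:01.000003 IP 203.0.113.6 > 198.51.100.10: ICMP echo request, id 7, seq 1, length 1400
12:00:01.000004 IP 203.0.113.6 > 198.51.100.10: ICMP echo request, id 7, seq 2, length 1400
12:00:01.000005 IP 203.0.113.21.53 > 198.51.100.10.33001: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000006 IP 203.0.113.22.53 > 198.51.100.10.33002: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000007 IP 203.0.113.23.53 > 198.51.100.10.33003: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000008 IP 203.0.113.24.53 > 198.51.100.10.33004: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000009 IP 203.0.113.25.53 > 198.51.100.10.33005: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000010 IP 203.0.113.26.53 > 198.51.100.10.33006: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000011 IP 203.0.113.27.53 > 198.51.100.10.33007: 31337 5/0/0 A 192.0.2.1, A 192.0.2.2 (3000)
12:00:01.000012 IP 203.0.113.30.123 > 198.51.100.10.40000: NTPv2, Reserved, length 440
12:00:01.000013 IP 203.0.113.40.51000 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000014 IP 203.0.113.41.51001 > 198.51.100.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000015 IP 203.0.113.42.51002 > 198.51.100.10.443: Flags [S], seq 3, win 65535, length 0
12:00:01.000016 IP 198.51.100.77.52000 > 198.51.100.10.80: Flags [P.], seq 1:100, ack 1, win 500, length 99
12:00:01.000017 IP 198.51.100.10.80 > 198.51.100.77.52000: Flags [.], ack 100, win 500, length 0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<time> IP <src>[.<sport>] > <dst>[.<dport>]: <decoded payload>" as printed by tcpdump -n
LINE_RE = re.compile(
    rf"^\S+ IP (?P<src>{IPV4})(?:\.(?P<sport>\d+))? > (?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Return {src, sport, dst, dport, proto} for one tcpdump summary line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif "Flags [" in rest:
        # Bare SYN (no ACK) is what a SYN flood is made of; anything else is an established flow.
        proto = "tcp-syn" if re.search(r"Flags \[S\]", rest) else "tcp"
    else:
        # tcpdump prints the decoded UDP payload (DNS answer, NTP, or "UDP, length N") here.
        proto = "udp"
    return {"src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"], "proto": proto}


def analyze(capture_text, victim):
    """Count inbound packets to `victim` by protocol and source and name the likely attack type."""
    counts, sources, udp_sports = Counter(), Counter(), Counter()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != victim:
            continue  # skip unparsable lines and our own outgoing replies
        counts[rec["proto"]] += 1
        sources[rec["src"]] += 1
        if rec["proto"] == "udp":
            udp_sports[rec["sport"]] += 1
    total = sum(counts.values())
    if total == 0:
        return {"total": 0, "verdict": "no inbound packets for victim"}
    dominant = counts.most_common(1)[0][0]
    udp_from_53 = udp_sports["53"]
    if dominant == "icmp":
        verdict = "stateless ICMP flood (ping flood)"
    elif dominant == "udp":
        verdict = "stateless UDP flood"
        if udp_from_53 and udp_from_53 * 2 >= counts["udp"]:
            verdict += ", likely DNS amplification (unsolicited responses from source port 53)"
    elif dominant == "tcp-syn":
        verdict = "TCP SYN flood"
    else:
        verdict = "completed TCP connections: inspect the HTTP layer (nginx access log), not the packets"
    # Many sources each sending a handful of packets points at spoofing or a botnet,
    # which the ISP cannot fix with a per-address filter; a few heavy sources it can.
    distinct = len(sources)
    filterable = distinct <= 3 or sources.most_common(1)[0][1] * 2 >= total
    return {
        "total": total,
        "counts": dict(counts),
        "dominant": dominant,
        "udp_from_port_53": udp_from_53,
        "distinct_sources": distinct,
        "top_sources": sources.most_common(5),
        "verdict": verdict,
        "isp_hint": "few sources, ask ISP to filter them" if filterable
                    else "many distinct sources (spoofed/botnet), ask ISP for upstream rate limiting",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CAPTURE, "198.51.100.10").items():
        print(f"{key}: {value}")
```

To use it on the real box, save a few thousand summary lines during the next attack with something like `tcpdump -n -i eth0 -c 5000 > attack.txt` and feed the file's contents to `analyze()` with the server's own public address as `victim`. The protocol split and the "isp_hint" line are exactly what the ISP's abuse desk will ask for first.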

