DDOS Attacks. What you can do to help stop them!

[serraz]

I'm sure you are all aware of the recent DDOS attacks on multiple pools and services in the crypto community.

Our Pool was one of the pools hit in these attacks. These attacks are damaging the reputation of crypto coins and causing mass panics.

i'm sure most pools have invested or are investing in some form of DDOS protection most of which will keep logs of any attack that happens on your pool. Now these are great but if you claim to be DDOS proof you would be lying nothing is DDOS proof if the attack is big enough some might even see it as a challenge.

We can all help to stop these attacks or at least shutdown some bots and i will tell you how right now.

Khaos and myself have developed a script that will analyse log files captured from a ddos attack split it up into subnets, find what company is in charge of those addresses and send them an email with the logs attached stating that a DDOS has come from those IP addresses.

The company's must act on these emails as doing a DDOS is a crime. I know it will not stop these DDOS attacks and they can get more bots quite easily but it will reduce their attack power and help make users aware that their machines are compromised and how to stop this happening.

If you would like a copy of the script you can find it here. http://pastebin.com/ZN0bqrKS

Thanks for reading

[1715336135]

1715336135

[1715336135]

1715336135

[1715336135]

1715336135

[1715336135]

1715336135

[yacoin]

Rather impossible. Because somebody who has a botnet. With a 0day exploit or even a crappy older exploit, he can increase that botnet by 500-1000 bots in a week or two.

And your emails are going to shut down what? 200-300 of his bots in a week...

So it's a race.

You can't win.

And even if you shutdown one botnet, there will be 10 others to take the DDOSers place.

The only way to stop DDOS is to pay for DDOS protection

[kha0S]

I would like to add, that from this first batch of emails sent (around 8000 emails), we have already received a huge number of reports stating servers "fixed" or simply disconnected for investigation. The problem affecting this machines was quite easy to fix.

That kind of prompt answer from SysAdmin teams should be praised and thanked.

Thanks!

../kha0S

[serraz]

Rather impossible. Because somebody who has a botnet. With a 0day exploit or even a crappy older exploit, he can increase that botnet by 500-1000 bots in a week or two.

And your emails are going to shut down what? 200-300 of his bots in a week...

So it's a race.

You can't win.

And even if you shutdown one botnet, there will be 10 others to take the DDOSers place.

The only way to stop DDOS is to pay for DDOS protection

Agreed with you 100%. This is not a solution to stop them per say not is it a replacement for ddos protection and it never will be. You are correct we can never stop them. but if we can take down some of the bots and make users aware of certain programs used for botnets it could make the attackers job that little bit harder.

Again this is not going to stop ddos attacks or is it a replacement for ddos protection. Its a simple way we can help make users aware of exploits and unwanted programs on their machines and servers.

Surely shutting down 200 - 300 a week is better then a extra 200 - 300 bots in their army.

[kha0S]

We are not talking about a 0day exploit here. It's a misconfiguration on DNS servers allowing "attackers" to inflict a DNS amplification attack. In our case represented almost 10Gbps of unrequested UDP traffic.

Downtime caused: several hours
Time to fix: <1 minute

On the other hand:

Time to create the script: a couple of hours
Time to run it every time it happens from now on: 1 second

Cheers,
kha0S

Rather impossible. Because somebody who has a botnet. With a 0day exploit or even a crappy older exploit, he can increase that botnet by 500-1000 bots in a week or two.

And your emails are going to shut down what? 200-300 of his bots in a week...

So it's a race.

You can't win.

And even if you shutdown one botnet, there will be 10 others to take the DDOSers place.

The only way to stop DDOS is to pay for DDOS protection

[yacoin]

Doesn't even need to a be DNS reflective attack.

1000-2000 bots can pump out about 25-50 GB/s without DNS reflective attacks

[YipYip]

I'm sure you are all aware of the recent DDOS attacks on multiple pools and services in the crypto community.

Our Pool was one of the pools hit in these attacks. These attacks are damaging the reputation of crypto coins and causing mass panics.

i'm sure most pools have invested or are investing in some form of DDOS protection most of which will keep logs of any attack that happens on your pool. Now these are great but if you claim to be DDOS proof you would be lying nothing is DDOS proof if the attack is big enough some might even see it as a challenge.

We can all help to stop these attacks or at least shutdown some bots and i will tell you how right now.

Khaos and myself have developed a script that will analyse log files captured from a ddos attack split it up into subnets, find what company is in charge of those addresses and send them an email with the logs attached stating that a DDOS has come from those IP addresses.

The company's must act on these emails as doing a DDOS is a crime. I know it will not stop these DDOS attacks and they can get more bots quite easily but it will reduce their attack power and help make users aware that their machines are compromised and how to stop this happening.

If you would like a copy of the script please PM myself or Khaos.

Thanks for reading

Champion effort guys ++

[nearmiss]

great job guys, always good to see people sharing this type of stuff with the community for the greater good.

[Vladimir]

Just publish the script right here. Lots of people will find it maybe years down the road and use it. There is really no reason to hide those behind PM's.

[yacoin]

You can't protect yourself from a DDOS attack from running a script on your own server. You have to talk to the upstream providers. Make your own DNS server, block other DNS requests from other DNS servers, etc.

There's nothing you can do with an iptables script or anything of that matter to effectively stop DDOS on your servers.

Plus, 10 GB/s is very low

[kha0S]

I guess you didn't read serraz email...
The script doesn't create automatic rules. The firewall rules are already there. That's not the point!
The script generates the attack reports emails and sends them to contact according to "whois" info for the attacking IP.
This emails are monitored by sysadmin/netadmin teams, who actually act really fast.

Cheers.
kha0S

P.S.: Yes, it's low. But for a pool it's the difference between finding a block or not...

You can't protect yourself from a DDOS attack from running a script on your own server. You have to talk to the upstream providers. Make your own DNS server, block other DNS requests from other DNS servers, etc.

There's nothing you can do with an iptables script or anything of that matter to effectively stop DDOS on your servers.

Plus, 10 GB/s is very low

[Vladimir]

Yacoin. It is not about stopping it. It is about reducing zombie nets so that they are weaker for the next victim/attack. And yes admins do read those emails and do act on them. I used to be one of those admins, I should know.

[yacoin]

Yacoin. It is not about stopping it. It is about reducing zombie nets so that they are weaker for the next victim/attack. And yes admins do read those emails and do act on them. I used to be one of those admins, I should know.

What did you administer?

[serraz]

Just publish the script right here. Lots of people will find it maybe years down the road and use it. There is really no reason to hide those behind PM's.

Great point i will post it up here as soon as i have access to a machine with a decent connection.

[serraz]

Script has been added my original post

[fcmatt]

I am confused. You mean ppl who ddos do not even spoof their src ips from subnet related to the one they are on or random?
Sending out emails might mean sending emails to the wrong isps.

[serraz]

I am confused. You mean ppl who ddos do not even spoof their src ips from subnet related to the one they are on or random?
Sending out emails might mean sending emails to the wrong isps.

Once they are notified they can see if there was traffic or not and decide weather it was spoofed or actually coming from their machines. this just sends a notification for them to do internal investigating.

[paul21]

Booters cost like $5/month and the pools need corporate grade protection to counter them; it's not cheap (2-4k/month for TCP applications like Stratum). If we manage to knock off 50% of the nodes, the booter price might go to $10/month or something so it's still a losing battle. These aren't the sophisticated attacks that mtgox has to deal with, but a simple UDP flood. Most hosts that offer DDoS protection, from my shopping experience, max out at 10Gbit/1-5MPPS, and I consistently saw attacks stronger than that with CNC (peak was 22Gbit, 75% of the attacks were over 10).

Some prices for dedicated DDoS protection I found: (not shared like awknet or VPS)
Staminus     $1k/month for 10Gbit/1MPPS (not strong enough)
BlackLotus $675/month for 10Gbit/6MPPS
Some other  $1k/month + $4k setup for similar

The solution I've come up with is to just use a suite of reverse proxies:
buyvm/etc VPS (10Gbit/5MPPS)
Minecraft-oriented VPS/Dedicated (Varies)
Cloud Load Balancer

For example, I used an amazon elastic load balancer and some micro instances for forwarding. By using the ELB, amazon soaks up the packet floods and does some filtering. I also use cloudflare free, but there's a risk. If your site gets a http-layer attack, and you're not on the 200/m plan, cloudflare will change your DNS record and effectively direct the traffic to your server. The pro is a packet flood goes to the CDN node, and that's not associated with any single domain, so it blocks those (you can route longpolling through cloudflare since it's HTTP traffic)

[Vladimir]

paul21: yes I confirm that what you posted is consistent with my experience.

tl;dr get a decent sysadmin and treat him well and your DDOS issues can be solved to a large degree.

[serraz]

Booters cost like $5/month and the pools need corporate grade protection to counter them; it's not cheap (2-4k/month for TCP applications like Stratum). If we manage to knock off 50% of the nodes, the booter price might go to $10/month or something so it's still a losing battle. These aren't the sophisticated attacks that mtgox has to deal with, but a simple UDP flood. Most hosts that offer DDoS protection, from my shopping experience, max out at 10Gbit/1-5MPPS, and I consistently saw attacks stronger than that with CNC (peak was 22Gbit, 75% of the attacks were over 10).

Some prices for dedicated DDoS protection I found: (not shared like awknet or VPS)
Staminus     $1k/month for 10Gbit/1MPPS (not strong enough)
BlackLotus $675/month for 10Gbit/6MPPS
Some other  $1k/month + $4k setup for similar

The solution I've come up with is to just use a suite of reverse proxies:
buyvm/etc VPS (10Gbit/5MPPS)
Minecraft-oriented VPS/Dedicated (Varies)
Cloud Load Balancer

For example, I used an amazon elastic load balancer and some micro instances for forwarding. By using the ELB, amazon soaks up the packet floods and does some filtering. I also use cloudflare free, but there's a risk. If your site gets a http-layer attack, and you're not on the 200/m plan, cloudflare will change your DNS record and effectively direct the traffic to your server. The pro is a packet flood goes to the CDN node, and that's not associated with any single domain, so it blocks those (you can route longpolling through cloudflare since it's HTTP traffic)

We do have protection in place. read up to my previous posts this is not going to stop DDOS attacks not by a long shot.

If enough people use this script we might be able to make their job that little bit harder by shutting down bots and spreading awareness of tactics they are using. In the end its up the the person if they want to use it or not i just figured others might also find this useful