CACook@quantum-sci.com wrote:
>Is there any way to solve something like this?
In a word, no.
Well there is, but it's not very useful as it means unplugging from 
the internet!
The whole point of a good DDoS is that there are so many source IPs 
involved that it's impossible to block them easily. You could try 
blocking net blocks - eg a /24 for every IP you see - but if the 
traffic comes from (say) a residential ISP it means you end up 
blocking legitimate users from that ISP.
The other issue if it's UDP traffic is that the source addresses are 
probably spoofed anyway. It depends on the network infrastructure at 
the attacking end, but it's often easy to send traffic with spoofed 
source addresses. Even if the site admin's gateway routers are 
configured to drop "out of subnet" traffic (as mine are), that still 
gives the attacker a block to use - hence the suggestion to drop 
netblocks rather than individual IPs. If neither the site admin nor 
their ISP apply any source filtering, then in effect the attacker has 
the full IPv4 address range to throw at you.
I've read articles about the effect this has on high profile sites - 
especially bookmakers' sites. According to the article I read a while 
ago, they can expect a DDoS attack shortly before a big event 
followed by an extortion demand - ie "this is what we can do, give us 
<some large amount of cash> or we take you down in the run up to 
<large sports event>". It avoided details, but the article went on to
say they've developed ways of dealing with it - which I suspect 
involve a lot of available bandwidth, a lot of server capacity, and 
automated systems to detect 'non-human' access patterns and block the
source addresses.
And of course, whatever you do at your site - you've already had the 
traffic using up your inbound bandwidth. That can only be avoided 
with assistance from your upstream ISP - ie it means filtering before 
the traffic comes down your access pipe.
-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
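
Added example, not part of the original message: a sketch of the "block the /24" trade-off described above, which widens to a netblock only when several distinct sources were seen inside it and reports how many never-seen addresses each entry would also block. The sample addresses (documentation ranges), the function name plan_blocks and the min_hosts threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses seen during a flood (documentation ranges).
SAMPLE_SOURCES = [
    "198.51.100.7", "198.51.100.19", "198.51.100.200", "198.51.100.201",
    "203.0.113.5", "203.0.113.5", "192.0.2.44",
]


def plan_blocks(sources, prefix_len=24, min_hosts=3):
    """Return block entries for the observed IPv4 sources.

    A netblock of prefix_len is used only when at least min_hosts distinct
    addresses inside it were seen; otherwise each address gets a /32 entry.
    'collateral' counts addresses covered by the entry that were never seen.
    """
    seen = defaultdict(set)
    for text in sources:
        addr = ipaddress.ip_address(text)
        if addr.version != 4:
            continue  # this sketch only handles IPv4
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        seen[net].add(addr)

    plan = []
    for net in sorted(seen):
        hosts = seen[net]
        if len(hosts) >= min_hosts:
            plan.append({
                "block": str(net),
                "observed": len(hosts),
                "collateral": net.num_addresses - len(hosts),
            })
        else:
            for host in sorted(hosts):
                plan.append({"block": f"{host}/32", "observed": 1, "collateral": 0})
    return plan


if __name__ == "__main__":
    for entry in plan_blocks(SAMPLE_SOURCES):
        print(entry)
```

The collateral figure is the cost named in the message: on a residential ISP range, those are legitimate users who get blocked along with the attack traffic.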