Help defend server

[sjizzle]

Hello,

Do you guys have any idea how to defend against DDoS attacks?

Next to that, what if it happens what are the best things you can do ?

Thanks,

[Kaiosown]

Install iptable and etc also a free firewall search on google

[sjizzle]

I have an iptable and a firewall however, the ddos attack keep eating up my RAM and CPU.

[Kaiosown]

If the attacker ip is banned everything should be good

[TheLuda]

Best choice is to lock out the IPs traffic with iptables, indeed.

[sjizzle]

He is now connecting from behind software that hides his IP.

The attacks are coming for all different IPs which makes it hard to block..

[Atari]

Aren't DDos attacks only sufficiently filtered out by a hardware firewall? I doubt there is much to filter when the attacker has reached the machine itself already and is spamming requests.

[TheLuda]

If it's syn flooding, you might try http://antmeetspenguin.blogspot.de/2011/01/detecting-and-preventing-syn-flood.html.

[sjizzle]

When it's a SYN flood the CPU and Memory utilization wouldn't be overloaded. Anyway thanksTheLuda for you quick help, I will maybe implement this as a prevention, but first I need to do more research on this.

In our case, both CPU and Memory are dealing with a high load and will eventually crash the server.

[antiroot]

Have you checked any of your log files to see what exactly they are trying to access? Perhaps they found something that just causes high load on the server which you could optimize or require authentication. Blocking their IP is not probably not an ideal solution as yourself and others have pointed out "spoofing" an IP / using a proxy is extremely easy, even for a novice script kiddie.

I think the first step is just determining what they are trying to access since there will be different steps whether it's http, ssh, ftp, etc

If log files are not helpful, you could try using tcpdump while they are attacking the server to see what kind of traffic is actually bringing the server to a crawl

[sjizzle]

Would it cost much overhead if there are for example 30.000 or 40.000 IPs in it ?

Btw, antiroot I'll recheck everything again thanks for the help everyone.

[greydor]

1000/2000 people want to connect

Best help against DDoS: Don't run a public WoW server

[Nighoo]

You might first sniff your traffic to have a clue what's going on. But you know the attacks come from different ip addresses, but not what he/she/it is doing?

[sjizzle]

We've a Debian server with 16 GB of ram and a ssd disc, our cpu is low and memory arround 7% when the server is up. But when the attacks start CPU increase and RAM will be full within minutes. Maybe I can post a PCAP file if someone is interested ?

[Nighoo]

feel free to upload your sniff file

[Skifty]

/push

[hendradell]

Try Use DDOS Deflate.........is powerfull Anti DDos