My hub has recently been getting DDoS'd on the hub port.
Added: SuspendAccepts(iTime) to lua for suspending listening sockets when hub is attacked
That above did stop the connects from showing in the hubsoft accepts and parts total, but it does not stop them from getting into the hubsoft; if you check the CMDs box you can still see the connect requests, and the hub becomes bogged down, effectively killing the hub.
(The attacks show as hundreds of connect requests per second from different random IPs directed toward the hub port.)
Is there anything that can be done to fight this kind of attack?
I have had to change my hub port, stop registering my hub on the various hublists and have closed the hub to regs only. This seems to be working for the moment, but it hurts my hub, as we are just a small independent hub that was started in 1999.
Please, if anyone has any ideas, I am willing to try just about anything that is feasible.
Well, if it's really a DDoS attack you just have to install a decent firewall...
Maybe you set SuspendAccepts to a very low time, try a higher value ::)
Quote from: PPK on 21 October, 2006, 13:39:13
Maybe you set SuspendAccepts to a very low time, try a higher value ::)
How do I set SuspendAccepts?
Quote from: Stormbringer on 21 October, 2006, 11:54:49
Well, if it's really a DDoS attack you just have to install a decent firewall...
Firewall my hub port would stop it, but it would also stop the hub. ;D
Quote: Firewall my hub port would stop it, but it would also stop the hub.
Yeah, really? Don't think so; all owners that I know use a firewall (uffffffffff), and we all own a hub without problems.
Learn how to configure it and you will see that it's not a problem, and you will solve your problem the same way ;-)
Quote from: Stormbringer on 22 October, 2006, 02:19:14
Yeah, really? Don't think so; all owners that I know use a firewall (uffffffffff), and we all own a hub without problems.
Learn how to configure it and you will see that it's not a problem, and you will solve your problem the same way ;-)
First, I said nothing against using a firewall, but I do not know of any settings in a firewall that can protect your hub from an attack like this. They target your IP or No-IP address and your hub port, and the attacks are coming from thousands of different random IPs (you cannot block them all) directed at the TCP port of your hub (block the port of your hub and no one gets in anyway). Maybe I am mistaken in calling it a DDoS attack, or maybe I am just ignorant and do not know what I am talking about. What firewall would you suggest? What settings should I look at to block the attack without blocking my users?
Quote from: Nada@WTB on 22 October, 2006, 04:29:11
First, I said nothing against using a firewall, but I do not know of any settings in a firewall that can protect your hub from an attack like this. They target your IP or No-IP address and your hub port, and the attacks are coming from thousands of different random IPs (you cannot block them all) directed at the TCP port of your hub (block the port of your hub and no one gets in anyway). Maybe I am mistaken in calling it a DDoS attack, or maybe I am just ignorant and do not know what I am talking about. What firewall would you suggest? What settings should I look at to block the attack without blocking my users?
Well, there is no cure, because even if you ban the IPs with e.g. Outpost, the attacks still come and your bandwidth will be eaten up anyway.
Quote from: bastya_elvtars on 22 October, 2006, 13:29:48
Well, there is no cure, because even if you ban the IPs with e.g. Outpost, the attacks still come and your bandwidth will be eaten up anyway.
You are correct, I spoke with the head IT guy for a large company and he said basically the same thing. Oh well, I hope I have taken the target off our backs for the moment by going private and staying off updated hublists. Thank you guys for your input.
Hi
Don't routers have an option to defend against DoS? And does anyone know how this protection works?
Quote: DoS protection
You can set up this item if you want to enable DoS protection.
Enabled / Disabled
Quote from: Naithif on 22 October, 2006, 19:34:35
Hi
Don't routers have an option to defend against DoS? And does anyone know how this protection works?
It would still choke his connection. The only remedy would be if packets were stopped earlier, e.g. at the ISP's router.
Quote from: Nada@WTB on 21 October, 2006, 21:57:44
How do I set SuspendAccepts?
SuspendAccepts has only one parameter, time in seconds. PtokaX closes the listening sockets (the attacker will get connection refused, and not take your bandwidth) and starts them again after the time given in SuspendAccepts ::)
If it's DDoS then it doesn't matter if they get a timeout or not; your bandwidth will decrease until eventually your connection drops... Technically, even if you close your hub, if they know what they are doing, you will still go down... Your best defence against this is to find the attacker's real IP, block it in your router/firewall, and then hope they are dumb enough to think your connection is down... g'luck
-/ p_HaTTy
When you block the attacker's IP in the firewall, they get the same connection refused as if you SuspendAccepts ::)
Quote from: PPK on 23 October, 2006, 17:55:01
When you block the attacker's IP in the firewall, they get the same connection refused as if you SuspendAccepts ::)
But as I said, if they know enough, they can still check if you are online via another port, 23 for example, and SuspendAccepts will block access for other users, eventually allowing connections again; therefore the attacker connects again, knows you are up, then attacks again. If he is always unable to connect, that is a different story...
Quote from: pH?tt? on 23 October, 2006, 18:37:29
they can check still if u are online
They don't need to check... connection refused = machine running but not accepting connections on this port ;D
Yeah, true, but if the firewall is set correctly, it won't say connection refused; it would be a timeout.
Quote from: pH?tt? on 23 October, 2006, 20:43:09
Yeah, true, but if the firewall is set correctly, it won't say connection refused; it would be a timeout.
It's just a matter of block policy indeed. But also the machine shouldn't respond to ICMP echo requests (ping) or any other stuff; it needs to be stealthed. Outpost can do such stuff, but if I ran a hub, I'd protect it with a hardware firewall that I build. :-)
(I know pf 3.7+ has max-src-conn-rate; I don't know about IPFW and iptables having this, but I bet they do have such stuff.)
Quote from: Naithif on 22 October, 2006, 19:34:35
Hi
Don't routers have an option to defend against DoS? And does anyone know how this protection works?
AFAIK the most used protection method is IP cookies: the firewall keeps track of connections, and when an attack has started it only allows connection requests from IPs connected before.
Like if the attack has started at 10:00:00, firewall only allows the IPs that were already connected at 09:59:00 to reconnect or etc.
This seems to be a crude way to stop DoS ;D
Thanks for the info
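As an added, constructed example (not PtokaX's code, not a pf ruleset, and not anything posted in this thread): the three mechanisms discussed above, a per-source connection-rate limit like pf's max-src-conn-rate, the "IP cookie" policy of admitting only sources seen before the flood started, and a SuspendAccepts-style close-the-listener response, modelled as one admission policy and run over constructed connection attempts. All thresholds, class and function names, and the traffic itself are assumptions. It illustrates what the thread argued: a per-source limit only catches a single host hammering the port, SuspendAccepts shuts out the regulars along with the flood, and the cookie policy lets pre-flood regulars back in while the flood lasts. None of this stops the packets from consuming the link; that decision has to be made upstream.

```python
import random
from collections import defaultdict, deque


class Admission:
    """Per-attempt admission decision for a listening port under a connect flood.

    Returns one of: "accept", "drop:ratelimit", "drop:unknown", "drop:suspended".
    All thresholds are illustrative assumptions, not PtokaX or pf defaults.
    """

    def __init__(self, per_src_max=3, per_src_window=10.0,
                 flood_threshold=50, flood_window=1.0,
                 history_window=120.0, suspend_seconds=0.0):
        self.per_src_max = per_src_max          # like pf "max-src-conn-rate N/S"
        self.per_src_window = per_src_window
        self.flood_threshold = flood_threshold  # attempts per flood_window = "attack"
        self.flood_window = flood_window
        self.history_window = history_window    # how long an accepted source stays "known"
        self.suspend_seconds = suspend_seconds  # >0 models SuspendAccepts(iTime)
        self.recent = deque()                   # timestamps of all attempts (aggregate rate)
        self.per_src = defaultdict(deque)       # ip -> timestamps of its own attempts
        self.last_seen = {}                     # ip -> time of its last accepted connect
        self.known_at_flood = set()             # the "IP cookies" frozen at flood start
        self.in_flood = False
        self.suspended_until = 0.0

    def _rate(self, queue, ts, window):
        """Append ts, expire entries older than window, return the count."""
        queue.append(ts)
        while queue and queue[0] < ts - window:
            queue.popleft()
        return len(queue)

    def decide(self, ts, ip):
        # SuspendAccepts model: the listening socket is closed, nobody gets in.
        if ts < self.suspended_until:
            return "drop:suspended"
        under_attack = self._rate(self.recent, ts, self.flood_window) > self.flood_threshold
        if under_attack and not self.in_flood:
            # Flood just detected: freeze the set of recently accepted sources.
            self.in_flood = True
            self.known_at_flood = {s for s, t in self.last_seen.items()
                                   if t >= ts - self.history_window}
            if self.suspend_seconds > 0:
                self.suspended_until = ts + self.suspend_seconds
                return "drop:suspended"
        elif not under_attack:
            self.in_flood = False
        # Per-source rate limit counts attempts, accepted or not.
        if self._rate(self.per_src[ip], ts, self.per_src_window) > self.per_src_max:
            return "drop:ratelimit"
        # IP-cookie policy: while the flood lasts, only pre-flood sources get in.
        if under_attack and ip not in self.known_at_flood:
            return "drop:unknown"
        self.last_seen[ip] = ts
        return "accept"


REGULARS = [f"10.0.0.{i}" for i in range(1, 6)]   # constructed regular users
HAMMER = "10.9.9.9"                                # constructed single noisy host


def constructed_traffic(seed=7):
    """Constructed attempts (ts, ip): 5 regulars, a 300-source flood, one hammering host."""
    rng = random.Random(seed)
    events = [(1.0 + i, ip) for i, ip in enumerate(REGULARS)]          # regulars log in
    for k in range(300):                                                # 300 attempts in 1 s
        ip = f"{100 + k % 100}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{1 + k % 254}"
        events.append((10.0 + k / 300.0, ip))                           # all 300 are distinct
    events += [(10.5 + i * 0.05, ip) for i, ip in enumerate(REGULARS)]  # regulars reconnect mid-flood
    events += [(20.0 + j * 0.1, HAMMER) for j in range(10)]            # one source, 10 connects/s
    return sorted(events)


def simulate(policy, seed=7):
    """Run the traffic through a policy; return decision -> {source kind: count}."""
    tally = defaultdict(lambda: defaultdict(int))
    for ts, ip in constructed_traffic(seed):
        kind = "regular" if ip in REGULARS else "hammer" if ip == HAMMER else "flood"
        tally[policy.decide(ts, ip)][kind] += 1
    return {decision: dict(counts) for decision, counts in tally.items()}


if __name__ == "__main__":
    print("ip-cookie mode:     ", simulate(Admission()))
    print("suspend-accepts 5 s:", simulate(Admission(suspend_seconds=5.0)))
```

The first 50 flood sources get in before the aggregate counter trips, which is why a detection threshold is a trade-off; after that, cookie mode drops the remaining 250 unknown sources but still admits all five regulars on their reconnect, while the suspend variant refuses the regulars as well for the whole suspension. The hammering host is the only case the per-source limit helps with, exactly because the flood never reuses a source.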
I can recommend using Visnetic Server Firewall (http://www.deerfield.com/products/visnetic-firewall/) because its efficiency is tested here ;)
But a note: Visnetic might be hard to set up properly and would be a bad decision if you're running client-side applications more than server-side applications on the installed system.
At first sight it offers the same key features as a router (at least a good router :D :D)
Block Ping
SPI
DoS protection (from what you've said, it works the same on that firewall as on a router)
Port Scan Detection
IP Address Ban List
MAC Address Filtering
HTTP Filtering