Malicious DDOS and protection

An interesting story happened with one of my projects, and I want to share it; maybe someone will find it useful.


Since my project was regularly hammered by DDOS, it was decided to move it behind HighLoad Lab, which provides protection against DDOS attacks for free.

Everything was great: they proxied traffic through themselves to our server. On our server, all incoming IP addresses were blocked except HighLoad's.


But on the night of November 13-14 the server began to slow down terribly, and I could not understand why: there was no load, iptables was not letting anything through, yet the slowness was noticeable even when working over ssh.

In the afternoon, the server crashed. I still did not know the cause, and the first thing that occurred to me was the old Slackware kernel, which had not been updated for a long time. It was decided to go to Krasnogorsk, to Rednet's office, and reinstall the system with a fresh Debian, but everything turned out far from what I had planned ...


While I was sorting through the possible causes in my mind, the phone rang. On the line was the chief administrator of . He said that the outage was caused by a DDOS attack that happened during a replacement of equipment, when the protection and cleaning systems were switched off.

Since our server was hosted at a residential provider, it was primarily client traffic (ordinary Internet users) that suffered from the attack. They noticed the attack on the COMCOR backbone and cut off our IP address. At its peak, the attack reached 300 Mbps.

Why didn't the HighLoad filters save us?

The attackers knew our old IP address, and the attack was aimed specifically at it, bypassing the traffic cleaning systems; and of course no iptables in block-all mode will help there, because the flood saturates the uplink before the packets ever reach the firewall to be dropped.


Now the server has been moved to an IP address unknown to anyone, the traffic goes through HighLoad Lab, outgoing mail from the web server was routed through Gmail, and all outgoing connections that fetched avatars from user-supplied links were disabled, since an attacker could point the link at a picture on his own server and learn our new IP from the connection.


Now the setup looks something like this:

User request -> external anti-DDOS IP of the server -> traffic cleaning system -> their nginx -> cleaned traffic goes to our server -> nginx -> apache -> and back to the user along the same chain. The most important thing is not to expose the real IP address of the web server to the attacker.
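To make the two rules above concrete (accept nothing except from the protection provider, and never let the origin open a connection to an address a user chose), here is an added example in Python; it is not code from the post or from HighLoad Lab, and the provider ranges, the avatar store and the paths are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholder: the only networks the origin may talk to in either
# direction. The RFC 5737 documentation range stands in for the scrubbing
# provider's real addresses, which come from the provider.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed upload store: avatar key -> file already stored on the origin.
LOCAL_AVATARS = {"u1": "/var/www/avatars/u1.png"}
DEFAULT_AVATAR = "/var/www/avatars/default.png"


def ingress_allowed(src_ip: str) -> bool:
    """Block-all-except-provider: accept a connection only from the scrubber."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in PROVIDER_NETS)


def egress_allowed(dst_ip: str) -> bool:
    """Same list for outbound: the origin initiates connections only to the
    provider, so no outbound packet can carry its real IP to a stranger."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in PROVIDER_NETS)


def leaky_avatar(avatar_field: str, fetch):
    """BEFORE: the avatar field may be a URL that the origin fetches itself.
    That outbound TCP connection shows the URL's owner the origin's real IP."""
    if avatar_field.startswith(("http://", "https://")):
        return fetch(avatar_field)
    return LOCAL_AVATARS.get(avatar_field, DEFAULT_AVATAR)


def hardened_avatar(avatar_field: str) -> str:
    """AFTER: remote links are never followed. Only a key into the local
    upload store is honoured; anything that parses as a URL gets the default."""
    parsed = urlparse(avatar_field)
    if parsed.scheme or parsed.netloc:
        return DEFAULT_AVATAR
    return LOCAL_AVATARS.get(avatar_field, DEFAULT_AVATAR)
```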

    Help with design and editing: as3k
