×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Experience Handling DDoS Attacks On a Mid-Tier Site?

Unknown Lamer posted about 2 years ago | from the is-that-likes-windows-3.1 dept.

Networking 197

New submitter caboosesw writes "A customer of mine recently was hit by a quick and massive DDoS attack. As we were in the middle of things, we learned that there are proxy services of varying maturity to deal with these kinds of outbreaks from the small and mysterious (DOSArrest, ServerOrigin, BlackLotus, DDOSProtection, CloudFlare, etc.) to the large and mature (Prolexic, Verisign, etc.) Have you guys used any of these services? Especially on the lower price point that a small e-commerce (not pr0n or gambling) company could afford? Is a DDoS service really mandatory as Gartner now puts this type of service in the same tier as SEIM, firewalls, IPS, etc?"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

197 comments

Change Apache to nginx (0, Offtopic)

CoderExpert (2613949) | about 2 years ago | (#39625257)

nginx [wikipedia.org] performs much better than Apache. The latter one is really bloated, which shows extremely quickly when you're under DDOS. nginx is designed to be lightweight and fast while still offering many features. It was originally created for Rambler, a huge Russian search engine and portal when other web servers couldn't handle their needs. It truly kicks Apache's ass.

Re:Change Apache to nginx (0)

Anonymous Coward | about 2 years ago | (#39625315)

Well that's just.. stupid advice

Re:Change Apache to nginx (-1, Redundant)

CoderExpert (2613949) | about 2 years ago | (#39625379)

If it helps against DDOS attacks, how is it stupid advice?

Re:Change Apache to nginx (2, Insightful)

dreamchaser (49529) | about 2 years ago | (#39625421)

If it helps against DDOS attacks, how is it stupid advice?

Because it doesn't really and you're just being a fanboi?

Re:Change Apache to nginx (1, Informative)

stanlyb (1839382) | about 2 years ago | (#39626149)

Actually it does, and that's one of the reason for using nginx as a proxy and cache server before the appache server.

Re:Change Apache to nginx (4, Informative)

Shoten (260439) | about 2 years ago | (#39625839)

It doesn't help against DDoS attacks. Not even remotely, not even a little bit. To put the advice to a metaphor, a DDoS attack is where there are so many people loitering in the front lobby of a business that people can't even get into the front door of a building. Using a different web server is like having a receptionist who speaks faster; it doesn't address the nature of the attack in the slightest way possible. These attacks are either driven by saturation of network links or by leveraging vulnerabilities in underlying database-driven applications (hint: a little-known SQL command called WAITFOR is often to blame); using nginx won't help in the slightest bit.

Christ...these attacks are over a decade old; read up or be quiet.

Re:Change Apache to nginx (1, Informative)

CoderExpert (2613949) | about 2 years ago | (#39626261)

You do understand that there are different kinds of DDOS attacks and flooding the available bandwidth is just one of them?

In fact most DDOS attacks rely on causing heavy load on the server. Bringing down server like that requires much less resources of your own than flooding it with pure traffic.

Geez, slashdot, this is one of the fundamentals of DDOS attacks.

Re:Change Apache to nginx (4, Informative)

PiSkyHi (1049584) | about 2 years ago | (#39626645)

Its quite normal in Slashdot for one person to rant, another rebuts everything cruelly and then another and another...

My take on this is that nginx is cool for static pages, we all should know that.... new optimisations in Apache 2.4 hope to address some of these and Apache is easier for me to configure for dynamic sites with controllers.

Regarding DDOS - neither of these will help... there are different types of DDOS attacks, sure. Any site that is dynamic in nature is screwed by any DDOS before it even saturates the entrance because an inability to disseminate requests in time causes the webserver to effectively stall. There are mitigations, one of the best is iptables rate limit for DOS attacks, of course defending DDOS attacks requires enough horsepower behind the scenes, so that when the entrance is saturated, requests can still be distributed usually by a load-balancer that places the bottleneck at the entrance alone - placing the site in the cloud with auto-scaling will solve this at a cost. Any type of DDOS attack that relies on an exploit though, requires a fix, removal or workaround before any horsepower mitigation can take place.

Re:Change Apache to nginx (1, Informative)

CoderExpert (2613949) | about 2 years ago | (#39626733)

Actually, any website that is properly optimized is already serving most of it content as static. That is what caches are for. And yes, you can (and should) cache even parts of the page. However, even with dynamic content there is a very clear difference between serving with apache or nginx. Sure, someone who really knows Apache can maybe hack it to work as fast, but how many persons actually know? Let's be realistic here.

Most of the time just switching to nginx and properly caching your content can mitigate DDOS attacks. Sometimes you may need more, but the point is that you should fix these bottlenecks first anyway.

Re:Change Apache to nginx (1)

PiSkyHi (1049584) | about 2 years ago | (#39626825)

That's too generic. I manage a heavily dynamic site and so we use both, since page caching is a waste of time, the cache has to be a little further down and the impact of using any particular brand of webserver application will be held back by the processing behind the entrance point.

Re:Change Apache to nginx (1)

Anonymous Coward | about 2 years ago | (#39626657)

Requests for static content -- the only area where anyone can make any kind of semi legitimized claim about Nginx's performance -- are never going to be about causing load on the server but about flooding its bandwidth. Dynamic content is where most DDoS attacks are successful especially for prolonged periods of time (perhaps even simply increasing cost without directly affecting service). Most people's shitty drupal and wordpress site are going to crumble easily regardless of what httpd.

Re:Change Apache to nginx (3, Informative)

rev0lt (1950662) | about 2 years ago | (#39625585)

So, are you saying nginx will work when you receive more TCP requests than your server can handle? Or the upstream router? Or when evey page render is a database hit? Nginx is a lot faster than apache when serving static content, and at the cost of some flexibility. Guess what? Most of the web isn't static content, even if it appears so. Do you think sessions and agent info are logged into ether? Get real.
And yes, I DO use nginx, and it rocks. It's just not the silver bullet you're talking about.

Re:Change Apache to nginx (4, Informative)

Bengie (1121981) | about 2 years ago | (#39626509)

1) A properly configured FreeBSD router/firewall will handle 200k+ connections per second
2) Configure the firewall to proxy TCP hand-shakes, so your web servers don't get flooded with syn packets unless the hand-shake actually finishes
3) Mid-grade nginx web server will handle 70k+ requests/sec
4) Setup your DNS to round-robin to several web servers

Between your firewall and your webserver rules, you should be able to filter most obvious DDOS's. That which you can't filter, you'll just have to brute-force it and suck it up.

Your web servers can handle more requests than you have bandwidth, the next bottle-neck is your database.

There is not "silver bullet" like you said, but a properly designed system should be robust enough to leave your bandwidth your bottle-neck Most web apps I see aren't designed to properly make use of SQL. It's like someone trying to shoe-horn procedural logic into a database. Gotta get your DB architect to work with the programmers.

A properly architected web app with a properly architected DB should be able to handle more requests than your bandwidth can handle.

The only real DDOS to worry about is a flood and you can't really stop that unless it's a simple up-stream change. Enough machines DDOS'n ping floods at you will take you down. Filter all you want at your router, you won't have the bandwidth. Would be too simple to filter up-stream. A bunch of random forged TCP packets will suck up your bandwidth. If the attack is well distributed, ain't not'n you can do about it.

There is not "Silver Bullet" like you said, but a properly designed system should have bandwidth as its bottle-neck

Re:Change Apache to nginx (1)

bleedingsamurai (2539410) | about 2 years ago | (#39625631)

You do realize that you can configure Apache to defend against DoS attacks, for example making the timeout threshold a shorter period of time.

If you are worried about bloat, why not go the whole nine yards and build your server from the ground up using Gentoo Linux or FreeBSD, compile everything from source and optimize binaries for the server's micro-architecture.

Re:Change Apache to nginx (2)

postbigbang (761081) | about 2 years ago | (#39625891)

Apache can be configured to drop sessions more quickly to get past the trauma, but the hosts need more configuration. Shortening TCP session duration is key, but so also is going to something else than BIND, which is also less survivable than other DNS servers, IMHO. There are some reasonable TOE card, router, and layer 2/3 switch configs that can also help cut down the pain.

Load balancing helps, watching syslogs for weird behavior and using a syslog manager to alert you when various events occur, all these do as much good as the expense of fortress-ware.

Re:Change Apache to nginx (1)

errandum (2014454) | about 2 years ago | (#39625695)

Ignore this, since it wouldn't help all that much. I'd say that https://www.varnish-cache.org/ [varnish-cache.org] can help, but to be honest, if you want to be up, just stick them on Amazon Cloud services or something. They'll have a really hard time getting to that, and you'll leave all the defending and whatnot to be someone elses' job

Re:Change Apache to nginx (3, Interesting)

Gwala (309968) | about 2 years ago | (#39626981)

Amazon AWS bills you bandwidth directly. A DDoS could get very expensive.

Best defense: Overprovisioning and cutoffs (5, Insightful)

LostCluster (625375) | about 2 years ago | (#39625325)

There's two key strategies to avoid being DDoSed... first, have more processor, network speed, and disk I/O resources than you need for normal load so that the attacker can't fill one of your computers pipes. Then, host your server or servers at multi-connected datacenters which can cut off large users of your server before it reaches your NIC card. Firewalls at the server can't get back the bandwidth lost to needless connections, but firewalls at the datacenter entry points can. Basically, make sure none of your time-sensitive loads reach 100% and you're fine.

Re:Best defense: Overprovisioning and cutoffs (2)

ScentCone (795499) | about 2 years ago | (#39625403)

Basically, make sure none of your time-sensitive loads reach 100% and you're fine

As long as the people running the datacenter aren't metering the noise that hits the interface set up to catch your traffic, whether or not they pass it along to your server. If you're burning up their resources, somebody's got to pay the pipe(r).

Re:Best defense: Overprovisioning and cutoffs (4, Funny)

TWX (665546) | about 2 years ago | (#39625427)

You forgot a key third strategy- not posting one's dilemma and site to a popular geek news and discussion forum. At least this submitter was smart enough to not post his URL, so he hasn't gotten slashdotted...

Re:Best defense: Overprovisioning and cutoffs (1)

Anonymous Coward | about 2 years ago | (#39625433)

Adding a reverse cache (such as https://www.varnish-cache.org/ [varnish-cache.org] ) in front of your smart web servers for static and mostly static content really helps until they overload your pipe or start hitting dynamic URL's.

Re:Best defense: Overprovisioning and cutoffs (0)

Anonymous Coward | about 2 years ago | (#39626161)

There was a case back when Anonymous DDOS'd someone in Australia. I think it was for the firewall, but not sure. The DDOS was so effective that 25% of OZ was down due to Telstra not being able to cope with the traffic. They had backup routes, and the primaries would fail because the traffic killed the link, and so the backups were DDOS'd as well, taking out the whole network. They should have dropped the route to the affected network and killed 255 IPs rather than every one of them they owned (I have no idea, but I'd guess they have an A, or at least multiple class B networks). A dedicated DDOS device, like an F5 Big IP running ASM would do more than you'd ever be able to do on the web server, but sometimes you just have to go upstream.

Re:Best defense: Overprovisioning and cutoffs (1)

shentino (1139071) | about 2 years ago | (#39626387)

So basically, surviving a DDoS is nothing more than a brute force battle of attrition where the goal is to have more resources than the other guy can take down.

Re:Best defense: Overprovisioning and cutoffs (3, Interesting)

Minupla (62455) | about 2 years ago | (#39626771)

Typically, yes (assuming your OS platform of choice doesn't have some other resource that can be remotely exhausted more cheaply then bandwidth). The problem is one of the standard defender delimas: The attacker needs bandwidth for a short period of time (typically), as their goal is to make you say "Uncle" weather that means paying their ransom, capitulating to some demand or whatever. You as a defender have to incur a cost for your defensive strategy that is either (relatively) low, non-scalable, and continuing (trying to out provision the attacker) or a high cost outsourcing solution. The attacker on the other hand rents 10,000 nodes for 200$/day. Figure that's about 5gigs conservatively (we'll say .5mbit upload as an average per node). Now assuming your data center will handle a sudden 5gig burst without cutting you off (good ones will, cheap ones will just cut you off) your hosting bill just went up by 54TB (5*3600*24/8) per day. That's not going to be sustainable for long.

That's why the outsourcing solution tends to be the way to go if you're being targeted by anyone willing to spend halfway decent money on attacking you. The ROI from the attacker POV looks pretty good. Say they ransom you for 50K (an average number for such things). If they have to keep you under DDOS for even a week till you cave, (378 TB worth of data) that nets them 48600. That's a pretty good business case from their point of view.

It's one of those moments when it sucks to be the good guys.

Min

Re:Best defense: Overprovisioning and cutoffs (0)

Anonymous Coward | about 2 years ago | (#39626467)

You hit the key to all this. You have to filter before it reaches the server. Filtering out addresses, even before you let them make any additional requests on your server, will still bring you to a halt. The problem is, that given an unlimited amount of resources, any DDOS attack is going to work. No one server out there is ever going to be able to keep up with millions of distributed zombies. One technique we used to use was to have a buffer server sit in front of our web server. Use the buffer to queue up requests to the web server. True, they can still knock out your buffer server and no one can reach your web server for a while. But the buffer server will be able to filter out ip addresses faster. It will help the situation, not resolve it. Best thing is to just update your A records and wait for them to propagate, if the attack lasts longer than a day. Most DDOS attacks are not targeted at your site specifically unless you have pissed someone off. Change the address of your site, wait for the changes to propagate and within about 24 hours you will be back up and running. If you fall under DDOS again, then someone is coming after you hard. Might want to start thinking through who you fired recently in the IT department and seek a lawyer.

good defesne (0)

laserdog (2500192) | about 2 years ago | (#39625337)

use lan and have 1 computer connected to the internet that you have a very secure connection on

Re:good defesne (-1)

Anonymous Coward | about 2 years ago | (#39625627)

use lan and have 1 computer connected to the internet that you have a very secure connection on

"Secure"?? Are you a total idiot? This is a DDoS attack. It is not a compromise.

If you don't understand the difference, that's fine. Lots of people don't. But they have the good sense to shut the fuck up and realize they are out of their element.

Incidentally, it's spelled "defense". Or "defence" if you're British. It is not spelled "defesne". I see you are just as careless with the subject line as you are with the content of your posts. Fail.

If people like you would just shut the fuck up and waddle your inevitably obese lardasses out of the way, the world would be a better place for everyone else.

Re:good defesne (0)

Anonymous Coward | about 2 years ago | (#39625789)

At first I thought you had fallen victim to the troll. And I thought you were an idiot. Then I realized I just fell victim to _your_ even better troll. At least....I hope you're trolling.

Re:good defesne (1)

Robadob (1800074) | about 2 years ago | (#39625927)

Recently a friends web-dev company was hit with a ddos over the course of a weekend to multiple sites across their hosting. Turns out that the ddos attack was actually testing for a point of php injection (or so they think), by the 3rd day the ddos had stopped. However all index.php, footer.php, header.php and some other common named files across many directories contained malicious code which rewrote this malicious code every time one of them was ran. Sure his above statement may not be totally correct, however ddos can equal a compromise (not that a 'secure connection' would stop php injection afaik).

Re:good defesne (0)

Anonymous Coward | about 2 years ago | (#39625981)

Relax, it turns out laserdog is retarded. Take a look at some of his/her previous comments if you don't believe me. Don't pick on the slow kids.

Caching reverse proxies (0)

Anonymous Coward | about 2 years ago | (#39625393)

It helps a lot to use caching reverse proxies.

Bonus points if the proxies identify and tar-pit patterns used in the attack that aren't commonly used by human beings, such a unusual timings or unusual requests.

There's not a lot to recognize if the bots are just doing an HTTP GET of your main page, but if they are playing games with SYN/ACK timings or if they are using non-typical traffic like ping, your front ends can be a big help.

This is over and above, or rather past and beyond, the protection your ISP or anti-DDOS-service-provider will provide you.

Load balancing and an experienced sysadmin (4, Insightful)

FireballX301 (766274) | about 2 years ago | (#39625395)

The load balancer to take the brunt of the attack and distribute traffic to multiple mirrors, and the sysadmin to watch the attack and start blacklisting IP ranges. Your service provider should have some kind of service in place unless you got the cheapest of cheap hosting solutions.

With that being said, hiring a third party ddos mitigator is entirely a cost benefit analysis that should be done on your end. Can whoever's providing your hosting now provision some extra servers and some harried sysadmins to keep you floating? See if you can ask for additional service support from your current provider.

Re:Load balancing and an experienced sysadmin (5, Informative)

SethJohnson (112166) | about 2 years ago | (#39625541)

watch the attack and start blacklisting IP ranges.

In most cases, your customers are going to exist in one or a few countries. It would be valuable ahead of time to add redirect rules to your iptables for entire ranges of IP addresses located in countries that don't host your customers. Redirect these IP ranges to a sacrificial server on a different pipe to the backbone. That way, when some of your customers are abroad and need access to your services, they can still get some amount of response.

Additionally, you can proactively parse your user accounts for IP addresses and build a whitelist ruleset for your iptables to implement in a defcon 0 situation. Don't use this as a normal operations mode, just when the shit has really hit the fan and you need to block everyone except your known-good account holders.

Seth

Re:Load balancing and an experienced sysadmin (5, Insightful)

Snowhare (263311) | about 2 years ago | (#39625717)

Having been the target of an HTTP-DDOS attack, I can tell you that manually blacklisting IP ranges is really ineffective. A DDOS botnet is comprised of thousands of machines that have been randomly infected by whatever vector the botnet operator used: Emails, web drive-by, etc. The result is that the source addresses are scattered widely with little relation between most participating addresses.

To defend against the attack, I wrote up an automatic firewall blacklisting program that detected and blocked each participating IP address individually in near-realtime. I was blocking more than 31,000 separate addresses before the DDOSers finally gave up trying to down the attacked website. Wierdly, there appears to have been no motive at all for the attack, yet they spent weeks attacking the target machine and actively trying to tune their attack to get past my filtering.

Re:Load balancing and an experienced sysadmin (1)

Anonymous Coward | about 2 years ago | (#39626005)

Could you post a link to your program's source code? Or, if you don't want to, could you give us some pseudocode?

Re:Load balancing and an experienced sysadmin (1)

Taco Cowboy (5327) | about 2 years ago | (#39626163)

Could you post a link to your program's source code? Or, if you don't want to, could you give us some pseudocode?

Yeah, I'd second that

Re:Load balancing and an experienced sysadmin (5, Interesting)

Snowhare (263311) | about 2 years ago | (#39626595)

The essence comes down to two things. Neither is particularly complicated in principle, although getting it right can be a bit fiddly.

1) Detect attacking IPs.

HTTP Flood DDOS bots aren't (at least not yet) smart enough to look and behave EXACTLY like people using web browsers. They do wierd things like load web pages repeatedly while never loading images/running javascript/loading CSS stylesheets. They make sequential requests from the same IP address - but with different user agents. They might load a web page that uses cookies - but never return the cookies that are set. Or they might return a cookie - but from a different source address or with a different user agent. They might send user agents that haven't been in widespread use in half a decade. They might not set the 'referer' header, or some other header that a browser DOES set correctly. They probably don't follow HTTP redirects. What you are looking for is any behavior that distinguishes the good traffic and the bad traffic.

So I 'tailed' the web server log and analyzed it in one to ten minute chunks to detect abnormal accesses. All detected addresses were added to a persistent database of blacklisted addresses.

2) Add the detected attacking addresses to an efficient firewall.

A naive firewall blacklist might try to just put each addresses in one big long list. This doesn't scale well beyond a couple of hundred attacking addresses. On the older machine I had, I used a 'divide and conquer' approach: I created a few hundred filter chains based on a /n subnet division of the attacking ip addresses. I then wrote a set of rules that divided incoming traffic into those chains based on the /n they were a member of. That made the number of rules required to filter n attacking IP addresses scale as about O(log n). If I had had a more recent kernel I could have used a hashed map of addresses to take that down to O(1).

After that it became a slow game of cat and mouse. The attacker would alter his attack to try and slip by the detection, I would update the detection software to detect something else he wasn't getting perfect if he managed to by-pass the filters. After about two weeks they quit attacking the web server.

The largest issue I had really was that I was starting my defense from a 'standing start': I had to write all the needed scripts from scratch while the attack was still on going.

Re:Load balancing and an experienced sysadmin (1)

Anonymous Coward | about 2 years ago | (#39626829)

Damn, I'd pay good money to watch this movie!

Re:Load balancing and an experienced sysadmin (1)

jaymemaurice (2024752) | about 2 years ago | (#39627005)

I've done something similar to this with my router - it would BGP null route the zombies by distributing the /32 route with a community tag and the upstream router would use policy routing to null route the routes in that community... unfortunately, trying to find an upstream ISP that supports such null routing is now hard to find.

Re:Load balancing and an experienced sysadmin (1)

Nesa2 (1142511) | about 2 years ago | (#39626781)

I've used WatchGuard appliance and it did just that under DDOS attack. It also has a timer you can set for how long the IPs that are found performing an attack will be blocked for... worked really well with minimal setup effort, but it can be costly appliance depending on company size.

I've used some other appliances as well that did not have this feature, and it has caused issues under DDOS. You could also setup scripts with iptables under any UNIX flavor you pick to do just that as well.

Re:Load balancing and an experienced sysadmin (0)

Anonymous Coward | about 2 years ago | (#39626905)

some harried sysadmins need to do something special like anything. thats why this harried sysadmin is here asking for opinions and possible actionables.

your reply is almost saying putting your problems on someone else.

Riorey? (0)

Anonymous Coward | about 2 years ago | (#39625451)

Had a client two installed a pair of boxes from a company called Riorey that supposedly automagically block DDoS traffic. It won't help the saturation on your uplinks but at least your servers are spared. It demo'ed well but I have no clue how well it works in the real world. Never got a chance to see it in action. Which is good, I guess.

Lived Through This (4, Interesting)

ScentCone (795499) | about 2 years ago | (#39625459)

It was a lot cheaper to pay a third party proxy a $400/month rate for 45 days (until the asshats attempting the extortion got bored and went away) than it wold have been to provision more server horsepower, pay for the bandwidth, and pay T&M for the DC's NOC to help with firewalling. A quick DNS change, use the credit card, hold your breath until it stops. Quick, cheap, and you can go on to other things.

Re:Lived Through This (1)

LordLucless (582312) | about 2 years ago | (#39625689)

What was the name of the service you used?

Re:Lived Through This (4, Informative)

ScentCone (795499) | about 2 years ago | (#39626315)

For that event, we used Zen Networks. They're at www.zenprotection.net, which describes their services pretty well. Not affiliated in any way, but they did solve the problem for us over the short stretch it was required. Honestly, we didn't shop around much ... the site in question was very much on fire. Not like a slashdotting, of course, but some fairly determined Eastern European punks looking for cash. They made my clients angry enough to have them asking, "Is there something we can do back to these guys?" We didn't, of course. Would have been a waste of time.

Re:Lived Through This (1)

LordLucless (582312) | about 2 years ago | (#39626463)

Yeah, been there. Luckily enough, the guys that tried it with us were incompetent, and we could filter their attack because of it, but always on the lookout in case the next ones that try it are a bit smarter.

Re:Lived Through This (1)

Taco Cowboy (5327) | about 2 years ago | (#39626041)

It was a lot cheaper to pay a third party proxy ...

How do you determine if the third party proxy has sufficient bandwidth to handle the DDoS + regular traffic?

Re:Lived Through This (3, Informative)

ScentCone (795499) | about 2 years ago | (#39626285)

How do you determine if the third party proxy has sufficient bandwidth to handle the DDoS + regular traffic?

They have a performance guarantee, and don't get paid if they can't keep up at the promised level. Any of the ones you'll want to use will have a dashboard that shows you a more-or-less-real-time view of the blocks/passes, and how much of the purchased throughput you're using.

Don't post your link on Slashdot? (1)

Anonymous Coward | about 2 years ago | (#39625465)

Yay. Someone finally got that right.

Gambling (1)

Teppy (105859) | about 2 years ago | (#39625497)

I'm interested in this. I'm in the process of launching a real-money gambling MMORPG, and gambling sites (well, so I've been told) tend to get extorted. I spoke to Prolexic today and was shocked at how expensive they are: $3000/month minimum, plus setup fees.

Have any fellow Slashdot readers tried running a gambling site without such protection? Is it reasonable to assume we'll be enough under-the-radar at first to avoid the attacks?

What Are The Odds (4, Insightful)

sycodon (149926) | about 2 years ago | (#39625551)

That all these "services" are part of a protection racket?

"Oh...having DDOS problems? Just sign up with our service and we can help you out."

  While not as crude as burning down building, DDOS attacks are a perfect persuader to grow your business.

I figure this is half tin foil hat and half probably real, given the things organized crime has been into in the past. It's perfect actually, you don't have to hurt people, the attacks can't be traced and your "protection" can be fine tuned to avoid looking suspicious.

Re:Gambling (0)

Anonymous Coward | about 2 years ago | (#39625575)

I wouldn't worry about it until its a problem. The industry I am in is high risk according to our provider but we didn't upset the wrong people for 7 years.

They tell gambling and porn are their biggest markets though!

Re:Gambling (3, Interesting)

Minupla (62455) | about 2 years ago | (#39626179)

I used to run infosec for one of the mid-tier online gaming operations run out of the Caribbean. We got extorted by one of these gangs, and ended up paying Prolexic (they were Digidefense at the time) to solve this for us.

As for weather you can risk doing without it depends strongly on what your user tolerance for downtime is and how bursty your revenue stream is. The lower the tolerance and/or the more bursty the revenue stream the more vulnerable you are to these sort of attack methodology, as the opposition pays for the time they are actually attacking you, so if you can weather the attack they'll eventually give it up. If on the other hand they can cost you significant sums of cash by taking you out for 6 hrs (say sports betting, target the opening day games), that increases your susceptibility to these attacks.

Feel free to drop me a line if you have any more questions (my /. listed email will get to me).

Min

Post-mortem: Admin investigates attack (5, Informative)

microTodd (240390) | about 2 years ago | (#39625509)

Remember this really cool slashdot story about a sysadmin on the receiving end of a DDOS?

http://slashdot.org/story/01/05/31/1330202/post-mortem-of-a-dos-attack [slashdot.org]

The original writeup link is dead but I found it here (warning: PDF). This was a really cool story.

http://www.stanford.edu/class/msande91si/www-spr04/readings/week1/grcdos.pdf [stanford.edu]

Still waiting for Spoofarino ... (1)

Taco Cowboy (5327) | about 2 years ago | (#39626313)

I've lost count of how many years I've been waiting for the Spoofarino utility

And I'm not alone, other people also been talking about that utility

http://www.spywarepoint.com/gibsons-spoofarino-utility-t54570.html [spywarepoint.com]

Re:Still waiting for Spoofarino ... (0)

Anonymous Coward | about 2 years ago | (#39626479)

Yep. When released, he might DDOS himself of the internet. Because his G.E.N.E.S.I.S. (a cheap and incomplete knockoff of SYNcookies) won't protect him from those kinds of packets.

Wow deja vu (0)

Anonymous Coward | about 2 years ago | (#39625511)

My company was in this exact situation recently. We were hit by a 3Gbps attack when our average traffic is probably under a few Mb/s for a busy time and we're in the ecommerce industry.

Unfortunately our host decided it was too much of a threat to their other customers to let us go back online without signing up to one of the services mentioned in the op. The cost of which is very steep for a small to medium business to absorb.

What alternatives do we have? I thought load balance through AWS but there would be alot configuration and security to consider, not to mention running the risk of a huge bandwidth bill!

Annoyingly we haven't had an attack since, but we don't want to leave ourselves vulnerable as the attackers no they were successful once before.

Re:Wow deja vu (1)

rev0lt (1950662) | about 2 years ago | (#39625675)

I'd suggest stop using a shared host, and looking for a real provider. Choose a dedicated server or colo solution (or AWS if you need the redundancy and HA), hire a good reputable company to set it up and mantain it for you. 3Gbps traffic is child's play even for small companies, and even if your dedicated server/colo is hit by this kind of stuff (3Gbps), I doubt it will be prejudicial to other clients.

Re:Wow deja vu (0)

Anonymous Coward | about 2 years ago | (#39625827)

I'd suggest stop using a shared host, and looking for a real provider. Choose a dedicated server or colo solution (or AWS if you need the redundancy and HA), hire a good reputable company to set it up and mantain it for you. 3Gbps traffic is child's play even for small companies, and even if your dedicated server/colo is hit by this kind of stuff (3Gbps), I doubt it will be prejudicial to other clients.

You say 3gbps is small fry, how much would you pay to colocate such a setup that has 1mbps tiny traffic burstable to 5gbit for an hour for example? I assume this would be some sort of load balancing situation.

We would also need filtering on this massive traffic, or a way over powered server to handle all the requests. Assuming that an iptables line isn't going to cut it?

Unfortunately we do have a dedicated server with our hosting already with a 100mbit port which is fine for our normal max 1 mbit of traffic, we moved away from shared long ago.

Recently I'm really doubting their service though as they left us hanging during the attack. They told me 3 Gbps was the biggest attack they've ever seen (tech support bullshit?). Although it could have affected other customers easily if the packets had took down an shared upstream router.

The server logs didnt even show evidence of an increase in traffic so it must of took out a little chunk of their network almost immediately.

The host itself seems to be a fairly fast growing company. The service is more expensive than similar dedicated servers, and it was managed so it seemed like the best path to go.

Now it just feels like were getting ripped off, having to use an extra service just to guarantee someone won't take us offline on a whim.

Seems like time to move hosts but I feel like its all going to be the same story if it happens again and thats the last thing you want.

Re:Wow deja vu (1)

shentino (1139071) | about 2 years ago | (#39626421)

I agree. It seems like your hosting was using the attack as an excuse to try shoving an upsell down your throat.

Any transaction that allows someone else to take advantage of your own misfortune should be viewed skeptically.

Seen it (1)

Anonymous Coward | about 2 years ago | (#39625517)

Manage your own IP ranges and disable any IPs that are not in use via your IP registry provider. You can run an IDS/IPS that can alert you to an attack in progress.

Have good upstream providers, preferrably ones that use the new DDOS prevention/detection appliances, and ones that can respond to block routing to attacked IPs temporarily if necessary.

This is what I've done (0)

Anonymous Coward | about 2 years ago | (#39625523)

I've purchased a few virtual private servers for about $5 - 10/month and configured nginx to do a reverse proxy to the "master" web server / VPS / MySQL database running the web application. I had a DDoS attack eat up about 30gb (I didn't have bandwidth graphs) and this solution saved me a lot of headache. Also, a prerequisite for the virtual private servers are they are on shared Gigabit network connections. Some good companies are Ramhost (it never slowed down for a second), BuyVM (limited stock unfortunately), Hostigation (best cPanel and VPS deal on the planet!) and QuickPacket.

I had the domain resolve to multiple A records, which was a cheap VPS setup as a web server that did the reverse proxy.

Once I did this, the attack seemed fizzled and I went on with my project. I was attacked because about 5 - 10 other similar sites were attacked in a relatively close time period and I'm the guy who minds his own business

Misunderstanding (4, Informative)

lanner (107308) | about 2 years ago | (#39625581)

The mere question of how to mitigate a DDOS indicates a fundamental lack of understanding of how IP networking and DDOS works.

You (the ISP customer) have no ability to control what packets are sent to you over your uplink circuits. You can control what you send, but you have no ability to control what you receive.

Read the sentence above. Repeat as necessary.

Even if you knew with 100% certainty which packets were "bad" packets and which were "good" packets, if your uplink is saturated, dropping them on your edge router/firewall/whatever is 100% ineffective.

The best mitigating strategy is that you need to have an agreement with your ISP and plan in place prior to an attack. Identify the hostile addresses, give them to your ISP, and they will null-route those sources either within their core or even at the edges of their networks to prevent entry. Your ISP has the capacity to mitigate a DDOS attack, you as the little customer do not.

Ah, but you CAN do something (5, Informative)

Anonymous Coward | about 2 years ago | (#39625775)

Even if you knew with 100% certainty which packets were "bad" packets and which were "good" packets, if your uplink is saturated, dropping them on your edge router/firewall/whatever is 100% ineffective.

Your "best strategy" advice is very good, but it is not the "only strategy."

As others have said, you can also have multiple entry points all sharing the same back end. Each of these entry points can be on their own hosting provider. In principle, you can arrange for the front-end/back-end connection at your front-end provider to NOT share a physical wire with the "public" side of your front-end, so if it gets hit hard it crowd out traffic going to/from the back end.

Here's an example:

I run poormeddosvictim.com. I have servers at 3 sites around the country, 1.666.3.4 1.2.666.4, and 1.2.3.666.

For some reason, some mining company on Mars thinks I am evil so they keep DDOSing me.

Hosting provider A is widely connected. I advertise 1.666.3.4 so all but one of A's pipes see direct connections. I use A's remaining pipe to connect back to my back-end. I work with A so the traffic to the back-end never shares a wire or router with incoming traffic. Bang on A's incoming pipes all you want, I'll still be able to talk to my back end unless you crash me entirely.

I have similar arrangements with hosting providers B and C.

I put my back end at hosting provider D and, just for grins, have a backup back end on hosting provider E that syncs up regularly with the back-end on D.

Re:Misunderstanding (1)

Lando (9348) | about 2 years ago | (#39625915)

Depends on the type of DDOS you are receiving. If it is a distributed DDOS then you can't do much other than having multiple pipes into the system; however, if there are not too many systems launching the ddos then you can have your provider drop those packets before they are sent down the pipe, ie you can determine what gets sent to you.

For a distributed attack you can host a couple of gateways on a larger pipe that talk to a local backend. When I was handling mission critical stuff back in the day that is how I handled things. Put a proxy server at a couple of OC3 hosting companies and have those machines talk to my backend so that a ddos can't saturate my pipe. Static pages where appropriate, etc. Used to be that Microsoft's hosting was pretty bad at handling dropped connections so for clients that used them I'd throw up an apache proxy server in front to handle dropped connections, load balancing, etc.

I'm sure I'd have to evolve a bit from the ways I used to handle these problems since there a larger botnets and such nowdays, but it really depends on the attack. There are multiple ways to control what packets do reach your system though, ie not all ddos attacks are the same. Some are attacking the IP stack, some attempt to saturate the line and some try to exploit holes in the software you use.

For most sites, unless it's mission critical I wouldn't worry about it until/unless it becomes a problem.

Re:Misunderstanding (3, Funny)

Anonymous Coward | about 2 years ago | (#39626045)

...a distributed DDOS...

Would that be a DDDOS? And what would you do if it were a distributed DDDOS? I bet you'd be totally hosed then.

Re:Misunderstanding (2)

Lando (9348) | about 2 years ago | (#39627059)

Heh,
      Good point. I guess my mind automatically equated DDOS with a DOS. I've called it DDOS so long that I didn't even think about what DDOS stood for. Thanks for the reference check.

Re:Misunderstanding (5, Interesting)

Zaelath (2588189) | about 2 years ago | (#39625945)

From our experience packet flooding attacks are rare, most are application layer attacks because they're cheaper:

- If your landing page is dynamic chances are a small site can be choked at the database from a few hundred zombies, and it's much harder to detect the zombies from the genuine clients in a safe automated fashion
- If you don't have a lot of CPU at your firewall layer you can't create long enough rule tables to stop the bad traffic as you detect it
- Often you can simplify your rules but just starting by blocking China, Russia, Korea, then smaller countries that are hosting bots.

If they are genuine flood attacks:

The idea that your ISP will block a "list of addresses" is comical, it's not nearly responsive enough, and if you're lucky your ISP will agree to block countries and only if you have a business account which you're paying over the odds access fees for. Some will even null route YOUR IP instead of the attackers to save their own infrastructure: http://www.abc.net.au/4corners/content/2009/s2658405.htm [abc.net.au]

ANDREW FOWLER: The Russian cyber attack was so sustained it backed up through Telstra's network, knocking out the whole of Alice Springs, part of Adelaide, and Telstra central in Sydney.

DAN CRANE, FORMER TECHNOLOGY MANAGER, MULTIBET: And that's when they sort of started to panic a bit I think because all of a sudden it wasn't just a, you know run of the mill attack, this was a pretty hardcore attack because that's when it started, that's when it took out Alice Springs, that's when it degraded Adelaide and that's when it melted their routers in Sydney so that's when they said that's it, we don't want a bar of it.

ANDREW FOWLER: According to Dan Crane, Telstra stopped accepting any of Multibet's internet traffic from entering Australia.

Not to mention even creating this list is a continual task. Botnets rent out "so many connections", but the computers that are active at any time rotate in and out of the pool. We saw probably around 1000 computers at a time hitting the firewall, but from a pool of more like 100,000 addresses we discovered over the course of a week. We initially took a strategy of programmatically blocking individual IPs as they came in at a response rate of about 5 seconds with some scripting, but soon moved to blocking entire countries that we didn't do business with and doing some daily post processing of the IP list as well to consolidate IPs into /27s and sometimes as far as /24s

Our last client to have this issue used Black Lotus and they seemed to do a good job for the price and be quite responsive, though they were still learning their trade at that time... I don't think they were terribly cheap. And botnets are much much cheaper, so unless you're lucky and it's someone that loses interest and not a competitor attacking you it can end up making your web hosting very expensive.

Re:Misunderstanding (1)

mysidia (191772) | about 2 years ago | (#39626023)

You (the ISP customer) have no ability to control what packets are sent to you over your uplink circuits. You can control what you send, but you have no ability to control what you receive.

Yes you do have lots of potential control. It's just expensive to exercise. Because you have to have multiple datacenters and multiple uplink circuits, to have any control (without intentionally breaking connectivity).

You buy transit and peer with major providers in different datacenters and anycast your server IP address space.

Apply appropriate BGP communities and prepending to manipulate which datacenter traffic from different places around the world winds up at.

In this manner you can 'diffuse' DDoS attacks by having a distributed infrastructure.

DDoS is highly effective against one target with a single presence. As soon as you have multiple points of presence though, you can divide and conquer

Each DoS attack node is only capable of sending traffic to one of your anycast nodes -- the selection depends on where the DoS attack node is located net-wise, e.g. which provider. Something you can actually manipulate, once the infrastructure is in place.

Also, if the DDoS attack nodes are concentrated on a particular network, it is likely they will all impact one target, leaving the vast majority of your presence unaffected.

Re:Misunderstanding (5, Informative)

Liquid-Gecka (319494) | about 2 years ago | (#39626229)

This is a bit of a naive explanation.

Let me explain how a DDoS mitigation strategy works for many of the companies listed in the summary. They setup datacenters in 10, 15, or more places all hosting a proxy. Some of these solutions use DNS to route traffic around problems (GSLB) while others like CloudFlare use Anycast which is awesome and super hard to get right. Each of these services are typically setup with tons of bandwidth capacity, well over 10Gb, but often times into the 100Gb range. They also often have deals with upstream providers that can filter traffic at the edges meaning it never makes it onto the internet in the first place.

Since you servers are not exposed to the internet, and the ones are are have far, far more horsepower to deal with this than a DDoS will even manage from the client side they can easily just churn through the attack, discarding connections and never letting them hit your limited servers. This is how they can easily survive Anonymous style DDoS attacks.

The other thing is to ensure you have turned of every "feature" your load balancer is giving you. SSL termination at the LB, full session management, etc. All of these cost load balancer CPU which is easy to take advantage of, even if there is a DDoS mitigation system in front of your site. You can't just add a few more servers either. Adding capacity to a load balancer is nearly impossible to do mid-attack.

Even more interesting is that you can often times trick the crappy ddos software by doing things like excessively slow responses (tarpitting) making its loop take ages to try again. This is pretty much using the tactics of a DDoS directly against the attackers.

Another common tactic is to add attackers to a view in your bind config that resolves your hostname to 127.0.0.1 just for them. This works if you do not have long TTLs and they are using hostnames. If they are using direct IPs then you simply move your traffic to a second IP and drop the one they are attacking. Best case is if you can do this via BGP announcements so the traffic simply will fail to route and everybody wins.

And yes, I do this professionally but not for any commercial product.

DDoS != DoS (0)

Anonymous Coward | about 2 years ago | (#39625759)

The OP indicated that their issue was a DDoS attack, not a DoS attack. Everyone's advice relating to caching, load balancers, processor capacity, etc. are irrelevant.

Question: How to protect against DDoS attacks without regard to the availability of the target of the attack
Answer: If your carrier supports it, initiate an RTBH on the targeted IP. If not, contact the helpdesk and have them null route it.

Question: How to protect against DDoS attacks and keep the target of the attack online
Answer: Get a lot of money, and then either use a third party service that has the capability to off-ramp your traffic in a reliable manner (i.e. VeriSign) OR have sufficient upstream capacity to absorb that attack (because no amount of filtering will help if you are saturated) and employ a real filtering system (RioRey, Arbor, etc).

Question: How to protect against DDoS attacks and keep the target of the attack online without spending thousands:
Answer: Good luck.

Re:DDoS != DoS (2)

davidwr (791652) | about 2 years ago | (#39625923)

You are partly correct but you are oversimplifying things.

You assume that in a DDOS attack, your upstream capacity is 1) over-saturated and 2) the only thing that is over-saturated, or at least that nothing else would be saturated if your upstream capacity were bigger.

If your DDOS attack is not saturating your upstream, either a) you are successfully fending it off, or b) you are still suffering but increasing your upstream capacity is not the answer.

In the case of b), the suggestions you call irrelevant are worth looking at.

Remember, not all DDOS attacks are massively distributed. Sometimes it may be only 100 or 200 machines hitting you in a given moment. Sometimes it's 100 or 200 thousand machines or more trying to bang on your door. Sometimes it's in between.

Re:DDoS != DoS (1)

mysidia (191772) | about 2 years ago | (#39626037)

Question: How to protect against DDoS attacks without regard to the availability of the target of the attack Answer: If your carrier supports it, initiate an RTBH on the targeted IP. If not, contact the helpdesk and have them null route it.

NO. That is not a DDos protection strategy. That is a "white flag" strategy. It is essentially surrender, because you are intentionally making the attack succeed against the target then.

Outsource it (2)

Minupla (62455) | about 2 years ago | (#39625955)

I've lived through this (although in my case the twits doing it were holding us for ransom) Prolexic was the solution we went with and I endorse it. The economics of the situation strongly favor outsourcing to a third party. It's a service you'll likely need for a short period of time, provisioning it yourself would entail obtaining equipment and specialized expertise that you would have to commit to over a long period of time. A Prolexic can afford to obtain better equipment, and have specialized staff who can configure it to block the latest attack because they're dealing with it for clients constantly.

Min

Fire your marketing department (0)

Anonymous Coward | about 2 years ago | (#39625961)

Getting "hacked" and then sending a press release is a golden goose... since its a S
Denial of service attack you can be pretty sure no info was taken, so customer data should be safe. Happened to us and we spun it into a media story that boosted sales 4 times. Hey, they tries to take us down, but we're still here. Spin any story the right direction and it's truckloads to the bank. So yeah, hire a good marketing team and take advantage of all the reporters calling. FREE Publicity, talk about your no-brainer.

First Hand Experience at Small Company (4, Interesting)

Anonymous Coward | about 2 years ago | (#39626065)

Posting AC as I would prefer not to expose my employer in anyway.

I went through this exact situation the week before last Thanksgiving last year. I work for a gifting retailer that makes all of its money in Q4. Not a good situation. We're a small - mid sized business with about $20 million in sales from our Ecommerce site.

We went the cheap route first. The proxy service cost about $500/month and guaranteed 10 Mbps clean traffic to the site. Our DNS was changed swinging our domains to the proxy service and ACLs put in place on the "backend" to only allow connections from our new gateway in the proxy.

Things were fine for about 24 hours when the attack was stepped up. The service was seeing 450 Mbps inbound to our main domain. That is not a mistake - 450 Mbps is easily attained using a botnet or simply focusing the attention of some lurkers on pastebin links. We now had to change DNS AGAIN to "upgrade" to their better platform that could handle this attack. As we started this work, we also began talking to a couple of the higher end services...

After the $500/month service capped out and blew a gasket, we made the tough decision to go with the Cadillac. It was costly and they had us over a barrel (day before Thanksgiving, cheap service not working out, "sure would hate to see your site go down on Black Friday" mob pressure). But we knew even half a day of lost demand would pay for the yearly service (yes, it is yearly - no month to month option).

The difference was amazing. As soon as we had swung our DNS over to the new guys, the attack was mitigated within 5 minutes and abated within 20. This, of course, leads the paranoid to wonder whether it was the service doing the attacking to begin with, but we are a high profile target in the minds of the Occupy movement, so it made sense (I do not share my employers sense of community - it is only a job).

We have been attacked since then and every time the attack was mitigated within 5 minutes. If you require this type of uptime, build this service into your budget from the beginning.

Re:First Hand Experience at Small Company (1)

shentino (1139071) | about 2 years ago | (#39626461)

I guess it's expensive to be unpopular.

Re:First Hand Experience at Small Company (2)

ScentCone (795499) | about 2 years ago | (#39626785)

I guess it's expensive to be unpopular.

No, it's expensive to be hated by a small group of people who happen to not mind being network abusing dicks so they can put on a show of hurting your business. There are plenty of people who don't like the Occupy nonsense, but most of them are too busy doing something constructive to sit around figuring out how to DDoS attack George Soro's hundreds of web properties.

Re:First Hand Experience at Small Company (0)

Anonymous Coward | about 2 years ago | (#39626805)

What's interesting about luxury retail is that it is the first to hurt during a recession - the 1%'ers cut out the added expense of silver chamber pots - and the last to recover afterward. The misconception is that that the businesses that cater to the affluent are affluent themselves. That is frequently not the case. Luxury businesses frequently fail because of this phenomenon.

Re:First Hand Experience at Small Company (0)

Anonymous Coward | about 2 years ago | (#39626775)

Google does not bring up any results for Cadillac DDos or Cadillac Proxy. Can you mention their website?

Unfortunate name (1)

Livius (318358) | about 2 years ago | (#39626199)

No matter how many times I see it, my first thought on seeing "DOS attack" is that a virus downloaded MS-DOS onto a computer.

Which would almost be the worst thing to happen to a computer.

Akamai is a good alternative (2)

K3ba (1012075) | about 2 years ago | (#39626223)

I recommend Akamai's services as a CDN for static content (eliminates a lot of load from your own servers), a proxy for dynamic content (shield/reverse proxy effect services) as well as a protection against (D)DoS attacks. They have a number of great case studies ( http://www.akamai.com/html/customers/index.html [akamai.com] ) which are well worth the time looking through, as they have successfully mitigated attacks against small, medium and large websites. Their (repackaged) Kona Security Services are surprisingly good.

MaxCDN & CloudFlare (1)

Jonah Hex (651948) | about 2 years ago | (#39626243)

I have had a few large spikes and MaxCDN and CloudFlare have kept my site up with no issues, so the real answer is distributed caches and you get what you pay for. - HEX

Stop, Think, and then act. (0)

Anonymous Coward | about 2 years ago | (#39626247)

Having experienced a few of these in the past, most attacks exhaust something other than bandwidth. Often times its pps taking out the firewall/load balancer/ switch/application server, while the bandwidth usage is actually quite low. So its highly dependent on how you are getting attacked. Many ddos will also be UDP packets vs a tcp service. Switches and firewalls still deal with the traffic and get over whelmed. Most ISPs are willing to put in simple ACLs that can mitigate these sorts of attacks. The best thing you can do, is examine the attack, and see how it is different from your normal traffic and then talk to your ISP to see if they can create an ACL to get rid of the traffic. This is the biggest key, classify the attack, and then look at your options to deal with it. Rarely do people hit your services as they are intended to be used to execute a dos, its just not economical when compared to the just as effective, but easier to deal with attacks.

I would dissuade from most 3rd party services, there are many other ways to deal with attacks that are sustainable and rely off network engineer skill, rather than a checkbook. Most of the ddos mitigation 3rd party solutions add significant latency. Most will pipe your traffic through a standard piece of network gear that applies a standard commercially available ruleset. Arbor Networks is used heavily by many of the top ddos mitigation groups, but there are others in the space you might look into, but arbor is a good place to start your google from.

the best people to ask (0)

Anonymous Coward | about 2 years ago | (#39626365)

would be those that linked from slashdot

provider (0)

Anonymous Coward | about 2 years ago | (#39626397)

You could host your site through Godaddy. They apparently have a ddos infrastructure that rivals prolexic and mitigate attacks for their customers for free...

Don't ask on /. (4, Insightful)

Nethead (1563) | about 2 years ago | (#39626793)

This is a discussion you need to take to the NANOG list. Don't ask the amateurs, ask the professionals. The answer will involve ACLs, BGP settings, and community strings. If you don't have your own ASN then you need to push the issue upstream and work with your provider. Period. If you do have your own ASN and are running BGP then you need to read the NANOG list (and learn to take shit from Randy Bush, et al. They know what they are talking about.) Asking on /. can only make things worse.

Re:Don't ask on /. (1)

dgrotto (2588895) | about 2 years ago | (#39626851)

+1 - From personal experience, if you do not have your own ASN and a STAFF of BGP engineers, outsource. Using the basic proxy service from the "large and mature" services mentioned above, plan to pay $5k - $6k per month for the privilege of an available website.

easy (1)

bhcompy (1877290) | about 2 years ago | (#39626855)

1) acquire a Gibson
2) change username/password of superuser account from 'god'
3) profit, since Gibsons easily survive ddos attacks/flooding as evidenced by the documentary released over a decade ago detailing attempts to hack a Gibson

a mirror (1)

Max_W (812974) | about 2 years ago | (#39627037)

Use a mirror in another data-center for your e-commerce website. Post link on the main website to the mirror or mirrors.

Update mirrors with a script.

The ideas (prejudices) of monarchy, monotheism, etc. are set firmly in our heads, but why your e-commerce should have only one and only URL? Let it have 2 or 3 URLs.

We use a mirror for the 4th year, and it is the 4th year of sanity for me.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...