What do you do if kids perform a denial-of-service attack on your website?

Nowadays DDoS attacks have become a profitable field of cybercrime. You can find dozens of offers through search engines to take competitors offline.

But what do you do when you are the victim of such an attack?

First of all you will rage: WHAT THE F$%#K, HOW STUPID DO YOU HAVE TO BE TO DO SUCH THINGS?

Well, I recommend not making enemies. This is not so much something you do as something you should avoid doing.

Do not insult any religious group, nor any other large group of people.

But if somebody still attacks the website of such a polite and smart person as you, do one of the following.

  • Use a network of proxies around the world to mitigate the attack.
    It could be Cloudflare or any other similar service.
    Advantage of this approach: it is cheap.
    Disadvantages:
    • no guarantee that the attacker does not attack your original IP address directly (here they collect the IP addresses of websites behind Cloudflare: http://www.cloudflare-watch.org/ );
    • you have to reconfigure the web server and put all subdomains behind the proxy, which can be difficult in some configurations.
  • Buy expensive anti-DDoS protection from one of the companies that specialize in this area, for example Prolexic. Their pricing depends on the traffic volume you receive, the number of visitors and the number of websites to protect. It can be about $1.5k for an average-size web portal (do we still say "web portal", or is that outdated?).
  • Buy a super-expensive appliance built just for mitigating DDoS attacks, such as the Cisco Anomaly Guard (Catalyst 6500) for $35 000. You will need two of them, so $70 000 in total, plus support for about $4500. This is a good option if your company is one of the big internet service providers.

In all other cases the best strategy is to cooperate with your provider to block the IP addresses of the attackers. You send a complaint to your ISP, your ISP complains to its uplink, and the uplink in turn forwards the e-mail to the datacenters which host the vulnerable servers.

Another thing you can do is to collect the IP addresses of the compromised servers that perform the attack on your website and send abuse reports to the abuse@ address of their hosting company. Every hosting company should have an address like abuse@example.com.

The following will help you automate the process of sending abuse e-mails:

  1. Collect the IP addresses of the attackers and record several of the packets they send with tcpdump. For an HTTP flood use the following command (the filter keeps only TCP packets on port 80 that actually carry payload, so bare ACKs and handshake packets are skipped):
     tcpdump -i eth7 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  2. Collect WHOIS information on those IP addresses. Go through the list and run the whois command for each; it shows the e-mail address for abuse reports.
  3. Compose the abuse report. Example:
     Hello
     I want to report that one/some of your IP addresses was/were used by a botnet to DDoS the websites of our company:

     The attack started on 10 May at about 03:17 ETC+2 TZ

     We believe some of your computers are infected with a virus.
     Please take all necessary actions to prevent the virus from spreading over the Internet.
     It has already caused big losses to our company and to our customers.

     Thank you in advance.
  4. Attach the packet dump you made and send the e-mail to the owner of those IP addresses.
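As an added example (not part of the original post), the Python script below automates the four steps offline: it counts payload-carrying packets per source IP in tcpdump output, pulls the abuse contact out of whois output (RIPE-style abuse-mailbox and ARIN-style OrgAbuseEmail fields, with a fallback for free-text remarks), groups the attacking addresses by contact and renders one report per contact. The tcpdump lines, the whois answers and the addresses (RFC 5737 documentation ranges) are constructed samples; the server address 198.51.100.10, the function names and the `min_packets` threshold are this example's own assumptions. In real use you would feed it a saved capture and let `whois_lookup` call the whois command, as the comment in `build_reports` notes.

```python
"""Group attacking source IPs from a tcpdump capture, find the abuse contact
for each in whois output, and render one abuse report per contact."""
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -nn` output. 198.51.100.10 plays our web
# server; the fourth line is our own reply and must not be counted.
OUR_SERVER = "198.51.100.10"
SAMPLE_TCPDUMP = """\
03:17:02.101345 IP 203.0.113.7.51234 > 198.51.100.10.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
03:17:02.103210 IP 203.0.113.7.51235 > 198.51.100.10.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
03:17:02.110877 IP 192.0.2.44.40001 > 198.51.100.10.80: Flags [P.], seq 1:88, ack 1, win 502, length 87
03:17:02.115002 IP 198.51.100.10.80 > 203.0.113.7.51234: Flags [P.], seq 1:400, ack 120, win 500, length 399
03:17:02.120419 IP 203.0.113.7.51236 > 198.51.100.10.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
"""

# Constructed whois answers in RIPE (abuse-mailbox) and ARIN (OrgAbuseEmail) style.
SAMPLE_WHOIS = {
    "203.0.113.7": "inetnum:        203.0.113.0 - 203.0.113.255\n"
                   "netname:        EXAMPLE-NET\n"
                   "abuse-mailbox:  abuse@example.net\n",
    "192.0.2.44":  "NetRange:       192.0.2.0 - 192.0.2.255\n"
                   "OrgName:        Example Org\n"
                   "OrgAbuseEmail:  abuse@example.org\n",
}

# "<timestamp> IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump -nn
PKT_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def count_sources(dump_text, server_ip):
    """Count captured packets per source IP that are addressed to server_ip.
    Packets the server sends itself (replies) are ignored."""
    counts = Counter()
    for line in dump_text.splitlines():
        m = PKT_RE.match(line)
        if m and m.group(2) == server_ip:
            counts[m.group(1)] += 1
    return dict(counts)


def abuse_contact(whois_text):
    """Return the abuse e-mail from whois output, or None if there is none.
    Dedicated abuse fields win; otherwise take an address from any line
    that mentions 'abuse' (registries often put it in remarks)."""
    m = re.search(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+@\S+)", whois_text, re.I | re.M)
    if m:
        return m.group(1).lower()
    for line in whois_text.splitlines():
        if "abuse" in line.lower():
            m = EMAIL_RE.search(line)
            if m:
                return m.group(0).lower()
    return None


REPORT_TEMPLATE = """Hello,

I want to report that the following IP address(es) in your network were used
by a botnet to DDoS the websites of our company:

{ips}

The attack started on {started}.
We believe these machines are infected with malware. Please take all necessary
actions to stop the attack and clean the hosts. A packet dump is attached.

Thank you in advance.
"""


def build_reports(counts, whois_lookup, started, min_packets=1):
    """Group attacking IPs by abuse contact and render one report per contact.
    whois_lookup(ip) returns whois text; in production it could be
      lambda ip: subprocess.run(["whois", ip], capture_output=True, text=True).stdout
    Returns (reports keyed by contact, list of IPs with no contact found)."""
    by_contact = defaultdict(list)
    unknown = []
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n < min_packets:          # ignore one-off packets from legitimate visitors
            continue
        contact = abuse_contact(whois_lookup(ip) or "")
        if contact is None:
            unknown.append(ip)
            continue
        by_contact[contact].append(f"{ip} ({n} packets)")
    reports = {c: REPORT_TEMPLATE.format(ips="\n".join(ips), started=started)
               for c, ips in by_contact.items()}
    return reports, unknown


if __name__ == "__main__":
    counts = count_sources(SAMPLE_TCPDUMP, OUR_SERVER)
    reports, unknown = build_reports(counts, SAMPLE_WHOIS.get, "10 May at about 03:17 UTC+2", min_packets=2)
    for contact, body in reports.items():
        print(f"To: {contact}\n{body}")
    if unknown:
        print("no abuse contact found for:", ", ".join(unknown))
```

With `min_packets=2` the single request from 192.0.2.44 is dropped, so only one report (to abuse@example.net, listing 203.0.113.7) is produced; lower the threshold when you want every source reported.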
11 May, 2013
One of many DDoS attacks we have mitigated