DDoS Mitigation
Anyway, a website hosted on my Linode was under DDoS attack last night by an unknown source; they managed in the course of a few hours to use up 75% of my monthly transfer limit, which is not ideal given that my Linode usually touches the limit each month anyway.
My question is are there any systems I can put in place to prevent this happening again or at least mitigate its effects?
If it helps, my linode is a 540 currently running Debian 5.
5 Replies
http://www.linode.com/forums/viewtopic.php?t=1558
A lot of it boils down to what, exactly, the DDoS was – the trick to mitigating one is figuring out how it is impacting you and then figuring out what is common to all the bad traffic (and makes it identifiably different from "good" traffic). It's a somewhat complex field, and there's no stick-this-in-your-rc.local instant fix, unfortunately.
For the record, it was not HTTP traffic; the first thing I did was turn off Apache. It seems to have been a UDP flood or some other form of junk packets being sent to the server in high volume.
For the moment, though, the Linode staff have helped control the situation: they've nullrouted the server's IP address until this attack subsides. Hopefully that should keep things in one piece.
Anyway, one of the early attacks (and not a major one) was on an IRCd that I ran. Basically they would have thousands of bots connecting every minute. Luckily I found that none of them replied to CTCP VERSION requests, so I developed a mIRC script that VERSIONed every connection and G-lined it if there was no response.
It wasn't a flat-out DDoS, but I had this issue where I was almost hitting my bandwidth cap every month, only to check the Apache logs and find there were all these .br users downloading files from the files directory on my server. I eventually just blocked all .br IPs with iptables… I removed the entries a few months ago and bandwidth usage hasn't changed, so I guess they moved on.
Hoopycat was right, it's all about finding what makes them different from the average user. I have heard of various bandwidth-usage limiting techniques; most involve iptables.