How to stop a DDoS attack (opens in new tab)

(blog.fastmail.com)

114 pointsrobn_fastmail10y ago27 comments

27 comments

A article I wrote on attempting to do this yourself (without cloudflare/other services) is here: http://harknesslabs.com/post/38104429912/fighting-spoofed-sy...

Its much easier to use cloudflare, but sometimes it just not possible to use them (it wasnt for us, due to needing hardcoded IPs in our DC)

pki10y ago

Cloudflare lets you announce your own IP space through their serivce on non-personal plans don't they?

vox_mollis10y ago

Not that I'm aware of. You're thinking of GRE tunnel DDoS mitigation providers like staminus and blacklotus.

asherkin10y ago

You need an Enterprise plan for that unfortunately, it's not even included in Business.

rmdoss10y ago

Starts at $5k per month last time I checked.

nullrouted10y ago

tl:dr Used cloudflare for DNS and Level3/Blacklotus for network filtering.

In DDoS attacks you have three models: On-Prem: Buy hardware and big fat internet pipes to filter traffic (expensive / time \ resrouce intensive) Hybrid: On-Prem devices that can mitigate X/Mbps and then starts announcing your routes after X to their cloud scrubbing centers which can filter it at a much higher capacity (best option) Cloud: Full on filtering by a provider where all your traffic goes through their scrubbing centers full time (usually adds latency, extremely expensive)

The hybrid model is the best and what most companies are going to as it allows you to filter smaller attacks out with little cost as well as scaling up to large 100 Gb/s+ attacks without having to buy massive amounts of hardware/transit.

prdonahue10y ago

How do you define "extremely expensive"? CloudFlare's Business Plan ($200/mo) includes advanced DDoS mitigation: https://www.cloudflare.com/ddos/.

Also, due to caching of assets in PoPs close to end-users (and TLS termination at the edge), the site is often much faster than without DDoS protection.

franimals10y ago

Well CloudFlare works if you're mainly worried about responding to HTTP(S) traffic. In this the company was responsible SMTP, POP, etc which CloudFlare doesn't really handle.

Additionally as is mentioned in the article - If the attacker knows your public IP address they can easily bypass CloudFlare by simply directing the traffic to you and not CF.

nullrouted10y ago

Cloudflare is a WAF/Proxy that can handle DDoS, it isn't a DDoS specific product. If your actual network space is getting hit (e.g. 8.8.8.8) cloudflare will not help you.

1 more reply

vox_mollis10y ago

How do you define "extremely expensive"?

Always-on scrubbing will typically run you $10k provisioning and $6-9k monthly for 100mbps of clean bandwidth from most of the providers.

1 more reply

rmdoss10y ago

DDoS is becoming an increasing pain lately.

If you only care about HTTP/HTTPS traffic, you can get very solid DDoS protection at cheap prices. We use and love the Sucuri ( https://sucuri.net ) which starts at $9.99 per month.

Some friends have good success with Incapsula and CloudFlare, but they get a bit more expensive to get full protection ($60 per month on http://Incapsula.com ).

All 3 can cover 99.9% of the people that doesn't expose SMTP/POP/FTP/DNS and other services.

If you run these yourself, BlackLotus.com and Arbor Cloud are a great help, but their prices start at 5 digits per month.

dimgl10y ago

The irony is that this website seems to be down right now.

http://downforeveryoneorjustme.com/blog.fastmail.com/2015/12...

Not sure if it's due to DDOS, but it's definitely not working on my end.

robn_fastmailOP10y ago

Datacentre confirmed a DDoS attack, which took a little while to mitigate. We're looking good now, but we're continuing to monitor.

alfiedotwtf10y ago

It's intermittent. Currently works fine for me though:

http://www.fastmailstatus.com/

mbrd10y ago

My Fastmail web access is currently taking 60+ seconds to load. The DDOS in the blog was last month so I'm not sure if it's related.

elwell10y ago

Posting a blog post with the title "How to stop a DDoS attack" unfortunately will invite the trolls.

robn_fastmailOP10y ago

Quite. As my dear colleague said this morning, "hubris" is the word of the day. Still, I'm not sorry we posted it.

1 more reply

andrew_wc_brown10y ago

When I was working for a startup that was getting DDOS the only thing that stopped it was this service.

https://www.dosarrest.com/

snowwrestler10y ago

Dos Arrest is excellent but expensive.

tracker110y ago

Cool article... how about "Dead or Alive" bounties for the people responsible? I'm only half joking, but given the distribution of the people responsible, and how much like the "old west" attacks on the internet today seem to resemble, not sure how bad of a solution it would actually be.

robn_fastmailOP10y ago

I don't know about bounties, because I'm not personally in favour of vigilantism, but I do take your point.

Honestly, I think the ease in which people can be anonymous is major problem here. Anyone with an internet connection can buy botnet time with Bitcoin and accept a ransom in the same way. It makes it incredibly difficult to follow the path back to the attacker.

At this point pretty much the only thing you can do is collect data and share it with CERT and other relevant law enforcement. I don't have a good sense of how effective they can be, but it makes sense that the more data they have, the better chance they have at identifying specific botnets and follow the path back to the owners.

NickHaflinger10y ago

'A botnet consists of many (usually hundreds or thousands) of normal home or work computers [running Microsoft Windows] that have malicious software installed on them.'

j / k navigate · click thread line to collapse

27 comments

DanBlake10y ago

A article I wrote on attempting to do this yourself (without cloudflare/other services) is here: http://harknesslabs.com/post/38104429912/fighting-spoofed-sy...

Its much easier to use cloudflare, but sometimes it just not possible to use them (it wasnt for us, due to needing hardcoded IPs in our DC)

pki10y ago

Cloudflare lets you announce your own IP space through their serivce on non-personal plans don't they?

vox_mollis10y ago

Not that I'm aware of. You're thinking of GRE tunnel DDoS mitigation providers like staminus and blacklotus.

asherkin10y ago

You need an Enterprise plan for that unfortunately, it's not even included in Business.

rmdoss10y ago

Starts at $5k per month last time I checked.

nullrouted10y ago

tl:dr Used cloudflare for DNS and Level3/Blacklotus for network filtering.

prdonahue10y ago

How do you define "extremely expensive"? CloudFlare's Business Plan ($200/mo) includes advanced DDoS mitigation: https://www.cloudflare.com/ddos/.

Also, due to caching of assets in PoPs close to end-users (and TLS termination at the edge), the site is often much faster than without DDoS protection.

franimals10y ago

Well CloudFlare works if you're mainly worried about responding to HTTP(S) traffic. In this the company was responsible SMTP, POP, etc which CloudFlare doesn't really handle.

Additionally as is mentioned in the article - If the attacker knows your public IP address they can easily bypass CloudFlare by simply directing the traffic to you and not CF.

nullrouted10y ago

Cloudflare is a WAF/Proxy that can handle DDoS, it isn't a DDoS specific product. If your actual network space is getting hit (e.g. 8.8.8.8) cloudflare will not help you.

1 more reply

vox_mollis10y ago

How do you define "extremely expensive"?

Always-on scrubbing will typically run you $10k provisioning and $6-9k monthly for 100mbps of clean bandwidth from most of the providers.

1 more reply

rmdoss10y ago

DDoS is becoming an increasing pain lately.

If you only care about HTTP/HTTPS traffic, you can get very solid DDoS protection at cheap prices. We use and love the Sucuri ( https://sucuri.net ) which starts at $9.99 per month.

Some friends have good success with Incapsula and CloudFlare, but they get a bit more expensive to get full protection ($60 per month on http://Incapsula.com ).

All 3 can cover 99.9% of the people that doesn't expose SMTP/POP/FTP/DNS and other services.

If you run these yourself, BlackLotus.com and Arbor Cloud are a great help, but their prices start at 5 digits per month.

dimgl10y ago

The irony is that this website seems to be down right now.

http://downforeveryoneorjustme.com/blog.fastmail.com/2015/12...

Not sure if it's due to DDOS, but it's definitely not working on my end.

robn_fastmailOP10y ago

Datacentre confirmed a DDoS attack, which took a little while to mitigate. We're looking good now, but we're continuing to monitor.

alfiedotwtf10y ago

It's intermittent. Currently works fine for me though:

http://www.fastmailstatus.com/

mbrd10y ago

My Fastmail web access is currently taking 60+ seconds to load. The DDOS in the blog was last month so I'm not sure if it's related.

elwell10y ago

Posting a blog post with the title "How to stop a DDoS attack" unfortunately will invite the trolls.

robn_fastmailOP10y ago

Quite. As my dear colleague said this morning, "hubris" is the word of the day. Still, I'm not sorry we posted it.

1 more reply

andrew_wc_brown10y ago

When I was working for a startup that was getting DDOS the only thing that stopped it was this service.

https://www.dosarrest.com/

snowwrestler10y ago

Dos Arrest is excellent but expensive.

tracker110y ago

robn_fastmailOP10y ago

I don't know about bounties, because I'm not personally in favour of vigilantism, but I do take your point.

NickHaflinger10y ago

'A botnet consists of many (usually hundreds or thousands) of normal home or work computers [running Microsoft Windows] that have malicious software installed on them.'

j / k navigate · click thread line to collapse