Fog Creek Software Discussion Board

fighting DOS attacks

Any advice on the following?

We're renting a server from an (unnamed) hosting company and have been frustrated by service outages caused by DOS attacks directed at the hosting company's network.  This happens once or twice a month, usually off hours, but last week it went down during prime business hours (8 AM - noon).  Our server goes down, the vendor's web site goes down, and (I assume) hundreds of other sites go down.

When I complained about the most recent outage, I got this response.  Is it legitimate, or could the company do better?  Needless to say, we're thinking hard about switching vendors.

*****
The outage was caused by an attack on our network.  We do our very
best to keep our network as secure and safe as possible, but when
faced with a denial-of-service attack launched from machines outside
our control, there is very little that we can do.  We were eventually
able to block the attack, but these kinds of attacks are usually
launched from many hundreds or thousands of machines simultaneously,
so tracking down and blocking the sources is not a task that is
easily or quickly achieved.

Unfortunately, the current networking protocols used on the Internet
provide few tools to stop these attacks once they are begun, and while
we keep our own network as safe as we can internally, there is nothing
we can do to prevent an attack being launched from outside.

****

Will
Tuesday, March 18, 2003

This may be an interesting read http://grc.com/dos/grcdos.htm
It is a story about what happened to grc.com in May 2001.
They talked to their ISP and even the FBI, then reverse-engineered the
attack tool. Yes, they were pretty determined..

"Nothing more than the whim of a 13-year
old hacker is required to knock any user,
site, or server right off the Internet."

Fredrik Svensson
Tuesday, March 18, 2003

If CNN can't deal with DOS attacks, do you think your little hosting company can?

T .rM
Tuesday, March 18, 2003

http://grcsucks.com/

Steve Gibson has been debunked many many times. People have developed whole careers on debunking him.

Not to say he didn't get DOS'd, but only that what he says should be taken with a grain of salt.

trollbooth
Tuesday, March 18, 2003

Thanks for the links.  Kind of sensational, but interesting.

Back to my fundamental question-- can a hosting company do anything about DOS attacks?  This firm claims not, but my intuition tells me if I switch companies, I'll be better off. 

Will
Tuesday, March 18, 2003

Oh, did not know that. Guess I fell for the scam if it is a scam :)
Thanks for informing me. Is there any good site out there
where experts are discussing the problem?
A DOS Defence HOWTO, for those of us who do not need to follow
BugTraq for our daily work? I am interested in security, but I
just find time occasionally to read articles about it..

Fredrik Svensson
Tuesday, March 18, 2003

If your hosting company is running off of a little T1 or two dragged across town from a bigger company, they are going to be way more susceptible to DOS attacks than a large hosting company with a data center located in a major NOC with tons of bandwidth going to multiple backbones.

There's nothing they can do to stop all DOS attacks, but the more bandwidth they have and the more diverse their connectivity, the more likely they'll be able to deliver at least some packets during an attack.

Joel Spolsky
Tuesday, March 18, 2003

I worked for an ISP for 3 years and the best we could do was notify our upstream provider and attempt to locate the suspected attacker and notify their ISPs. We did on one occasion notify the FBI, who in turn said that unless we had a million dollar loss (actually I think it might have been more like 100k ;) they would not investigate. The DOS eventually ended after 24 hours.

Unfortunately some attackers compromise multiple hosts and use a coordinated DDOS, where the attacking clients are spread all over the world. It can be a real PITA to track down suspected attackers.

But what you are saying makes some sense. All ISPs that we were in contact with received DOS attacks. But some have more bandwidth and can handle such attacks. Some also have monitoring software linked to their "war rooms" to notify them of suspected attacks and they can reroute around such problems (as is the case at DIGEX). I mean it's pretty hard to saturate a full OC-24 like some providers have. BUT any provider can be DOS'd, plain and simple.

I don't know any HOWTO's on preventing DOS attacks but one security site I like to read occasionally is www.phrack.com

trollbooth
Tuesday, March 18, 2003
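Two points in this thread can be made concrete with a little code: the hosting company's letter near the top says a distributed attack comes from "many hundreds or thousands of machines simultaneously, so tracking down and blocking the sources is not a task that is easily or quickly achieved", and trollbooth above mentions providers whose monitoring software flags suspected attacks. The following is an added example, not code from the original thread or from any provider mentioned in it. It runs a simple per-second flood detector over a constructed set of flow records (one legitimate target, five legitimate clients, and 2000 low-rate attacking sources, all on made-up 10.0.0.0/8 addresses) and then measures how little of the traffic you would remove by blocking the top ten source addresses. The thresholds (10x the warm-up baseline, at least 100 distinct sources) are assumptions chosen for the example, not anyone's production tuning.

```python
from collections import Counter, defaultdict

# Constructed flow records for the example: (second, src_ip, dst_ip, bytes).
# All addresses are in 10.0.0.0/8 so nothing here maps to a real network.
TARGET = "10.200.0.10"


def constructed_flows():
    """Build ten seconds of traffic toward TARGET; the attack starts at second 5."""
    flows = []
    legit = [f"10.1.0.{i}" for i in range(1, 6)]
    for sec in range(10):
        for src in legit:
            # Each legitimate client sends two full-size packets per second.
            flows.extend([(sec, src, TARGET, 1500)] * 2)
    for sec in range(5, 10):
        for i in range(2000):
            # 2000 distinct bots, one small packet each per second (a SYN-sized
            # packet is assumed here). Per source this is negligible; in
            # aggregate it is 200x the legitimate packet rate.
            src = f"10.{100 + (i >> 8)}.{i & 255}.1"
            flows.append((sec, src, TARGET, 60))
    return flows


def per_second_stats(flows, dst):
    """Return {second: (packets, distinct_sources)} for traffic toward dst."""
    pkts = Counter()
    srcs = defaultdict(set)
    for sec, src, d, _ in flows:
        if d == dst:
            pkts[sec] += 1
            srcs[sec].add(src)
    return {sec: (pkts[sec], len(srcs[sec])) for sec in pkts}


def detect_flood(flows, dst, warmup_seconds=5, multiplier=10, min_sources=100):
    """Learn a packets-per-second baseline from the warm-up period, then
    alert on seconds whose rate exceeds multiplier * baseline AND come from
    many distinct sources (the distributed-attack signature).
    Returns (baseline_pps, alerts)."""
    stats = per_second_stats(flows, dst)
    warm = [stats[s][0] for s in sorted(stats) if s < warmup_seconds]
    if not warm:
        raise ValueError("no warm-up traffic to learn a baseline from")
    baseline = sum(warm) / len(warm)
    alerts = []
    for sec in sorted(stats):
        if sec < warmup_seconds:
            continue
        pps, nsrc = stats[sec]
        if pps > multiplier * baseline and nsrc >= min_sources:
            alerts.append({"second": sec, "pps": pps, "sources": nsrc})
    return baseline, alerts


def share_blocked_by_top_sources(flows, dst, start, end, n):
    """Fraction of packets toward dst in [start, end] that would be dropped by
    blackholing the n busiest source addresses. Ties are broken by address so
    the result is deterministic."""
    counts = Counter(src for sec, src, d, _ in flows
                     if d == dst and start <= sec <= end)
    total = sum(counts.values())
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return sum(c for _, c in top) / total


if __name__ == "__main__":
    flows = constructed_flows()
    baseline, alerts = detect_flood(flows, TARGET)
    print(f"baseline {baseline:.0f} pps; {len(alerts)} alert seconds")
    for a in alerts:
        print(f"  t={a['second']}s pps={a['pps']} distinct sources={a['sources']}")
    share = share_blocked_by_top_sources(flows, TARGET, 5, 9, 10)
    print(f"blocking the top 10 sources removes {share:.2%} of attack-window traffic")
```

Detection is the easy half: a 200x jump in packet rate from over two thousand addresses is unmistakable. Mitigation by source is where the letter's argument holds up. In the attack window the ten busiest addresses are the five legitimate clients (10 packets each) followed by bots at 5 packets each, so a top-talker blackhole hits your own customers first and removes well under one percent of the flood. That is why the practical levers discussed elsewhere in this thread are upstream ones: more bandwidth, diverse connectivity, and a provider that can reroute or ask its upstream to filter, rather than chasing individual sources.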

The debunking of Steve Gibson has also been debunked, with people making whole internet reputations on debunking the debunkers etc.

Steve has said sensational stuff.  And he uses very direct non-technical gloss to his stuff etc.  And he likes coloured capitalised headings.

Don't forget that his detractors are equally 'selling' their own PR etc.

There was even a case where Thomas C Greene (the only non-funny writer at the register) went on a head to head radio interview with Steve to debunk Steve, and ended up admitting he hadn't checked his sources!  Ha.

IMHO Steve has done a lot for non-technical awareness of issues, etc.  Way to go Steve!

And reading his site is always entertaining.  Can't complain about that..

Nice
Wednesday, March 19, 2003

If your ISP is repeatedly dropping the ball on you for whatever reason, do leave. What causes the outages is none of your concern. You are interested in the straight performance data first. The only use you have for the reasons given for the outage is to estimate whether this is likely to happen again, or whether this was an exceptional one-time-only circumstance.
"We were hit with a DDOS (several times) and our link could not take it" is not indicative of a special one-off circumstance. They do not indicate they have taken steps that will avoid the same from recurring. You should not have a critical system at such a place.

Just me (Sir to you)
Wednesday, March 19, 2003

When Gibson started ranting about the end of the Internet because of the introduction of raw sockets into Windows they really came out of the woods to try and debunk him.

I simply take everything I read on the internet with a grain of salt. Or maybe a mound of salt.

trollbooth
Wednesday, March 19, 2003
