MyBB Community Forums

Full Version: DDoSer Threatens For Ransom
(2014-12-02, 06:41 PM)Rakes Wrote: [ -> ]If you were hit by 1400 bots it wouldn't even get to that stage as your cpu would be too busy handling everything else

A forum that I work for has a record of almost 4500 visitors (15 minutes default setting), due to a DDoS attempt. It's absolutely possible with decent hardware to actually serve that many visitors long enough to have them counted. The usual amount of people online within the last 15 minutes is only ~400ish, so there were about 4000 potential bots online at that time.

--

When defending against DDoS attacks one has to be aware that there are essentially only two attack types: bandwidth saturation and CPU saturation.

The first type will simply throw multiple Gb/s of data in your direction (which is very cheap and easy to do for an attacker), eventually starving your server bandwidth (or that of your hosting company, if it isn't prepared for things like that). There is no way that you can ever defend against this type of attack yourself (no amount of software/firewall tweaking will help), only a very good hosting company that has professional equipment in place can handle that type of attack. Cheaper hosting companies will simply disconnect your server for the duration of the attack hoping that the attacker stops disrupting their network when he sees that his target isn't responding anymore.

Most companies explicitly advertise their DDoS-defending capabilities, so look for them and for online reviews. Also look for questions like "How to DDoS a server at ...", "How to bypass a site protected by ..." and "Can't take down site hosted at ..." in shady forums and message boards. If your potential attackers have problems getting through those defenses, then it can't be a complete fail. There are also a few big companies that don't charge you an arm and a leg for their service, which have prices comparable to those of companies without that fancy DDoS protection.

The second type of attack is something that you could theoretically defend yourself against. Having 5000 fake visitors forcing your system to do the whole "rendering of a forum page including at least a dozen queries against your database" work can cripple your system. But simply answering their requests with a "404 not found" or a static website is something that even really cheap hardware can do without problems. The only actual problem is "how to tell actual visitors from fake visitors (e.g. bots)?" The answer is: Challenge them. This is what Cloudflare (amongst many other things) does. On the highest security level it will challenge the visitor by, instead of returning the target website, just sending a small website with a little piece of javascript inside. The javascript is a rather simple calculation that will set its result as a cookie on the visitor's machine. Now Cloudflare can decide with every request if that visitor has solved the challenge, which was: (a) actually receive, read, understand and execute Javascript within an html site, (b) be capable of handling cookies. Most bots can't do either (most can't even handle the answer that they get from your server - as they are only intended to do requests), so they will fail and therefore identify themselves.

This is also the point where CSF can help, as the only way to deplete your resources with a barrier as mentioned above would be to do those "dumb" requests very, very often, which can and should trigger some of those security rules that you can set up with CSF. Also, depending on your hosting company's setup, it may identify the extremely frequent requests of websites as attacks and might even block them for you.

In that setup - a host that protects against network depletion plus lots of other rather low level attacks and your server set up to not spend a lot of CPU for bogus requests - you should be able to handle a lot of harassment without going down completely.

If you want to use Cloudflare as a protection mechanism against the second type of attack (which works well most of the time, as long as you are not on their "free plan" - btw. they charge only for the duration that you actually use their service, so increasing your contract to business level for a day or two when necessary because of attacks and then downgrading again to Pro or Free won't cost a fortune, only roughly 7 dollars per day that you actually used the business level service), you would have to set up your firewall to only accept connections to your http port from their servers. They have a list of their server ip ranges on their website exactly for this purpose. Also you may want to whitelist those cloudflare servers at your hosting company's firewall/defense system to prevent them from accidentally blocking cloudflare servers (and therefore all your visitors) from connecting to you.

Anyway, once you have both: network safety through your hoster and application safety through cloudflare (and blacklisted every ip in your firewall for http traffic except cloudflare servers), the attackers will have a hard time getting to you. All attacks of the first type will be handled by your hoster, all of the second type by cloudflare (or whatever personal setup you have created that is similar to cloudflare's concept of challenging visitors). And it doesn't matter if your server's IP is published, because your server will never answer http requests that don't go through cloudflare (or your own security system in their image).

--

Final words: Been there, done that. Have been kicked out by a hoster for "disrupting their service", migrated to a few different hosters, tried the ip hiding thing - which is possible but really, really hard to pull off, especially because people could just "guess" the ip if they know your hosting company and therefore the possible IP ranges that your server is probably located in. Now that we have found a really good DDoS-proof hoster and have the above mentioned security concept in place, we have had almost no problems. Any attack will (depending on its nature) be handled within minutes by the hoster, cloudflare, or both. And it doesn't cost a fortune; in fact the current setup price is comparable to that from when we started.
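The two mechanisms the post above describes (answer unknown visitors with a cheap static page carrying a small JavaScript calculation whose result comes back as a cookie, and accept HTTP connections only from the proxy provider's published IP ranges) can be sketched in a few dozen lines. The following is an added example written for this thread; it is not Cloudflare's code, not CSF, and not anything from the poster's setup. The token layout, the HMAC signing, the `clearance` cookie name, the arithmetic in the challenge, and the TEST-NET ranges standing in for the provider's real IP list are all assumptions made for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
import re
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Key used to sign challenge tokens. Assumption: supplied via the environment in
# real use; the fallback string exists only so the demo runs stand-alone.
SECRET_KEY = os.environ.get("CHALLENGE_SECRET", "demo-secret-change-me").encode()
TOKEN_TTL = 3600            # seconds a solved challenge stays valid
CHALLENGE_MODULUS = 100003  # keeps the browser-side arithmetic small

# Constructed placeholder ranges (RFC 5737 TEST-NET blocks). In production this is
# the proxy provider's published IP range list, the same list the firewall allows.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

def from_trusted_proxy(remote_addr: str) -> bool:
    """Application-level twin of the firewall rule: only the proxy's ranges may reach the HTTP port."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_RANGES)

def expected_answer(nonce: str) -> int:
    """The 'rather simple calculation' a real browser performs in JavaScript."""
    return (sum(ord(c) for c in nonce) * 7) % CHALLENGE_MODULUS

def sign(nonce: str, issued: int) -> str:
    """HMAC over nonce and issue time, so a client cannot mint or backdate its own token."""
    return hmac.new(SECRET_KEY, f"{nonce}:{issued}".encode(), hashlib.sha256).hexdigest()

def challenge_page(now: Optional[float] = None) -> str:
    """Small static page: the script mirrors expected_answer() and stores the result as a cookie."""
    nonce = secrets.token_hex(8)
    issued = int(time.time() if now is None else now)
    sig = sign(nonce, issued)
    return (
        "<!doctype html><html><body>Checking your browser...\n"
        "<script>\n"
        f'var n="{nonce}",s=0;for(var i=0;i<n.length;i++)s+=n.charCodeAt(i);\n'
        f'document.cookie="clearance={nonce}.{issued}.{sig}."+((s*7)%{CHALLENGE_MODULUS})+";path=/";\n'
        "location.reload();\n"
        "</script></body></html>"
    )

def browser_cookie(nonce: str, issued: int) -> str:
    """What the script above produces; used to simulate a JavaScript-capable client."""
    return f"clearance={nonce}.{issued}.{sign(nonce, issued)}.{expected_answer(nonce)}"

def nonce_from_page(page: str) -> str:
    """Pull the nonce out of a challenge page, as a browser effectively does by running the script."""
    match = re.search(r'var n="([0-9a-f]{16})"', page)
    return match.group(1) if match else ""

def cookie_is_valid(cookie_header: str, now: Optional[float] = None) -> bool:
    """Accept only a fresh, correctly signed token that carries the right answer."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except Exception:
        return False
    if "clearance" not in cookie:
        return False
    parts = cookie["clearance"].value.split(".")
    if len(parts) != 4:
        return False
    nonce, issued_s, sig, answer_s = parts
    if not (issued_s.isdigit() and answer_s.isdigit()):
        return False
    issued, answer = int(issued_s), int(answer_s)
    if not hmac.compare_digest(sig, sign(nonce, issued)):
        return False  # forged or tampered token
    current = time.time() if now is None else now
    if current - issued > TOKEN_TTL:
        return False  # expired; the client has to solve the challenge again
    return answer == expected_answer(nonce)

def gate(remote_addr: str, cookie_header: str, now: Optional[float] = None):
    """Per request: refuse direct hits, challenge unknown clients cheaply, render only for solved ones."""
    if not from_trusted_proxy(remote_addr):
        return 403, ""  # request bypassed the proxy: refuse without doing any work
    if cookie_is_valid(cookie_header, now):
        return 200, "<h1>Forum page rendered here (the expensive part)</h1>"
    return 503, challenge_page(now)  # static page, no database work, for everyone else
```

A client that cannot run the script or keep a cookie never gets past `gate()` returning the 503 page, which costs nothing but a string copy; repeatedly fetching that page "very, very often" is exactly the pattern the post leaves to CSF-style rate limiting at the firewall. The `from_trusted_proxy()` check is the in-process mirror of the iptables allow-list, not a replacement for it: the firewall drops bypass traffic before it consumes a socket at all.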
Thank you very much Evenprime. Big Grin
Very good information + advice. Smile
New development: The hosting got hit by a UDP flood attack, and can't restore services anymore.
Even CISCO Guard which has been put into place can't handle this attack.
Suggestions?
Which host are you with?
(2014-12-02, 08:52 PM)Evenprime Wrote: [ -> ]

Nice copy & paste from google lol Big Grin
(2014-12-08, 12:53 AM)Root Dalez Wrote: [ -> ]Nice copy & paste from google lol Big Grin

If you've found the same text somewhere else, then someone copied it from this thread.

@Jabberwock: Sorry to hear that. I'd recommend our hoster, as it has proven capable of defending against some of the biggest attacks that have ever been recorded on the internet, e.g. in 2010 the attacks that were run against Wikileaks.
(2014-12-08, 02:07 AM)Evenprime Wrote: [ -> ]

Yea cuz like nothing has changed in almost 5 years, I'd be more than happy to prove you wrong as I know for a fact, from first-hand experience, that the host you're using does not provide you such services.
Ok then, please do prove me wrong. Maybe you don't know the hosting company that we use, so I'll just write it:

OVH (the hoster that we use) does provide very good DDoS protection for all its customers. They are very experienced at doing that. The forum that I work for experiences 1 DDoS attack per month and every time OVH automatically detected and resolved the situation within less than five minutes.

I do not know of any case where OVH shut down a server that was the target of a DDoS (like many hosting companies do if they aren't prepared for this kind of trouble). In fact, they promise the contrary and have held that promise for pretty much 1 year now (and at least a dozen DDoS attacks of various kinds).

The DDoS protection service is standard for all their offerings, not only business servers (ovh.com), but also small business/enthusiast servers (soyoustart.com) and even for the cheap lime beginner servers (kimsufi.com).

But as I said, they can only protect you against network based attacks (e.g. udp floods). If someone uses bots to overload your http server with fake page requests, they won't be able to do much for you.
(2014-12-08, 03:45 PM)Evenprime Wrote: [ -> ]Ok then, please do prove me wrong.

OVH 'VAC protection' has been repeatedly bypassed many times in the past - by people who know what they're doing.
Please show proof for whatever you are saying and if you know a good hosting provider please also specify.
I need protection not against bots accessing my site, as for that I can code a simple DDoS challenge like what CloudFlare does.

Marisa - What do you mean?
Evenprime - Thanks. Seems like a serious company. Maybe I'll consider it.
Euan T - Arvixe