What can you do to counter a DDoS attack?
A friend's site recently fell prey to a DDoS attack, and I'm just curious what you should do to 'fix' it?
6 Answers
Along with the counter-measures suggested by fellow experts, you can also mitigate the attack by directly adding QoS and banning lists to your targeted servers, that is if you have the right bandwidth.
You should also prepare fallback servers, maybe with dynamic addresses, something like Amazon addresses, starting with DNS, SMTP, apps and web.
Be prepared, plan ahead and test your solution!
Joel,
From the end user there is likely very little you can do yourself. The best tactic as a reaction to a DDOS would be to contact your upstream(s) and have them null route the IPs that are attacking you. This would not stop the attack, but it would make it so the attack was not reaching your server and you could continue with normal operations.
As a proactive step you can purchase DDOS protection services from ISPs or from 3rd party providers to clean your traffic before it reaches you. These can be expensive and the small guys normally can't afford this. A hardware solution would probably not be a fit in this instance, as I am assuming your friend does not have a huge amount of bandwidth, and even with a hardware device in place to protect the server it would still saturate the upstream bandwidth.
Steve basically hit it with the fact that DDoS is successful because of the amount of bandwidth the target has (i.e. relatively little).
The only real solution is to get it blocked as close to source as possible, though given that most DDoS attacks use compromised systems to send the packets, this is pretty useless.
The best point is at your service provider, or whoever is upstream of them, as they have the best chance of minimizing the effect. Anywhere else, and you either can't stop every source, or you have too little bandwidth to handle it.
You can also move your site in the hopes that the attackers will not bother to update the IP addresses in their tools and move on. Obviously not effective against a determined hacker. You can contract for more servers and more bandwidth.
Effective DDoS defense takes the form of many proxy servers (SQUID) that are load balanced and lots of bandwidth.
Read Barrett Lyon's excellent answer to this question: http://verbophobia.blyon.com/ddos_top_10/
Most DDOS attacks today are DNS based, so attackers don't have to update your IP address; it's done for them. As soon as the Dynamic DNS record is updated the DDOS will follow it to whatever IP address is specified in near real time. This is why some people (especially spammers) use a DDOS cleaning service. These services usually have very large pipes (bandwidth) and take the Dynamic DNS record over for you. Once the DDOS is pointed at them, they strip out the illegitimate traffic and forward the legitimate traffic back to your IP space. This is expensive, but it works. Changing your IP would only work if:
A) Your server, etc., only used an IP address and no DNS
(and if it's something like a UDP flood)
B) Your new IP address is not routed via the same provider, because if your provider is getting crushed or your block is being null routed, you're still down.
Many DDOS attacks today can be in excess of 10 or even 20 gigabits of data per second. Changing to another IP address in the same IP range, or another block from the same provider subnet using the same route, is oftentimes still going to leave your connection down. You will, however, have the added benefit of IP unreachable responses to help further complicate the problem.
Using QOS seems like a good idea, and for some types of less bandwidth-intensive attacks it is, but for DDOS floods, by the time packets get to you to be filtered by QOS they've already done their job. If an attacker is just denying service to a single port, or they are using SYN or ACK attacks, a firewall could definitely help. QOS might help, but how much if the sources are distributed? What will it filter based on: requests, IP range? On the other hand, for any flood attacks aimed at simply using bandwidth, I doubt QOS would help at all. As I said before, if the packet has made it to your gear to be filtered, it's already done its job.
My advice: use a firewall at your network entry point(s), use iptables on your machines for services, and use a DDOS service with Dynamic DNS if you can afford it.
I know this is over a year old, but it's good information for some people to have.
Most DDOS attacks today follow the DNS record, so attackers don't have to update your IP address; it's done for them. As soon as the Dynamic DNS record is updated the DDOS will follow it to whatever IP address is specified in near real time. This is why some people (especially spammers) use a DDOS cleaning service that usually has very large pipes (bandwidth) and takes the Dynamic DNS record over for you. Once the DDOS is pointed at them, they strip out the illegitimate traffic and forward the legitimate traffic back to your IP space. This is expensive, but it works. Changing your IP would only work if:
A) Your server, etc., only used an IP address without DNS
(and if it's something like a UDP flood)
B) Your new IP address is not via the same provider, because if your provider is getting crushed you're still down.
Many DDOS attacks today can be in excess of 10 or even 20 gigabits of data per second. Changing to another IP address in the same IP range or on the same provider subnet is oftentimes still going to leave your connection crushed; however, you will have the added benefit of IP unreachable responses to help further complicate the problem.
Using QOS seems like a good idea, but by the time packets get to you to be filtered by QOS they've already done their job and eaten up a little of your bandwidth. If they are just denying service to a single port, or they are using SYN or ACK attacks, a firewall would definitely help and QOS might help, but how much if the sources are distributed? On the other hand, for any flood attacks aimed at simply using bandwidth, I doubt QOS would help at all. As I said before, if the packet has made it to your gear to be filtered, it's already done its job.
My advice: use a firewall at your network entry point(s), use iptables on your machines for services, and use a DDOS service with Dynamic DNS if you can afford it.
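The two answers above both argue that a host firewall helps against a SYN flood from a few sources but that per-source filtering has nothing to key on once the sources are distributed. As an added illustration (not code from the thread), the following parses constructed `ss -tn`-style lines, counts half-open connections per peer, and shows that the single-source case yields a blockable IP while the distributed case overloads the backlog with no source standing out; the `per_source_limit` and `backlog_capacity` values are assumed thresholds.

```python
# Added example, not from the original thread. Aggregates SYN-RECV entries
# (IPv4 only) from ss/netstat-style output to show what a per-source filter
# can and cannot act on. All sample lines below are constructed.
from collections import Counter
import re

# Columns of `ss -tn`: State Recv-Q Send-Q Local:Port Peer:Port
LINE_RE = re.compile(r"^SYN-RECV\s+\d+\s+\d+\s+\S+\s+(\S+):\d+\s*$")


def parse_half_open(lines):
    """Return a Counter mapping peer IP -> number of half-open connections."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts


def classify(lines, per_source_limit=20, backlog_capacity=128):
    """Return (offending_sources, total_half_open, overloaded).

    offending_sources: peers above per_source_limit, i.e. what a per-source
    firewall rule could block.  overloaded: the listen backlog is exceeded
    regardless of whether any single source stands out (distributed case).
    """
    counts = parse_half_open(lines)
    total = sum(counts.values())
    offenders = sorted(ip for ip, n in counts.items() if n > per_source_limit)
    return offenders, total, total > backlog_capacity


# Constructed: 150 half-open connections, all from one peer.
SINGLE_SOURCE = [
    f"SYN-RECV 0 0 192.0.2.10:80 198.51.100.7:{40000 + i}" for i in range(150)
]
# Constructed: 150 half-open connections spread over 150 distinct peers.
DISTRIBUTED = [
    f"SYN-RECV 0 0 192.0.2.10:80 203.0.113.{i + 1}:{40000 + i}" for i in range(150)
]

if __name__ == "__main__":
    print("single source:", classify(SINGLE_SOURCE))
    print("distributed:  ", classify(DISTRIBUTED))
```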