[nog] DoS and DDoS mitigations

Marian Marinov mm at siteground.com
Wed Feb 27 12:03:25 EET 2019 

On 2/21/19 5:38 PM, Marian Marinov wrote:
> Hi guys,
> 
> I'm trying to generate a good overview of the DoS/DDoS attacks that everyone of us is receiving, for my Network Security Courses in FMI Sofia.
> 
> So the information I'm searching for is, first the type of attacks and second, what mitigations you use for different types of attacks.
> 
> For example, we at SiteGround receive mainly two types of attacks:
> - UDP floods (large pps)
> - HTTP connection floods(connection exhaustion)
> 
> These days it is rear for us to receive a TCP Syn flood.
> 
> What we employ is basic iptables rules and linux sysctl controls, for attacks that do not exceed the capacity of the receiving machines and Radware for attacks that we can't mitigate.
> 
> In the cases, when the attacks are even above the capacity of the Radware we are null routing the IPs for a few hours, until the attack subsides.
> 
> So would you guys share your solutions?
> 
> Best regards,
> Marian
> 

Let me start with some obvious protections that I employ on my linux machines, when they are the receiving end of a DoS/DDoS:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_challenge_ack_limit = 200
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_sack = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_thin_dupack = 1
net.ipv4.tcp_thin_linear_timeouts = 1
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 12
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent2 = 12
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 30

The above sysctls help a lot with handling the incoming traffic.
The next thing is to reduce the amount of attack traffic and what I usually do is, tcpdump 10k packets and based on the characteristics of the traffic, write a few rules in the PREROUTING chain of the mangle table, that reduce the packets actually
handled by the tcp stack.




-- 
Marian Marinov
Chief System Architect of SiteGround.com
Jabber/GTalk: hackman at jabber.org
ICQ: 7556201
IRC: hackman @ irc.freenode.net
Mobile: +359 886 660 270

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ludost.net/pipermail/nog/attachments/20190227/8b1f582e/attachment.sig>

More information about the Nog mailing list