Bandwidth consumption 2

Status
Not open for further replies.

bluemax72

Programmer
Jun 10, 2003
PK
Hi guys,
I have got a big problem. My server is under a DDoS attack. The problem is bandwidth consumption. I am getting useless traffic which is consuming my bandwidth, and the HTTP requests are valid. I am using a CISCO Core Router whose model is 7513. The bandwidth capacity which I am receiving is 155 MBPs i.e. T1. Please help me.

Blue Max
 
Find out the source IPs of the DDOS traffic, and block them at the router using ACLs. Then report the little jerks to their abuse@theirISP.com



I'll see your DMCA and raise you a First Amendment.
 
I have tried to find the source IP addresses, but they are spoofed. Secondly, the attack is from many countries. I don't know which address is causing the attack and which is not. Actually the problem is that somebody has spread a Code Red sort of virus on the net against me. Plzzz help me. I need you people.

BLUE MAX
 
Blue,
It's more likely that the source is generating a bunch of spoofed IPs rather than it being a multitude of zombies directed just at you. Review your logs and see if a pattern in the IPs develops. Do they go through a cycle and start again? Are they all accessing the same set of "valid" pages?
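As an added example (not code from the thread), a Python script that does the log review this reply suggests over a constructed common-log-format excerpt: it singles out the sources that account for most of the requests, checks whether they cycle through a fixed sequence and start again, and measures how much of their traffic lands on a single page. The addresses, paths and the min_requests threshold are made up for illustration.

```python
import re
from collections import Counter

# Constructed Apache common-log-format excerpt; addresses, paths and times are made up.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Jun/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.2 - - [10/Jun/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.3 - - [10/Jun/2003:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 512
192.0.2.7 - - [10/Jun/2003:10:00:02 +0000] "GET /products/list.html HTTP/1.0" 200 2048
10.0.0.1 - - [10/Jun/2003:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.2 - - [10/Jun/2003:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.3 - - [10/Jun/2003:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def parse_log(text):
    """Return (client_ip, path) per line of: ip ident user [time] "request" status bytes."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(3)))
    return hits

def shortest_cycle(seq):
    """Length of the shortest pattern the sequence keeps repeating, or 0 if none."""
    n = len(seq)
    for period in range(1, n // 2 + 1):
        if all(seq[i] == seq[i % period] for i in range(n)):
            return period
    return 0

def flood_signature(hits, min_requests=2):
    """Summarise the busiest sources: do they arrive in a cycle, and do they hit one page?"""
    counts = Counter(ip for ip, _ in hits)
    suspects = {ip for ip, c in counts.items() if c >= min_requests}
    seq = [ip for ip, _ in hits if ip in suspects]      # suspect sources in order of arrival
    paths = Counter(path for ip, path in hits if ip in suspects)
    top_path, top_n = paths.most_common(1)[0] if paths else (None, 0)
    return {
        "suspects": sorted(suspects),
        "cycle_length": shortest_cycle(seq),
        "top_path": top_path,
        "top_path_share": round(top_n / len(seq), 2) if seq else 0.0,
    }

if __name__ == "__main__":
    print(flood_signature(parse_log(SAMPLE_LOG)))
```

A short, perfectly repeating cycle fits the single spoofing source this reply describes; many addresses with no cycle point more toward separate real hosts.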
 
Notify your ISP as well. Their security department can assist you in tracking down the source of the DDoS traffic. They don't want that traffic on their network any more than you want to be DoS'd.

Makes me wish that more ISPs did source filtering as well as destination filtering.


pansophic
 
Well, this topic was originally about bandwidth consumption. So the quick and dirty way to fix this issue is to keep an eye on the logs, and for each IP that attacks you (spoofed or not), put it in the 'known hackers' group on your firewall and block it at the first rule. Might be a bit of a pain, but it would work.

An IDS would be great here, IF you got it configured correctly. Some IDSs have the ability to proactively shut down connections by making configuration changes on your firewall or router, i.e. if an attack is detected, block the source IP. Presto... no more DDoS.

But you could add the IPs by hand. It might take a while, but then again, it could take you a while to implement another solution.

Take pansophic's advice though. Report the traffic to your ISP, include your log files as well.

I'll see your DMCA and raise you a First Amendment.
 
One of the problems with blocking spoofed addresses is that I can easily spoof the address of legitimate customers, and your firewall/IDS will gleefully block them. To me, that is a worse form of DoS, because I can hit you in the pocketbook.


pansophic
 
Very true. Didn't think of that. Gave an 'off the top of my head' answer. Whoops!
You could put an IDS (Snort) in front of (or behind) the firewall, and configure it to kill the connection of inbound DDoS attacks. Might help with the bandwidth issue, and wouldn't blacklist spoofed IPs permanently.
It might give your IDS a nasty headache though. [smile]

How would you go about this? Preventing DDoS isn't a real problem, but I never considered the monetary damage from bandwidth consumption.



I'll see your DMCA and raise you a First Amendment.
 
Hi guys,

I told my router administrator to give me log files, but he said the attack is so hard that the log files cannot be maintained because the router overloads. I don't think it is possible. I think he is inefficient. I am using a CISCO Core Router 7513. What do you people say about this? And secondly, I would like to thank all of you for giving me so much help, and I hope you will keep on helping me like this in the future too. Thanks a lot.

BLUE MAX
 
Log files can't be maintained, eh? Well, then either he's, like you said, inefficient, or you guys really are getting hammered.
Either way, you need to report these attacks to your ISP, as well as to the ISPs of the source addresses. I really don't believe that the log files cannot be maintained somehow either. Your router guy needs some help. Are you running a firewall? You might want to think about that as well. What logs are you looking at that give you this information in the first place?

If this is crippling your business, then I suggest you block the spoofed IPs at the router. Even given pansophic's argument, I would block them until the situation is resolved. That's my opinion.

I'll see your DMCA and raise you a First Amendment.
 
Hmmm, sounds like you're under a distributed reflection denial of service attack...

If I was under an attack that made it impossible for me to look at the logs, I would simply disconnect the router from the WAN and read the logs.



 
distributed reflection denial of service attack

Noooo, someone's been buying into the GRC hype again ;)

I'd definitely contact your ISP, and block out any IPs that are flooding you until such time as it can be resolved (or they get bored).
 