
[Answered] Tommy Server Down??


abhi16


Sort of.

They use a botnet (hence the first D, "distributed", in DDoS), so the connections come from random IPs, making a conventional firewall useless. We do already restrict too many connections from an IP during these attacks, which helps, but they just bring more/different bots instead. The firewall uses quite a bit of resources to detect and refuse these connections too. A hardware firewall appliance would be more efficient here.

The actual attack method varies.

One method (which was used on Johnny) entails wasting server resources by opening a ton of connections and just leaving them open all day without closing them. This causes the server to leave Apache processes open waiting for the content of their request that never comes. The connections do eventually time out, but the attacker just reopens the connections when that happens. This means decreasing the max connection time actually increases load (a process for the timed-out connection closing, and a new process for the replacement connection starting), making it useless as a mitigation.

The second is request flooding. In that method, they just send requests for a targeted website over and over again as fast as possible, which results in the server using its resources to fulfill these requests over and over again, leaving it little time for legitimate requests to be processed.

Consider that a typical request involves: Apache receiving the request and finding the file, then launching PHP. PHP then runs the script in the file, which often asks MySQL for data. PHP then sits there in memory waiting for that data; when it gets it, it uses that data, finishes its script and returns a webpage to Apache to send out. Doesn't seem too bad when you're handling a few hundred at a time, but when you want to suddenly do 1 million of them concurrently, it becomes an issue...the server gets backlogged, and/or runs out of memory and crashes.

This also often manifests as invalid requests or junk packets with no or useless data being sent...these aim to clog up the network as opposed to wasting the CPU's time. This is what I believe was happening on Tommy. The result is the same: legitimate requests cannot get through and the websites on the server get slow or go down.
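Added example (not from the post above or from the hosting project it describes): a log-side check for the request-flooding case. It counts requests per IP in a sliding window, which is what a per-IP connection limit sees, and also counts the server-wide total, which is the only signal left when a botnet spreads its requests so thinly that no single bot trips the per-IP limit. Log lines, IPs and timestamps are constructed sample data; the format assumed is Apache's standard "combined" access log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, unix_time) for one access-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT).timestamp()

def find_floods(lines, window=10, per_ip_limit=20, total_limit=100):
    """Sliding-window request counter. Returns (flagged_ips, aggregate_alert_times).
    flagged_ips: IPs with more than per_ip_limit requests inside any `window` seconds
    (the hosts a per-IP connection limit would catch).
    aggregate_alert_times: moments when the server-wide count in the window passed
    total_limit, which still fires when every bot stays under the per-IP cap."""
    per_ip, overall = defaultdict(deque), deque()
    flagged, alerts = set(), []
    # Lines are sorted by time so logs merged from several workers still work.
    for ip, t in sorted(filter(None, map(parse_line, lines)), key=lambda p: p[1]):
        q = per_ip[ip]
        q.append(t)
        while t - q[0] > window:        # drop requests older than the window
            q.popleft()
        if len(q) > per_ip_limit:
            flagged.add(ip)
        overall.append(t)
        while t - overall[0] > window:
            overall.popleft()
        if len(overall) > total_limit and (not alerts or t - alerts[-1] > window):
            alerts.append(t)            # one alert per window, not one per request
    return flagged, alerts

def make_line(ip, sec):
    """Constructed sample line in Apache combined format (fictional date, RFC 5737 test IPs)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

# One host sending 30 requests in 5 seconds (caught by the per-IP limit) ...
SAMPLE = [make_line("198.51.100.7", i // 6) for i in range(30)]
# ... plus 150 different hosts sending one request each over 10 seconds (not caught per IP).
SAMPLE += [make_line(f"203.0.113.{s * 15 + k + 1}", s) for s in range(10) for k in range(15)]

if __name__ == "__main__":
    ips, alerts = find_floods(SAMPLE)
    print("per-IP offenders:", sorted(ips), "| aggregate alerts:", len(alerts))
```

This only detects the flood after the fact from the access log; it does not stop it, and the thresholds here are illustrative, not tuned to any real server.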
