-
Experienced User
DoS mitigation techniques and articles
I recently came across a very good tutorial on how to use a tcpdump or packet capture to analyse and identify unique characteristics of the attack, which is used to develop a custom DoS blocking rule. They used a publicly available DoS tool on themselves (lab), captured the data (pcap or TCP packet dump, don't remember), identified the uniqueness of the attack (flags, headers or data, some stuff I don't remember), used it to make a block rule; I don't remember if it was a Snort rule or a general firewall rule. It also demonstrated the effect of a new rule on a current rule set (its place or priority relative to other rules).
The problem is no matter how much I try, I just can't remember the article, blog or software. I was on my phone browser while I read it, just skimmed across it, left it for proper reading later, didn't bookmark it & I regret it.
I initially thought it was "Snort" based by the VRT guys, but it's not there. Crap... I've been digging since Raymond mentioned a DoS attack. No luck.
If anybody finds good articles please post here.
Last edited by Christy; 12-01-2011 at 07:33 PM.
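The workflow the post describes (capture traffic from a flood tool in a lab, find the header or payload values that are constant in the attack but rare in normal traffic, turn them into a block rule) as an added example; this is not the article the poster is looking for, and the packet summaries below are constructed, not taken from a real capture. It assumes the analyst has already reduced the pcap to per-packet fields and wants a Snort rule as output.

```python
from collections import Counter

# Constructed per-packet summaries (not a real capture), the kind of fields an
# analyst would pull out of a pcap: dst port, TCP flags, TTL, window, payload prefix.
BASELINE = [  # normal traffic before the flood
    {"dst_port": 80, "flags": "S", "ttl": 52, "window": 29200, "payload_prefix": ""},
    {"dst_port": 80, "flags": "PA", "ttl": 52, "window": 229, "payload_prefix": "GET /blog/ HTTP/1.1"},
    {"dst_port": 80, "flags": "A", "ttl": 52, "window": 229, "payload_prefix": ""},
    {"dst_port": 443, "flags": "S", "ttl": 115, "window": 65535, "payload_prefix": ""},
    {"dst_port": 443, "flags": "PA", "ttl": 115, "window": 1024, "payload_prefix": ""},
    {"dst_port": 80, "flags": "PA", "ttl": 64, "window": 502, "payload_prefix": "GET / HTTP/1.1"},
    {"dst_port": 80, "flags": "A", "ttl": 64, "window": 502, "payload_prefix": ""},
    {"dst_port": 80, "flags": "S", "ttl": 64, "window": 64240, "payload_prefix": ""},
]
# Flood traffic from a single tool: every request looks the same apart from TTL drift.
ATTACK = [{"dst_port": 80, "flags": "PA", "ttl": 128 if i < 9 else 127, "window": 512,
           "payload_prefix": "GET / HTTP/1.0"} for i in range(10)]

FEATURES = ("dst_port", "flags", "ttl", "window", "payload_prefix")

def value_ratios(packets, feature):
    """Fraction of packets carrying each value of one feature."""
    counts = Counter(p[feature] for p in packets)
    return {v: n / len(packets) for v, n in counts.items()}

def find_discriminators(baseline, attack, min_attack=0.8, max_baseline=0.1):
    """(feature, value) pairs dominant in attack traffic but rare in baseline traffic.
    Common values such as dst_port 80 or flags PA are rejected: blocking on them
    would drop legitimate users too."""
    found = []
    for feature in FEATURES:
        base = value_ratios(baseline, feature)
        for value, ratio in value_ratios(attack, feature).items():
            if ratio >= min_attack and base.get(value, 0.0) <= max_baseline:
                found.append((feature, value))
    return found

def snort_rule(discriminators, sid=1000001):
    """Render the discriminators as one candidate Snort rule (all conditions ANDed)."""
    port, opts = "any", []
    for feature, value in discriminators:
        if feature == "dst_port":
            port = str(value)
        elif feature == "payload_prefix":
            opts.append(f'content:"{value}"; offset:0; depth:{len(value)};')
        else:  # flags, ttl and window map directly onto Snort rule options
            opts.append(f"{feature}:{value};")
    return (f"drop tcp any any -> $HOME_NET {port} "
            f'(msg:"Candidate flood signature"; {" ".join(opts)} sid:{sid}; rev:1;)')

if __name__ == "__main__":
    hits = find_discriminators(BASELINE, ATTACK)
    print(hits)
    print(snort_rule(hits))
```

The rule is a candidate only: replay it against a longer baseline capture before placing it ahead of the existing rules, since a value that looks unique in a short sample (TTL 128 here) may be common among real clients.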
-
Administrator
DoS and DDoS are very different attacks.
A DoS attack normally only works on specific software and a specific version because a vulnerability is found. Using the latest version should prevent DoS attacks. A DoS attack can be done by 1 person.
As for DDoS, there is no easy way to block that other than those really expensive routers that are made to filter DDoS attacks. DDoS attacks require hundreds and thousands of hacked computers to perform the attack.
-
Experienced User
Yup, my bad, read DDoS as DoS.
Corrected.
---------- Post added at 06:20 PM ---------- Previous post was at 06:02 PM ----------
Yup, I get it. LOIC and HOIC etc. are used to DDoS; when run by one person it's a DoS attack, when thousands do it simultaneously, DDoS. But for LOIC & HOIC-like tools, the signature is the same, isn't it, the header flags etc. for every connection. DDoS is essentially exhausting your bandwidth, processing power.
I thought the site was being DoS'd.
You'd still have IP logs for both attacks; would be fair to publish them, wouldn't it?
Quite unbelievable the sheer volume of DoS tools, the recent killapache, thcssl, ssh-ebury, almost one every week. Even worse, DDoS attacks @ $10 an hour, good lord.
Last edited by Christy; 12-01-2011 at 08:33 PM.
-
Administrator
Won't be fair to publish the IP addresses of the attackers because those machines that are used to attack are normally hacked computers that are being controlled by the botnet master. They don't even know that their computer is being used for illegal activities.
The only way against a DDoS attack is to have a bigger backbone which can absorb the attacks.
-
Experienced User
I'd say better to keep those IPs banned, even if it doesn't actually have any effect. Hoping he runs out of IPs (unless it's something like the Mariposa botnet, 12 million IPs, that's really something). This blog doesn't post political content, or support anything that the usual Anon-type attack targets. Wonder what the actual motive is??? The site does have personal info of subscribers, email IDs a spammer might want, but for that he'd rather do a silent compromise and hive it off rather than a DDoS, I guess. Maybe it's just for the lulz...
All those bright guys in the world and I wonder why no software solution exists. AI algorithms usually can detect such stuff, learn with experience, weighted error summing and all. I remember the Jackson death causing Google a DDoS scare.
And isn't the bigger backbone solution a brute solution rather than a smart one? Theoretically, I think, if the attacker has more bandwidth and processing power than the backbone in question, we end up losing.
-
Administrator
Last time I mentioned a crypter tool and had a screenshot, which caused the author of the tool to blackmail me: either have the screenshot removed or get a DDoS.
Well, it's only a screenshot and since he asked, I removed it.
Sometimes it could be something as small as just mentioning a software name or putting up a screenshot that causes someone to be unhappy.