Defending against Denial of Service attacks

From DevSummit
Jump to: navigation, search

Stories from the group

1. Code Pink would get ddos once a year. It got easier and easier over the years cause radical They used to use varnish caching and the rolled out alternate servers to

Some times you can identify the traffic

2. One time a page got put on Tumblr and it was an much of a problem as a ddos

3. Feminist frequency get numbers attacks won a regular basis and cloud flare is what they fall back on. Something other

  • Try Political reports about Nigeria will also get you ddos. Sahara reporters is a popular 65000 hits a hour as legit traffic
  • Varnish = is a proxy caching server. You can have as many as you want. They site in front of the web server and accept all the traffic. You can put them in a round robin so that you could have then. A round robin is that you have IP, a record for the same domain. It cycles through the different ip address. It allows you to server content quick without hammering the web server.
  • One problem with Varnish is that it will You can change the Varnish config to repose to different requests. Like target posts specifically. You can keep Varnish servers in reserve and switch the IP address. You are setting up a whole new set of IP addresses for the public while the bots are hammering the server form behind.
  • The goal for defense is that you never expose the actual real IP address of the site. You have everything set up ahead of time. If the attack is sophisticated enough it will be so hard your provider will null route the IP. If you have Varnish server you can implement another servers to take the place of the web server IP. There can be zero configuration involved is you set it up.
  • The TTL is 300 sec on most of his caching servers.
  • A smart bot can following you. A dumb bot not.
  • The goal is to never have to change the web server just the Varnish server.
  • What he has done historically to not have to break functionality in honor of keeping a site up is to set up a another domain.
  • If you are blocking post requests you can tell Varnish to to deliver the error that you want. With Varnish almost anything is possible accept running https. It will accept code and it has it’s own language is well. It is very flexible.
  • Example 6 servers nil routed cause the attack was tracking every single change in dns. One of the servers was in there co-lo so a bunch of their membership lots access. The attach would follow each new ip address. Within 50 minutes of rolling out a new Varnish server it was nil routed.
  • It’s the upstream provider not necessarily the host that nil routes you. They won’t un nil route an ip address if the attack is still going on. Linode is automated to do so.
  • Varnish is another kick ass tool in other way. If you need to most a server from point a to point b. You can use it through the transition. Very effective for infrastructure set up. It’s a great transparent caching proxy and in the moment theta you are dossed it can ramp up. It’s possible that a logged user with a cookie that they will never see cached content. If you are running a drupal or wordpress site you can work around and target specific cookies.
  • Why is that better than Cloudflare? It’s not. Cloudflare is just Varnish run by a company.
  • But we’re really not hear to talk about Varnish. There is an organization called Equality with deflect.ca equalit.ie
  • Deflect is a caching severs that also has various software plugins that allow you to detected parameters of the attacks. It’s based on the Apache Traffic sever, not Varnish. There’s a primary control server that communicates with edges. It runs nogios for mitorsing and it’s also a dns server.
  • Deflect is also a server you can put your site behind deflects. APC = Association for Progressive Communication works with internet rights in various and are related somehow.
  • Much like using Cloudflare, but its a non profit, foundation, open source, based on donation based. It’s both software that you download and it’s also a service that they provide. You can go to them and tell them you are in trouble and they will say hey direct your IP to us. they have very sophisticated tools. You can also install this yourself.
  • There are other attacks out there Slow Loris attacks and DNS attacks. DNS attacks, like poisoning dns. There are local caching servers that have dns records of what has been queried below them. If some one sits in the middle of that traffic they can pipe and evil url. Eventually they get a match.
  • When using this he uses easy DNS which allows you to create a hidden master. If you query the name server it will tell you one thing, but the control server in communicating with easy dns to tell it where to go really. - I think I missed something key in this part. Sorry.


  • Resources required X number of traffic servers. Equality runs about 20 different traffic servers. And they have them at different places w different hosts. You have this group of servers in a round robin and being rotated in and out of the dns. For them it’s a like a minute rotation. Based on external monitoring that will say when a server is having problems and automatically switch it out. It’s pretty sophisticated


  • Their development model. The roadmap is for them to build this as a distributed model.


  • could there be legal ramifications of this distribution - could you be arrested for what you are hosting. An interesting question.


  • Why does switching IP matter? The bots have to know where to target. Not all bots do a dns look up. The reason they don’t is maybe just the cost time of looking, also that it’s a 2 way connection when they make a query. Probably in the next year it will be distributed. It would be very smart peer to peer site caching. Would you have a choice about what you put your band with toward.


  • In the group it seems like it would be possible, but probably hasn’t yet been explored. These things depend on your level of trust in a network. You can create sets of edges and protect certain domains with certain edges.
  • How to do you prevent the traffic servers from getting null routed. I part it’s from never responding the to the requests themselves. cutting off the traffic in advance. Part is having enough protection in advance.
  • They are handling huge attacks with 20.
  • Rad has found that 3 big Varnish servers than 5 little baby ones.