|
Moderator note: The instructions in this thread will do nothing to protect you from a DDoS attack. The only way to prevent an attack is to avoid your IP address becoming public. |
Hello everyone,
Introduction:
For people who don't know what a DDoS is, you might want to read the Wikipedia article first: Wikipedia - Denial of service attack. tl;dr: A cyber attack that consists of spamming the target with generally chunked or invalid messages. After a while the target's router can't handle the traffic, generating a lot of lag and sometimes overheating the router.
Two days ago I read that JP "itmejp" McDaniel got DDoS'ed while streaming his show "Real Talk" with Dan "Artosis" Stemkoski. This is not the first time that a stream or a tournament gets interrupted by this type of attack. Some of the best-known victims include team Evil Geniuses (EG), the "Real Talk" show, Destiny and countless tournaments like the "Gigabyte eSports LAN Invitational". I think that in the future they will only get more frequent, thus threatening eSports' stability.
This post is mainly addressed to streamers, players and tournaments who rely on a stable Internet connection. It will try to explain one way of protecting yourself from DDoS.
Dilemma:
When you talk about a DDoS attack where your website is the victim, you can't do much about it. There is no tool or technique that will protect you from being DDoS'ed again. The best the market has to offer at the moment is tools that mitigate the attacks, plus buying more bandwidth to support the attack. Blocking IP addresses isn't a solution either, because every IP address connecting to your site could be a legitimate visitor or customer. So yeah, pretty grim situation...
BUT you (streamer / player / tournament) are not a website, which means that not every IP address has to be able to connect to your router. The only IP addresses you really need to allow are Twitch.tv or Owned3D.tv (streams) and Starcraft II (or whatever other game you play).
How it works:
The solution is based on two "configuration modes" your router will run on:
- The "default mode": these are the default settings of your router. It's what you are using now.
- The "restricted mode": which will block every IP address that is not a "vital" service. This mode will only be activated when you are streaming or playing.
The way you should use it is like this:
1) I'm browsing the Internet -> "default mode"
2) I'm going to stream -> "restricted mode"
3) I stopped streaming -> back to "default mode"
By "vital service", I mean software that is in these categories:
- streaming: Twitch.tv, Owned3D.tv ...etc.
- communication: Skype, Raid Call, TeamSpeak, Ventrilo, Mumble ...etc.
- gaming: Starcraft (battle.net 2.0 in general), DotA, LoL ...etc.
- top sites: Google, Team Liquid, Reddit, Twitter, Facebook ...etc.
If a website is not in the white-list and you are in "restricted mode", you simply won't be able to reach it!
Using a program I wrote, you can generate a range of IP addresses that you will simply copy & paste to your router.
tl;dr: So basically it's an IP address filter that uses a white-list system rather than a black-list system.
Installation:
1) - Download Node.js from nodejs.org (choose the version for your operating system).
2) - Once you downloaded the program, install it.
3) - Now download server.js from mediafire and copy the file to your desktop
4) - For Windows: click on "Start", type "cmd" and press ENTER. For Ubuntu: click on "Dash Home" and search for "terminal".
5) - Then, in the command prompt type : "cd c:\documents and settings\<your user name here>\desktop"
6) - Now type : "node server.js"
7) - In a new browser tab navigate to: http://127.0.0.1:8080
8) - Follow the instructions on the page, submit and wait for 1-3 minutes.
9) - Once you got redirected to the page with the white-list IP ranges, browse to http://192.168.1.1 (which is usually the address of your router)
10) - Log in using your router's username & password. If you don't know it, try a blank username & password. Otherwise you can probably find it in the manual you got when buying the router, or you can google the default username & password for your router brand / model.
11) - When you're logged in, find the menu which gives you the possibility to block a certain range of IP addresses and enter all the ranges returned by the website.
12) - Congrats! You are now in "restricted mode".
To go back to "default mode", just remove all the IP ranges you added in step 11.
Technical details:
Since your router still has to block packets (messages) coming from banned IPs, it will still use some resources, but this is nothing compared to a real DDoS where your router has to inspect each packet to verify its validity (valid IP packet? valid TCP packet? valid HTTP/S packet? ...etc.).
In addition to that, the white-list system prevents your router's packet caching window from being polluted with DDoS packets.
The program is written in Node.js (server-side JavaScript). It's async and uses non-blocking I/O.
The program is a combination of a small HTTP server, a parser and a DNS resolver.
The program is functional but lacks options; one of the objectives would be to add them in future "releases". Some more changes have to be made to speed up the program and make it more convenient / easy to use.
In particular, one issue I have is with the "add web site" feature (the second textarea in the HTML page) that lets people white-list some of the key websites they often use. The way this works is that the user input gets parsed, then, for each domain, it sends a DNS resolution request and waits for the answer containing the IP addresses of all the servers the site is using. For example:
- If you have 100 websites you want to white-list, the program, since it's async, will instantly send 100 DNS requests without waiting for the answer to the previous one.
What happens is that after +/- 20 concurrent requests (on my Linux machine) the next DNS requests will fail, probably because the network card / DNS server is overloaded.
In the end, the best way would be to have a file (like a DNS table) that feeds the program all the IP ranges the websites operate on. If you want to know more about this read the "Contribution" section.
If you are using an external DNS server (like Google DNS or OpenDNS), you might want to add these IP addresses too. It might not be necessary since the program already does the DNS requests once, and the next time they should be cached, but you never know.
One feature I wanted to add is an auto-configuration of the router like this:
- the user inputs his router's username & password
- the program SSHes into the router
- and changes the config files
Sadly almost every router is different making it impossible to code.
I didn't test cross OS compatibility yet.
On the To Do list there is:
- Skype support. I'm not really sure what the best way is to achieve this. I'm probably going to write a function that will parse netstat results. If you have a better idea, don't hesitate to PM me !
- WinRAR the Node.js executable, the scripts and a batch file as a launcher that will run in the temp folder so that people don't have to install Node.js.
Contribution:
If you want to contribute to the project, you could help me get this information so that I can add support for as many programs and websites as possible. I made a quick list of information that could help me add more options.
A list of all the domain names or server IP addresses of:
- Owned3D.tv
- Raid Call
- Battle.net 2.0
- DotA
- LoL
To make the DNS requests I'm using a CSV file (Comma Separated Values) of the top 500 domains that gets parsed by a Node.js script. I wasn't able yet to generate a table with all the IP addresses due to the restriction on the number of requests the program can do. (For more information read the "Technical details" part.)
Here is the CSV and the script in question :
- Parser & DNS resolver : click here to download
- CSV data used : click here to download
Ideally, the goal would be to have a file containing the IP addresses of the top 1000 Alexa websites to make the white-list more practical.
Conclusion:
This is far from being a miracle solution to DDoS! You have to take into account that you only have to use the program in "emergency" cases. Especially for tournaments which have large networks they have to rely on and where: "no lag in game / on the stream" >>> "being able to browse every website there is on the Internet". And as data gets added, more websites will be supported, making the program a lot more convenient to use!
I hope that this program will be helpful to as many people as possible! If you have questions or need more details PM me or simply post in this thread! ^^
EDIT: Here is a link with more advice on mitigating DDoS effects: http://www.leaguepedia.com
-- LunaSea
PS: Sorry for the wall of text and the lack of English vocabulary! :D
|
wow, nice work. Seems like this could help a lot of people out.
|
I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
|
this is a great post, keep it bumped
|
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address.
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff.
I'm sorry but you are plainly wrong. Two points I want to make:
1) When we talk about "Denial of Service" attacks in eSports, it's generally kids paying to rent a few computers on the Internet.
2) You can send 1Gbit of garbage packets if you want, but if my router blocks your IP address I will easily survive the attack even with a home router.
3) The bottleneck is your router, not what's before it (your ISP's wires).
|
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through Skype/other IM services; if there was there would be huge news about it.
|
On September 04 2012 05:13 Tao367 wrote:
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through Skype/other IM services; if there was there would be huge news about it.
There is actually a way with the netstat command.
|
If I'm wrong and this solution works, you have invented something that will make you very rich. I'd suggest you head to the patent office right away! I've got a lot of real-life experience mitigating large-scale DDoS attacks, and if what you are suggesting works, trust me, I would already be doing it.
Sadly, I am totally correct, and your method does next to nothing. Your router still has to discard the packets, which means it has to receive the packets, which means your internet pipe is being saturated to the point of being unusable.
|
I'm going to add the link to my post.
|
On September 04 2012 05:13 Tao367 wrote:
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through Skype/other IM services; if there was there would be huge news about it.
I'm pretty sure that you know nothing and in fact you can obtain IP addresses through almost ANY program that allows you to connect to someone else. There doesn't need to be "huge" news about it because most people already know about it.
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
His post isn't incorrect. Typically though a DDOS attack does not come from just one IP, so it would be better for someone to have access to several internet connections (high monthly bill) or to be able to switch their IP on the fly.
You can't stop people in most situations from obtaining your IP. You can't make angry kids happy as a streamer. You can be on good terms with your ISP.
On September 04 2012 05:19 Pumplekin wrote: If I'm wrong and this solution works, you have invented something that will make you very rich. I'd suggest you head to the patent office right away! I've got a lot of real-life experience mitigating large-scale DDoS attacks, and if what you are suggesting works, trust me, I would already be doing it.
Sadly, I am totally correct, and your method does next to nothing. Your router still has to discard the packets, which means it has to receive the packets, which means your internet pipe is being saturated to the point of being unusable.
Did you actually test the method vs a DDOS attack? I don't know how the program works, but if it were to disallow a connection the packets would be simply lost, and not received and then denied.
|
On September 04 2012 05:19 Pumplekin wrote: If I'm wrong and this solution works, you have invented something that will make you very rich. I'd suggest you head to the patent office right away! I've got a lot of real-life experience mitigating large-scale DDoS attacks, and if what you are suggesting works, trust me, I would already be doing it.
Sadly, I am totally correct, and your method does next to nothing. Your router still has to discard the packets, which means it has to receive the packets, which means your internet pipe is being saturated to the point of being unusable.
Again, like I said in my post, yes your router still has to discard the packets, but it is vastly faster than what your router usually does, which is inspecting the complete packet and checking every protocol requirement and checksum.
The reason nobody does this is that it's impractical for websites because you don't know if an IP is a visitor or an attacker. Some sites already implement this by banning the IPs of whole countries (generally Middle Eastern countries, India, China ...etc.) to prevent DDoS attacks from coming from that direction.
|
A lot of the leaguepedia advice makes sense, but some of the stuff about TCPview isn't likely to be useful.
If I was DDoS'ing a typical home user, the home user's PC would never see the traffic because it would be dropped by the router (for not matching any valid NAT table entries).
If you have an atypical setup (say you plug directly into a cable modem without a router), then TCPview/Wireshark and the like would be useful tools to look at the garbage being sent at you, not that it would help you do much about it.
|
On September 04 2012 05:21 NoobSkills wrote: Did you actually test the method vs a DDOS attack? I don't know how the program works, but if it were to disallow a connection the packets would be simply lost, and not received and then denied.
No, I did not test it against a DDoS attack yet.
The way the program works is the following:
- you set a number of websites / online software / individual IP addresses you want to white-list
- the program generates a bunch of IP address ranges your router should block
- you add all those ranges to the router
Now when you receive a packet, the router will check the IP address of the sender and look whether it's part of the white-list. If it's not, it will be denied connection, discarded and the packet will be lost.
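The three steps LunaSea lists above (white-list in, block ranges out, ranges pasted into the router), and the same idea in the opening post, come down to one computation: the complement of the white-listed IPv4 ranges over the whole address space. The following is an added example, not the thread's server.js; it assumes the white-list is given as plain IPv4 addresses or CIDR prefixes, and the sample entries are constructed documentation (TEST-NET) addresses, not any real service's. It also goes one step further than the post by splitting a range into CIDR prefixes, for routers whose block list takes prefixes rather than start/end pairs.

```javascript
// Added example, not the thread's server.js: turn a white-list of IPv4
// addresses / CIDR prefixes into the address ranges everything else falls
// in, which is the form a home router's "block this IP range" page accepts.
'use strict';

// 'a.b.c.d' -> unsigned 32-bit integer (throws on anything malformed)
function ipToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join('.');
}

// '1.2.3.0/24' or a bare '1.2.3.4' -> [first, last] as integers.
// A host bit set inside the prefix is aligned down to the network boundary.
function parseEntry(entry) {
  const [ip, prefixStr] = entry.trim().split('/');
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${entry}`);
  const size = 2 ** (32 - prefix);
  const first = Math.floor(ipToInt(ip) / size) * size;
  return [first, first + size - 1];
}

// Sort ranges and merge any that overlap or touch.
function mergeRanges(ranges) {
  const out = [];
  for (const [s, e] of [...ranges].sort((a, b) => a[0] - b[0])) {
    const last = out[out.length - 1];
    if (last && s <= last[1] + 1) last[1] = Math.max(last[1], e);
    else out.push([s, e]);
  }
  return out;
}

// Everything in 0.0.0.0-255.255.255.255 that the white-list does not cover.
function complementRanges(whitelist) {
  const blocked = [];
  let cursor = 0;
  for (const [s, e] of mergeRanges(whitelist.map(parseEntry))) {
    if (s > cursor) blocked.push([cursor, s - 1]);
    cursor = e + 1;
  }
  if (cursor <= 0xffffffff) blocked.push([cursor, 0xffffffff]);
  return blocked;
}

// Split [first, last] into the minimal list of CIDR prefixes, for routers
// whose block list takes prefixes instead of start/end pairs.
function rangeToCidrs(first, last) {
  const cidrs = [];
  for (let start = first; start <= last; ) {
    let size = 1;
    // grow the block while it stays aligned to its own size and inside the range
    while (size < 2 ** 32 && start % (size * 2) === 0 && start + size * 2 - 1 <= last) size *= 2;
    cidrs.push(`${intToIp(start)}/${32 - Math.log2(size)}`);
    start += size;
  }
  return cidrs;
}

// Human-readable "first - last" lines, one per blocked range.
function blockListFor(whitelist) {
  return complementRanges(whitelist).map(([s, e]) => `${intToIp(s)} - ${intToIp(e)}`);
}

// Constructed sample white-list using documentation (TEST-NET) addresses,
// standing in for a streaming site, a voice server and a game service.
const SAMPLE_WHITELIST = ['192.0.2.0/24', '198.51.100.7', '203.0.113.0/25', '203.0.113.100'];

console.log(blockListFor(SAMPLE_WHITELIST).join('\n'));
```

Note what the output makes obvious: a short white-list produces only a handful of block ranges, but the first and last of them cover almost the whole Internet, which is exactly the "you won't be able to reach anything else" effect the opening post warns about.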
|
As you say, blocking attacking addresses (or potential attacking addresses) on your CPE is likely to mean it takes fewer CPU cycles (assuming it is doing this in software) to decide to discard the packet, but the problem isn't the CPU on your CPE, the problem is the TX buffer at whatever you connect to at your ISP.
You still haven't explained how you solve the problem of this being full 100% of the time (and therefore it discarding packets, either by tail drop or RED or WRED or whatever strategy it uses to manage full buffers).
|
On September 04 2012 05:30 Pumplekin wrote: A lot of the leaguepedia advice makes sense, but some of the stuff about TCPview isn't likely to be useful.
If I was DDoS'ing a typical home user, the home user's PC would never see the traffic because it would be dropped by the router (for not matching any valid NAT table entries).
If you have an atypical setup (say you plug directly into a cable modem without a router), then TCPview/Wireshark and the like would be useful tools to look at the garbage being sent at you, not that it would help you do much about it.
Yes, I definitely agree with this. The only reason I added the link is to give people as much information on how to mitigate (not fully protect against) a DDoS attack as possible.
|
On September 04 2012 05:13 LunaSea wrote:
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are:
1.) Don't leak your IP address.
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff.
I'm sorry but you are plainly wrong. Two points I want to make:
1) When we talk about "Denial of Service" attacks in eSports, it's generally kids paying to rent a few computers on the Internet.
2) You can send 1Gbit of garbage packets if you want, but if my router blocks your IP address I will easily survive the attack even with a home router.
3) The bottleneck is your router, not what's before it (your ISP's wires).
I'm sorry but you don't know what you are talking about.
The first criticism of your suggestion was correct.
However, what you said would help... the problem though is that your connection is STILL clogged even if your network won't be.
That said, some of what you said is decent security advice.
ANYONE with an up connection as large as your down can saturate your connection. It's not hard, it's not clever and there is next to nothing you can do about it from behind a router.
|
Wait - so all you did was make a switch to a white-list ACL to save CPU cycles on a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
|
On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles on a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets.
|
Sadly, while you are using technical words, I don't think you really know exactly what they mean.
I'd suggest you stop digging a bigger hole for yourself and be thankful TL is a relatively nice and friendly place.
|