To begin, let's see what a DDoS attack is. Also known as a "distributed denial of service attack", it is a special type of DoS carried out jointly and in a coordinated way from several computers.
These attacks achieve their goal of knocking down the target machine by exhausting its bandwidth or exceeding its processing capacity. To finish getting familiar with the terms: the machines that carry out the attack are known as "zombies", and the whole set of them is a botnet.
Detecting a DDoS attack
My knowledge of the subject is quite limited, but what I am sure of is that administrators often mistake any anomaly in the network or server for a DDoS attack. To be sure that it really is a DDoS attack we should be seeing a large number of httpd, exim, ftpd, etc. processes: these services are usually the targets of such attacks, and they are the ones that generate enough load for the system to collapse for lack of resources.
If we have doubts on the subject and do not have the necessary knowledge, I strongly recommend reading this post. I will try to simplify the explanation as much as possible, as a guide for those users who need a quick answer to the question:
Am I suffering a DDoS attack?
As discussed above, we need to look at how many IP connections we have and which IPs are connecting to the services on our server; this way we can clear up any doubt about whether it really is a DDoS attack.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
netstat -na | grep SYN_RECV | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n | uniq -c | sort -n
If we were under attack, taking the following data as an example, we would get a list like this. Note that in this example every half-open connection comes from a single source, 192.168.0.5, which is a plain DoS rather than a distributed one; a real DDoS shows many sources, and the source address of a SYN_RECV entry can be spoofed, so it should not be trusted on its own.
Server IP: 192.168.0.3
tcp 0 0 192.168.0.3:80 192.168.0.5:60808 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60761 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60876 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60946 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60763 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60955 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60765 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60961 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60923 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61336 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61011 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60911 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60758 SYN_RECV
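The two pipelines above wrapped as reusable shell filters, as an added example that is not part of the original post. It runs over a constructed netstat -nt listing modelled on the one above (the sample data and the threshold of 5 half-open connections are assumptions, not measurements), and it generalizes the post's cut -d: -f1 by stripping the port with sed so IPv6 addresses survive.

```sh
#!/bin/sh
# Added example (not from the original post): the post's two netstat
# pipelines as filters, run over a constructed netstat -nt sample.
# SAMPLE_NETSTAT is made-up data modelled on the listing above.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.3:80          192.168.0.5:60808       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.5:60761       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.5:60876       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.5:60946       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.5:60763       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.5:60955       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.9:40100       SYN_RECV
tcp        0      0 192.168.0.3:80          192.168.0.9:40000       ESTABLISHED
tcp        0      0 192.168.0.3:22          192.168.0.7:51000       ESTABLISHED'

# Keep only tcp/udp rows (drops the two header lines) and print the remote
# address. Stripping ":port" with sed instead of "cut -d: -f1" keeps IPv6
# addresses intact, which the post's cut would have truncated.
remote_ips() {
  awk '$1 ~ /^(tcp|udp)/ {print $5}' | sed 's/:[0-9]*$//'
}

# Connections per remote IP, all states, busiest first ("count ip" per line).
count_per_ip() {
  remote_ips | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Half-open (SYN_RECV) connections per remote IP, busiest first.
syn_recv_per_ip() {
  grep 'SYN_RECV' | remote_ips | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Remote IPs with at least $1 half-open connections. The threshold is a
# made-up starting point; tune it to the server's normal traffic, and
# remember that SYN_RECV source addresses may be spoofed.
flag_syn_sources() {
  syn_recv_per_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# Demo run against the constructed sample. On a live server replace the
# printf with "netstat -nt" (ss -nt has a different column layout, so the
# awk field numbers would need adjusting).
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | flag_syn_sources 5
```

On the sample, count_per_ip lists 192.168.0.5 with 6 connections, 192.168.0.9 with 2 and 192.168.0.7 with 1, and flag_syn_sources 5 reports only 192.168.0.5.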
Stopping a DDoS attack
Suppose that this is an attack; what we need now is, of course, to stop it. I strongly recommend visiting sites that document the steps needed to stop a DDoS attack:
- Trying to stop a DDoS
- Blocking an iframe attack
- Distributed Denial of Service (DDoS) Attacks / tools
- Preventing DDoS attacks
- What should we do if we are under attack?
- Protecting Web Servers from Distributed Denial of Service Attacks
How botnets work, in pictures
As discussed above, a botnet is a collection of bots controlled by a user for unethical purposes, who can control all the infected computers remotely (usually through IRC).
- The botnet operator sends viruses, worms, etc. to users.
- The infected PCs join the IRC channel or use other means of communication.
- The spammer buys access from the botnet operator.
- The spammer sends instructions to the infected PCs via an IRC server or another channel...
- ... causing them to send spam to mail servers.
Map illustrating DDoS attacks in the first quarter of 2007 .
The "quienteadmite.com" case: a real example of a DDoS attack
This is a clear case of the DDoS attacks that several sites in the Spanish-speaking blogosphere have suffered in the last month. It all started when Engadget published this post warning of possible fraud, and the alleged fraudster became the alleged culprit of taking down that website and some others, such as Error500 and Reddit; these last two had only echoed the news.
After this the story got complicated and it is virtually impossible to summarize everything that has been going on... I leave you some links for those interested in the story:
- Fallen for freedom of expression
- This is how quienteadmite works
- Thanks for "I am also genbeta.com"
- DDoS attacks continue (against Reddit)
- Galli gets fed up with the brats
- "I have closed ricardogalli.com, surely related to the DDoS issue"
- Interview with the alleged perpetrator of the attacks
To understand all this a bit, and for those who are not familiar with the authors and the origin of the sites mentioned in those comments, I will try to give you the information needed to understand it:
Ricardo Galli: Creator of Menéame and Spanish free-software activist.
: One of the most popular technology blogs, and the one that published the news in which the attacks originated.
Menéame: Community-driven website in which subscribers submit stories that the other users of the site vote on.
quienteadmite.com: Site offering a service to find out who has blocked you on Messenger (not recommended; do not use it).