Fighting a Denial of Service Attack

Quick overview: one of the sites my company runs has been targeted, and we've been getting slammed since about 2am. They come from all over the world, with various user agents. No obvious pattern I can discern. We've been swatting them manually, and we throttled that domain so it can't take our entire network out like it was doing this morning, but the targeted domain is still crawling.

Has anyone here been a target of a confirmed denial of service attack? If so, do you have any wisdom to share?

Is this against a specific service? Like web? Many caching services also double as DDOS filters in many respects.

Another option is to contact your ISP and start seeing what options they have to combat it.

Another option that has worked in the past is to place something really capable at the border between your network and your upstream providers. In one case I saw a pair of nice OpenBSD routers do the trick with pf and carp. I've also seen some nice IDS/IPS systems that claim to do the same (never had one really work though).

In the end, if you can identify the traffic, and you are removing it, you will win. It'll just be a TKO more than a KO.

Thanks, Edwin. I've forwarded that to our CTO.

Mojo, it's not a whole service - it's against a specific website on a specific subdomain. Since this is an N-tier app, it's hammering our network like the fist of an angry god. My guess is it's aimed at that specific one because it's associated with the state our WHOIS information says we're located in, by someone dumb enough not to understand that ISPs obfuscate that info through their own systems.

Judging by the logs I've been able to get, due to the extreme variance in user agents and IP range, my guess is it's probably a zombie farm.

If you can get network traffic packet dumps, you could try to determine what kind of attack it is and maybe be able to construct a way to dump that traffic on your firewalls.

Hard to say from where I sit. DDOS can be a bitch, but they aren't the death sentences they used to be.
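An added example, not posted by anyone in this thread, of the log-side check the two replies above describe: parse the targeted site's access log, flag any source that exceeds a request-rate threshold within a sliding window (regardless of how many user agents it rotates through), and emit the pfctl commands that load those sources into a pf table a border rule can block. The log lines are constructed for the example; the table name ddos_offenders, the 10-second window and the threshold of 30 requests per window are assumptions, not values from the thread.

```python
"""Flag high-rate source IPs in a web access log and emit pf block commands.

Added example, not from the thread. Sample log lines are constructed.
Assumptions: Apache/nginx combined log format, pf table "ddos_offenders",
a 10-second window and a threshold of 30 requests per window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_offenders(lines, window=timedelta(seconds=10), threshold=30):
    """Return {ip: peak_requests_in_window} for every source whose request
    count inside any sliding `window` exceeds `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window's left edge forward until it spans <= `window`.
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def ua_diversity(lines):
    """Distinct user agents seen per IP; a rotating UA does not hide rate."""
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            agents[rec["ip"]].add(rec["ua"])
    return {ip: len(s) for ip, s in agents.items()}


def pf_commands(offenders, table="ddos_offenders"):
    """pfctl commands that add each offender to the (assumed) pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


def sample_log():
    """Constructed log: two sources at ~6.7 req/s with rotating UAs, one
    ordinary visitor at one request every 12 seconds."""
    base = datetime(2009, 3, 4, 2, 13, 0, tzinfo=timezone.utc)
    uas = [
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Mozilla/5.0 (X11; Linux i686) Firefox/3.0",
        "Opera/9.60 (Windows NT 5.1)",
    ]
    lines = []
    for i in range(60):
        for j, ip in enumerate(["198.51.100.7", "203.0.113.42"]):
            t = base + timedelta(milliseconds=150 * i)
            lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET /index.php HTTP/1.1" '
                         f'200 5123 "-" "{uas[(i + j) % 3]}"')
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'192.0.2.10 - - [{t.strftime(TS_FMT)}] "GET /about HTTP/1.1" '
                     f'200 2048 "-" "{uas[1]}"')
    return lines


if __name__ == "__main__":
    log = sample_log()
    found = find_offenders(log)
    for ip, peak in found.items():
        print(f"{ip}: {peak} requests in 10s, {ua_diversity(log)[ip]} user agents")
    print("\n".join(pf_commands(found)))
```

On the router itself the same job can be done without a script: a pf rule with keep state (max-src-conn-rate N/S, overload <ddos_offenders> flush global) moves a source into the table the moment it exceeds N new connections in S seconds, and a block in quick from <ddos_offenders> rule drops it at the border; the script above is useful when the evidence is only in the web tier's logs.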

We're doing much better this morning. We've swatted over 200 IPs and traffic is back within the normal curve.

Thanks, Edwin. I'll forward that along to our CTO.