DOS / DDOS Attacks / Firewall Testing

Status
Not open for further replies.
Other than the caching snafu this morning, it has been working well. I have been looking at the logs and it is catching a lot of stuff.

Our stats show that today we are sending 970 pages per minute. :D

Also blocked some major attacks as well... in fact I didn't realize how many people (or bots) are always trying to break in and do harm to the website.

Screen Shot 2014-10-23 at 9.56.23 PM.png
 
Our ISP where we host our servers has notified us that our servers are frequently being hit by DOS / DDOS and other cyber attacks. They have recommended that I put our web server behind a firewall to stop these attacks and they suggested a few options.
I would have thought that this was a feature or benefit that a webhosting service would provide!

If this was happening frequently, were they manually dealing with it?
 
Reactions: Jim S. and navychop
Obviously you have never worked in a commercial webhosting environment. When you co-locate servers you send them your servers, they put them in a rack, plug them in and turn them on; from there on out, you are on your own.

However for some of the attacks they have blocked them from coming into their router, but they can't keep doing this for me which is why they suggested the firewall.

In 24 hours it has blocked over 30,000 threats against the server. Very happy with it so far!
 
If you have a moment, can you explain how a firewall in the cloud can even work? It's a web proxy server? So all traffic that requests access to SG goes to the firewall first? I'm surprised SG is still fast.
 
Yes it goes through their firewall first. :)

http://sucuri.net/website-firewall/

Everything you request goes through them to our server and then goes out to them to you. It's fast because of the caching that is done: common files are saved on their server, meaning less is being transferred from our server. Plus we have all our static files (images, java, css) stored on cloud servers, and when you load those files they come from the cloud server closest to you. This actually speeds things up a bit overall.

In addition, the server load has dropped. Our average server load is around 0.80; however, since flipping over to the Firewall our server load is down to 0.25. This load drop is because of the fact that a lot of the resources are not coming off our server, they are coming from the firewall cache and cloud servers, and also all the bots and scanners trying to get in and find a weakness in our site are now being blocked and not using those resources. In addition, stuff served from their cache is also being compressed to speed up the transfer to you.

As I said I am very happy with it so far.
 
Reactions: TheKrell
Look at the picture I posted last night it shows what the attacks were that it blocked.
Ahhh, got it.

Just curious, what does "IP address not whitelisted" mean?

And the site is blocked from certain countries? Is that by you or by some gov't requirement (like visitors from Iran, N Korea, etc)?
 
IP Address not whitelisted means something is trying to access a secure part of the website, such as the admin control panel, the database manager and moderator control panel. Those areas are now blocked if the IP address of the user (aka staff) is not listed in the whitelist. :)

Blocked countries are countries that we are getting a lot of attacks from, currently China and Hungary are blocked.
 
Reactions: TheKrell
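
Added example, not part of the thread and not the firewall vendor's code: a minimal sketch of the two rules described in the post above (protected areas limited to whitelisted staff IPs, plus a country block), including the path normalisation such a rule needs so that encoded or dot-segment variants of a protected URL still match. The path prefixes, allowlist ranges and the "Blocked country" label are constructed, and the country code is assumed to come from a GeoIP lookup done upstream.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Hypothetical configuration, constructed for illustration only.
PROTECTED_PREFIXES = ("/admin", "/phpmyadmin", "/modcp")
STAFF_ALLOWLIST = [ipaddress.ip_network(n)
                   for n in ("203.0.113.0/28", "198.51.100.7/32")]
BLOCKED_COUNTRIES = {"CN", "HU"}  # the thread names China and Hungary


def normalise_path(raw_path):
    """Drop the query, percent-decode once, collapse ./ ../ // and lowercase."""
    path = unquote(raw_path.split("?", 1)[0])
    # lstrip avoids POSIX normpath keeping a leading '//' intact
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_protected(path):
    """Match whole path segments so /administrator-guide is not caught."""
    return any(path == p or path.startswith(p + "/")
               for p in PROTECTED_PREFIXES)


def decide(client_ip, country, raw_path):
    """Return (action, reason) for one request."""
    if country in BLOCKED_COUNTRIES:
        return ("block", "Blocked country")
    addr = ipaddress.ip_address(client_ip)
    if is_protected(normalise_path(raw_path)):
        if not any(addr in net for net in STAFF_ALLOWLIST):
            return ("block", "IP address not whitelisted")
    return ("allow", "")


def summarise(requests):
    """Count block reasons over (ip, country, path) tuples."""
    counts = {}
    for ip, country, path in requests:
        action, reason = decide(ip, country, path)
        key = reason if action == "block" else "allowed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample requests (documentation IP ranges).
SAMPLE = [
    ("203.0.113.5", "US", "/admin/index.php"),            # staff, allowed
    ("192.0.2.44", "US", "/admin/index.php"),             # not staff
    ("192.0.2.44", "US", "/forum/%61dmin/../../Admin/"),  # disguised admin path
    ("192.0.2.44", "US", "/administrator-guide"),         # public page
    ("203.0.113.5", "CN", "/"),                           # blocked country
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```
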
It's not immediately obvious to me why your outbound stuff needs to go through their proxy as well. I'm pretty sure the SG web server already caches.

Edited to add: If I may be so bold, how much does this service cost?
 
It's not immediately obvious to me why your outbound stuff needs to go through their proxy as well. I'm pretty sure the SG web server already caches.

Edited to add: If I may be so bold, how much does this service cost?
The outbound stuff is scanned to make sure it has nothing bad in it as well. :)

Actually the service isn't bad for costs, it's an additional $10 a month on top of the other costs from them.
 
Reactions: TheKrell
The outbound stuff is scanned to make sure it has nothing bad in it as well
This is only out of curiosity, but how would something "bad" get on the server? The same rules/filters are used on inbound and outbound or no? The other possibility is something bad got on days, weeks, or months ago and is waiting (?).
 
Reactions: TheKrell
It only covers one site on the server... so if we had more than one website hosted here... like mynameishall.com, there is a chance that mynameishall.com might get infected with something which could corrupt other directories and could harm visitors to SatelliteGuys.US even though all the damage was done at mynameishall.com. As an example, a simple MySQL injection that redirects you to myfiledownload.com... (Remember that?) :)
 