ESS can't protect me from DOS attacks

Discussion in 'other security issues & news' started by Koza, Mar 30, 2012.

Thread Status:
Not open for further replies.
  1. Koza

    Koza Registered Member

    Joined:
    Mar 30, 2012
    Posts:
    4
    Hello WSF, I hope I would get some help for my problem.

    I'm making my home PC a small server and hosting my website on it. But I'm suffering from DOS attacks on my port 80 and ESS is not doing anything. It is unlimited TCP floods on port 80, which makes the website go down. Is there a way for the ESET firewall to block this kind of attack? Are there some settings I should change?
    Btw the attacker is using basic DOS attacks from a program named Low Orbit.

    Thank you
     
    Last edited: Mar 30, 2012
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. Koza

    Koza Registered Member

    Joined:
    Mar 30, 2012
    Posts:
    4
    That means no firewall can protect me from that?
    Also, it is not normal behavior when you get 100 TCP floods in the same second from the same IP; should the firewall detect that as a "bad IP" and block it?

    I tried to add that IP to the ESS rules to Deny on port 80 but he can still send his packets.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    That's pretty much what that means. There is no way to stop someone from hammering your connection unless you can take them offline, which you cannot do. Even if it is stopped at your firewall, it will still hammer the firewall. That's pretty much the principle of a DOS attack. To suck out all of your bandwidth by making your machine fight with the attack. :(
     
  5. Koza

    Koza Registered Member

    Joined:
    Mar 30, 2012
    Posts:
    4
    So all I can do is watch him attack my connection? :(
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    As this is not a support issue, moved for more exposure.

    Are you able to change IP address or host it elsewhere?
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You can try to set up IDS to detect "bad" IPs but you'll probably end up with false positives (some user refreshing the page a few times with pipelining etc.)

    I assume you've already blocked the IP and they're just switching to another?
     
  8. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Report the Denial Of Service (DOS) attacks to your Internet Provider.

    If your Network is behind a Router:
    Enable the Option in the Router to Block WAN Requests or Block Anonymous Internet Requests from the Outside.
    It may be Disabled by Default, and you should Keep this setting Enabled, because it Hides your IP Address and is
    designed to prevent intruders from attacking through the Internet. When Block WAN Requests or Block Anonymous
    Internet Requests is Enabled in the Router, the Router will Drop Both the Unaccepted TCP Requests and ICMP Packets
    coming from the Internet. The intruders Will Not be able to find your Router by Pinging the Internet IP Address.


    And Welcome to Wilders Security Forums Koza


    EDIT: completeness


    HKEY1952
     
    Last edited: Apr 1, 2012
  9. BrandiCandi

    BrandiCandi Guest

    What you're describing is fail2ban, which is a tool for the Linux platform. As far as I can tell there's no equal counterpart for Windows. You didn't say what server or software you're using, I'm sure if you google it with "denial of service protection" you'll find a bunch of solutions specific to your situation.
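
Added example, not part of any post in this thread: the rate-based "bad IP" detection discussed above (an IDS rule, or what fail2ban does by scanning a log), sketched as a scan over Apache access-log lines. The log lines, addresses and function names are constructed for illustration; the 100-hits-per-second threshold is the figure quoted earlier in the thread, and it assumes the flood reaches Apache as HTTP requests that get logged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log format: client IP first, timestamp in [brackets].
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse_line(line):
    """Return (ip, epoch_seconds), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts.timestamp()

def find_flooders(lines, max_hits=100, window=1.0):
    """Map each IP whose peak hit count in any `window` seconds exceeds
    max_hits to that peak. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in one window
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of failing
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop hits that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_hits}

def _line(ip, second):
    # Constructed sample line; addresses are documentation ranges.
    return f'{ip} - - [30/Mar/2012:12:00:{second:02d} +0000] "GET / HTTP/1.1" 200 512'

SAMPLE = ([_line("198.51.100.20", 1)] * 8      # one visitor refreshing the page
          + [_line("203.0.113.7", 2)] * 150    # single-source flood
          + [_line("198.51.100.20", 3)] * 6)

if __name__ == "__main__":
    print(find_flooders(SAMPLE))               # only the flooding address
    print(find_flooders(SAMPLE, max_hits=5))   # too strict: the visitor is flagged too
```

The second call shows the false-positive case: a threshold low enough to react quickly also catches an ordinary visitor's burst of requests.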
     
  10. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    100x times this. Unless you have the infrastructure of Google you will not be able to throttle and mitigate a large scale attack on your end. Working with your ISP and allowing them to mitigate the attack before it reaches you is the best play in this case.

    I am not sure what type of server you are running, though if it is under a constant barrage of attacks you may want to consider switching to a host that can support the extra strain on their bandwidth. This move also makes sense in the event the attacker owns or has access to a botnet and starts hammering your connection with thousands, perhaps millions, of computers all around the world.
     
  11. Koza

    Koza Registered Member

    Joined:
    Mar 30, 2012
    Posts:
    4
    Sorry, I didn't notice there are new replies in the thread.

    My server is behind a router, it is a Netgear DGN 1000. The router logs the DOS attacks but it can't block them, and in the router settings the Port Scan and DOS Protection is already enabled, but it just shows the attacks in the logs and nothing is blocked... I'm using AppServ Apache to host my server. Also I'm hosting a game server and this guy is trying to take advantage in the game, so he is doing that so I give him what he wants!
    I'm sure the attacker is using basic tools. It is 1 IP which keeps sending packets and maxes out my connection bandwidth; if I block it, he makes a new IP.
    Do you think getting a better router can help?

    Thanks for the help!
     
  12. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Follow HKEY1952's advice and contact your ISP, explain the situation and they can null-route the offending traffic.
     