-2

N00b question

But say I had a dedicated server with two IP addresses, and the software (We'll just use Apache as an example) was using both IP address to serve content, in the event of a DoS attack on one of the IP addresses, could I just use something like IP Tables to null route/drop all incoming connections on one of the two IP addresses, effectively rendering the attack useless and still serving the users?

Tom Gaben Newil Gibbs
  • 1
  • Depends. Your idea is correct, however - you need to tell client machines to use second IP address. If nothing else, you are exposing it and attacker can DoS it too.

    Second thing. If the DoS is strong and suppose Apache can withstand it, your computing power will be consumed by serving mainly the malicious requests and not the legitimate ones. Strong DoS can also clutter up your internet connection bandwidth and basically no (or only a little) data can pass through to legit clients.

     – Fiisch Jul 22 '15 at 16:54
  • Well of course, I'd add all the IP addresses to the DNS servers – Tom Gaben Newil Gibbs Jul 22 '15 at 17:03

3 Answers3

1

The attacker could then just start attacking the other IP as well if they weren't already doing so. You might block some unsophisticated attacks, but not anyone who's even moderately determined.

If your goal is to prevent DoS and not DDoS, you can look in to using mod_qos or iptables to limit total concurrent connections from a single IP. You can also check out mod_evasive, which offers a degree of DDoS protection.

sa289
  • 1,338
  • Yeah, of course, but these days so many attacks are sent by little kids form Hack Forums who pay for an hour long attack just to annoy people. Say I had 256 IPs though, they'd have to attack all of them - and on top of that, I'd have redundant servers as well. 1000+ IP addresses supporting a website (overkill I know) I'd assume would prevent most of these attacks. As of yet, I don't get attacked at all, but I'm soon to be launching a website that will likely get attacked daily, so I'm preparing c; Thanks for the suggestions though, I'll be sure to check them out! :) – Tom Gaben Newil Gibbs Jul 22 '15 at 17:07
  • @TomGabenNewilGibbs Np. If it's a standard DoS attack too, you can simply block the IP of the attacker's machine rather than null routing the site's IP. DDoS is more complicated of course. – sa289 Jul 22 '15 at 17:35
  • Yes, of course. I understand how both types of attacks work and the differences between layer 4 and layer 7 attacks, and it's all just about implementing solutions for each type of attack I guess – Tom Gaben Newil Gibbs Jul 22 '15 at 18:51
0

This is my fiorst post, so bear with me,

Depending on the severity of the attack and determination of the attacker you can slow them down but never think of "stopping" them, an attack can be slowed down but not stopped.

IPtables is a good solution, depending on the source traffic to your website I always use country restrictions if I'm not willing to deal with unwanted traffic from problematic countries. I do that on all network equipment depending of the country and target audience.

HTH

EEAA
  • 109,904
Kalashnikov
  • 9
  • I like the idea of country restrictions, although a lot of attacks spoof the source IP, rendering a lot of IP blocking solutions, especially country blocks, useless :( – Tom Gaben Newil Gibbs Jul 22 '15 at 18:53
  • 3
    iptables is a poor solution to DDOS attacks. For it to act the packets have to reach your system, thus your connection still gets saturated and your site is disrupted. – user9517 Jul 22 '15 at 22:16
0

No, you cannot prevent a DDoS attack that way.

By the time the packets reach your server they have already consumed capacity on the saturated link. Dropping a packet with iptables is not going to give you back the link-time which has already been used.

In order for a measure against a DDoS attack to be effective it has to block packets before they enter the saturated link.

The different IP addresses could (depending on provider) help you in a different way. The router sending packets down the saturated link might be configured to share capacity evenly among destination IP addresses. If that is the case a DDoS attack against one IP address will only have minor impact on the other.

But if an attacker knows both IP addresses, the attacker can easily share the attack traffic evenly across those two IP addresses.

kasperd
  • 30,696