DoS attacks: What would you do if you owned a book that was under attack?

Poll options (0 votes cast):

  • Pay up and hope it works
  • Pay up and hire IT guys to make sure it can never happen again
  • Screw them hackers they ain't getting a cent
  • Give them the names of other books that have more money than you
  • Throw in the towel and inform all customers that you are closing your Internet business

New member · Joined Sep 21, 2004 · Messages 2,773
Here is the deal.

You own a sportsbook; 50% of your business is over the Internet, 50% is over the phone.

You receive one of the extortion emails 2 weeks before the Super Bowl (or March Madness).

You make the call:
 

New member · Joined Sep 21, 2004 · Messages 948
1) E-mail all my customers about the situation.

2) Take the requested extortion money and use it to track down the hackers.

3) [chainsaw.gif]
 

New member · Joined Sep 21, 2004 · Messages 150
Have the people at the Western Union where the money is sent whacked.
 

New member · Joined Sep 21, 2004 · Messages 144
I'd have my IT guys and gals make sure my systems were updated with the latest and greatest network patches.

I'd start building a list of every single IP address that actually makes a bet into the office.

I'd make sure I could forward that list to my ISP when the attacks start and let them exclusively allow only those true-customer IPs to come into my network, should worse come to worst.

Then I'd tell the extortionists to get drilled.

-lab
 

New member · Joined Sep 21, 2004 · Messages 144
And of course I'd get screwed, because I'd be blocking out all of the needed external services that push data into my network. So along with the list of customer IPs, I'd also have to have my IT folks research all external data services that push in data, and include those IPs so that I don't cut off services like horse racing data, funding services like Neteller, and any other essentials that keep business running for 90% of the players.

I guess I wouldn't see too many signups during the attacks, but the bread and butter of my biz would not even know an attack was under way.

-lab
 

Ha-Sheesh · Joined Sep 20, 2004 · Messages 2,494
lifesabet, it's good, but since most of your customers have dynamic IP addresses, you cannot ban every IP and then allow each single one. In that case you have to allow one block...

Since AOL is the major provider, you can actually go to Google and find open SOCKS proxies on the AOL network; in other words, hackers could also use the same AOL block. Now, that solution will filter and will make it a little bit more difficult. Keep working!
 

Ha-Sheesh · Joined Sep 20, 2004 · Messages 2,494
For $150 a month you can actually set up your own firewall. How? VPS2 from Verio, a virtual Unix box that allows you to install a reverse proxy. The only thing it doesn't allow you to do is recompile the kernel, but since Verio has some of their techs as kernel developers you don't have to worry about that...

The reverse proxy works in this way: you connect through your domain, which will be hosted on Verio. Let's say rx.com, bound to another port, does a reverse proxy; that means, for example, rx.com:81, where port 81 connects through port 80 to your local office server for betting purposes. That will save a lot of bandwidth when reading pages and downloading graphics. Verio is connected to the primary backbone (Washington); plus, every single graphic you have on your local server will be uploaded to Verio, so every time a customer logs in, they will be logging in on AT&T at 100 Mbps. The IP address you show will be AT&T's, so nobody will determine your real local office IP address. You bind your web server port to only allow the AT&T connection and reject the others by default. Now, the MX record also has to be reversed; every single local IP you have doesn't have to be public. Now, if you are a pretty well-known book, just do the same and ask your ISP to change your IP address. Plus, your local firewall has to be gated to AT&T.


http://www.verio.net
 

New member · Joined Sep 21, 2004 · Messages 144
True, newbie, dynamic IPs make it more difficult and you are inevitably going to lock out some of your real customers.

However, if your daemon avatar means anything, then you can check it out yourself. Go see how many IPs come into your site day after day. Take 30 days of people who you know logged in, and then see how many of them don't arrive on one of the same IPs they've been on once before in the past 30 days. If you were to take a sample over the entire season, and then only look at players who have funds to play with, you'll see that most customers come in on a set of IPs smaller than 10. A great number of players come in on a set of less than 3 different IPs. That's a small list. If you want the entire class C range, your routers will thank you and you'll cover a huge range.

I don't know how it would be done, but some type of real-time monitor of connections that were opened yet never responded to acknowledgement could build a list when the hackers start; however, if your network software is updated it most likely won't be using resources until it's sure it has a real connection. The reflective ACK/SYN attacks would have to be so brutal to make an effect. Combine that with your exclusively allowed class C's and I'd suspect the extortionists would move on to easier targets.

Who knows, just my thoughts,
-lab
 

New member · Joined Sep 21, 2004 · Messages 144
Well done, newbie.

That's a great solution that betting shops on high-priced 3rd world networks should already be practicing. Some are doing this, and it's the way to have snappy fast pages.

-lab
 

Ha-Sheesh · Joined Sep 20, 2004 · Messages 2,494
OK, how about overseas customers, those with a private boat? How about if a customer goes to an Internet cafe, a friend's house, another country, etc.? LEADS?...

Your implementation could work only if you allow a frontend where a customer can come in and log in, send that info to the server, and the server allows that IP at that moment for 5 minutes. But you're talking about giving your ISP all the allowed IP addresses; in that case they have to list every single IP. How many of them? How much memory will that consume? Call your ISP every time you need to change your ACLs?
How about ICE customers... or your Think Digital Solutions will have a guy doing that every 5 minutes...
 

New member · Joined Sep 21, 2004 · Messages 144
Some thoughts, however.

I like to know who the visitors are. With the proxy, your main server (the one you have local access to for analysis) won't know the difference between the IPs. This means that your maintenance and analysis now extends past your server, onto the proxy. Just a bit more of a headache, and of course the proxy does not limit the attack; it only moves your defense efforts outside of your network, onto Verio's. Still, it would be easy to have multiple Verio proxies, and you could round-robin your DNS between them all to make it harder.

The real solution has nothing to do with you; that's the problem in itself, that no matter what you do, enough brute force and you can be taken down. The solution really is for ISPs to make sure that bogus packets never make it from their clients onto their network. My ISP knows what IP I'm on, whether it's dynamic or static. They in no way should ever allow a packet from me to them if the source address is not mine. Going a bit further, they ought to report the fact that I tried to pass a bogus packet to some type of enforcement agency that can take action against me.

The Internet sure has some flaws, and too many ISPs have taken a brain-dead attitude that it's not their problem if they allow attacks to be sourced through them.

-lab
 

New member · Joined Sep 21, 2004 · Messages 144
newbie, just so you know, I'm not calling for a duel. I just want to get some ideas out there, and I appreciate your replies. Keep 'em coming. Nobody should have to put up with attacks.

Just wondering, could you also use something like portsentry to blackhole ACK/SYN that never finish? I bet you can; that would be a dynamic way of stopping the crap as it happens. I guess it depends on how many different bogus source IPs will be reused during the attack. If you only see each bogus IP once, then all your server will be doing is creating its equivalent to a hosts.deny, to no avail.

-lab
 

Ha-Sheesh · Joined Sep 20, 2004 · Messages 2,494
Yep, on Verio it will be limited; if someone tries to send a DoS attack they will be attacking AT&T.

And AT&T techs, who are they? Since they handle the core kernel and patch every single port vulnerability every minute, I don't have to worry about anything. The same reverse proxy could be edited in its pooling and ACL configs; once they cannot attack any vulnerability in the software, they will try to do a DDoS, and in that case I'm pretty sure AT&T already knows how to stop it.
 

Ha-Sheesh · Joined Sep 20, 2004 · Messages 2,494
portsentry... easy.. :)

But remember DoS could be done on your software, machine, or router.

DDoS is another thing... how will you stop it?

Another way could be telling your ISP that every single request will have a small bit of packet forwarding...

I'm not challenging.. :p
 

Ha-Sheesh · Joined Sep 20, 2004 · Messages 2,494
Since you have almost, let's say, 2 megs, a DDoS attack could easily hang you up with 50 machines doing a ping of death...

But on Verio you have the main backbone; since Washington handles all America, Canada-to-Argentina connections, obviously a big connection, and AT&T has almost 40-50% of that bandwidth, how many machines do the Russian hackers need to mount a DDoS attack from Frankfurt (main backbone over Europe) to AT&T...

BTW, Cingular wants to buy AT&T.
 

New member · Joined Sep 21, 2004 · Messages 144
Hi newbie, getting back to my earliest crude brute-force solution, which could be a quick fix for an attack.

The solution involves taking a list of IP addresses that have bet into an office over the web, then passing this list on to a service provider and having them exclusively allow only these known IPs, or class C ranges.

The problems with this solution are that not every customer will come into your shop from day to day on an IP address which he/she has used in the past. Using the class C allow list, it also means that an attacker has a more likely chance of using a bogus IP from an allowed class C network.

I did some analysis on my site, which gets very little traffic. I suspect that this sample is way too small to get real figures, but there is no reason why every shop owner cannot do their own analysis to see how this solution may benefit them and, more importantly, to estimate how many of their normal existing clients would be allowed into their shop were they to choose this style of solution during an attack.

I took my data from an httpd-access.log which included traffic from November 1st, 2003 through December 31st, 2003.

I started by breaking it out into IP addresses which were tracked during the login sequence. A shop owner would be better off using IPs that were used during successful credit card processing, or bet processing.

I had 2635 unique IP addresses in 1413 class C ranges who hit the site between Oct 1 and Nov 30. Of these, 404 IPs logged in within 108 class C ranges.

Let's assume that starting December 1, I will be hit by an attack where bogus IPs are created and traffic is sent into my network to either clog up memory with unfinished connections, or just gobble bandwidth. So I will take my list of IPs or class C ranges that I know are my customers who log in regularly, and did so between October 1 and November 30. I will ask my ISP to only allow traffic sourced from this list into my network, or I may just add this filter to my own router.

If I had used my unique IP allow list on the first day of December, I would have missed login connections from 6 IP addresses that had not hit my site in the previous 2 months. This 6 of 404 IPs might represent that 1.48% of my existing customers will be pissed off the first day. Had I used the class C range allow list, then on the first day of December, all customers who logged in had been seen on that network and would not have known that an attack was going on.

Let's assume that the attack does not last one day; instead it lasts 9 days, December 1 through December 9. Using the IP allow list, I would have missed login connections from 42 IP addresses that had not hit my site in the previous 2 months. This 42 of 404 might represent that 10.4% of my customers will be pissed off at least once within the first 9 days of December. Had I used the class C range allow list, then logins from 9 new networks would have been missed because they hadn't been seen in the previous 2 months. This 9 of 108 classes represents a similar 8.3% of my existing known customers who will be pissed in the first 9 days of December.

Let's assume that the attacks go on for the entire month of December. By this time, I'm about to cut my own throat; however, my customer service staff would have already done so. By now, more and more of my customers are being affected by my exclusive allow list, but I haven't lost them all just yet. I have traffic from 140 IPs that cannot log in. That's 34% of my existing customers who cannot log in, 66% that can; that's a D in my book, and I can assume that I've lost those customers by now, or converted them to phone players. Had I used the class C allow list, I'd have missed traffic from 32 new networks, pissing off 29.6% of the customers that I'd have had less the attacks.

So my solution, though it be quick and dirty, and something that any techy should be able to create and implement within the first 2 hours of an attack, is not perfect, and would not last forever. However, assuming that you are down, keeping 98% of your traffic happy the first day, 90% of your traffic happy in the first 9 days, and 65% of your traffic happy during the first month is much, much better than missing 100% of your Internet traffic.

So newbie and other techies, would you consider doing the same analysis on your sites, and sharing them here?

Just trying to help,
-lab
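The coverage analysis lab describes above, as an added example that is not part of the thread: the script builds an exact-IP allow list and a /24 ("class C") allow list from login requests in a training window, then scores how many logging-in IPs and networks in the attack window each list would have admitted, and which customers the exact-IP list would have turned away. The Apache log lines, the dates and the `POST /login` path are constructed for the example and are not from any real site.

```python
"""Allow-list coverage check for the access-log analysis described above (added example)."""
import ipaddress
import re
from datetime import datetime, timezone

# Apache combined log: client IP, bracketed timestamp, quoted request line (rest ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UTC = timezone.utc

SAMPLE_LOG = [  # constructed entries using documentation-range addresses
    '203.0.113.10 - - [15/Oct/2003:20:11:02 -0500] "POST /login HTTP/1.1" 302 0',
    '203.0.113.11 - - [02/Nov/2003:09:30:44 -0500] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Nov/2003:18:05:10 -0500] "POST /login HTTP/1.1" 302 0',
    '192.0.2.55 - - [21/Nov/2003:11:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.10 - - [01/Dec/2003:19:45:01 -0500] "POST /login HTTP/1.1" 302 0',
    '203.0.113.99 - - [02/Dec/2003:20:02:37 -0500] "POST /login HTTP/1.1" 302 0',
    '192.0.2.55 - - [03/Dec/2003:12:12:12 -0500] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Dec/2003:21:30:00 -0500] "POST /login HTTP/1.1" 302 0',
]
TRAIN = (datetime(2003, 10, 1, tzinfo=UTC), datetime(2003, 12, 1, tzinfo=UTC))   # Oct-Nov
ATTACK = (datetime(2003, 12, 1, tzinfo=UTC), datetime(2003, 12, 10, tzinfo=UTC))  # Dec 1-9

def logins(lines, start, end):
    """Client IPs of login requests whose timestamp falls in [start, end)."""
    ips = set()
    for m in filter(None, map(LOG_RE.match, lines)):  # skip lines that do not parse
        ip, ts, request = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        # Only the login handler counts; bet or deposit processing would be a stronger signal.
        if start <= when < end and request.startswith("POST /login"):
            ips.add(ip)
    return ips

def class_c(ip):
    """The /24 ("class C") network containing ip, as a string."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def coverage(lines, train, attack):
    """Share of attack-window login IPs and /24s that allow lists built from the
    training window would admit, plus the exact IPs the IP list turns away."""
    allowed_ips = logins(lines, *train)
    allowed_nets = {class_c(ip) for ip in allowed_ips}
    seen_ips = logins(lines, *attack)
    seen_nets = {class_c(ip) for ip in seen_ips}
    ip_rate = len(seen_ips & allowed_ips) / max(1, len(seen_ips))
    net_rate = len(seen_nets & allowed_nets) / max(1, len(seen_nets))
    return ip_rate, net_rate, sorted(seen_ips - allowed_ips)
```

On the constructed sample the exact-IP list admits half of the December logins while the /24 list admits two thirds, the same trade-off the post reports between the two list styles.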
 
