While I was gone last Friday one of my Linux boxes was DDoS’ed. I’m not sure that the proper response was “oh, cool!” though. Heh, I’ve had nearly every continent scan and attack me but never any DDoS lovin’, and that’s fairly exciting to me. I’m actually a bit annoyed that I missed it. It was all small UDP packets hitting all possible ports, beginning *exactly* at 01:00 CDT and ending *exactly* at 09:00 CDT. Props to the DDoS’ers — they’ve mastered cron. 🙂 My network colleagues tell me it hit 300,000 flows per hour. Interestingly enough, the Linux box — a single-CPU Dell PowerEdge 2650 running Red Hat Enterprise Linux AS 3 — didn’t seem to notice much, beyond the Gigabit network interface being a little busy.
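The pattern described above (small UDP packets spread across every possible port, hundreds of thousands of flows per hour, starting and stopping on exact hour boundaries) is easy to pick out of flow records after the fact, which is useful when you were not at the console while it happened. The Python below is an added example and is not the author's code or anything from the tools mentioned on this page; it builds a constructed set of flow records in the shape the post describes (a quiet hour followed by an hour of small UDP flows to random ports, with arbitrary dates and RFC 5737 test addresses) and flags hours whose UDP traffic is high-volume, small-packet and spread over many destination ports. The thresholds are assumptions to be tuned against real baselines.

```python
"""Flag hour-long buckets of many small UDP flows spread over many destination
ports. Added example, not the post author's code; all flow records here are
constructed, not captured logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import random


def make_sample_flows(seed=1):
    """Build constructed flow records: (timestamp, proto, src_ip, dst_ip, dst_port, bytes).
    Hour 00:00-01:00 is normal TCP traffic; hour 01:00-02:00 is a UDP flood
    to random ports, mirroring the shape the post describes. Date and IPs are
    arbitrary (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges)."""
    rng = random.Random(seed)
    base = datetime(2005, 6, 10, 0, 0)  # arbitrary constructed date
    flows = []
    for _ in range(50):  # quiet hour: a handful of ordinary TCP sessions
        flows.append((base + timedelta(minutes=rng.randrange(60)), "TCP",
                      f"10.1.1.{rng.randrange(1, 50)}", "192.0.2.10",
                      rng.choice([22, 80, 443]), rng.randrange(500, 5000)))
    flood_start = base + timedelta(hours=1)
    for _ in range(5000):  # flood hour: many tiny UDP flows, random ports
        flows.append((flood_start + timedelta(seconds=rng.randrange(3600)), "UDP",
                      f"203.0.113.{rng.randrange(1, 255)}", "192.0.2.10",
                      rng.randrange(1, 65536), rng.randrange(28, 120)))
    return flows


def hourly_udp_stats(flows):
    """Bucket UDP flows by the hour they started; track count, distinct
    destination ports and total bytes per bucket."""
    stats = defaultdict(lambda: {"udp_flows": 0, "ports": set(), "udp_bytes": 0})
    for ts, proto, _src, _dst, dport, nbytes in flows:
        if proto != "UDP":
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        bucket = stats[hour]
        bucket["udp_flows"] += 1
        bucket["ports"].add(dport)
        bucket["udp_bytes"] += nbytes
    return stats


def find_udp_flood_hours(flows, min_flows=1000, min_ports=500, max_avg_bytes=200):
    """Return (hour, flow_count, distinct_ports, avg_bytes) for every hour that
    looks like a small-packet UDP flood across many ports. Thresholds are
    assumed values; tune them against your own hourly baseline."""
    hits = []
    for hour, bucket in sorted(hourly_udp_stats(flows).items()):
        if bucket["udp_flows"] < min_flows:
            continue
        avg_bytes = bucket["udp_bytes"] / bucket["udp_flows"]
        if len(bucket["ports"]) >= min_ports and avg_bytes <= max_avg_bytes:
            hits.append((hour, bucket["udp_flows"], len(bucket["ports"]),
                         round(avg_bytes, 1)))
    return hits


if __name__ == "__main__":
    for hour, n, ports, avg in find_udp_flood_hours(make_sample_flows()):
        print(f"{hour:%Y-%m-%d %H:00} udp_flows={n} distinct_ports={ports} avg_bytes={avg}")
```

Because the buckets are hour-aligned, a flood that is driven by cron shows up as a clean run of consecutive flagged hours, which matches the exact 01:00 to 09:00 window the post describes. The same three signals (flow count, destination-port spread, and average packet size) are what distinguish a port-sweeping UDP flood from a busy but legitimate UDP service, which concentrates on a few ports with larger payloads.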
I’ve been doing some reading on DDoS attacks this evening. Dave Dittrich has some good information over at his web site, and Rob Thomas, though his stuff seems to have gone offline, still has a few presentations out there:
- Rob Thomas’ “Life, Love, and War in the Underground” (PDF)
- Rob Thomas’ “Router Security — Just Add Peers” (PDF)
- Rob Thomas’ presentation on “What Not to Do During an Attack” (PPT) — read the notes
- Dave Dittrich’s web site with lots of links
If I’ve read this right, one of the worst things you can do during a DDoS is freak out and take the host offline. I understand why, but that’s counterintuitive to most people, and I wouldn’t have thought about it during the event itself.