How to prevent a LOIC (DDOS) attack? [duplicate]

The program LOIC (in the news a lot in the last few days) causes a lot of damage. What can I do on my server to prevent this kind of attack? Auto-block an IP when it sends a strange connection? Because mostly it will be a single user.

Are there already solutions for this?


Solution 1:

Over at the ISC SANS Diary entry for this topic, there is a very strong clue in one of the comments.

By DarkFiber:

I used to work with an organization that came under constant attack from anonymous and their LOIC tool. It's very easy to mitigate these DoS attacks as they're not particularly bandwidth intensive. Simply limiting the connections per IP per interval at the firewall was enough to thwart the attack. I believe properly configured Checkpoints are able to detect and drop these attacks altogether. But listening in to their IRC channel is the best way to stay one step ahead of this group. It's not often attackers broadcast their targets and vectors before firing.

Solution 2:

To limit traffic by source IP, based on what @sysadmin1138 says, there's a great iptables module called "hashlimit". Here's an example set of rules:

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min \
    --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

What this does is allow up to 500 packets (not connections; because HTTP can do multiple transactions per connection, you have to consider whether you want to do this on all packets or SYN packets only). If there are more than 500/min, it will then throttle it down to 50/min until the rate drops. Anything outside of these limits gets the DROP.

Though usually you want to whitelist some IPs, so you probably want to create a table and jump to that if it's port 80, then have your whitelist rules in there, and a final drop. That way non-HTTP packets don't check those whitelist rules and you could have several services all call that whitelist ruleset.

Also, you probably want to enable SYN cookies, so that if the DoS is sending SYN packets it has very little impact on your system.
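As an added example (not part of the answer above), the following shell function lays out the per-service chain structure the answer describes: port 80 jumps to its own chain that holds the whitelist, the hashlimit rule applied to SYN packets only, and a final DROP, with SYN cookies enabled alongside. It prints the iptables commands rather than running them so they can be reviewed first; the chain name, rate, burst and whitelist addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers. Emits the iptables commands
# for a dedicated HTTP chain as described in Solution 2. Pipe to sh as root
# (or to a review step) once the values suit your environment.
IPT=${IPT:-iptables}

# http_chain_rules CHAIN RATE BURST [WHITELIST_IP ...]
http_chain_rules() {
    chain=$1; rate=$2; burst=$3; shift 3
    echo "$IPT -N $chain"
    # Trusted sources (monitoring, office egress) bypass the limit entirely.
    for ip in "$@"; do
        echo "$IPT -A $chain -s $ip -j ACCEPT"
    done
    # Packets of connections that already passed the SYN check are accepted,
    # so keep-alive requests on one connection are not counted again.
    echo "$IPT -A $chain -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # Rate-limit new connections (SYN) per source IP, as the answer suggests
    # considering instead of counting every packet.
    echo "$IPT -A $chain -p tcp --syn -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name $chain -j ACCEPT"
    # Everything else on this service is dropped.
    echo "$IPT -A $chain -j DROP"
    # Only port 80 consults this chain; other services keep their own rules
    # and can reuse the same whitelist pattern.
    echo "$IPT -A INPUT -p tcp --dport 80 -j $chain"
}

# SYN cookies keep a SYN flood from exhausting the backlog (Solution 2's last point).
syn_cookie_cmd() {
    echo "sysctl -w net.ipv4.tcp_syncookies=1"
}

# Usage with constructed sample values (documentation address ranges):
http_chain_rules HTTP_LIMIT 50/min 500 192.0.2.10 198.51.100.0/24
syn_cookie_cmd
```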

Solution 3:

I have worked with a couple of global banks and their ISPs to look at the effectiveness of DDoS mitigation techniques. It is very difficult to do by yourself, but what we saw working well was when the ISPs teamed up with DDoS mitigation partners. Your best bet is to look at the answers to this question on IT Security Stack Exchange as David's answer says it all.

Oh, and the reason it has become much harder to block LOIC is the initial ones were run from volunteer networks, which were fairly small. The more recent ones are also tapping into illegal botnets so they have scaled up by a significant factor, adding 30,000-odd machines per botnet.