Sensor with a Black Hole

If you have more than a few servers in your administration area or do not want to integrate any additional software, you can get DDoS protection "off the web," which does not refer to another provider in the sense of as-a-service, but rather a monitor that detects unusually high traffic flows on switches and routers.

Routers count packets flowing through and report them in NetFlow format to a central NetFlow collector. The collector receives the statistical information from all routers and, by doing so, obtains a precise overall picture of the utilization of Internet links. This method works similarly with switches: They send a small percentage of the transported packets in sFlow format to the collector, which can then deduce the utilized bandwidth from the samples.

If the number of packets or the bytes transmitted per second exceeds a defined threshold value, then it looks like the start of a DDoS attack. Now is the time to act. The simplest case is an email alert. Automated systems use the NetFlow and sFlow data to identify the target system under attack and inform the customer router over Border Gateway Protocol (BGP). The customer router immediately forwards the information to the provider. The BGP routers now have a new host route that no longer routes the traffic to the target server but instead dumps it in the bit trash can. A black hole is created in the routing table for the attacked server. As soon as the onslaught subsides, the guard removes the host route and makes the server visible again. The idea behind this is known as remotely triggered black hole (RTBH) filtering.

If you want to familiarize yourself with this form of DDoS protection, I recommend the community version of FastNetMon [8]. For test purposes, FastNetMon also runs without BGP interaction and only triggers a Bash script in the event of a DDoS alarm. In this phase, you can monitor your network and set the threshold values. Once the false positives stop, the FastNetMon server can become a BGP neighbor in your autonomous system and send host routes.

Tools for Windows Servers

The tools presented so far are exclusively for Linux and Unix. If you want to make your Windows server accessible over the Internet, you can expand the Windows firewall by adding IPBan [9] or EvlWatcher [10] for DDoS protection. Both products work in exactly the same way as Fail2Ban. They monitor the login attempts and block the source address after a few failed attempts.

IPBan is particularly easy to set up: Download the ZIP archive from GitHub, unpack, and start the executable. In the open program window IPBan informs you what it is currently doing and which logins it has detected. IPBan forwards the request for blocking to the Windows firewall. Although the software does not make a Windows system secure, it does reduce the attack surface on open services such as Remote Desktop or virtual network computing (VNC).

Test with a DoS Attack

Of course, you will want to test all your defenses. If you do not currently have a botnet in your arsenal, you should at least unleash a single client on your now protected servers. You do not need to access the Darknet to pick up the necessary tools; instead, try GitHub or the Kali Linux distribution. The legal framework must be established before the first attack: The customer or employer must consent to a deliberate attack. It also makes sense not to launch the attacks from your network to avoid ending up on one of the blacklists mentioned above. A disposable virtual machine (VM) from a cloud provider is recommended, and because they are paid for by the minute, the financial outlay is very manageable.

To lay a simple siege, use the Siege HTTP load tester, which can be installed with the package manager on many distributions. The software expects the URL of the web server as an argument and immediately starts throwing GET requests at the server. Without DDoS protection, the results on the screen flash by at breakneck speed. If protection is activated, activity stops after a few HTTP access attempts. Siege then simply reports Resource temporarily unavailable .

If you want to carry out your own attack with a little more finesse, you might want to use MHDDoS [11], which comes with more than 50 attack vectors that trick various commercial DDoS defense systems, going far beyond a simple flood of GET and POST requests. Command-line arguments let you specify how many requests per second you want to throw at the server.