Denying DDoS on Web Servers! How?

Salaams all of you guys out there...
The concern today is, many of Pakistani Official Web site had been hacked down using a variant of 'Yaha' on 29 april. It was DDoS attack.
Now the point is, how one should guard his web servers against such DDoS attacks. I am not some official, but my network's security is my concern.
I ask for complete working methodology of such attacks and counter measures. Does IP spoofing supports? I don't think so. Firewalls protects? To some extent, I should admit!
What's the real solution?
Strike back guys...

well the best protection is good firewalling. iptables on a linux box would be ideal. limit icmp packets, block portscans. another big thing would to not give out lots of important information. for example
Server: Apache/1.3.26 (Unix) (Technologue/Linux) mod_ssl/2.8.9 OpenSSL/0.9.6 mod_layout/3.2
that is way to much information. a better solution would to be make the server just give out
Server: Apache
this is simple to do and only requires a small look into the apache configuration file. but why do this? simple.....some dos attacks are because of buffer overflows in the programs that require them to crash. giving out less information will stop attackers from gathering the required information to carry out this type of dos attack.

I cant comment much on this topic but I would like to mention, The Web Server software I use called KeyFocus Web Server www.keyfocus.net has a new feature called sin bin where if a client makes malisious type requests to the server, and reaches a threshold limit, they will be entered into a sin bin where he/she will no longer be able to visit my site.

Aditionaly it has a built in feature that will detect brute force atacks on passwords, where if the user fails to enter the password 5 times, they will be locked out for 1 hour. As well it limits the amount of simultanious conections a visitor may make at a time. And the amount of special characters that can be entered in a get request.

So though this does not realy answer your question of how to protect against DDoS atacks, your server software may have built in features. You may want to check it out.,

The point of concern is, I am talking about zombies, not that buffer overflows in the programs. I'll definitely check out Key focus web server - thanks for that

The attack on the Paki servers was launched from zombies. It was spreaded by mail, capable to mail itself by picking the contacts from the address book and messenger lists of the infected system. When executed it launched the attacked on predefined paki web sites. This is second time in a row - launched

You got the idea? How would you differ from a legitimate user and a fake one? configuring firewalls on an ISP's setup can quite cumbersome keeping into account their services...

How one can detect such attacks and counter them?
thanks

Hi,
What OS do you have?
FreeBSD/*nix have anti-ddos utilities to avoid ddos attack you can install ..like tripwire,aide or yafic.
To detect and scan ddos, FreeBSD have tools call : dds, find_ddos and Zombiezapper (to clean it).

But well..that's all I know at the moment :)

Cheerss

What I've learnt from your replies (thanks, they helped!), some certain questions in my mind...

1. doesn't IDS - intrusion detection systems can be used to stop DDoS?
2. Does sniffers help in any way?
3. Solutions for other OS(es) other than FreeBSD, including windows 2000
4. Not just detect, how to guard against them?
5. Firewalls? which ones? any kerberoes?

I think guarding a system asks for 24 dedication from your side. Doesn't it?

Well, in order to prevent the most common DDoS attacks (SYN flood), I see some ways. Here are some of them:

* If you are under Windows 200, you can enable/create a registry key related to this problem in \\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
If you give the value "0" to the key: it will be disabled.
"1". a basic protection is enabled: time to SYN/ACK replies will be quicker than by default and an entry in the route cache will be created only after the three handshake had been totally done.
"2". the basic protection is enabled, and moreover informations about the connections will be send to WinSock drivers only after the three handshake had been totally done.

This key is disabled or even doesn't exist by default.

* If you are under Linux, you can enable SYN cookies with a recompilation of your Kernel.

* Some firewalls (AppSafe, NetScreen...) can act like proxies during the begining of the connection in order to reduce problems linked to DDoS attacks. But it can only help to solve the problem and it make connections longer.

* Some IDS can detect flooding and send RST to the target in order to limit the number of half-open connections which are generally what make the servers slow down during such an attack.

I hope it will help you.

KC

and if he wanted to even survive a ddos he wouldnt be using windows in the first place....windows is more prone to dos attacks than other oses

An abstract on DDoS survival for web servers that I think you might find helpful. :)

Okay, got the point on SYN flooding...
what are the measures for other attacks? like ICMP floods/IGMP floods etc...
- leaving a platform is not a solution. how one can be a geek without learning one the most widely used servers around. what would you do if you have to work to with win2k?

also check out this...
http://pakiblues.proboards9.com/inde...num=1052066001