DDoS against firearms websites

Started by harrygunner, August 07 2014 09:40:18 PM MDT


harrygunner

www.handgunlaw.us was under a DDoS attack recently. Some people think their dislike of firearms justifies illegal acts.

Looks like this is happening more often. After reading about the attack on handgunlaw, I crafted some rules to automatically minimize the load on the server. One would need to be running a Linux host and have 'root' access to implement the rules.

If they could be of any help, they are listed at:

http://www.thehighroad.org/showpost.php?p=9568322&postcount=10

There are some computer-savvy people here. Any improvements or suggestions would help our community. Gary Slider has asked several computer-related questions over the years. Don't know the computer-fu level of the average gun website owner, but figured a canned solution could be useful.

Here's my reasoning for these rules:

If the attacker is using hundreds of cracked computers in the DDoS attack, these rules should help. And if the attacker is using thousands of pwned computers, the ISP will be drowning and the problem is bigger than what any one server can resolve.

These 'iptables' rules reduce server resource usage, except for 'SYN flooding'.

'state' processing is impacted by 'SYN flooding'. The server's resources are used determining the state before dropping packets. Same with SYN cookies, resources can be exhausted.

The attacker may send packets where the source IP address is not the true source. Spoofed SRC addresses are usually a selected set the attacker uses, knowing no server at those addresses will respond to SYN-ACKs. Those addresses are part of the attacker's tool kit. Blocking them won't be an issue and obviously helps defend against the attack.

Immediate blocking is the way to go since dropping packets outright uses few resources. 'fail2ban' is a program that adds firewall rules dynamically based on patterns in specified flat text files. So, throwing that into the solution gives the automatic complete blocking of any kind of traffic (all protocols and all ports) from IP addresses involved in the attack.
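
The mechanism described above (match a pattern in a flat log file, then drop all traffic from the offending address), as an added example that is not part of the original post and not the rules linked there. The Apache log format, the thresholds and the sample lines are assumptions constructed for illustration, and the script only prints the rules it would add.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache common log format (documentation-range addresses).
SAMPLE_LOG = (
    [f'203.0.113.7 - - [07/Aug/2014:21:40:{s:02d} -0600] "GET / HTTP/1.1" 200 512'
     for s in range(8)]                      # 8 requests in 8 seconds
    + [f'198.51.100.20 - - [07/Aug/2014:21:{m:02d}:00 -0600] "GET / HTTP/1.1" 200 512'
       for m in range(40, 48)]               # 1 request per minute
    + ['999.1.1.1 - - [07/Aug/2014:21:40:00 -0600] "GET / HTTP/1.1" 200 512',
       'truncated line']                     # malformed entries must be ignored
)

def parse(line):
    """Return (IPv4 address string, timestamp) or None for unusable lines."""
    try:
        host, rest = line.split(" ", 1)
        # Only a validated address may ever reach the firewall command string.
        ip = str(ipaddress.IPv4Address(host))
        stamp = rest[rest.index("[") + 1:rest.index("]")]
        return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None

def find_offenders(lines, max_hits=5, window=timedelta(seconds=10)):
    """IPs with more than max_hits requests inside a sliding window (assumed limits)."""
    recent = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[0] in banned:
            continue
        ip, ts = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # forget requests older than the window
            hits.popleft()
        if len(hits) > max_hits:
            banned.append(ip)
    return banned

def drop_rules(ips):
    """One rule per address: no protocol or port match, so all traffic is dropped."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE_LOG))))
```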


Gabbar Singh

I am a network applications developer with 21 years' experience with Linux. I have maintained as many as 1200 machines at one time.

Response from 10mm-firearms.com is very sluggish. I don't want to do any aggressive analysis without permission, but I *think* you are hosted as a virtual domain on a server owned by unifiedlayer.com which is racked at he.net. Rather than suffering from DDoS, I suspect that the server is oversubscribed. If that were the case, you would not see anything interesting in your Apache logs, except long times between responses, and no amount of filtering would make a significant impact.

In short, I'd be surprised if you were getting heavy traffic, DDoS or otherwise, but you are suffering from poor response time. Examining the server using top and strace might yield some clues.

I am largely guessing about that. If you think otherwise I could examine a sample of your Apache logs if you like, for free.

Patriot

Right now we are hosted on a cheap monthly plan at hostgator. It's a little slow but it's only $8.95 a month. Once we get bigger we will get a better, faster host. I haven't experienced any problems.

ShadeTreeVTX

This site is one of the best response sites I'm a member of and I have AT&T slow as shit and overpriced DSL.

Doug
Shit happens and then you die!

Glock - So Ugly - Only a Believer Could Love It.

Low tho I walk through the Valley Of Death- I shall fear no Evil - For my Glock is with me....

You want my Gun - You can have it ONE ROUND
AT A TIME!!!

Gabbar Singh

I had very slow loading at the time I posted that. It was slow at my home, at work, and at remote work sites in Washington and Louisiana, that's why I reported it. The next day, everything was fine and fast, and it's been that way ever since.

The_Shadow

Louisiana likes things slower! Except their 10mm and other ammo! ;D
The "10mm" I'm Packin', Has The Bullets Wackin', Smakin' & The Slide is Rackin' & Jackin'!
NRA Life Member
Southeast, LoUiSiAna