It is usual for Singapore hosts to disallow services like IRC. This is mainly to avoid DDOS attacks,
which will bring down the provider's network. These attacks can be over 200 Mbps, and will disrupt other
hosts within the same datacentre as well.
The attacker usually controls a large number of bots. These can be PC or servers which are hacked, and
bots are installed. Given the large number of webservers, running php applications, there are a large
number of sites which are vulnerable. Web hosting companies are especially vulnerable, since there are
hundreds of websites on each server, and a customer would just click and install an application, such
as phpBB, and leave it around for years without upgrading.
Such applications would be targeted, and they can be found easily through search engines. How? Just
search for phpbb site:.sg and you would get a large listing of sites. The attacker would use any
vulnerable site found, and install bots, which can be something as simple as a 30 line perl script,
which just listens on a port, and wait for the command to send out udp packets to flood the victim.
What happens to so called dedicated bandwidth then? If a provider gives you a dedicated 2 Mbps connection,
why should the provider be concerned whether or not you host IRC servers? If you get attacked, wouldn't it
be limited to the 2 Mbps? The answer is no. The provider uses a packet shaper or rate limit your connect
to 2 Mbps. However, your provider can not control the amount of traffic going into his connection that
he gets from his upstreams.
Therefore, if a server that has a "dedicated" 2 Mbps connection gets flooded with 200 Mbps of
UDP packets, your provider needs to have more than 200 Mbps to withstand the attack.
In a DDOS on bandwidth, the victim must have more resources than the attacker. As long as the
attacker can gather more bandwidth than the victim, the victim goes down. Since the victim needs
to pay for his bandwidth, it is essentially limited. The attacker can gather "free" bandwidth.
How about firewalls, and appliances which claim to prevent or mitigate DDOS? Installing a firewall
on your own link, which is 2 Mbps or 10 Mbps does not help at all. By the time the traffic reaches your
firewall, it is utilising your bandwidth; and if the traffic is 200 Mbps, your 10 Mbps link is congested.
A firewall at your upstream will help, if your upstream have 1 Gbps, and filters out all the DDOS
traffic, leaving you with your usual traffic. However, your upstream gets additional 200 Mbps of unwanted
traffic.
Essentially, it is a matter of resources. Your upstream can block the traffic, and make it look as
if the attack has stopped, but the upsteam must have resources that is greater than the attack, and must
be willing to do so.
What usually happens is that the Singapore datacentre gives up, and null routes the IP that is attacked;
wait out the attack, usually a few days, and unblock the IP thereafter. This can be disastrous for a
IP used for hundreds of sites, such as on a shared web server.
If you have comments, particularly if you use or represent a Singapore datacentre that can provide protection
against DDOS on bandwidth, please send your comments via the contact form.
|