# DDOS on certain IP



## gkontos (Mar 12, 2015)

Hi all,

I recently got a client (Linux web server) who became a target of DDOS attacks. Actually, the IP address of his web server was getting huge amounts of traffic indicating that it is a torrent tracker.

I blocked China and some other countries but that worked for a while. We ended up using a CDN and blocked all incoming traffic except the CDN and now everything is calm.
If I allow all incoming traffic in the firewall then all hell breaks!

The question is how did this happen? How can an IP address become marked like that and what do you do? (changing the IP is a solution of course).


----------



## gkontos (Mar 13, 2015)

UPDATE.

The IP address of the server was also changed and the problem is gone.

The philosophical question still remains though, what might cause an IP address to become a target.


----------



## junovitch@ (Mar 14, 2015)

Apparently it's happened enough that someone wrote about it. I found this a good read. The article blames the interaction of the Great Firewall of China and old trackers that are floating around.

http://blog.devops.co.il/post/108740168304/torrent-ddos-attack


----------



## gkontos (Mar 14, 2015)

This is exactly the same pattern!!! 

Excellent read


----------



## tingo (Mar 21, 2015)

I guess you already did, but for the benefit of others reading this thread: whenever a web server is attracting unwanted / unexpected traffic always check the web server and all the sites for security holes (the log files are good for this). If somebody managed to sneak content onto a web server it is usually spam in some form, and that can drive traffic.


----------
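Added example (not part of any post in this thread, and not code from the linked article): one way to confirm from the access log that unexpected traffic is BitTorrent tracker traffic of the kind described at the top of the thread. It assumes the Apache/nginx "combined" log format; the function names, sample lines, addresses and client names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs
# Combined format: ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# Query parameters every HTTP tracker announce carries (BitTorrent spec, BEP 3).
ANNOUNCE_KEYS = {"info_hash", "peer_id", "port"}

def is_tracker_request(target):
    """True if a request target looks like a tracker announce or scrape."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False  # unparsable target: do not count it as tracker traffic
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    if ANNOUNCE_KEYS <= keys:
        return True
    return "info_hash" in keys and "scrape" in parts.path.lower()

def summarize(lines):
    """Count tracker-style requests and the clients sending them."""
    total, hits, ips, agents = 0, 0, Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in combined format; skip rather than guess
        total += 1
        if is_tracker_request(m["target"]):
            hits += 1
            ips[m["ip"]] += 1
            agents[m["agent"]] += 1
    return {"total": total, "tracker": hits,
            "top_ips": ips.most_common(3), "top_agents": agents.most_common(3)}

# Constructed sample lines (documentation address ranges, made-up client names).
_ANN = "info_hash=%12%34%ab%cd&peer_id=-XX0001-abcdefghijkl&port=51413&left=0"
_FMT = '{} - - [12/Mar/2015:10:00:01 +0000] "GET {} HTTP/1.1" 404 162 "-" "{}"'
SAMPLE_LOG = [
    _FMT.format("203.0.113.7", "/announce?" + _ANN, "ExampleTorrent/1.0"),
    _FMT.format("203.0.113.7", "/announce.php?" + _ANN, "ExampleTorrent/1.0"),
    _FMT.format("198.51.100.20", "/announce?" + _ANN, "ExampleTorrent/1.0"),
    _FMT.format("198.51.100.21", "/scrape?info_hash=%12%34", "OtherClient/2.0"),
    _FMT.format("192.0.2.10", "/index.html", "Mozilla/5.0"),
    _FMT.format("192.0.2.11", "/search?q=test&port=80", "Mozilla/5.0"),
]
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high tracker share on a server that hosts no tracker points to misdirected BitTorrent clients rather than visitors drawn by content on the sites.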



## gkontos (Mar 21, 2015)

tingo said:


> I guess you already did, but for the benefit of others reading this thread: whenever a web server is attracting unwanted / unexpected traffic always check the web server and all the sites for security holes (the log files are good for this). If somebody managed to sneak content onto a web server it is usually spam in some form, and that can drive traffic.



Yes, that was the first thing I did actually and I found many security issues which I immediately brought to his attention. This is something that I always do; I basically create a report with issues that need to be resolved. In this case, I told him that he might be ok for now, but it is a matter of weeks before he gets hacked.

From a client's perspective, I guess they prefer to take the risk instead of investing to fix those issues. In that particular case, there is a lot of bad coding. I also refused to help one of his developers who wanted to use a php script in order to SFTP as root from a different server.


----------



## tingo (Mar 21, 2015)

gkontos said:


> I also refused to help one of his developers who wanted to use a php script in order to SFTP as root from a different server.


Ouch!
Never ever let developers make design decisions for systems until they have proved that they understand security as a concept (and a few other key concepts, like "in production", "users" and "downtime" for example).


----------



## gkontos (Mar 21, 2015)

tingo said:


> Ouch!
> Never ever let developers make design decisions for systems until they have proved that they understand security as a concept (and a few other key concepts, like "in production", "users" and "downtime" for example).



Let me give you an example of how bad freelancing works. You have a client with a limited budget. He decides to hire freelance developers from India with a rate of $3/h.
(I am not being racist here, I just have a lot of experience in this area and I have seen a lot.)

After that, I come in asking $30/h to pretty much assess the damage. After a total of 4 hours or ~ $120 I can provide a report on what needs to be fixed and how it should have been designed in the first place.

The client realizes that he spent $$$ on cheap developers for nothing. So, the big decision comes... Shall we start over and do it properly? (this means that $$$ are a waste) Or shall we continue on this path? They usually go with the second option because their ego does not allow them to accept that they wasted so much money for nothing.


----------

