
WTF Has DDos Attacks Got To Do With .htaccess Redirects? : 5ubliminal's TellinYa

http://www.tellinya.com/art2/327/
DDos defeated by .htaccess redirects? Is ELI HI?

I just bumped into this thread and the more I read the more my jaw dropped. And finally I went like … WTF … these dudes are clueless about what DDoS means.

ELI from bluehatseo.com seems to have pissed someone off and got a DDos hit smack in the face. And, while the admirers are drooling all over the place, he tells them he redirected the attack to WhiteHouse.gov (so the FBI'n'shit will track it down) … with a .htaccess redirect! OMFG.

WTF are they talking about? Let's rewind!
What is a DDos attack?

To understand what follows we need to know what a DDoS attack actually is and what the first D stands for: Distributed Denial of Service. In Scraping At The Speed Of Light I mentioned that a connection goes through several states before it is actually established. It's the 3-way handshake that eventually leads to the success or failure of the connection attempt:

  1. You, as the client, tell the host you want to connect to by sending a SYN packet.
  2. The server replies with a SYN-ACK.
  3. You send the ACK back to the server.
  4. … and the connection is established! I love TCP/IP.

A DDoS attack involves a large number of hosts (zombies, usually the remote-controlled machines of innocent users) creating a lot of half-open connections. These connections stop at Step #2: you never send the final ACK back, so the server keeps the pending connection around and waits for you for a short while. This is where the magic happens! By creating a lot of half-open connections you can lock the server down and stop it from accepting new clients, simply by keeping every pending-connection slot the server has busy (this is the classic SYN flood).

It's all a game of numbers. The more zombies you have to attack with, the more damage you do and the longer you keep the host offline.

Lame explanation of half-open connections:

If you were in an apartment building and wanted to visit someone, you would knock on the door, be asked who you are, and then the door would either stay closed or open. This is exactly how it works for connections. But what if you started to knock on every door of the apartment building, said who you are, got the door opened, but never went in? This is how half-open connections work. They knock on every door, are asked in, but never enter. The door stays open for a while so no one else can knock during that time :)
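As an added illustration (not code from the post), here is a small Python check that a defender could run over `netstat -tn` output to count half-open connections, which Linux reports in the SYN_RECV state, per remote /24; the sample lines are constructed and the threshold is an assumption:

```python
"""Count half-open (SYN_RECV) TCP connections per remote /24 from netstat-style
output and flag prefixes that hold many pending slots at once.
Added example; the sample below is constructed, not captured from any real host."""
from collections import Counter
import ipaddress

# Constructed sample of `netstat -tn` output on a Linux web host.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.12:40002     SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.20:44444      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.33:50000        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.21:44445      SYN_RECV
"""


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each tcp/tcp6 connection line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines and anything that is not a TCP socket
        local, remote, state = parts[3], parts[4], parts[5]
        lport = int(local.rsplit(":", 1)[1])
        rip = remote.rsplit(":", 1)[0]
        yield lport, rip, state


def half_open_by_prefix(text, prefixlen=24):
    """Count SYN_RECV entries per (local port, remote network), default /24."""
    counts = Counter()
    for lport, rip, state in parse_netstat(text):
        if state != "SYN_RECV":
            continue
        net = ipaddress.ip_network(f"{rip}/{prefixlen}", strict=False)
        counts[(lport, str(net))] += 1
    return counts


def suspicious_prefixes(text, threshold=3):
    """Return (port, network) pairs holding at least `threshold` half-open slots.
    The threshold is an assumption; tune it to the host's normal SYN_RECV level."""
    return sorted(k for k, n in half_open_by_prefix(text).items() if n >= threshold)
```

On a real host the same parser works on `ss -tn` output if the state spelling (`SYN-RECV`) is adjusted.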

DDoS Version #2 is for the beginners!

Version #2 works differently and is a bit more resource-intensive for the attacker too! You no longer play with half-open connections; you actually establish them. So you open a lot of connections and keep them hanging as long as you can, for example by never sending the HTTP GET request (though a DDoS can hit any open port / IP). Simple!

HTTP is very susceptible to this second method because the server waits for you to say the first thing, and you can keep it waiting for a decent period of time!
Are there other forms of DDos?

There are! Like massive pinging with large packets. I've done this once and it was actually fun. Kept a dialup provider down half-a-day with only 50 zombies. There are others but this is enough for now.

Why can't you slap a DDoS with a .htaccess redirect?

A .htaccess redirect needs a client that is already connected to the server, so that the server can send it a 301 or 302 HTTP code to reroute it. An internal redirect in .htaccess (one without a 301/302) doesn't help either: the client is no longer the one asking for the page; your server, which does the rerouting, is what appears to be requesting the web page from the other site.

Whichever way you look at it, you can't fight a DDoS with a .htaccess redirect, because a real DDoS does not need the connection to be established and has nothing to do with the HTTP protocol.

If you get a Method #2 DDoS attack, a .htaccess redirect will never work either, because following a 301/302 redirect is a voluntary action in the HTTP protocol. So you send the redirect and the new address but … will the zombies follow it? I don't think so!

I'd say 90% of those on the thread are clueless:

I've noticed 1 or 2 members on the thread seem to be aware of what a DDoS attack actually is. Everyone else was starstruck that ELI redirected all his traffic to WhiteHouse.gov … for what? To reroute real traffic? :)

Can you fight a DDos attack?

Not really. It's all done in hardware, and you can only drop connection attempts when they exceed a limit per second (sometimes per IP). That is it. Or you can go offline! Some say a DNS change to point your domain name elsewhere will help, but those who do a DDoS the way it's supposed to be done use IP addresses, not domain names. So … it's not going to work, and it could get you into legal trouble as it shows intent to harm other sites.

When you're DDoS attacked you can only hope your hosting company has a defence set up and treats you nicely.

PS: Looking forward to your feedback!

18 Comments Posted By Readers :

#1 Domen Lombergar from Slovenia web
Posted on Tuesday, 18 March, 2008
Interesting read. I actually didn't know the one about open connections.

I've been to the thread earlier today after they managed to whack-a-mole squirt as well. Pity no one needs to fill a CAPTCHA while DDoS-ing, huh :)?

My hosts have to this day claimed three times that I've been under "heavy DDOS attack" and 3 times out of three the "bad bad hacker" was one of the three major spiders. One host even went so far as to block the whole ip range of google (effectively getting me deindexed on those domains).

PS: Still haven't implemented your trackback solution :)

Cheers,
Domen
#2 5ubliminal web
Posted on Tuesday, 18 March, 2008
You were right to use the " for the "heavy DDOS attack". If your hosting can claim spiders hit it too hard then they do have a problem :)
Blocking IP ranges on DDOS without investigation (at least a WHOIS query) is plain stupid but … how many real specialists do you think work for hosting companies?:) Blocking is the easy way out.

If you have 'technical difficulties' on implementing the Pingback solution let me know. If you need anything cleared out or such…

Regards.
#3 Action Jackson from Germany
Posted on Tuesday, 18 March, 2008
haha! that thread is hilarious! what a bunch of fucking retards ...

that "i'm redirecting the ddos to the whitehouse"-bullshit by eli is funny - but the applause by the rest of those retards ... that's shooting the sit! :)
#4 5ubliminal web
Posted on Tuesday, 18 March, 2008
@AJ: I'm rather afraid that ELI also believes in his theory of .htaccess redirecting DDos attacks as he even 'called his lawyer' about it (LMAO)
Or maybe he's just making fun of them … who knows? Either way … that mob scares me.
#5 Domen Lombergar from Slovenia web
Posted on Tuesday, 18 March, 2008
Nah, basically I want to do it in a semi-automated system - so basically some javascript that would take out the urls automatically and stick it into the "to be pinged" list. Then have it sorted out that it wouldn't be pinging if a non-admin submits a page - so something to go over and work with manual and auto-approval.
#6 phrench from European Union
Posted on Wednesday, 19 March, 2008
When I first discovered the thread at Wickedfire I thought the redirect was useless because the attacking zombies use all the bandwidth to Eli's site anyway. I didn't think of the half-open connections or so.
But in the meantime I think it may be a link bait of Eli. Maybe there never was a ddos? Just:
- make a redirect to fbi.gov
- tell about ddos
- rumors start taking place, kiddies think you're so cool
- post something in the IRC and have it found by somebody: http://www.darkseoprogramming.com/2008/03/15/bluehatseo-goes-down/
- call in kinda contest: http://www.bluehatseo.com/captchas-captchas-captchas/
- again, same blog which "found" the IRC chat is first to take part at the contest: http://www.darkseoprogramming.com/2008/03/18/separating-characters-manually/

... link bait? Maybe... at least well done, if so! Eli's great in thinking outside the box anyway ;-)
#7 DM from Great Britain
Posted on Wednesday, 19 March, 2008
The whole bluehatseo marketing philosophy is about gaining attention then upselling... this is another example. Anyone noticed any vaguely interesting posts since the release of the subscription scheme? It's likely to be attention whoring, and the fanboys are lapping it up lol.
#8 Alex from European Union
Posted on Wednesday, 19 March, 2008
For simple and small ddos attack which tries to get content on port 80, you could use mod_dosevasive which will deliver a plain 404 html site (small and no cpu power used like on php sites) if you got for example 3 hits within a second from one ip _for a given time period_. You could also use fail2ban to watch your apache (and even nearly all other services) and drop the attacker's ip for a given time period via a temp entry in iptables (DROP packets from this ip). But if there is a large attack, you will have to nullroute the target ip by your (backbone-)provider or at least ask them to setup the border routers correctly to handle this attack. It may also depend how "easy" the solution can be on the kind of attack and on the variations of the attack.
#9 ed from United States web
Posted on Wednesday, 19 March, 2008
I started that thread over at WickedFire. Totally missed the stuff about .htaccess further in the thread. I'd assumed he just changed the nameservers or had a redirect done at the registrar.
#10 5ubliminal web
Posted on Wednesday, 19 March, 2008
@ED: Even DNS changes can't help as attacks going for IP addresses have nothing to do with DNS which handles the domain names and the IP those names point to.

@Alex: The 404 method is at least an option and will lower resource consumption. But a serious attack has to be handled in hardware. I don't think software will block it. Software blocks in the computer and will still kill the resources even if the delay before connections are closed is smaller.

@DM: True! I don't care about what he's selling … I ain't buying anyway but it scares me that so many people talk about something they have no idea of and are starstruck at any stupidity someone says. I don't usually read wickedfire but found a link to this thread on a blog. And I was speechless.

@phrench: You might be right! I don't have a 'lie for linkbait' mentality. I'm just 'for real' … that's why my PageRank sucks so badly:)
I also disabled the links to them;)
#11 busin3ss from United States web
Posted on Wednesday, 19 March, 2008
Hello! The attack was against the domain, so changing the DNS would have worked... Anyways, good post... It was an interesting read.
#12 5ubliminal web
Posted on Wednesday, 19 March, 2008
@busin3ss:
Given the way the internet and web servers work, attacking a domain is stupid! Why? Because when you establish a sockets connection you have two options:
- Connect with a domain name and get a delay (noticeable) while DNS resolves the host.
- Connect with the IPv4 (4bytes numerical address) that will not change easily. (The IPv4 is discovered with just one initial resolving of the host)

A 'real' DDos attack (I don't know how those kids carried it out) is done like this:
- Get the IP with an initial DNS query.
- Store it!
- HIT! HIT! HIT! ... hours on end ...
- After a while you can try to update the IP address with a new DNS query but I would keep banging the initial host as they might have changed the DNS to protect themselves.

You can't hit a domain. You can hit a host that hosts that domain and maybe others. You will put all of them out of service during the attack not just the target domain no matter how you do it, using method #1 or #2.
DDos takes a server down not a domain. Of course you can hit DNS servers and take down a lot more than one host ... but this is not meant to be talked about.

And with a HTTP attack it's all in the protocol. You can connect with an IP or host name but when you request the page you specify the domain supposed to deliver it. So you don't care about DNS changes as when the hostname points elsewhere you can use IP to connect and issue the same request.

Regards.
#13 busin3ss from United States web
Posted on Wednesday, 19 March, 2008
Here's a direct quote from the attacker:

i see that he has forwarded his domain to whitehouse.gov once again. the ddos that is currently running, does not go to the new IP(s) if he changes the dns. we've learned from our last mistake. no harm was intended for the whitehouse.gov website. now it has the ability to stay within one IP such as 66.66.66.66, or stay within a range of IPs such as 66.66.66.0/24.

He did DDoS whitehouse.gov until he realized about what he was doing. It's not my fault the attacker is a n00b :)
#14 5ubliminal web
Posted on Wednesday, 19 March, 2008
@busin3ss: I think this is all fraud but bear with me. There are few methods to redirect in .htaccess:
- 301/302 - Which issues a HTTP Redirect code to send visitor away. (Visitor will follow only if he wants to!) and will be visiting the remote host with its own IP.
- Internal Redirect - Traffic is rerouted but, to the remote server (whitehouse) the visitor appears to be bluehatseo.com, not the attacker. The .htaccess redirected domain becomes a tunnel.

None of the two versions stick to a DDos attack. A DDos attack tool will NEVER follow redirects unless it uses IE's IWebBrowser2 to hit the page which … not even a retard would do as it would mean using the IE browser to visit pages which will never generate a DDos attack.
ELI said he did not make a DNS redirect as that would have been a legal issue so a .htaccess would NEVER redirect. NEVER!

I'm not bashing you here or anything, just don't go defending people who have no idea what they are talking about. It's not the best way to go. I've been coding TCP/IP for over 7 years now, I have a good idea on how it works and how DDos is done. (I don't say I've ever done it ;))

If you ask me, ELI lies, it's all linkbait and the 'attacker' is a stooge. OVER!
PS: I think they saw the Hackers series and came up with a linkbaity story. Pathetic and insulting for those who know that, in order to break a password, you don't type OVERRIDE like in movies.
#15 Eli from United States web
Posted on Thursday, 20 March, 2008
You're all wrong. The initial requests were standard TCP GET requests not packet requests. That way they can pull all the pages on the site (crawl style). The attack was forwarding when I forwarded the dns. However when I reported it I changed it to a standard 302 redirect. The attacks weren't actually returning the content just requesting it. So while the dns forward worked while they were attacking the domain and specific pages of the site any redirects wouldn't work because they weren't actually returning any headers of the pages. I posted saying the 302 was working to find out how much the attackers knew about their own attack to determine if it was a leased attack or they were producing it themselves. They thought the 302 was working to redirect the attack so now I know it was a hired attack rather than them doing it themselves. Gotta know what your target is before you can attack anyone. :)

But thanks for the load of confidence, I hope you never get attacked. You may know what's happening but you're going to be clueless on how to catch them.
#16 5ubliminal web
Posted on Thursday, 20 March, 2008
I'd have to say linkbait floats everywhere … so who knows … but those who 'might' have done it are major noobs. Script kiddies!

Protecting against a page request flood attack is easy and can be done in the source code of the site should one care.
Keep the visiting IPs in the database and then compute the number of times each (C-Class) has hit you in the past … minute.
And the offenders can get a 500 directly. This will not stop them but will keep your damage to a minimum.

I guess I'll have to write a real DDos tutorial here because actually visiting pages to create a DDos attack is a brute force noobish method which I assume was coded by some VB:) scripters. Half-open connections or hanging connections are a sign of finesse, but can only be used by those who master the protocols.

PS: You haven't added anything to your site in quite a while. I'd say DM's comment on upselling is not wrong at all and this entire thing would make great linkbait;)
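An added example (not 5ubliminal's or ELI's code) of the per-C-class counter described in the comment above: a sliding-window limiter keyed by the client's /24 that answers 500 once a prefix passes a per-minute limit. The limit, window and access pattern are assumptions:

```python
"""Sliding-window hit counter keyed by the client's /24 (the "C-Class" in the
comment), answering 500 to prefixes that exceed a per-minute limit.
Added example; the limits and the simulated traffic are assumptions."""
from collections import defaultdict, deque
import ipaddress


class PrefixRateLimiter:
    def __init__(self, limit=120, window=60.0, prefixlen=24):
        self.limit = limit            # hits allowed per prefix per window
        self.window = window          # window length in seconds
        self.prefixlen = prefixlen    # /24 groups a whole "C-Class" together
        self.hits = defaultdict(deque)  # prefix -> timestamps of recent hits

    def prefix_of(self, ip):
        """Map a client address to its /24 network, e.g. 10.1.2.3 -> 10.1.2.0/24."""
        return str(ipaddress.ip_network(f"{ip}/{self.prefixlen}", strict=False))

    def status_for(self, ip, now):
        """Record one hit at time `now` and return the HTTP status to answer with.
        The comment proposes 500; 429 or 503 would be the conventional choice."""
        key = self.prefix_of(ip)
        q = self.hits[key]
        q.append(now)
        # Forget hits that have fallen out of the window so a prefix recovers.
        while q and now - q[0] > self.window:
            q.popleft()
        return 500 if len(q) > self.limit else 200


def simulate():
    """Constructed pattern: one /24 fires 150 requests in 30 s from rotating
    addresses, while an unrelated address makes a single request."""
    rl = PrefixRateLimiter(limit=100, window=60.0)
    flood = [rl.status_for(f"198.51.100.{i % 250 + 1}", 0.2 * i) for i in range(150)]
    bystander = rl.status_for("203.0.113.5", 29.0)
    return flood, bystander


def recovers_after_window():
    """Show that a prefix is served again once its hits age out of the window."""
    rl = PrefixRateLimiter(limit=1, window=10.0)
    rl.status_for("192.0.2.1", 0.0)
    blocked = rl.status_for("192.0.2.2", 1.0)     # second hit inside the window
    allowed = rl.status_for("192.0.2.3", 20.0)    # both earlier hits expired
    return blocked, allowed
```

Rotating source addresses inside the same /24 do not evade the limit, which is the point of keying on the prefix rather than on the single IP.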
#17 Eli from United States web
Posted on Thursday, 20 March, 2008
I'm sure it would make great linkbait but I openly swore on the blog over a year ago that I will never do linkbait. Cynicism for motives will never quit. It's just a blog, nothing more. No one should ever take it any more seriously than I do.
#18 5ubliminal web
Posted on Thursday, 20 March, 2008
@ELI: I get what you mean but I'm somehow good with words and:
"No one should ever take it (bluehatseo.com blog) any more seriously than I do."
Is not really nice, reassuring or encouraging in anyway. I bet you have many subscribers to your blog's feed that do take it seriously and should be treated accordingly.

Regards.
5ubliminal's TellinYa.com SEM & SEO Blog © 2007 - All rights reserved unless mentioned otherwise .