Forum Discussion

Connect_Admin_1's avatar
Connect_Admin_1
Icon for Nimbostratus rankNimbostratus
Jul 24, 2011

DDOS Attack and our LTM 6400

Our website is under a pretty heavy DDOS attack. Ive been through the startup process, and we are able to limit the open connections, however what we are finding is that it's still limiting legitimate connections as well.

 

 

It was recommended that I come here and bring this up with the pro's. We are looking for a way to scan and stop the obvious offending inbound traffic based threshold level of connections.

 

 

 

Currently the webserver is on an inside interface of a sonicwall UTM with the 6400 on an outside interface between the sonicwall, and our carriers adtran.

 

 

 

Any input is appreciated, and suggestions welcome.

 

 

 

 

 

security

2 Replies

Sort By
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jul 24, 2011
    OK.

     

     

    Have you grid moving the page that the offending traffic is visiting with a simple redirect to a new location? Generally automated DDOS attacks won't follow the redirect... Of course when they do, you'll need to do something else (A small static page with a meta refresh to a new location perhaps?).

     

     

    Also severely cutback the amount of idle time that open connections can stay connected. Browsers won't care, although it will probably increase your connection rate...

     

     

    H
  • David_Holmes_9's avatar
    David_Holmes_9
    Historic F5 Account
    Jul 26, 2011

    Hi,

     

     

    Are you still under attack?

     

    Are you able to classify the attack traffic?

     

    Is it all layer 7 (HTTP), or are you receiving layer 4 attacks (syn-floods, etc) as well?

     

     

    I ask for two reasons:

     

     

    1. The nature of the attacks will determine the response and

     

    2. I'm collecting data about DDOS attacks for future defenses.

     

     

    Thanks