3

My services were attacked by what appears to be a botnet of quite a large number of computers. Since all my servers have additional IPs, and my hosting provider lets me null-route my IP addresses to mitigate a DDoS attack by a single click in the web control panel on their site, I need some heads up on what are the steps for me to ensure that while the primary IP of a server is nulled, the server can be accessed via the other IP? Those are ubuntu servers.

  • Where do I configure the the additional IPs in Ubuntu?

  • Do I need to setup the additional IPs as "A" records in the DNS?

  • Any downtime expected when null-routing and is there anything more I need to do?

Regards!

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
Albert
  • 31
  • 2
  • Why do you believe they'll leave the new IPs alone? – ceejayoz Jun 09 '13 at 12:12
  • I actually do not, and I understand this as well might become a cat and mouse game. However, since I can not afford to pay for professional DDoS protection due to the hundreds of terabytes of clean traffic that I will need, I believe that if the attacker is not monitoring the attack closely, it may help me stay online longer, with less hassle. – Albert Jun 09 '13 at 12:38
  • CloudFlare's professional DDoS protection is something like $20/month (because of their economies of scale) - have you considered them? – ceejayoz Jun 09 '13 at 13:54

1 Answers1

2

If you null route an IP, obviously any traffic to that IP will become unrouteable. However, that does not extend to any other IP. Therefore, yes, even if that IP is on the same interface as some other IPs, if you are actually null-routing it, only that IP will be affected. Essentially, the process just publishes a route like

192.0.2.14/32 via 0.0.0.0 metric 1

So, you need to ensure that your service can still be accessed without this IP.

DNS usually has an average convergence time of at least half the TTL set on your records. Consequently, if the TTL is long, caching nameservers and clients may remember and continue to use (or hand out, as the case may be) the null-routed IP. For this reason, you are likely to experience at least some downtime, but only respecting some hosts, and only if those hosts don't immediately try other IP addresses if the one chosen via RR doesn't get them connected to you.

Since it sounds like your other IP addresses aren't already in DNS for your hostname, yes, you do need to put them there (as A records), and yes, you will experience downtime as the change propagates.

Bear also in mind that, as mentioned in the comments to your question, the attacker will then trivially be able to discover your new address and attack that too (or instead).

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92