Breakdown of DDOS Attack Prevention
#11
Slowloris / GET flood (HTTP flood) = site level (needs a response from the HTTPD)
SYN flood = server level (needs the server to accept the SYN and send a SYN-ACK)
UDP / ping flood = router level (connectionless; spams the router without needing a reply from the server)

Am I close?

And all of them would be router level with a big enough botnet?
#12
Slowloris is more complicated than simple GET commands. It opens the HTTP connection but doesn't ever close it. What you describe is a simple httpd flood, which is mostly easily blocked.

SYN floods are normally easy to stop too if you have a capable sysadmin. 99% of the attacks I have seen had a pattern that was recognizable enough for me to block them at server level.

UDP/ping are funny, since these are services you can normally just turn off or reroute. You can just do DNS mirrors or round-robin DNS to avoid large botnet attacks. DNS service can easily be moved to a host offering good DDoS protection at a fairly reasonable price too.

Ping flood is just a complete waste of everyone's time.

Everything can be stopped at router level, but the risk of false positives grows. Best to use all 3 protection layers appropriately.
Superman I am here to rescue you.
This is Support Forums not Support PMs.  Do not PM me for support unless it's private and site related.
#13
(08-25-2010, 11:16 PM)Omniscient Wrote: Slowloris is more complicated than simple GET commands. It opens the HTTP connection but doesn't ever close it. What you describe is a simple httpd flood, which is mostly easily blocked.

SYN floods are normally easy to stop too if you have a capable sysadmin. 99% of the attacks I have seen had a pattern that was recognizable enough for me to block them at server level.

UDP/ping are funny, since these are services you can normally just turn off or reroute. You can just do DNS mirrors or round-robin DNS to avoid large botnet attacks. DNS service can easily be moved to a host offering good DDoS protection at a fairly reasonable price too.

Ping flood is just a complete waste of everyone's time.

Everything can be stopped at router level, but the risk of false positives grows. Best to use all 3 protection layers appropriately.
Yeah, a few datacenters have Ciscos and other HWFW routers. You have to pay loads, but I did once and it was worth having the access ^^.

My site mainly gets hit by GET floods on heavier pages (the occasional Slowloris). HTTP floods I just block with a PHP script that adds "spamming" IPs to the .htaccess block list. Slowloris I haven't figured out yet; since instead of spamming it holds connections, I can't find a rule to detect it. Surprised Apache hasn't done something about it yet.
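The two posts above describe the two HTTP-layer cases: Omniscient's point that Slowloris opens connections and never closes them, and the reply that GET floods get blocked by a PHP script feeding offending IPs into the .htaccess block list while Slowloris leaves nothing obvious to match on. As an added example (not code from either poster), here is a Python sketch of both checks: a per-IP sliding-window request count over Apache combined-format access-log lines for the GET flood, and a per-IP count of ESTABLISHED connections to the HTTP port taken from connection-table output for the Slowloris case, with the hits rendered as Apache 2.2 "Deny from" lines. The log lines and connection-table lines are constructed, the column layout of ss -tn output is assumed, and the thresholds are illustrative only.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log line: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Connection-table line in the shape of `ss -tn` output (assumed layout):
# State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
CONN_RE = re.compile(r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)')


def parse_access_log(lines):
    """Yield (ip, timestamp) for each well-formed combined-format line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def get_flood_offenders(lines, window_s=10, threshold=20):
    """IPs that exceeded `threshold` requests inside any `window_s`-second window.

    One sliding window per IP; entries are processed in time order so a burst
    is caught regardless of how the log lines are interleaved.
    """
    recent = defaultdict(deque)
    offenders = set()
    for ip, ts in sorted(parse_access_log(lines), key=lambda t: t[1]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            offenders.add(ip)
    return offenders


def slowloris_suspects(conn_lines, port=80, max_conns=30):
    """IPs holding more than `max_conns` ESTABLISHED connections to `port`.

    Slowloris keeps many connections open and never completes a request, so it
    shows up in the connection table, not in the access log (Apache only logs a
    request once it has been read in full).
    """
    per_ip = Counter()
    for line in conn_lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        state, _local, lport, peer, _pport = m.groups()
        if state == "ESTAB" and int(lport) == port:
            per_ip[peer] += 1
    return {ip for ip, n in per_ip.items() if n > max_conns}


def htaccess_rules(ips):
    """Render Apache 2.2 mod_access deny lines for the given IPs (sorted for stable output)."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(ips))


# --- constructed sample data, not real traffic -----------------------------
def _log_line(ip, second, path="/index.php"):
    base = datetime(2010, 8, 25, 23, 16, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=second)).strftime(TIME_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    [_log_line("198.51.100.7", s // 5) for s in range(25)]   # 25 requests in 5 s: flood
    + [_log_line("203.0.113.9", s * 4) for s in range(6)]    # 6 requests in 20 s: normal
    + [_log_line("192.0.2.44", 3, "/forum.php")]             # a single request
)

SAMPLE_CONNS = (
    ["ESTAB 0 0 203.0.113.5:80 198.51.100.23:%d" % (40000 + i) for i in range(35)]  # 35 held open
    + ["ESTAB 0 0 203.0.113.5:80 192.0.2.44:51234",
       "ESTAB 0 0 203.0.113.5:443 198.51.100.23:52000",     # other port: not counted
       "TIME-WAIT 0 0 203.0.113.5:80 198.51.100.23:52001"]  # not ESTAB: not counted
)

if __name__ == "__main__":
    bad = get_flood_offenders(SAMPLE_LOG) | slowloris_suspects(SAMPLE_CONNS)
    print(htaccess_rules(bad))
```

Treat the connection-count threshold with care: many users behind one NAT legitimately share an address, which is exactly the false-positive risk that grows the further out you push blocking. Apache's own answer to the slow-header technique is mod_reqtimeout (the RequestReadTimeout directive), which drops connections whose headers are not delivered within a time and minimum-rate budget.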
#14
Thanks for this info, but I really wanted to know more about this.
#15
Is there any way to prevent DDoS attacks from say, XBL? (People trying to host boot)
#16
Thanks for the information, my knowledge is enriched.
#17
Can you please tell me if there is any anti-DDoSer code?
#18
This is very helpful information. I'm not very knowledgeable when it comes to DDoS attacks and I've always wondered, why is it that some websites are harder to DDoS than others? Government websites, for example. Is it just that they know how to deal with them better and quicker than most people?

Sorry if it sounds like a dumb question...
#19
This was very useful and helpful for me :)

Omni is GoD
#20
This is broken down greatly, actually. I always figured it wouldn't be as simply said as Omni has shown.
I use round robin for my servers, and although I don't receive attacks like Omni does, it does just fine.