The web is now so fast that it’s impossible to block all the threats in real time manually. Your business needs fast intelligence and swift response from a parasite DDoS attack. That’s why you need to block them with a grey list.

A parasite leeching all the vital bandwidth from a man
A parasite leeching all the vital bandwidth from a man

Grey list parasites opening http connections too fast

IIS and Nginx both offer good rate-limiting features that are well documented. These features lack a way to temporarily ban parasites participating in a DDoS attack. This is where grey listing comes handy.

What is grey listing?

This list will update itself automatically and will look for DDoS anomalies. Once an ip address is found suspicious it will be temporarily ban for 15 minutes.

Without grey listing

We can observe that the DDoS parasite quickly abused the victim bandwidth at 600 Mbps. If no one notice it will consume 195 Tbytes of bandwidth during the month.

Graph showing result of parasite DDoS attack leeching all the bandwidth

With grey listing

We can observe that the server quickly block the Parasite DDoS attack in less than 5 seconds.

Graph showing results of server blocking the parasite DDoS attack

Grey listing advantage

The main advantage is the automatic ban of the DDoS parasites. There is no need for human to interact with the systems once the configuration is done. You can also catch crazy script polling your website too fast.

Grey listing disadvantage

The biggest issue is to configure it!

How to configure it?

There are many ways to achieve this task and we will describe a common way with linux.

  1. You create an ipset list call greylist with a timeout of 15 minutes.
  2. You insert a new rule on top of your firewall ruleset which will block all traffic coming from the greylist.
  3. You then bind a set of firewall rules on port 80 and 443 with a thresholds of 100 new connections per second.

If an ip address goes faster than 100 new connections per second, then this ip will be added to the greylist. The greylist will drop all communications coming from the ip addresses and it will expire the parasites after 15 minutes. We include a template script fw-greylist.sh to help you get started in the world of grey listing.

Need help to implement a grey list?

It’s important to have your grey list ready before the attack. You need to prepare your business now to survive against DDoS attacks. We can help you implement grey lists in case you need it. Please write to us for the details info@ddostest.me.

How to protect your business against parasite DDoS attack