Using Syspeace against DDoS attacks for sysadmin
Essentially, a DDoS attack is about overloading a server with massive amounts of traffic, making it unreachable for the services it is supposed to provide.
This can be accomplished in numerous ways.
If, for instance, 10 000 computers in a botnet are directed at downloading a specific image or file from a public website without a login, Syspeace would not be the tool for you. Not at the moment anyway.
Syspeace is designed to monitor failed login attempts and handle them according to custom rules, protecting your Windows servers by completely blocking the attacking address in the local firewall. The block covers all ports, so if you have other services running on the same server, those would also be blocked for the attacker.
DOS/DDoS-attacks and how Syspeace would react
The two different methods in the brute force/dictionary attack department would be the following:
Single login attempt method
If the same 10 000 computers try to log in to your server (an Exchange web login, RDS/Terminal Server, SharePoint, Citrix and so on) with a brute force/dictionary attack, the server would stop responding due to the overload on CPU/RAM, and the network would also be saturated.
If each of these 10 000 computers only tries to log in once, Syspeace would not react, since catching them would mean blocking every IP address at its first failed login, which would prevent anyone from logging in.
If you're a hosting provider or outsourcing provider and you have a number of customers at static IP addresses, you could whitelist the customers' IP addresses and set up a Syspeace rule to block at one failed login, and in that manner have the attacks partially handled by Syspeace.
However, if you are a cloud service provider this will not work in practice, since your customers could be coming from any IP address anywhere.
Multiple login attempt method
The second method would be to have each of these 10 000 computers constantly trying to log in multiple times; such an attack would be blocked by Syspeace.
Bear in mind, though, that this would not stop the network from being flooded, but it would help protect your server from crashing due to overloaded CPU/RAM, and it would buy you time to contact your ISP and see if they can help you mitigate the attack (with specific tools or by increasing your bandwidth, for instance).
To a certain extent, the Syspeace Global Blacklist would probably also have you preemptively protected against some of the IP addresses already attacking you.
If you don't have Syspeace at all, it's not unlikely that you'll also have a lot of user accounts locked out if you're trying to use lockout policies.
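To make the difference between the two methods concrete, here is an added example (not Syspeace's own code) of a sliding-window rule of the kind described above: block a source address once it produces a set number of failed logins within a time window, unless it sits in a whitelisted customer network. The threshold, window, whitelist and the sample events (a small botnet in the TEST-NET-3 range, a customer in 198.51.100.0/24) are all constructed for the illustration; the `netsh advfirewall` command text shows what an all-ports inbound block of one address looks like on Windows Firewall, but the rule name is an assumption.

```python
"""Threshold-based failed-login blocking, modelled on the behaviour the
article attributes to Syspeace.  Illustration only: rule parameters,
event samples and rule names are assumptions, not Syspeace's own code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class FailedLoginBlocker:
    """Block a source IP once it produces `threshold` failed logins inside
    `window_seconds`, unless the IP lies in a whitelisted network."""

    def __init__(self, threshold, window_seconds, whitelist=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.whitelist = [ip_network(n) for n in whitelist]
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                     # ip -> time the block was applied

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_failure(self, ip, when):
        """Feed one failed-login event; return True if it triggers a block."""
        if ip in self.blocked or self.is_whitelisted(ip):
            return False
        recent = self._failures[ip]
        recent.append(when)
        # Drop failures that have fallen out of the sliding window.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[ip] = when
            return True
        return False


def firewall_rule_command(ip):
    """Windows Firewall rule text that blocks every inbound port from `ip`
    (netsh advfirewall syntax; the rule name is an assumption)."""
    return (f'netsh advfirewall firewall add rule name="Blocked {ip}" '
            f'dir=in action=block remoteip={ip}')


def simulate(events, threshold, window_seconds, whitelist=()):
    """Run (timestamp, ip) events through the rule; return the blocked IPs, sorted."""
    blocker = FailedLoginBlocker(threshold, window_seconds, whitelist)
    for when, ip in events:
        blocker.record_failure(ip, when)
    return sorted(blocker.blocked)


# --- constructed sample events ---------------------------------------------
T0 = datetime(2024, 1, 1, 12, 0, 0)
BOTNET = [f"203.0.113.{i}" for i in range(1, 51)]   # 50 bots, TEST-NET-3 range
CUSTOMER_NET = "198.51.100.0/24"                      # a hosting customer's static range

# Single login attempt method: every bot tries exactly once, one second apart,
# plus one customer who mistypes a password twice.
SINGLE_ATTEMPT = [(T0 + timedelta(seconds=i), ip) for i, ip in enumerate(BOTNET)]
SINGLE_ATTEMPT += [(T0 + timedelta(seconds=5), "198.51.100.7"),
                   (T0 + timedelta(seconds=9), "198.51.100.7")]

# Multiple login attempt method: five bots each hammer the login five times
# within a few seconds.
MULTI_ATTEMPT = [(T0 + timedelta(seconds=i * 6 + k), ip)
                 for i, ip in enumerate(BOTNET[:5]) for k in range(5)]

if __name__ == "__main__":
    # Ordinary rule (3 failures in 60 s): single attempts per bot slip through.
    print("single-attempt, threshold 3:", simulate(SINGLE_ATTEMPT, 3, 60))
    # Hosting-provider rule: block at first failure, customers whitelisted.
    blocked = simulate(SINGLE_ATTEMPT, 1, 60, [CUSTOMER_NET])
    print("single-attempt, threshold 1 + whitelist:", len(blocked), "blocked")
    # Repeated attempts from the same address are caught by the ordinary rule.
    for ip in simulate(MULTI_ATTEMPT, 3, 60):
        print(firewall_rule_command(ip))
```

Run with the ordinary rule, the single-attempt botnet produces no blocks at all, which is the point of the first method; only the whitelist-plus-threshold-one rule catches it, and then only because the customer range is known in advance. The multi-attempt botnet is blocked by the ordinary rule after each bot's third failure, and every remaining attempt from that address is dropped at the firewall regardless of port.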