  1. #1

    Server getting UDP DDoS attacked. Advice?

    I have a dedicated (cpanel) server used for web hosting and have recently been getting UDP flood attacked (DDoS). The attacks are following a trend of lasting pretty close to 1.5 hours per attack.

    The following is an example of what floods my 'messages' log (* = censored):
    Oct 15 22:38:27 * kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=* SRC=121.96.59.110 DST=*.203 LEN=826 TOS=0x00 PREC=0x00 TTL=120 ID=16928 PROTO=UDP SPT=19 DPT=50593 LEN=1221

    The server has a 100Mb connection and the attacks use up all of it. (See this graph http://i.imgur.com/umAhPxC.png )

    I have multiple IPs on the server and all the firewall messages say the destination is only one of them. Are the attacks targeting a specific domain using that IP, or are they targeting the IP itself? If it's the IP could I just move all accounts on that IP to a different one (ex: *.204) then ask my provider to temporarily remove the attacked IP from the server?

    Basically, what can I do to stop this attack from affecting my server?
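    An added example, not part of the original post or of any of the replies: a small Python script that answers this post's questions from the kernel firewall lines themselves. It parses the same `*UDP_IN Blocked*` format shown above, counts packets per destination IP (is one IP the target?), lists the distinct source IPs per destination (is it a handful of sources a provider could filter?), tallies source and destination ports, and estimates the logged bandwidth against the 100Mb link. The host name, addresses and packet counts in `SAMPLE_LOG` are constructed (RFC 5737 documentation ranges), and the thresholds in `assess()` are assumptions chosen for illustration. Note that nothing in these lines names a domain: UDP carries no hostname, so the log can only ever identify the IP and ports.

```python
"""Aggregate kernel firewall *UDP_IN Blocked* lines to characterise a UDP flood."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the post's 'messages' format (documentation addresses, not
# real traffic). One *TCP_IN* line is included to show that it is ignored.
SAMPLE_LOG = """\
Oct 15 22:38:27 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.203 LEN=826 TOS=0x00 PREC=0x00 TTL=120 ID=16928 PROTO=UDP SPT=19 DPT=50593 LEN=1221
Oct 15 22:38:27 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.203 LEN=826 TOS=0x00 PREC=0x00 TTL=120 ID=16929 PROTO=UDP SPT=19 DPT=50593 LEN=1221
Oct 15 22:38:28 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.203 LEN=826 TOS=0x00 PREC=0x00 TTL=54 ID=2211 PROTO=UDP SPT=19 DPT=50593 LEN=1221
Oct 15 22:38:28 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.203 LEN=826 TOS=0x00 PREC=0x00 TTL=120 ID=16930 PROTO=UDP SPT=19 DPT=50593 LEN=1221
Oct 15 22:38:29 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.204 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4411 DF PROTO=TCP SPT=44012 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 15 22:38:29 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.203 LEN=826 TOS=0x00 PREC=0x00 TTL=54 ID=2212 PROTO=UDP SPT=19 DPT=50593 LEN=1221
Oct 15 22:38:29 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.203 LEN=826 TOS=0x00 PREC=0x00 TTL=120 ID=16931 PROTO=UDP SPT=19 DPT=50593 LEN=1221
"""

# Only UDP_IN lines are of interest; the first LEN= is the IP total length (bytes on the
# wire), the second LEN= after DPT= is the UDP header's own length field and is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Firewall: \*UDP_IN Blocked\* "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) "
    r".*?PROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields of one UDP_IN log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "src": m["src"], "dst": m["dst"], "len": int(m["len"]),
        "spt": int(m["spt"]), "dpt": int(m["dpt"]),
    }


def summarize(log_text):
    """Counters per destination, distinct sources per destination, ports, and rate."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not records:
        return None
    srcs_per_dst = defaultdict(set)
    for r in records:
        srcs_per_dst[r["dst"]].add(r["src"])
    first = min(r["ts"] for r in records)
    last = max(r["ts"] for r in records)
    seconds = max((last - first).total_seconds(), 1.0)  # avoid dividing by zero
    total_bytes = sum(r["len"] for r in records)
    return {
        "packets": len(records),
        "per_dst": Counter(r["dst"] for r in records),
        "sources_per_dst": {d: sorted(s) for d, s in srcs_per_dst.items()},
        "dports": Counter(r["dpt"] for r in records),
        "sports": Counter(r["spt"] for r in records),
        "seconds": seconds,
        "mbps": total_bytes * 8 / seconds / 1e6,
    }


def assess(summary, link_mbps=100.0):
    """Turn the counters into the answers the thread asks for (thresholds are assumptions)."""
    dst, hits = summary["per_dst"].most_common(1)[0]
    sources = summary["sources_per_dst"][dst]
    spt, spt_hits = summary["sports"].most_common(1)[0]
    return {
        "target_ip": dst,
        "single_ip_target": hits / summary["packets"] >= 0.9,
        "source_count": len(sources),
        "few_sources": len(sources) <= 5,  # cheap for a provider to ACL upstream
        "top_sport": spt,
        # A fixed well-known source port on nearly every packet (19 is chargen here)
        # points at reflected traffic rather than direct clients.
        "reflected_looking": spt < 1024 and spt_hits / summary["packets"] >= 0.9,
        # The kernel only logs what reached the host, and CSF/iptables logging is
        # rate-limited, so this is a lower bound; a saturated uplink drops the rest.
        "logged_mbps": round(summary["mbps"], 3),
        "link_saturated_by_logged": summary["mbps"] >= link_mbps * 0.9,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, value in assess(s).items():
        print(f"{key}: {value}")
```

    Run it against the real file (`summarize(open("/var/log/messages").read())`) during an attack window; the interesting outputs are `single_ip_target`, `source_count` and `top_sport`, which are exactly the facts a provider needs to decide between an ACL on a few sources and a null route of the destination IP.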

  2. #2
    Quote Originally Posted by FLCLFan View Post
    I have multiple IPs on the server and all the firewall messages say the destination is only one of them. Are the attacks targeting a specific domain using that IP, or are they targeting the IP itself? If it's the IP could I just move all accounts on that IP to a different one (ex: *.204) then ask my provider to temporarily remove the attacked IP from the server?

    Basically, what can I do to stop this attack from affecting my server?
    Correct, given it's saturating your uplink you cannot do anything server side about it. You can ask your provider to null route the IP that's being affected or see if they can ACL the attack (it's likely only coming from one or two sources).

  3. #3
    If you don't need UDP, ask your provider to drop all UDP packets targeting your IP. However, if attackers are determined, they'll change the type of attack once UDP flood has no effect, so a remote DDoS protected proxy is definitely a better solution.

  4. #4
    Get Apache status update from command line to see which domain is receiving maximum hits:

    lynx http://localhost/whm-server-status

    OR

    httpd fullstatus |more

    That will help you identify the target of attack

  5. #5
    Quote Originally Posted by supportexpertz View Post
    Get Apache status update from command line to see which domain is receiving maximum hits:

    lynx http://localhost/whm-server-status

    OR

    httpd fullstatus |more

    That will help you identify the target of attack
    How does apache detect UDP floods?

    Francisco

  6. #6
    Quote Originally Posted by FLCLFan View Post
    I have multiple IPs on the server and all the firewall messages say the destination is only one of them. Are the attacks targeting a specific domain using that IP, or are they targeting the IP itself? If it's the IP could I just move all accounts on that IP to a different one (ex: *.204) then ask my provider to temporarily remove the attacked IP from the server?
    If you simply swap IPs, I'm sure the attacker will figure that out in no time.

    The server is used for web hosting - are you or one of your clients receiving the attack? If a client, you can suggest they host within a DDoS Protected network or employ a proxy solution.

    Quote Originally Posted by Scott.Mc View Post
    Correct, given it's saturating your uplink you cannot do anything server side about it. You can ask your provider to null route the IP that's being affected or see if they can ACL the attack (it's likely only coming from one or two sources).
    Thumbs up. Try to work with your provider.

  7. #7
    Are you running anything on UDP/50593?

  8. #8
    If the UDP flood is saturating your uplink, there isn't any other way than moving to a protected network, by either getting a server inside a DDoS protected datacenter or by looking for a remote DDoS protection. You can try the free CloudFlare plan, they should be able to block UDP floods. And as @Scott.Mc suggested, you should first ask your provider if he can disable UDP for your IP.

  9. #9
    Even if provider blocks UDP, there are plenty of other attack types. UDP is just the most bandwidth-eating one.
    Better go with a ddos protection provider.

  10. #10
    Quote Originally Posted by Vex76 View Post
    Even if provider blocks UDP, there are plenty of other attack types. UDP is just the most bandwidth-eating one.
    Better go with a ddos protection provider.
    Agreed, as time goes on providers are going to have to start mitigating these types of attacks. Especially these types, as not only are they very simple to launch, they are also very simple to detect and filter. Forcing your customers to leave for another network because you are incapable of handling basic floods won't be the general line in a few years once providers start realizing lots and lots of their customers are having to leave, even your larger ones, all because of some very tiny attack.

    I think you will always have specialized DDoS mitigation providers but for the overwhelming majority all providers are eventually going to have to have tools and measures in place to deal with them. The current level of automation amongst most of them is auto null routing, which most of the mid-sized places are likely firing out several times per day, all of which equal potential unhappy customers.

    For us specifically, customers only really come to us when they are having issues and they need them to go away. In the case of DDoS it irritates me when we are having to move entire customers' environments simply because the provider is incapable of dealing with basic floods (key note: basic floods), and it puts a dim light on that particular provider to the extent we'd never consider them when speccing locations for customers.

    Many of the providers' thought process is they'd rather lose that ~5 server customer as it won't have much effect on them. As a side bit of irony, two of our largest customers, that have going on 800 systems between them, both came from tiny 1 hour ($100) jobs we did for individuals that then became staff at the new places and recommended us (both of them are unrelated, don't know each other, too). Point being you just don't know what future business you are throwing away, all because they don't have the capacity to handle basic floods (from a handful of sources); again we are not talking about more complicated (if you can call them that) attacks.

  11. #11
    Quote Originally Posted by RobertJP View Post
    If you simply swap IPs, I'm sure the attacker will figure that out in no time.

    The server is used for web hosting - are you or one of your clients receiving the attack? If a client, you can suggest they host within a DDoS Protected network or employ a proxy solution.
    The logs I've looked at don't show any specific domain being targeted; just the main shared IP. But maybe I'm looking in the wrong places?

    Quote Originally Posted by infinitnet View Post
    If the UDP flood is saturating your uplink, there isn't any other way than moving to a protected network, by either getting a server inside a DDoS protected datacenter or by looking for a remote DDoS protection. You can try the free CloudFlare plan, they should be able to block UDP floods. And as @Scott.Mc suggested, you should first ask your provider if he can disable UDP for your IP.
    Can cloudflare protect against attacks directed at an IP? I thought they were only for domains.

    Also isn't UDP needed for things like DNS?

    Quote Originally Posted by IRCCo Jeff View Post
    Are you running anything on UDP/50593?
    Nope.

    Quote Originally Posted by Scott.Mc View Post
    Agreed, as time goes on providers are going to have to start mitigating these types of attacks. Especially these types, as not only are they very simple to launch, they are also very simple to detect and filter. Forcing your customers to leave for another network because you are incapable of handling basic floods won't be the general line in a few years once providers start realizing lots and lots of their customers are having to leave, even your larger ones, all because of some very tiny attack.

    I think you will always have specialized DDoS mitigation providers but for the overwhelming majority all providers are eventually going to have to have tools and measures in place to deal with them. The current level of automation amongst most of them is auto null routing, which most of the mid-sized places are likely firing out several times per day, all of which equal potential unhappy customers.

    For us specifically, customers only really come to us when they are having issues and they need them to go away. In the case of DDoS it irritates me when we are having to move entire customers' environments simply because the provider is incapable of dealing with basic floods (key note: basic floods), and it puts a dim light on that particular provider to the extent we'd never consider them when speccing locations for customers.

    Many of the providers' thought process is they'd rather lose that ~5 server customer as it won't have much effect on them. As a side bit of irony, two of our largest customers, that have going on 800 systems between them, both came from tiny 1 hour ($100) jobs we did for individuals that then became staff at the new places and recommended us (both of them are unrelated, don't know each other, too). Point being you just don't know what future business you are throwing away, all because they don't have the capacity to handle basic floods (from a handful of sources); again we are not talking about more complicated (if you can call them that) attacks.
    I agree, but my provider (honelive) is a budget one; the servers are spec'ed pretty well and they're the cheapest I've seen for what you get. Their support is usually pretty slow and their usual policy is to disconnect servers if they are being hit with a DDoS. I expect very little in terms of working with them on the issue, and the solution to this problem is solely my own if I don't want the server unplugged.

    Moving to a better provider is also not a solution unless the other provider is comparable in price and server specs.

    My current plan of action, if the attacks continue, is to move all accounts from the affected IP to a different one, then have the IP null routed and see if that helps.

  12. #12
    Sounds like everyone here needs a provider that offers external BGP to customers, accepts smaller than /24 subnets (obviously), private AS and blackhole communities or even BGP flow specs.

  13. #13
    Quote Originally Posted by FLCLFan View Post
    Can cloudflare protect against attacks directed at an IP? I thought they were only for domains.

    Also isn't UDP needed for things like DNS?
    You're right, they only offer proxying and no tunneling, so you can only protect domains with them. There are other providers who offer tunneling for other services as well though.

    Also, it's normal that you can't find out which domain was the target in the case of a UDP flood, as it's a network layer flood. You won't know the target domain of the attack until you have separated all your domains from each other (each on a different IP, I mean) and then wait until they attack. The other option would be to protect all of your domains and/or use a tunnel.

  14. #14
    My current plan of action, if the attacks continue, is to move all accounts from the affected IP to a different one, then have the IP null routed and see if that helps.
    Basically the one who attacks you will just snipe your domains' new IP address and attack there. Changing IP is not an option when you are not DDoS protected.
