  1. #1
    Join Date
    Feb 2013
    Posts
    82

    I got DDoS to server, what can I do? DDoS size big?

    Hi friends, today my dedicated server got DDoSed; the server is located at server4you.com and this is the second attack in 2 weeks.

    IP 188.138.111.84:53 > 8.2.120.120:43045 UDP, length 134217728, packets 32768

    What can I do about it, and how can I block this IP address?

  2. #2
    Join Date
    Aug 2010
    Location
    Belgium
    Posts
    654
    http://www.cyberciti.biz/faq/linux-iptables-drop/

    That should help you out, however, you can also send an abuse ticket regarding this. Is it saturating your port?
    AssetGateway
    █ Skype da_arco

  3. #3
    Join Date
    Feb 2013
    Posts
    82
    Sorry, but this page is for Linux servers; my server is a Windows server.

  4. #4
    Join Date
    Feb 2013
    Posts
    82
    Sorry, my English mistake )) my server is a Windows server.

  5. #5
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    You could enable a rule in the Windows Firewall to drop that traffic but it still has to be processed. I would open a ticket with your provider.

  6. #6
    Hi. I'm actually the one that sent you the abuse email in the first place, so I can tell you what's happening here.

    Your machine (188.138.111.84) is hosting an open DNS server. Someone else is abusing this to conduct DDOS attacks against our machine (8.2.120.120).

    You are not the subject of the DDOS attack, and fixing this issue is pretty easy.

    All you need to do is disable recursive DNS on your server. The abuse email you received gives you information about this:

    Code:
    To disable recursive DNS:
    * Open 'Server Manager'
    * Expand Roles -> DNS Server -> DNS -> (Your Server's Name)
    * Right click on your server name, choose Properties
    * On the 'Advanced' tab, select 'Disable recursion (also disables forwarders)'
    * Click OK
    Alternatively, you can block inbound queries to UDP port 53, except from your upstream DNS servers. Please see http://openresolverproject.org/ and http://blog.cloudflare.com/the-ddos-...offline-and-ho for more information on what's occurring.

  7. #7
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    Looks like great advice from the host, good luck.

  8. #8
    Join Date
    Jun 2013
    Location
    Los Angeles
    Posts
    327
    Quote Originally Posted by dave - just199 View Post
    Looks like great advice from the host, good luck.
    I could be mistaken, but I believe devicenull is saying that he's the one who actually reported the DDoS, not the OP's host. And as he said, it's actually the OP's server performing the attack...

    We get similar abuse reports every so often with clients hosting open resolvers on their servers, but we do our best to take care of them as soon as we spot them.

  9. #9
    Join Date
    Aug 2003
    Location
    East Coast
    Posts
    2,063
    Oh my bad, carry on

  10. #10
    Quote Originally Posted by JGoldman View Post
    I could be mistaken, but I believe devicenull is saying that he's the one who actually reported the DDoS, not the OP's host. And as he said, it's actually the OP's server performing the attack...

    We get similar abuse reports every so often with clients hosting open resolvers on their servers, but we do our best to take care of them as soon as we spot them.

    Yep, you are correct. He's attacking us. We occasionally get people very confused like this and think it's the other way around. I'm not entirely sure why that is, perhaps the language barrier.

  11. #11
    Join Date
    Jun 2013
    Location
    Los Angeles
    Posts
    327
    Quote Originally Posted by devicenull View Post
    Yep, you are correct. He's attacking us. We occasionally get people very confused like this and think it's the other way around. I'm not entirely sure why that is, perhaps the language barrier.
    In all fairness, it's an odd sort of attack vector from the perspective of someone with only a basic understanding of networking/sysadmining/how denial of service attacks work. Also, bandwidth graphs often have reversed inbound/outbound from how people might normally think of it (inbound -to- a distro router can also be outbound -from- a server, etc.) It does seem pretty clear from the log he pasted that the traffic is outbound from his server though

    To the OP: You can follow the instructions devicenull pasted, but I'd also recommend hiring a systems administration company if you need help managing your server.

  12. #12
    Looks like you are getting a DNS-amplification attack.
    What do you host on this Windows server?

  13. #13
    Quote Originally Posted by Vex76 View Post
    Looks like you are getting a DNS-amplification attack.
    What do you host on this Windows server?
    Correction: He's the *source* of a DNS-amplification attack.

  14. #14
    This is unfortunately a very frequent problem for many hosting providers and people who host their own DNS. A number of authoritative DNS servers enable recursion by default despite how easily it can be abused. Fortunately, it is fairly simple to fix, and the instructions above will resolve the issue.

    The few people who have a need to run a publicly accessible DNS resolver can use rate limiting to prevent their servers from being used in this form of attack, but the average person setting up a DNS server doesn't know what to do with that particular checkbox or config file option, so they leave it alone. Sucks (for anyone not wanting to do DDoS attacks), but true.

  15. #15
    Join Date
    Jun 2013
    Location
    Los Angeles
    Posts
    327
    Quote Originally Posted by Cristal_Ice View Post
    The few people who have a need to run a publicly accessible DNS resolver can use rate limiting to prevent their servers from being used in this form of attack, but the average person setting up a DNS server doesn't know what to do with that particular checkbox or config file option, so they leave it alone. Sucks (for anyone not wanting to do DDoS attacks), but true.
    Rate limiting is a good start, but if you're running resolvers, you'll most likely want to restrict recursion to IPs within your network. There are no good reasons to run public resolvers as far as I'm aware (short of providing a community service, which, if you're doing that, you should already have the technical expertise required for such a project).

  16. #16
    Quote Originally Posted by JGoldman View Post
    Rate limiting is a good start, but if you're running resolvers, you'll most likely want to restrict recursion to IPs within your network. There are no good reasons to run public resolvers as far as I'm aware (short of providing a community service, which, if you're doing that, you should already have the technical expertise required for such a project).
    Community service is exactly the type of circumstance I was referring to. If you're running 4.2.2.2 or 8.8.8.8 (for example), you already know what you're doing and are doing rate limiting. Hosting providers frequently provide resolvers to their customers, but those can be limited to the provider's IP ranges.

    Aside from those limited circumstances, there is really no reason for the average person to need to provide publicly accessible recursive DNS that I'm aware of either.

  17. #17
    Join Date
    Nov 2005
    Location
    Australia
    Posts
    641
    Use Cloudflare?

  18. #18
    Quote Originally Posted by hitmeback View Post
    Use Cloudflare?
    So I'm guessing you didn't read any of the thread.

  19. #19
    Join Date
    Feb 2013
    Posts
    82
    I read it all. We have 4 dedicated IPs but we use only 2 of them for our live websites. The IP which makes the DDoS is not in use now and we already cancelled it so as not to use it any more, but I will try to use the Black Lotus company for my live sites.

  20. #20
    Join Date
    Jul 2013
    Posts
    296
    You should know there is no difference whether your port is open or closed, because the attack reaches your server and consumes bandwidth, and if the attack size rises a bit, your datacenter will null-route your IPs. The best way is to block it at the network level before it reaches your server.

  21. #21
    Quote Originally Posted by Genius Guard View Post
    You should know there is no difference whether your port is open or closed, because the attack reaches your server and consumes bandwidth, and if the attack size rises a bit, your datacenter will null-route your IPs. The best way is to block it at the network level before it reaches your server.
    Did you read any of the thread? He's the source of the attack, not the recipient.

  22. #22
    Join Date
    Feb 2013
    Posts
    82
    Did you read any of the thread? He's the source of the attack, not the recipient.
    Yes, you are right, I'm the source of the attack, because some program or some external system uses my dedicated server IP to attack another person, but we cancelled this IP address from our system because it was an IP which we don't use now.

  23. #23
    Quote Originally Posted by pixeltech View Post
    Yes, you are right, I'm the source of the attack, because some program or some external system uses my dedicated server IP to attack another person, but we cancelled this IP address from our system because it was an IP which we don't use now.

    Did you actually fix the issue? Just removing the IP address does not correct the underlying vulnerability.

  24. #24
    Join Date
    Feb 2013
    Posts
    82
    I will work with a DDoS-blocking company because I don't know how to fix this issue. All the information articles on the internet are only for Linux servers, but my server is a Windows server and I don't know how to block it, because I don't know which IP uses my server for DDoS attacks, and any software on the internet also.
