Web Hosting Talk : Web Hosting Main Forums : Managed Hosting and Services : Can a managed hosting handle SYN flooding?

[mark0168]

We often meet SYN flooding or web ripper (download our site with Teleport alike software) problem with our website.

They often make our site down for CPU overloading and too many connections.

The only way we can do now is to restart the server and block the IPs.
Unfortunately, that doesn't work for most blocked IPs are dynamic.
After several days, they come back again for that most peole connect to internet by other dynamic IPs.

We can't monitor our server for 24 hours a day, 365 days a year.
Is there any good managed hosting can help us to resolve the problem?

Downtime hurts our bussiness very much. We never know when the web rippers will come. We can't find effect solution on Google right now.

Any suggestions?
Thanks

[ServerOrigin]

I am not sure of any companies that will monitor your server for you unless they host it themselves. My company would provide the service through our 24 hour monitoring team but in a case like this it is hard to know just how someone else's datacenter/firewall rules are setup. I would guess you will find it to be tough getting this kind of service.

Have you tried setting up apache evade and apache security modules?

[HostTitan]

What safeguards have you attempted until now? What type of firewall, apache modules, and sql setup do you have? Have you considered creating a php script that can tell if someone is accessing many pages fast and banning? That could be interesting though i'm not sure its the most efficient way to go about it.

[dkitchen]

Some providers with a good infrastrcuture will be able to filter this upstream before it reaches your server, and this is what you need. You may actually be better putting the server behind a reverse proxy or something of that nature.

Be upfront with the provider and let them know you have these problems, if they aren't aware before you sign up, they may not be able to help you.

What kind of budget do you have for this? Are the downloads suspicious or anything of that nature (i.e. is there a reason they might be doing this?).

Dan

[sprintserve]

If you invest in a hardware firewall (managed) syn flooding typically are possible to filter unless it huge and chews up the processor on the firewall as well. If it is the sort that you can simply block and they go away for a few days, chances are it's small enough for most hardware firewalls to handle such as a Cisco Pix.

As for Apache level attacks, they are harder to block. But web rippers are easy to block as they come from a single IP. What we have done for some clients is that we have written a custom script that blocks any IPs that exceed a certain set threshold of connections.

You may also want to hire managed services that do proactive / reactive monitoring. i.e. they will log in to check if the loads get too high etc , or if the services go down.

[steven-v]

I would suggest you to try professional server optimization - in some cases pro's can help you optimize your server in such a way, that you forget about this kind of headaches.

[mark0168]

In fact, we host our server on a very good reputation managed hosting. We can only afford their basic managed service, but bought a optional hardware firewall Cisco PIX and a extra ports watch service.

We have met three times down for SYN flooding or web rippers over the 3 days.
Our hosting supports said that they can do nothing about that for they can not moniter the speed of MySQL or Apache. What they can do is when some ports of our server down, they will check for me and resolve it if they can.

The question is that showing a blank page or showing error pages have the same meaning of downtime to our visitors or consumers. They don't care wether your server is still online. What they see is that our webstite blank or error.

About firewall, our hosting said that Cisco PIX can do nothing to SYN Flooding.
They suggested us to install mod_evasive yesterday.

However, I have searched WHT for mod_evasive. I start to worry about the disaster mod_evasive will give us. Some said that mode_evasive will block normal visitors as well especially when a site generates numerous image as .php filename by GD alike modules. Or it will easy to block consumers who are using IE as their browsers.

Anyway, while I am repling this thread. Our site is down for SYN flooding again.
I have to admire ourself for that we can attract so many rippers come. : ( Orz
I have no choice but ask my hosting to install mod_evasive now.

Is there a much better idea to stop the rippers? Any way I don't need to moniter our server all day long?

[reiteration]

Managed hosting should make sure your protected from SYN flooding.

If they don't its time to move.

[mark0168]

Quote:

Originally Posted by reiteration

Managed hosting should make sure your protected from SYN flooding.

If they don't its time to move.

Thanks.
However, we don't know which managed hosting can resolve the problem for us?
Anyone can recommend a managed hosting can handle that?
I really appreciate that if you can shared with me by PM or reply here.

By the way, I just wonder if mod_evasive will stop normal visitors. Will Yahoo or Goolge spider be blocked? If so, that's another disaster to us for that we have some good ranking on keyword pages.

Anyway, I hate rippers....Orz

[reiteration]

That depends on your budget and the location you want.

SYN flooding is quite easy to protect against, DOS too, DDOS is the worst.
Sure you can buy firewalls that claim to protect again DDOS but in reality when your being attacked by thousands of servers nothing will help you.

What OS are you running ?

[mark0168]

We have not ever faced DDos, only small SYN flooding..
So our server is not down but all our website are.
To our consumers, nothing different between Server or Website down.

We are using Redhat RL4 with Cisco PIX.
If Hardware firewall (CISCO PIX) can stop even small DDos, why our managed hosting said that they can do nothing about SYN flooding.
I don't know whether the budget more than 500USD a month budget can help us to stop SYN flooding.
We pay for our hosting more than 500USD monthly now.
My partner agree with you that perhaps our budget is too little so that our manged hosting don't want to pay much attention to us.

[reiteration]

You could be right that they consider you too small to help, or want you to spend more.

Check if SYN cookies are enabled:

cat /proc/sys/net/ipv4/tcp_syncookies

Should give 1 if its enabled.

[mark0168]

No, I have check the tcp_syncookies of my server.
It is "0". Does that mean our current hosting is not professional enough to be a managed hosting?

Should it be enabled? I googled it for a while but still not really understand it as Hardware Firewall function. Some people said that enable tcp_syncookies may delay the speed and may not take effect obviously .

Some articles said that we should try to adjust "time_wait2" alike stuff, but it seems to for FreeBSD, not Redhat.

One of the biggest question I have now is about Hardware Firewall, especially Cisco PIX. Since they can't stop SYN flooding, why some online shops said that it can against Dos on their webpages?

[reiteration]

If your having SYN attacks I would enable this :

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

And see how things go. you can always put it back with:

echo 0 > /proc/sys/net/ipv4/tcp_syncookies

Alot of sysctl variables can be tuned in Linux to help erradicate your problems, the question is if your managed service provider feels your worth spending the time on.

[warp2cris]

yes, your company should have this tcp_syncookies in place at least.

if the things get worst, try to see a specialized company for DOS/DDOS protection.