  1. #1

    I'm getting smacked around by a DDOS attack!

    Man, my server has been getting KILLED all day long. Apparently it is one of my main domains getting slammed, so my server host "nulled" that IP address. Which brings back the rest of my server, but I'm going to be screwed if that other domain can't get back online. Basically they are telling me that there is nothing they can do at all but wait it out.

    Rich,

    We are working on this machine. I don't think you realize what is going on here. Someone decided to flood your server with http requests. This basically kills the box. There is nothing we can do short of nulling the IP which was done. The IP that was nulled was the .147 one since that's what was getting hit. The script we put in place could not hold it. The attack was subsiding but came back full force. There is nothing we can do aside from waiting it out. I am sorry.
    --
    Sincerely,
    Well, that's just ducky. That is my main bread and butter site, so I'm supposed to just twiddle my thumbs while I go out of business?

    How much do I have to pay to get someone to track down the cretin doing this and break all his fingers?

  2. #2
    Well I don't know much about breaking people's fingers, but I suppose you could get a serious hardware firewall from the company that provides you with your server, as a script in general won't do much good.

  3. #3
    http://www.gigenet.com and their proxy shield service is always an option if it is that important
    Brett Meadors

  4. #4
    There are providers that specialize in ddos traffic. That might not be such a bad idea.

  5. #5
    Honestly, if my server host cannot come up with a reasonable solution, then I need to find another server host. I am pursuing that option right at the moment. To have my current host tell me that there is nothing they can do, and tough luck on that, have a nice day, just blows my mind.

    But I would like to entertain the broken fingers option.... Is there any way to trace this garbage back to the originator? I think someone whom my moderators banned from my message board got pissed and I'd really like to know who it is.

  6. #6
    You might be able to find a security expert that could track it somewhat, but if they are using proxies and such, you're kinda screwed. Most hosts aren't overly prepared against a DDoS, especially of a large magnitude. You do get what you pay for a good amount of the time though. Who are you currently hosted with?
    Brett Meadors

  7. #7
    Quote Originally Posted by Rich Z
    Man, my server has been getting KILLED all day long. Apparently it is one of my main domains getting slammed, so my server host "nulled" that IP address. Which brings back the rest of my server, but I'm going to be screwed if that other domain can't get back online. Basically they are telling me that there is nothing they can do at all but wait it out.

    Well, that's just ducky. That is my main bread and butter site, so I'm supposed to just twiddle my thumbs while I go out of business?

    How much do I have to pay to get someone to track down the cretin doing this and break all his fingers?
    I used to have this problem as well. But if you're just getting HTTP flood requests, go with LiteSpeed as your HTTP server. Apache sucks. That's how I got away with these HTTP floods. Although it's not cheap, DDoS protection isn't cheap in the first place. That's why you should try the full trial version. If it solves the problem, bingo!

    www.litespeedtech.com

  8. #8
    Quote Originally Posted by YMHBrett
    http://www.gigenet.com and their proxy shield service is always an option if it is that important
    Sounds interesting, but no hints about what it costs on their website beyond "minimal financial outlay"..... Anyone got a ballpark figure?

  9. #9
    The issue isn't dealing with the traffic like LiteSpeed would deal with it... the issue is DDoS mitigation. There are several options for DDoS mitigation. You can do upstream ACLs with some providers, or you can go with a known DDoS mitigator.

  10. #10
    Quote Originally Posted by Rich Z
    Sounds interesting, but no hints about what it costs on their website beyond "minimal financial outlay"..... Anyone got a ballpark figure?
    Starts at $1k/month, higher depending on size of attack.

  11. #11
    How large was the attack? Were they able to quantify it in mbps and pps?

  12. #12
    Quote Originally Posted by avythe
    Starts at $1k/month, higher depending on size of attack.
    Well that would just put me out of business. Kaput. I'm not making that kind of money off of this stuff.

    How can anyone run an internet based business with this hanging over their head every moment?

  13. #13
    Rich, how large was the attack? Staminus, Awknet, GigE all do DDoS mitigation stuff, as well as blacklotus.net. Might want to consider something like that.

  14. #14
    Quote Originally Posted by darkfyre
    Rich, how large was the attack? Staminus, Awknet, GigE all do DDoS mitigation stuff, as well as blacklotus.net. Might want to consider something like that.
    I'm not sure. Bear in mind I'm a novice at this stuff, which is why I get managed servers..... I was quoted something like 28,000 page requests at one point.

    My current host is still sticking to the claim that there is nothing that can be done. I am going to go to LiquidWeb, as from what they are telling me, they are more proactive with handling this sort of thing.

  15. #15
    Ah, good deal. Good luck!

  16. #16
    While all the providers previously mentioned can help you if you wish to buy a dedicated server and fully protect it, it seems like you need a smaller solution for one site (at least for now).
    I suggest taking a look at secureservertech; they provide solutions to the type of problems you are having.
    You can search around the forums here; they saved a few people in the past from situations like you're in.

  17. #17
    Quote Originally Posted by Noam
    While all the providers previously mentioned can help you if you wish to buy a dedicated server and fully protect it, it seems like you need a smaller solution for one site (at least for now).
    I suggest taking a look at secureservertech; they provide solutions to the type of problems you are having.
    You can search around the forums here; they saved a few people in the past from situations like you're in.
    Thanks! I've dropped them a line. LiquidWeb has begun the migration already as they are cognizant of the situation I am in.

  18. #18
    For future reference, it would be easier to request the pps/bps (or HTTP requests/sec) of the attack from your provider, so that members can suggest an appropriate solution.

  19. #19
    Quote Originally Posted by Rich Z
    Honestly, if my server host cannot come up with a reasonable solution, then I need to find another server host. I am pursuing that option right at the moment. To have my current host tell me that there is nothing they can do, and tough luck on that, have a nice day, just blows my mind.

    But I would like to entertain the broken fingers option.... Is there any way to trace this garbage back to the originator? I think someone whom my moderators banned from my message board got pissed and I'd really like to know who it is.
    With all due respect, what do you expect them to do? Do you have a package with them that includes DOS mitigation? If not, then it is your responsibility to manage this type of risk.

    Regards,

  20. #20
    Quote Originally Posted by Rich Z
    Well that would just put me out of business. Kaput. I'm not making that kind of money off of this stuff.

    How can anyone run an internet based business with this hanging over their head every moment?
    You asked a good question. The answer is it is the cost of doing business online. If you're not making enough from the site to pay for hosting, management, uptime, etc., then your site is not cash-flow positive and is a liability (i.e. more money is going out than is coming in).

    Again, just like backups, servers, software updates, etc., DOS risk-management is another cost.

    Kind Regards,

  21. #21
    Most of the bigger providers offer some sort of DDoS mitigation that may be able to help you. Maybe you're only dealing with some amateurish attacks that are relatively easy to stop.

    If you're being hit by a real attack, then you have no recourse but to host with the specialized providers (gigenet, staminus, etc). If even a software-based solution will help, then you're dealing with a very very minimal attack.

  22. #22
    Hi,
    Did you try the CSF firewall from configserver.com?
    You can install it for free, and there are some options to slow or even completely defend against DDoS attacks.
    Or ask Jonathan/Chirpy to help you.
    There's also a mod for Apache, mod_evasive (if I remember its name correctly), which helps protect your server more against this type of attack.

    Best regards,
    Piotr

  23. #23
    Right now I am using the CSF firewall to stop a bot attack on a server.
    It's getting hit with around 400 to 700 connection IPs plus a SYN flood.

  24. #24
    Contact Jon Felosi at http://www.SecureServerTech.com.

    LiquidWeb had already pretty much given up on my server and had it null routed when I contacted Jon and gave him the keys to the server. No lie, in no time flat, he had the server back online and my domain humming along like nothing had even happened. LiquidWeb, of course, seemed a bit put out by his running circles around them and doing what needed to be done.

    Quite frankly, I am EXTREMELY impressed with this guy.

  25. #25
    No firewall, software or hardware, is going to be of any use if your IP is null-routed by your provider.

    RichZ, how large are these attacks you're getting? (in BPS and PPS). What type of attack is it? (protocol, # of sources, etc...)

    If the attack isn't large enough to saturate your provider's upstream connections, but is simply affecting other customers on the same switch fabric, they should be able to implement an ACL on their routers, provided the attack is fairly straightforward.

    Alternatively, if there is a single ingress point into your network for most of the attack, a local null-route or ACL can put an effective stop to the attack, while still allowing your IP to be reachable by (hopefully) most of your clients/visitors.

    For a large number of sources with no specific criteria to match against (i.e. similar ports, or unusual protocol), you will need a provider with real DDoS mitigation capabilities.

    Unfortunately, it's very difficult to track down the real perpetrators in DoS attacks. Even if you have, it's very difficult to take action against them directly, and the best you can really do is contact the source networks one by one to have them put a stop to the attack.

  26. #26
    They had shut down httpd because it was overwhelming the server. The attack was around 10-20 mbit of pure HTTP flood/GET attack, which is fairly difficult to block when you are using Apache, but it can be done.

    What I thought was wrong though about the way LiquidWeb handled this is: as you see, Rich started this thread having problems with a server that at that time was not hosted by LiquidWeb. So he was pretty much looking for a place to host it. I don't know the full story here, so correct me if I'm wrong Rich, but he had contacted LiquidWeb.

    The salesperson told him something like "Oh yeah, DDoS attacks = no problem", "buy this server here with our full management plan and we will get you running again". So they talked him into buying a dual quad-core Xeon with 4 GB RAM. It's a monster, all this for one decently busy forum, around 100-200 users online at once.

    So anyway, I went in and they had APF and DoS Deflate installed, which aren't really bad scripts, but you kinda have to sit with it until you get them all banned. This wasn't a super huge DDoS; it was small, hence the HTTP/GET flood. Most smaller botnets use these as they are able to take down sites easier this way than with bandwidth floods, especially PHP/MySQL sites. But besides APF and DoS Deflate, that was all they had installed.

    I went in the box and started doing my thing, and then the tech that was in there rebooted the box like it was gonna help anything. So I kept on trying to log in until the box came back, made sure I was the first one in there, and I changed the password and locked them out because he was just getting in my way, and the box reboot pretty much showed me these guys didn't know what they were doing.

    So I did my thing, removed all their stuff and had the site up fully about 30 minutes later. And from the sounds of it LiquidWeb didn't like it too much. I think there is another issue now where they are cutting off his managed support because he hired me to stop the attack.

    Ole Rich had a hard time, and everywhere he turned he was getting sales pitches and promises. He had emailed a company who tracks down botnets and had a sales conference with them; they had told him the person doing it was a serious professional and he needed to hire them for $6k to track him down and shut down the net and all this.

    I can say with 100% confidence that the attacker was no professional; this was clearly a disgruntled forum member or competitor, most likely a revenge attack for some reason or another. But I am glad I could help him out and I appreciate your kind words of recommendation Rich.

    In my description of the events I'm not putting down LiquidWeb or saying their techs are stupid; not all networks and technicians deal with DDoS that much. But they should never have pitched him that sale if they didn't have the means to stop the attack. Also, to my knowledge LiquidWeb has no DDoS mitigation appliances. I had even contacted them a few months ago about servers and they told me they did not.
    Last edited by jon-f; 01-27-2008 at 11:15 AM.
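
    The "sit with it until you get them all banned" part above is per-source request counting, which is what scripts like DoS Deflate do on live connections. As an added example (not code from this thread or from any poster or tool named in it), here is the same idea run over constructed Apache combined-format access-log lines: a sliding-window counter that flags client IPs whose GET rate exceeds a threshold, producing a candidate list for a temporary block. The addresses, paths, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, unix_time, method, path) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, _status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.timestamp(), method, path

def flood_sources(lines, window=10, threshold=20):
    """Sliding-window rate check: for each client IP, count the GETs seen in the
    last `window` seconds and record the peak count for any IP that ever goes
    above `threshold`. Returns {ip: peak_requests_in_window}."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, now = rec[0], rec[1]
        q = recent[ip]
        q.append(now)
        while q and now - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def make_line(ip, second, path="/forum/index.php"):
    """Build a constructed (not real) combined-log line at 10:00:SS on 27 Jan 2008."""
    return (f'{ip} - - [27/Jan/2008:10:00:{second:02d} -0500] '
            f'"GET {path} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')

# Constructed sample: one source (assumed address) requesting the forum index
# ten times a second for five seconds, plus a visitor browsing at a human pace.
SAMPLE_LINES = [make_line("198.51.100.7", s) for s in range(5) for _ in range(10)]
SAMPLE_LINES += [make_line("203.0.113.5", s, "/forum/viewtopic.php") for s in (0, 15, 40)]

if __name__ == "__main__":
    for ip, peak in flood_sources(SAMPLE_LINES).items():
        print(f"{ip}: peak {peak} GETs in 10s, candidate for a temporary block")
```

    On a real server the same counter would be fed from the live access log and its output handed to the firewall (CSF/APF) for time-limited blocks, with the threshold set well above what a human visitor or a busy proxy produces.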

  27. #27
    You do not need to buy protection; I'm sorry I cannot elaborate on this. My recommendation would be to re-post this question elsewhere if you want a more honest explanation.
    Last edited by ddosguru; 01-28-2008 at 04:30 AM. Reason: Ask me if you care
