-
01-22-2008, 02:07 AM #1Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
I'm getting smacked around by a DDOS attack!
Man, my server has been getting KILLED all day long. Apparently it is one of my main domains getting slammed, so my server host "nulled" that IP address. Which brings back the rest of my server, but I'm going to be screwed if that other domain can't get back online. Basically they are telling me that there is nothing they can do at all but wait it out.
Rich,
We are working on this machine. I don't think you realize what is going on here. Someone decided to flood your server with http requests. This basically kills the box. There is nothing we can do short of nulling the IP which was done. The IP that was nulled was the .147 one since that's what was getting hit. The script we put in place could not hold it. The attack was subsiding but came back full force. There is nothing we can do aside from waiting it out. I am sorry.
--
Sincerely,
How much do I have to pay to get someone to track down the cretin doing this and break all his fingers?
-
01-22-2008, 02:16 AM #2Custom Hosting Master
- Join Date
- Jan 2007
- Posts
- 2,602
Well I don't know much about breaking people's fingers, but I suppose you could get a serious hardware firewall from the company that provides you with your server, as a script in general won't do much good.
-
01-22-2008, 02:21 AM #3WHT Addict
- Join Date
- Dec 2004
- Location
- Clemson
- Posts
- 172
http://www.gigenet.com and their proxy shield service is always an option if it is that important
Brett Meadors
-
01-22-2008, 02:22 AM #4WHT Addict
- Join Date
- Aug 2006
- Location
- Los Angeles
- Posts
- 166
There are providers that specialize in ddos traffic. That might not be such a bad idea.
-
01-22-2008, 02:25 AM #5Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
Honestly, if my server host cannot come up with a reasonable solution, then I need to find another server host. I am pursuing that option right at the moment. To have my current host tell me that there is nothing they can do, and tough luck on that, have a nice day, just blows my mind.
But I would like to entertain the broken fingers option.... Is there any way to trace this garbage back to the originator? I think someone whom my moderators banned from my message board got pissed and I'd really like to know who it is.
-
01-22-2008, 02:27 AM #6WHT Addict
- Join Date
- Dec 2004
- Location
- Clemson
- Posts
- 172
You might be able to find a security expert that could track somewhat, but if they are using proxies and such, you're kinda screwed. Most Hosts aren't overly prepared against a DDOS, especially of a large magnitude. You do get what you pay for a good amount of the time though. Who are you currently hosted with?
Brett Meadors
-
01-22-2008, 02:29 AM #7Junior Guru Wannabe
- Join Date
- Feb 2006
- Posts
- 76
I used to have this problem as well. But if you're just getting http flood requests, go with LiteSpeed as your HTTP server. Apache sucks. That's how I got away with these http floods. Although it's not cheap, ddos protection isn't cheap in the first place. That's why you should try the full trial version. If it solves the problem, bingo!
www.litespeedtech.com
-
01-22-2008, 02:31 AM #8Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
-
01-22-2008, 02:32 AM #9WHT Addict
- Join Date
- Aug 2006
- Location
- Los Angeles
- Posts
- 166
The issue isn't dealing with the traffic like litespeed would deal with... the issue is ddos mitigation. There are several options for ddos mitigation. You can do upstream acls with some providers, or you can go with a known ddos mitigator.
-
01-22-2008, 02:33 AM #10antitheistic atheist
- Join Date
- Oct 2005
- Location
- Fleet Street
- Posts
- 3,244
Sounds interesting, but no hints about what it costs on their website beyond "minimal financial outlay"..... Anyone got a ballpark figure?
-
01-22-2008, 02:36 AM #11WHT Addict
- Join Date
- Aug 2006
- Location
- Los Angeles
- Posts
- 166
How large was the attack? Were they able to quantify it in mbps and pps?
-
01-22-2008, 03:12 AM #12Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
-
01-22-2008, 03:16 AM #13WHT Addict
- Join Date
- Aug 2006
- Location
- Los Angeles
- Posts
- 166
Rich, how large was the attack? Staminus, Awknet, GigE all do ddos mitigation stuff as well as blacklotus.net. Might want to consider something like that.
-
01-22-2008, 03:29 AM #14Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
I'm not sure. Bear in mind I'm a novice at this stuff, which is why I get managed servers..... I was quoted something like 28,000 page requests at one point.
My current host is still sticking to the claim that there is nothing that can be done. I am going to go to LiquidWeb, as from what they are telling me, they are more proactive with handling this sort of thing.
-
01-22-2008, 03:33 AM #15WHT Addict
- Join Date
- Aug 2006
- Location
- Los Angeles
- Posts
- 166
Ah, good deal. Good luck!
-
01-22-2008, 04:06 AM #16Aspiring Evangelist
- Join Date
- Jun 2003
- Location
- Israel
- Posts
- 376
While all the providers previously mentioned can help you if you wish to buy a dedicated server and fully protect it, it seems like you need a smaller solution for one site (at least for now).
I suggest taking a look at secureservertech, they provide solutions to the type of problems you are having.
You can search around the forums here, they saved a few people in the past from situations like you're in.
-
01-22-2008, 04:22 AM #17Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
-
01-22-2008, 10:06 AM #18Junior Guru
- Join Date
- Jul 2004
- Location
- Athens, Greece
- Posts
- 209
For future reference, it would be easier to request pps/bps (or http requests/sec) of the attack from your provider in order for members to give you the appropriate solution
SharkTECH Internet Services
http://www.sharktech.net
DDOS Firewalled Dedicated Servers
Managed Services / IRC Allowed
-
01-22-2008, 11:05 AM #19Disabled
- Join Date
- Jul 2006
- Location
- Detroit, MI
- Posts
- 1,962
-
01-22-2008, 11:07 AM #20Disabled
- Join Date
- Jul 2006
- Location
- Detroit, MI
- Posts
- 1,962
You asked a good question. The answer is it is the cost of doing business online. If you're not making enough from the site to pay for hosting, management, uptime, etc. then your site is not cash-flow positive and is a liability (i.e. more money is going out than is coming in).
Again, just like backups, servers, software updates, etc., DOS risk-management is another cost.
Kind Regards,
-
01-22-2008, 11:37 AM #21Web Hosting Guru
- Join Date
- Nov 2005
- Posts
- 346
Most of the bigger providers offer some sort of DDoS mitigation that may be able to help you. Maybe you're only dealing with some amateurish attacks that are relatively easy to stop.
If you're being hit by a real attack, then you have no recourse but to host with the specialized providers (gigenet, staminus, etc). If even a software-based solution will help, then you're dealing with a very very minimal attack.
-
01-22-2008, 03:01 PM #22Newbie
- Join Date
- Jan 2008
- Location
- Warsaw, Poland
- Posts
- 10
Hi,
Did you try CSF firewall from configserver.com?
You can install it for free and there are some options to slow or even defend completely against ddos attacks.
Or ask Jonathan/Chirpy to help you.
There's also a mod for apache - mod_evasive (if I correctly remember its name) which helps protect your server more against this type of attack.
Best regards,
Piotr
-
01-27-2008, 03:10 AM #23Web Hosting Evangelist
- Join Date
- Jul 2003
- Posts
- 533
Right now I am using csf firewall to stop a bot attack on a server.
It's getting hit with around 400 to 700 connection ips plus syn flood.
-
01-27-2008, 03:18 AM #24Junior Guru
- Join Date
- Nov 2002
- Location
- Tallahassee, FL
- Posts
- 185
Contact Jon Felosi at http://www.SecureServerTech.com.
LiquidWeb had already pretty much given up on my server and had it null routed when I contacted Jon and gave him the keys to the server. No lie, in no time flat, he had the server back online and my domain humming along like nothing had even happened. LiquidWeb, of course, seemed a bit put out by his running circles around them and doing what needed to be done.
Quite frankly, I am EXTREMELY impressed with this guy.
-
01-27-2008, 05:05 AM #25Web Hosting Master
- Join Date
- Oct 2002
- Location
- Vancouver, B.C.
- Posts
- 2,699
No firewall, software or hardware, is going to be of any use if your IP is null-routed by your provider.
RichZ, how large are these attacks you're getting? (in BPS and PPS). What type of attack is it? (protocol, # of sources, etc...)
If the attack isn't large enough to saturate your provider's upstream connections, but is simply affecting other customers on the same switch fabric, they should be able to implement an ACL on their routers, provided the attack is fairly straightforward.
Alternatively, if there is a single ingress point into your network for most of the attack, a local null-route or acl can put an effective stop to the attack, while still allowing your IP to be reachable by (hopefully) most of your clients/visitors.
For a large number of sources with no specific criteria to match against (i.e. similar ports, or unusual protocol), you will need a provider with real DDoS mitigation capabilities.
Unfortunately, it's very difficult to track down the real perpetrators in DoS attacks. Even if you have, it's very difficult to take action against them directly, and the best you can really do is contact the source networks one by one to have them put a stop to the attack.
ASTUTE INTERNET: Advanced, customized, and scalable solutions with AS54527 Premium Performance and Canadian Optimized Network (Level3, Shaw, CogecoPeer1, GTT/Tinet),
AS63213 Cost Effective High Performance Network (Cogent, HE, GTT/Tinet)
Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami
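Several replies ask for the size of the HTTP flood (requests per second, number of sources) and whether the traffic shares anything an ACL could match on. The following is an added example, not code from any poster or provider in this thread: it derives those figures from a web server access log, assuming Combined Log Format. The sample log, its addresses and the `SampleAgent/1.0` user agent are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def summarize(lines, top_n=3):
    """Return the figures the thread asks for: rate, source count, shared traits."""
    per_second, sources, paths, agents = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting mid-incident
        ip, ts, _method, path, agent = m.groups()
        per_second[datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")] += 1
        sources[ip] += 1
        paths[path] += 1
        agents[agent] += 1
    total = sum(sources.values())
    if total == 0:
        return None
    top = sources.most_common(top_n)
    return {
        "requests": total,
        "peak_rps": max(per_second.values()),        # busiest single second
        "distinct_sources": len(sources),
        "top_source_share": sum(c for _, c in top) / total,
        "top_path": paths.most_common(1)[0],         # candidate match criterion
        "top_agent": agents.most_common(1)[0],       # candidate match criterion
    }

def build_sample():
    """Constructed log: 40 sources request /index.php in one second, plus 2 visitors."""
    fmt = '{ip} - - [22/Jan/2008:02:00:{s:02d} -0500] "GET {p} HTTP/1.1" 200 512 "-" "{ua}"'
    flood = [fmt.format(ip=f"198.51.100.{i}", s=1, p="/index.php", ua="SampleAgent/1.0")
             for i in range(1, 41)]
    normal = [fmt.format(ip="203.0.113.7", s=0, p="/forum/", ua="Mozilla/5.0"),
              fmt.format(ip="203.0.113.9", s=2, p="/about", ua="Mozilla/5.0")]
    return flood + normal + ["garbage line"]

if __name__ == "__main__":
    for key, value in summarize(build_sample()).items():
        print(f"{key}: {value}")
```

A low `top_source_share` across many sources means per-IP limits will catch little, while a dominant path or user agent is the kind of specific criterion an upstream ACL or filter can match against.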