  1. #1
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185

    I'm getting smacked around by a DDOS attack!

    Man, my server has been getting KILLED all day long. Apparently it is one of my main domains getting slammed, so my server host "nulled" that IP address. Which brings back the rest of my server, but I'm going to be screwed if that other domain can't get back online. Basically they are telling me that there is nothing they can do at all but wait it out.

    Rich,

    We are working on this machine. I don't think you realize what is going on here. Someone decided to flood your server with http requests. This basically kills the box. There is nothing we can do short of nulling the IP which was done. The IP that was nulled was the .147 one since that's what was getting hit. The script we put in place could not hold it. The attack was subsiding but came back full force. There is nothing we can do aside from waiting it out. I am sorry.
    --
    Sincerely,
    Well, that's just ducky. That is my main bread and butter site, so I'm supposed to just twiddle my thumbs while I go out of business?

    How much do I have to pay to get someone to track down the cretin doing this and break all his fingers?

  2. #2
    Well I don't know much about breaking people's fingers, but I suppose you could get a serious hardware firewall from the company that provides you with your server, as a script in general won't do much good.

  3. #3
    Join Date
    Dec 2004
    Location
    Clemson
    Posts
    172
    http://www.gigenet.com and their proxy shield service is always an option if it is that important
    Brett Meadors

  4. #4
    Join Date
    Aug 2006
    Location
    Los Angeles
    Posts
    166
    There are providers that specialize in ddos traffic. That might not be such a bad idea.

  5. #5
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185
    Honestly, if my server host cannot come up with a reasonable solution, then I need to find another server host. I am pursuing that option right at the moment. To have my current host tell me that there is nothing they can do, and tough luck on that, have a nice day, just blows my mind.

    But I would like to entertain the broken fingers option.... Is there any way to trace this garbage back to the originator? I think someone whom my moderators banned from my message board got pissed and I'd really like to know who it is.

  6. #6
    Join Date
    Dec 2004
    Location
    Clemson
    Posts
    172
    You might be able to find a security expert that could track somewhat, but if they are using proxies and such, you're kinda screwed. Most Hosts aren't overly prepared against a DDOS, especially of a large magnitude. You do get what you pay for a good amount of the time though. Who are you currently hosted with?
    Brett Meadors

  7. #7
    Join Date
    Feb 2006
    Posts
    76
    Quote Originally Posted by Rich Z View Post
    Man, my server has been getting KILLED all day long. Apparently it is one of my main domains getting slammed, so my server host "nulled" that IP address. Which brings back the rest of my server, but I'm going to be screwed if that other domain can't get back online. Basically they are telling me that there is nothing they can do at all but wait it out.



    Well, that's just ducky. That is my main bread and butter site, so I'm supposed to just twiddle my thumbs while I go out of business?

    How much do I have to pay to get someone to track down the cretin doing this and break all his fingers?
    I used to have this problem as well. But if you're just getting http flood requests, go with LiteSpeed as your HTTP server. Apache sucks. That's how I got away with these http floods. Although it's not cheap, DDoS protection isn't cheap in the first place. That's why you should try the full trial version. If it solves the problem, bingo!

    www.litespeedtech.com

  8. #8
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185
    Quote Originally Posted by YMHBrett View Post
    http://www.gigenet.com and their proxy shield service is always an option if it is that important
    Sounds interesting, but no hints about what it costs on their website beyond "minimal financial outlay"..... Anyone got a ballpark figure?

  9. #9
    Join Date
    Aug 2006
    Location
    Los Angeles
    Posts
    166
    The issue isn't dealing with the traffic like LiteSpeed would deal with... the issue is DDoS mitigation. There are several options for DDoS mitigation. You can do upstream ACLs with some providers, or you can go with a known DDoS mitigator.

  10. #10
    Join Date
    Oct 2005
    Location
    Fleet Street
    Posts
    3,244
    Sounds interesting, but no hints about what it costs on their website beyond "minimal financial outlay"..... Anyone got a ballpark figure?
    Starts at $1k/month, higher depending on size of attack.

  11. #11
    Join Date
    Aug 2006
    Location
    Los Angeles
    Posts
    166
    How large was the attack? Were they able to quantify it in mbps and pps?

  12. #12
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185
    Quote Originally Posted by avythe View Post
    Starts at $1k/month, higher depending on size of attack.
    Well that would just put me out of business. Kaput. I'm not making that kind of money off of this stuff.

    How can anyone run an internet based business with this hanging over their head every moment?

  13. #13
    Join Date
    Aug 2006
    Location
    Los Angeles
    Posts
    166
    Rich, how large was the attack? Staminus, Awknet, GigE all do DDoS mitigation stuff, as well as blacklotus.net. Might want to consider something like that.

  14. #14
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185
    Quote Originally Posted by darkfyre View Post
    Rich, how large was the attack? Staminus, Awknet, GigE all do DDoS mitigation stuff, as well as blacklotus.net. Might want to consider something like that.
    I'm not sure. Bear in mind I'm a novice at this stuff, which is why I get managed servers..... I was quoted something like 28,000 page requests at one point.

    My current host is still sticking to the claim that there is nothing that can be done. I am going to go to LiquidWeb, as from what they are telling me, they are more proactive with handling this sort of thing.

  15. #15
    Join Date
    Aug 2006
    Location
    Los Angeles
    Posts
    166
    Ah, good deal. Good luck!

  16. #16
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    376
    While all the providers previously mentioned can help you if you wish to buy a dedicated server and fully protect it, it seems like you need a smaller solution for one site (at least for now).
    I suggest taking a look at secureservertech; they provide solutions to the type of problems you are having.
    You can search around the forums here; they saved a few people in the past from situations like the one you're in.

  17. #17
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185
    Quote Originally Posted by Noam View Post
    While all the providers previously mentioned can help you if you wish to buy a dedicated server and fully protect it, it seems like you need a smaller solution for one site (at least for now).
    I suggest taking a look at secureservertech; they provide solutions to the type of problems you are having.
    You can search around the forums here; they saved a few people in the past from situations like the one you're in.
    Thanks! I've dropped them a line. LiquidWeb has begun the migration already as they are cognizant of the situation I am in.

  18. #18
    Join Date
    Jul 2004
    Location
    Athens, Greece
    Posts
    209
    For future reference, it would be easier to request pps/bps (or http requests/sec) of the attack from your provider in order for members to give you the appropriate solution
    SharkTECH Internet Services
    http://www.sharktech.net
    DDOS Firewalled Dedicated Servers
    Managed Services / IRC Allowed

  19. #19
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,962
    Quote Originally Posted by Rich Z View Post
    Honestly, if my server host cannot come up with a reasonable solution, then I need to find another server host. I am pursuing that option right at the moment. To have my current host tell me that there is nothing they can do, and tough luck on that, have a nice day, just blows my mind.

    But I would like to entertain the broken fingers option.... Is there any way to trace this garbage back to the originator? I think someone whom my moderators banned from my message board got pissed and I'd really like to know who it is.
    With all due respect, what do you expect them to do? Do you have a package with them that includes DOS mitigation? If not, then it is your responsibility to manage this type of risk.



    Regards,

  20. #20
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,962
    Quote Originally Posted by Rich Z View Post
    Well that would just put me out of business. Kaput. I'm not making that kind of money off of this stuff.

    How can anyone run an internet based business with this hanging over their head every moment?
    You asked a good question. The answer is it is the cost of doing business online. If you're not making enough from the site to pay for hosting, management, uptime, etc., then your site is not cash-flow positive and is a liability (i.e. more money is going out than is coming in).

    Again, just like backups, servers, software updates, etc., DOS risk-management is another cost.



    Kind Regards,

  21. #21
    Join Date
    Nov 2005
    Posts
    346
    Most of the bigger providers offer some sort of DDoS mitigation that may be able to help you. Maybe you're only dealing with some amateurish attacks that are relatively easy to stop.

    If you're being hit by a real attack, then you have no recourse but to host with the specialized providers (gigenet, staminus, etc). If even a software-based solution will help, then you're dealing with a very very minimal attack.

  22. #22
    Join Date
    Jan 2008
    Location
    Warsaw, Poland
    Posts
    10
    Hi,
    Did you try the CSF firewall from configserver.com?
    You can install it for free, and there are some options to slow or even completely defend against DDoS attacks.
    Or ask Jonathan/Chirpy to help you.
    There's also a mod for Apache, mod_evasive (if I remember its name correctly), which helps protect your server more against this type of attack.

    Best regards,
    Piotr

  23. #23
    Join Date
    Jul 2003
    Posts
    533
    Right now I am using CSF firewall to stop a bot attack on a server.
    It's getting hit with around 400 to 700 connection IPs plus a SYN flood.

  24. #24
    Join Date
    Nov 2002
    Location
    Tallahassee, FL
    Posts
    185


    Contact Jon Felosi at http://www.SecureServerTech.com.

    LiquidWeb had already pretty much given up on my server and had it null routed when I contacted Jon and gave him the keys to the server. No lie, in no time flat, he had the server back online and my domain humming along like nothing had even happened. LiquidWeb, of course, seemed a bit put out by his running circles around them and doing what needed to be done.

    Quite frankly, I am EXTREMELY impressed with this guy.

  25. #25
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,699
    No firewall, software or hardware, is going to be of any use if your IP is null-routed by your provider.

    RichZ, how large are these attacks you're getting? (in BPS and PPS). What type of attack is it? (protocol, # of sources, etc...)

    If the attack isn't large enough to saturate your provider's upstream connections, but is simply affecting other customers on the same switch fabric, they should be able to implement an ACL on their routers, provided the attack is fairly straightforward.

    Alternatively, if there is a single ingress point into your network for most of the attack, a local null-route or acl can put an effective stop to the attack, while still allowing your IP to be reachable by (hopefully) most of your clients/visitors.

    For a large number of sources with no specific criteria to match against (i.e. similar ports, or unusual protocol), you will need a provider with real DDoS mitigation capabilities.

    Unfortunately, it's very difficult to track down the real perpetrators in DoS attacks. Even if you have, it's very difficult to take action against them directly, and the best you can really do is contact the source networks one by one to have them put a stop to the attack.
    ASTUTE INTERNET: Advanced, customized, and scalable solutions with AS54527 Premium Performance and Canadian Optimized Network (Level3, Shaw, CogecoPeer1, GTT/Tinet),
    AS63213 Cost Effective High Performance Network (Cogent, HE, GTT/Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami
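
An added example, not part of any post in this thread: one way to get the figures several replies ask for (HTTP requests per second, number of sources) from a web server access log during an HTTP flood. It assumes Apache common/combined log format; the sample lines, the `concentrated_at` threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix: client IP, identd, user, [time], "request".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*"')

def summarize(lines, top_n=3, concentrated_at=0.5):
    """Peak requests/sec, number of sources, and how concentrated they are.

    concentrated_at is an assumed threshold: if the top_n sources send at
    least that share of requests, per-source ACLs or rate limits can match
    the traffic; otherwise it is spread over many sources.
    """
    per_second, per_source, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        try:
            # %b expects English month names (C locale).
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except (AttributeError, ValueError):
            skipped += 1          # malformed or truncated line
            continue
        per_second[when] += 1     # aware datetimes compare by instant
        per_source[m.group(1)] += 1
    total = sum(per_source.values())
    top = per_source.most_common(top_n)
    share = sum(n for _, n in top) / total if total else 0.0
    return {
        "requests": total,
        "peak_rps": max(per_second.values(), default=0),
        "sources": len(per_source),
        "top_sources": top,
        "top_share": share,
        "concentrated": share >= concentrated_at,
        "skipped": skipped,
    }

def make_line(ip, sec):
    # Constructed sample line; addresses are from documentation ranges.
    return (f'{ip} - - [10/Feb/2008:12:00:{sec:02d} -0500] '
            '"GET /index.php HTTP/1.1" 200 512')

SAMPLE = ([make_line("198.51.100.7", 1)] * 6 + [make_line("203.0.113.5", 1)] * 2
          + [make_line("203.0.113.5", 2), make_line("192.0.2.10", 2), "garbage"])

if __name__ == "__main__":
    print(summarize(SAMPLE, top_n=1))
```

On a real log, pass the open file object as `lines`; a low `top_share` across hundreds of sources is the case the thread says needs a provider with real mitigation capacity.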
