Hey everyone, I have read so many posts, however I am still in need of help.
I have been getting DDoSed for the last month. My host has tried many things on my server that are commonly suggested around here; however, we have over 40 000 connections hitting the server from this attack and it keeps rising.
I am on LiteSpeed.
I also have NetScreen 50 firewall which helped for a little while, however the server still keeps going down.
I am spending $420 a month on my hosting for my dedicated server.
Now it is costing me an extra $400 a month to have the NetScreen firewall running, which is a waste of money as it cannot effectively keep the server running, and I'm not sure if I can even afford that much money a month; however, I might need to spend a little more if I need to, just to get the server running finally.
Basically I need some options as to what I can do. I would like to stay with my host, they have been good to me; however, if my options are better suited to changing, then let me know. I just really need to get my server running great ASAP and to keep it running great when I'm away from the internet.
Yeah, CSF is being used already to no avail, which is why the NetScreen-50 was tried (and the LiteSpeed Enterprise web server), and still to no great success, which is why I am now hoping someone else might have a different suggestion that we have not thought of.
Things of that nature aren't going to stop it anyway if it's a decent sized attack (especially a software firewall). Is it your site or one that a client might have? If it's something you can do without, stop hosting the target site. If not, maybe move that site to its own virtual IP and introduce some software firewall rate limiting.
The problem is, with 40K+ IPs, any software firewall that you block the sources from will exhaust your server's physical memory as the chains get too large. If you can find an attack signature in the packet header via hardware, or something on the server in the access log as an attack footprint, you can create a method to start blocking the IPs, but again, you will run out of memory if it's very large. Perhaps you could put in a rule to recheck the firewall for IPs that are already blocked in that /24, and if there are another 3 or 5, you can drop all of those and block only the same IP at the /24, and so on, which could save room in the chain.
Also, maybe a timeout, where it drops an IP or /24 from the chain after 2 hours, and if it happens again from the same IP or /24, you can reblock for double the time, and keep doubling it. Ultimately, a large enough DDoS cannot be fought, and if the target site is hosted on you and the attack is persistent, you'll have to reevaluate if you want to host that site, or what is provoking the attack (as much as that sucks to say). More suggestions could be offered if we knew more about it.
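As an added illustration (not code from the thread or from any poster), here is a Python simulation of the block-chain bookkeeping the post above describes: each source is banned for 2 hours, a /24 that accumulates three banned hosts is collapsed into one /24 rule, and a source or /24 that comes back after its ban expires gets double the previous ban. The `BlockList` class, the threshold of three and the 203.0.113.0/24 and 198.51.100.0/24 sample addresses are assumptions for the example; a real deployment would feed these decisions into iptables/CSF rather than a dict.

```python
import ipaddress

BASE_BAN = 2 * 3600   # first ban is 2 hours, as suggested in the post
NET_THRESHOLD = 3     # banned hosts in one /24 before the whole /24 is dropped (assumed)


class BlockList:
    """In-memory stand-in for a firewall chain: keys are IPv4Address or IPv4Network."""

    def __init__(self, base_ban=BASE_BAN, net_threshold=NET_THRESHOLD):
        self.base_ban = base_ban
        self.net_threshold = net_threshold
        self.entries = {}   # key -> expiry timestamp (seconds)
        self.strikes = {}   # key -> how many times it has been banned so far

    def _add(self, key, now):
        # 2h on the first strike, 4h on the second, 8h on the third, ...
        self.entries[key] = now + self.base_ban * (2 ** self.strikes.get(key, 0))
        self.strikes[key] = self.strikes.get(key, 0) + 1

    def expire(self, now):
        """Drop rules whose ban has run out; strike counts are kept for doubling."""
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def block(self, ip, now):
        """Ban a source; returns the key that actually went into the chain."""
        self.expire(now)
        addr = ipaddress.IPv4Address(ip)
        net = ipaddress.IPv4Network((addr, 24), strict=False)
        if net in self.entries:          # the /24 is already dropped, nothing to add
            return net
        hosts_in_net = [k for k in self.entries
                        if isinstance(k, ipaddress.IPv4Address) and k in net]
        if len(hosts_in_net) + 1 >= self.net_threshold:
            for k in hosts_in_net:       # collapse N host rules into one /24 rule
                del self.entries[k]
            self._add(net, now)
            return net
        self._add(addr, now)
        return addr

    def is_blocked(self, ip, now):
        self.expire(now)
        addr = ipaddress.IPv4Address(ip)
        for key in self.entries:
            if isinstance(key, ipaddress.IPv4Network):
                if addr in key:
                    return True
            elif key == addr:
                return True
        return False

    def rule_count(self):
        return len(self.entries)
```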
Off-the-shelf firewalls do not have the capability to figure out overages and distinguish between legitimate and DDoS traffic. At the most they may provide some SYN flood mitigation.
I have seen most high-end non-DDoS firewalls suffer badly during DDoS attacks due to flow-table overflows themselves. And these include high-end Check Point (Nokia) and Fortinet firewalls, and in this case NetScreen. But when you buy hardware DDoS mitigation equipment, you get peace of mind, because it is designed just for this.
I know many LiteSpeed users who use these solutions to avoid getting fried.
Look for solutions that can monitor at least 1 million simultaneous sources, 1 million simultaneous connections, 1 million simultaneous destinations (for outbound floods - just in case you are hacked), etc. Conventional firewalls just don't have that kind of juice. All they can do is allow or deny IPs (which further affects their performance).
I'd never heard of a NetScreen firewall being recommended to resolve a DoS attack.
-Mark Adams www.bitserve.com - Secure Michigan web hosting for your business.