  1. #1
    Join Date
    Dec 2005
    Location
    Australia, Brisbane
    Posts
    147

    DDoS attack still dropping my server

    Hey everyone, I have read so many posts, however I am still in need of help.

    I have been getting DDoSed for the last month. My host has tried many things on my server that are commonly suggested around here, however we have over 40 000 connections hitting the server from this attack and it keeps rising.

    I am on LiteSpeed.
    I also have a NetScreen 50 firewall, which helped for a little while, however the server still keeps going down.

    I am spending $420 a month on my hosting for my dedicated server.
    Now it is costing me an extra $400 a month to have the NetScreen firewall running, which is a waste of money as it cannot effectively keep the server running, and I'm not sure if I can even effectively afford that much money a month, however I might need to spend a little more if need be to just get the server running finally.

    Basically I need some options as to what I can do. I would like to stay with my host, they have been good to me, however if my options are better suited to changing then let me know. I just really need to get my server running great ASAP and to keep it running great when I'm away from the internet.

    Thanks.

  2. #2
    Join Date
    Jan 2008
    Posts
    34
    Use CSF firewall
    Download link http://www.configserver.com/cp/csf.html

  3. #3
    Join Date
    Dec 2005
    Location
    Australia, Brisbane
    Posts
    147
    Yeah, CSF is being used already to no avail, which is why the NetScreen-50 was tried (and LiteSpeed enterprise webserver), and still to no great success, which is why I am now hoping someone else might have a different suggestion that we have not thought of.

    Thanks.

  4. #4
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Things of that nature aren't going to stop it anyway if it's a decent-sized attack (especially a software firewall). Is it your site or one that a client might have? If it's something you can do without, stop hosting the target site. If not, maybe move that site to its own virtual IP and introduce some software firewall rate limiting.

    The problem is, with 40K+ IPs, any software firewall that you block the sources from will exhaust your server's physical memory when the chains get too large. If you can find an attack signature in the packet header via hardware, or something on the server in the access log as an attack footprint, you can create a method to start blocking the IPs, but again, you will run out of memory if it's very large. Perhaps you could put in a rule to recheck the firewall for IPs that are already blocked in that /24 and if there are 3 or 5 others, you can drop all of those and block only the same IP at the /24, and so on, which could save room in the chain.

    Also, maybe a timeout, where it drops an IP or /24 from the chain after 2 hours and if it happens again from the same IP or /24, you can reblock for double the time, and keep doubling it. Ultimately, a large enough DDoS cannot be fought and if the target site is hosted on you and the attack is persistent, you'll have to reevaluate if you want to host that site, or what is provoking the attack (as much as that sucks to say). More suggestions could be offered, if we knew more about it.
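
The /24 aggregation and doubling timeout suggested in post #4, as an added example that is not part of the original thread or any poster's own code. It is an in-memory model only: the `Blocklist` class, the threshold of 3 and the sample addresses are assumptions, and pushing the entries into a real firewall is left out.

```python
import ipaddress

class Blocklist:
    """IPv4 blocklist with /24 aggregation and doubling timeouts."""

    def __init__(self, threshold=3, base_ban=2 * 3600):
        self.threshold = threshold   # blocked hosts per /24 before collapsing
        self.base_ban = base_ban     # first ban length in seconds (2 hours)
        self.entries = {}            # network -> expiry time
        self.strikes = {}            # network -> number of bans so far

    def _ban(self, net, now):
        n = self.strikes.get(net, 0)
        self.strikes[net] = n + 1
        self.entries[net] = now + self.base_ban * 2 ** n   # doubles each time

    def expire(self, now):
        for net in [n for n, exp in self.entries.items() if exp <= now]:
            del self.entries[net]

    def is_blocked(self, ip, now):
        host = ipaddress.ip_network(ip + "/32")
        candidates = (host, host.supernet(new_prefix=24))
        return any(self.entries.get(n, 0) > now for n in candidates)

    def block(self, ip, now):
        """Block ip; return the network that now covers it."""
        self.expire(now)
        host = ipaddress.ip_network(ip + "/32")
        parent = host.supernet(new_prefix=24)
        for net in (parent, host):
            if net in self.entries:   # already covered, nothing to add
                return net
        self._ban(host, now)
        siblings = [n for n in self.entries
                    if n.prefixlen == 32 and n.subnet_of(parent)]
        if len(siblings) >= self.threshold:
            for n in siblings:        # replace the /32s with one /24 entry
                del self.entries[n]
            self._ban(parent, now)
            return parent
        return host

if __name__ == "__main__":
    bl = Blocklist()
    # Constructed sample sources from a documentation range (RFC 5737).
    for ip in ("203.0.113.5", "203.0.113.9", "203.0.113.77"):
        print(ip, "->", bl.block(ip, now=0))
    print(len(bl.entries), "entry in the table")
```

Collapsing to a /24 trades precision for table size: legitimate clients in that range are dropped too until the entry expires.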

  5. #5
    Join Date
    Dec 2005
    Location
    Australia, Brisbane
    Posts
    147
    Yeah, the site is mine which I am hosting, most likely an upset member who got banned or something deciding to get revenge, but this time their attack is actually bigger than normal.

    I am not just using software firewalls but also a hardware firewall -> NetScreen 50 hardware firewall - but as it seems, it does not seem to help enough.

    Currently I have Jon from secureservertech looking at my server, and fingers crossed he will be able to get the server working great again.

  6. #6
    Join Date
    Oct 2004
    Posts
    294
    Keep us updated if they find a solution for you!

  7. #7
    Originally posted by hornstar:
    "I am not just using software firewalls but also a hardware firewall -> NetScreen 50 hardware firewall - but as it seems, it does not seem to help enough."

    Totally agree with Tim Greer that software solutions or conventional hardware firewalls (like NetScreen) are not going to help with DDoS.

    What you need is an affordable DDoS mitigation solution.

    Off-the-shelf firewalls do not have the capability to figure out overages and distinguish between legitimate and DDoS traffic. At the most they may provide some SYN flood mitigation.

    I have seen most high-end non-DDoS firewalls suffer badly during DDoS attacks due to flow-table overflows themselves. And these include high-end Check Point (Nokia) and Fortinet firewalls and in this case NetScreen. But when you buy hardware DDoS mitigation equipment, you get peace of mind, because it is designed just for this.

    I know many LiteSpeed users who use these solutions to avoid getting fried.

    Look for solutions that can monitor at least 1 million simultaneous sources, 1 million simultaneous connections, 1 million simultaneous destinations (for outbound floods - just in case you are hacked), etc. Conventional firewalls just don't have that kind of juice. All they can do is allow or deny IPs (which further affects their performance).

  8. #8
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    I'd never heard of a NetScreen firewall being recommended to resolve a DoS attack.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!
