-
05-04-2008, 01:07 AM #1Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
Under heavy DDoS attack and my host can't help!
Hi All,
My website (Large Discussion Forums Site) has been under a heavy DDoS attack for 3 weeks. My first host could not handle such an attack, so I moved to another who claimed to have a firewall that can handle the attack, but still, the site is down.
Does anyone have a good suggestion to get the site up and handle the attack? Any particular hosts that can help me?
(The Forum has its own server and does not use Apache).
Thanks guys.
VidER
-
05-04-2008, 01:18 AM #2Web Hosting Guru
- Join Date
- Oct 2007
- Location
- Las Vegas, NV
- Posts
- 301
Are you positive it's actually a DDoS attack and not simply heavy usage? Can you connect to the server where the site is hosted at all?
-
05-04-2008, 01:27 AM #3Web Hosting Master
- Join Date
- May 2003
- Location
- Canada
- Posts
- 671
If it's really a DDoS attack, I suggest looking at ProxyShield by gige or secureport from Staminus...
-
05-04-2008, 02:57 AM #4Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
Hi All.
Yes it is definitely a DDoS attack.
I have looked at ProxyShield but it costs $1500 a month, and I am not sure that, if I decide to go ahead with such an investment, it would solve the problem!
Isn't there a host that can help me out?
VidER
-
05-04-2008, 03:02 AM #5Custom Hosting Master
- Join Date
- Jan 2007
- Posts
- 2,602
Are you currently using a hardware firewall?
-
05-04-2008, 03:14 AM #6WHT Addict
- Join Date
- Jul 2004
- Location
- Bharat
- Posts
- 155
How large is the attack? Is it in Gbps?
-
05-04-2008, 03:46 AM #7Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
-
05-04-2008, 04:07 AM #8Custom Hosting Master
- Join Date
- Jan 2007
- Posts
- 2,602
Well, you'll be paying quite a bit to get that kind of DDoS traffic handled. I think ProxyShield may come in useful here.
-
05-04-2008, 06:37 AM #9Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
What is the process usually?
Shouldn't the host trace the attacks and take legal action?
VidER
-
05-04-2008, 06:48 AM #10Newbie
- Join Date
- Mar 2008
- Posts
- 28
You can't trace the attack if it's a DDoS with home PCs.
If servers are DDoSing you, then you can write an abuse mail (Whois on the attacker's host will give you the email address).
-
05-04-2008, 06:49 AM #11Retired Moderator
- Join Date
- Aug 2003
- Location
- Pittsburgh
- Posts
- 3,490
There's really not a whole lot they can do. These attacks can't really be "traced". The attacks come from thousands of different sources (mostly innocent zombie machines infected with something). Usually you just have to grin and bear it, or funnel it through someone with more bandwidth than you (which I believe is what ProxyShield does).
-
05-04-2008, 07:15 AM #12Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
So I have no options other than paying $1500 a month for ProxyShield to get rid of the problem?
VidER
-
05-04-2008, 07:22 AM #13Disabled
- Join Date
- Dec 2002
- Location
- chica go go
- Posts
- 11,876
You have better odds of knowing who is launching the attacks, because you have a personal stake in the forum. Odds are, it's one of the following:
1) Someone who owns a competing forum paid someone to DDoS you to drive traffic away from your site, and towards theirs.
2) A disgruntled user is DDoSing you because you removed his post/thread/account.
3) A disgruntled user is DDoSing you because you haven't removed the post/thread/account of someone who insulted their god.
There are other anti-DDoS methods, but I don't believe you're going to have a lot of luck. Try watching your access logs and see if you can spot a pattern.
Where are most of the attacks originating from?
-
05-04-2008, 07:38 AM #14Retired Moderator
- Join Date
- Aug 2003
- Location
- Pittsburgh
- Posts
- 3,490
ub3r is actually probably correct. It reminds me of a game server I used to run, for fun. We had a disgruntled player who was mad that I wouldn't restore his stats after I changed over to a new stats method. Ten minutes later we had a huge DDoS attack that took my whole provider's network offline.
-
05-04-2008, 07:44 AM #15Junior Guru Wannabe
- Join Date
- Apr 2008
- Posts
- 33
Yeah, there is unfortunately not a lot your host can do to legally stop the attacks. In most cases the attacks come from unaware people's computers who don't even realise that they are compromised. This is one of the reasons it's difficult to mitigate, as it's so distributed across a range of different IPs.
Are you running a software firewall at all, like APF etc.? If so, you might be wise to have a really good look through the logs and see if you can spot some sort of pattern to the traffic or IPs and then add them to the ACL tables etc.
Anyway, best of luck, and if I remember, Prolexic are also pretty good at filtering attacks through their pipe... but yet again pretty expensive.
Best of luck mate.
-
05-04-2008, 08:16 AM #16Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
-
05-04-2008, 09:00 AM #17Disabled
- Join Date
- May 2006
- Posts
- 1,426
2.8 gbs filtering would cost a lot more than $1500 anywhere. If gige is saying they will filter 2.8gbs on ProxyShield you better jump on that, 'cause it's sure as heck gonna cost $4k plus anywhere else.
Unless you meant only 2.8 gbs of traffic in a day; in that case it can be handled at the server with some TCP tweaking and software like CSF.
I wouldn't go around trying to kiss someone's butt who you think may be attacking you. If no one has come up and said they are DDoSing you, then leave it at anonymous attack. Your best bet is to not even acknowledge it, do not post anything on your site about it and so on.
Most of your issue sounds like management (if the attack really isn't 2.8gbs).
-
05-04-2008, 09:45 AM #18Web Hosting Master
- Join Date
- Oct 2002
- Location
- Vancouver, B.C.
- Posts
- 2,699
If your attacks are 2.8Gbps, there won't be anything you can do yourself to mitigate the attack. In fact, your provider should be null routing IP's for their network integrity, as unless you have a 10gig port, the attack is going to exhaust your switch buffers which will also impact other customers.
Is there a pattern to the attacks? i.e. TCP/UDP/source ports/destination ports? If the pattern is simple enough, you can ask your provider (or have them ask their upstream) to implement some ACL's to block out the attack traffic.
If they're attacking legitimate protocol/port combinations, you'll need a real ddos mitigation device with deep packet inspection, the likes of which only a true DDoS mitigation provider can provide.
-
05-04-2008, 09:47 AM #19Disabled
- Join Date
- Dec 2002
- Location
- chica go go
- Posts
- 11,876
You're right for the most part, but he could maybe find a provider who puts their entire network behind an anti-DDoS appliance, and includes the cost of filtering in the price of the service. However, most any will null route if the attacks begin to affect carrier or inter-network traffic.
The attacks are mostly from South America. Any kind of pattern in their HTTP headers? Possibly a common string in the user-agent?
-
05-04-2008, 10:12 AM #20Newbie
- Join Date
- May 2008
- Location
- USA
- Posts
- 14
First things first: talk to your provider; this or anything like this should be handled by the provider. They should be able to tell you what to do. If not, get a different host. I had this problem about a year and a half ago; it turns out my host was really not upgrading anything and just charging people. What's your site or the host? Always have a backup plan, and be sure it's not your own host trying to get more money out of you.
-
05-04-2008, 12:25 PM #21Retired Moderator
- Join Date
- May 2004
- Location
- Toronto, Canada
- Posts
- 5,105
-
05-04-2008, 03:46 PM #22CISSP-ISSMP, CISA
- Join Date
- Aug 2002
- Location
- Seattle
- Posts
- 5,525
-
05-05-2008, 12:28 AM #23Junior Guru Wannabe
- Join Date
- Jul 2002
- Posts
- 54
Thanks for your replies guys.
The attack is still continuous :-(
Yes, that is exactly what is happening. The Host (The Planet) null routes the traffic whenever the attacks reach a load that affects their network.
The user-agent they use is this: "Mozilla/4.0 (compatible)".
They all access Port 80 of the server.
VidER
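Added example, not part of any post in this thread: one way to do the access-log pattern check several replies suggest, reporting whether a single User-Agent dominates the traffic and how widely its sources are spread. The Combined Log Format, IPv4 clients, the `dominant_user_agent` helper and the sample lines are assumptions made for illustration; the forum server in the thread has its own log format.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Assumption: Combined Log Format with IPv4 clients; adapt the regex to the server's own format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines using documentation address ranges, not real traffic.
BARE = "Mozilla/4.0 (compatible)"
SAMPLE_LOG = [
    f'{ip} - - [05/May/2008:00:10:0{i} +0000] "GET / HTTP/1.0" 200 512 "-" "{ua}"'
    for i, (ip, ua) in enumerate([
        ("198.51.100.7", BARE), ("198.51.100.9", BARE), ("203.0.113.20", BARE),
        ("203.0.113.21", BARE), ("198.51.100.7", BARE), ("192.0.2.44", BARE),
        ("192.0.2.10", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) "
                       "Gecko/20080404 Firefox/2.0.0.14"),
        ("192.0.2.11", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ])
]

def dominant_user_agent(lines, min_share=0.5):
    """Report the most common User-Agent if it exceeds min_share of parsed requests."""
    rows = [m.groupdict() for m in map(LINE_RE.match, lines) if m]
    if not rows:
        return None
    ua, hits = Counter(r["ua"] for r in rows).most_common(1)[0]
    share = hits / len(rows)
    if share < min_share:
        return None
    sources = [r["ip"] for r in rows if r["ua"] == ua]
    # Group sources by /24 to see whether a few networks or many carry the traffic.
    nets = Counter(str(ip_network(ip + "/24", strict=False)) for ip in sources)
    return {
        "user_agent": ua,
        "share": share,
        "distinct_sources": len(set(sources)),  # many sources: IP ACLs scale poorly
        "top_networks": nets.most_common(3),
    }

if __name__ == "__main__":
    print(dominant_user_agent(SAMPLE_LOG))
```

The comparison is on the whole User-Agent string: the constructed MSIE 7 line starts with the same `Mozilla/4.0 (compatible` prefix, so a prefix or substring filter would also drop real Internet Explorer visitors.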
-
05-05-2008, 05:19 AM #24Newbie
- Join Date
- May 2008
- Posts
- 5
Something is obviously triggering the attack; maybe pissed off someone? Anyway, you probably have to pay a lot of money for real DDoS protection (physical firewalls).
-
05-05-2008, 07:33 AM #25Web Hosting Master
- Join Date
- Oct 2002
- Location
- Vancouver, B.C.
- Posts
- 2,699
You should request from your provider that they provide you router cache flows so that you can examine the source IP's.
You can then contact the source networks, and demand they stop. If they don't respond within a reasonable amount of time, contact their upstream providers as well, and inform them you will take legal action if they do not cease the attack.