  1. #1
    Join Date
    Jul 2002
    Posts
    54

    * Under heavy DDoS attack and my host can't help!

    Hi All,

    My website (a large discussion forums site) has been under a heavy DDoS attack for 3 weeks. My first host could not handle such an attack, so I moved to another who claimed to have a firewall that can handle the attack, but still, the site is down.

    Does anyone have a good suggestion to get the site up and handle the attack? Any particular hosts that can help me?

    (The Forum has its own server and does not use Apache).

    Thanks guys.

    VidER

  2. #2
    Join Date
    Oct 2007
    Location
    Las Vegas, NV
    Posts
    301
    Are you positive it's actually a DDoS attack and not simply heavy usage? Can you connect to the server where the site is hosted at all?

  3. #3
    Join Date
    May 2003
    Location
    Canada
    Posts
    671
    If it's really a DDoS attack, I suggest looking at ProxyShield by gige or secureport from Staminus.

  4. #4
    Join Date
    Jul 2002
    Posts
    54
    Hi All.

    Yes it is definitely a DDoS attack.

    I have looked at ProxyShield, but it costs $1500 a month, and I am not sure that, if I decide to go ahead with such an investment, it would solve the problem!

    Isn't there a host that can help me out?

    VidER

  5. #5
    Are you currently using a hardware firewall?

  6. #6
    Join Date
    Jul 2004
    Location
    Bharat
    Posts
    155
    How large is the attack? Is it in Gbps?

  7. #7
    Join Date
    Jul 2002
    Posts
    54
    Quote Originally Posted by cristibighea View Post
    Are you currently using a hardware firewall?
    The hosting company is using Cisco ASA 5500 Series Adaptive Security Appliances.

    Quote Originally Posted by shashikant View Post
    How large is the attack? Is it in Gbps?
    Yesterday we were getting 2.8Gbps of malicious traffic directed toward our server.

    VidER

  8. #8
    Well, you'll be paying quite a bit to get that kind of DDoS traffic handled. I think ProxyShield may come in useful here.

  9. #9
    Join Date
    Jul 2002
    Posts
    54
    What is the process usually?

    Shouldn't the host trace the attacks and take legal action?

    VidER

  10. #10
    You can't trace the attack if it's a DDoS with home PCs.
    If servers are DDoSing you, then you can write an abuse mail (a Whois on the attacker's host will give you the email address).

  11. #11
    Join Date
    Aug 2003
    Location
    Pittsburgh
    Posts
    3,490
    Quote Originally Posted by VidER View Post
    What is the process usually?

    Shouldn't the host trace the attacks and take legal action?

    VidER
    There's really not a whole lot they can do. These attacks can't really be "traced". The attacks come from thousands of different sources (mostly innocent zombie machines infected with something). Usually you just have to grin and bear it, or funnel it through someone with more bandwidth than you (which I believe is what ProxyShield does).

  12. #12
    Join Date
    Jul 2002
    Posts
    54
    So I have no options other than paying $1500 a month for ProxyShield to get rid of the problem?

    VidER

  13. #13
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,876
    Quote Originally Posted by VidER View Post
    Shouldn't the host trace the attacks and take legal action?
    You have better odds of knowing who is launching the attacks, because you have a personal stake in the forum. Odds are, it's one of the following:

    1) Someone who owns a competing forum paid someone to DDoS you to drive traffic away from your site, and towards theirs.
    2) A disgruntled user is DDoSing you because you removed his post/thread/account.
    3) A disgruntled user is DDoSing you because you haven't removed the post/thread/account of someone who insulted their god.

    There are other anti-DDoS methods, but I don't believe you're going to have a lot of luck. Try watching your access logs and see if you can spot a pattern.

    Where are most of the attacks originating from?

  14. #14
    Join Date
    Aug 2003
    Location
    Pittsburgh
    Posts
    3,490
    Quote Originally Posted by ub3r View Post
    You have better odds of knowing who is launching the attacks, because you have a personal stake in the forum. Odds are, it's one of the following:

    1) Someone who owns a competing forum paid someone to DDoS you to drive traffic away from your site, and towards theirs.
    2) A disgruntled user is DDoSing you because you removed his post/thread/account.
    3) A disgruntled user is DDoSing you because you haven't removed the post/thread/account of someone who insulted their god.

    There are other anti-DDoS methods, but I don't believe you're going to have a lot of luck. Try watching your access logs and see if you can spot a pattern.

    Where are most of the attacks originating from?
    ub3r is actually probably correct. It reminds me of a game server I used to run, for fun. We had a disgruntled player who was mad that I wouldn't restore his stats after I changed over to a new stats method. Ten minutes later we had a huge DDoS attack that took my whole provider's network offline.

  15. #15
    Join Date
    Apr 2008
    Posts
    33
    Yeah, there is unfortunately not a lot your host can do to legally stop the attacks. In most cases the attacks come from the computers of unaware people who don't even realise that they are compromised. This is one of the reasons it's difficult to mitigate, as it's so distributed across a range of different IPs.

    Are you running a software firewall at all, like APF etc.? If so, you might be wise to have a really good look through the logs and see if you can spot some sort of pattern to the traffic or IPs and then add them to the ACL tables etc.

    Anyway, best of luck, and if I remember, Prolexic are also pretty good at filtering attacks through their pipe... but yet again pretty expensive.

    Best of luck mate.

  16. #16
    Join Date
    Jul 2002
    Posts
    54
    Quote Originally Posted by ub3r View Post
    Where are most of the attacks originating from?
    Quote Originally Posted by jryan54 View Post
    Are you running a software firewall at all, like APF etc.? If so, you might be wise to have a really good look through the logs and see if you can spot some sort of pattern to the traffic or IPs and then add them to the ACL tables etc.
    Lots of the attacks are coming from South America!

    We are running APF and have blocked so many IP addresses ... but this doesn't help at all.

    VidER

  17. #17
    Join Date
    May 2006
    Posts
    1,426
    2.8 gbs filtering would cost a lot more than $1500 anywhere. If gige is saying they will filter 2.8gbs on ProxyShield, you better jump on that, 'cause it's sure as heck gonna cost $4k plus anywhere else.

    Unless you meant only 2.8 gbs of traffic in a day; in that case it can be handled at the server with some TCP tweaking and software like CSF.

    I wouldn't go around trying to kiss someone's butt who you think may be attacking you. If no one has come up and said they are DDoSing you, then leave it at anonymous attack. Your best bet is to not even acknowledge it, do not post anything on your site about it and so on.

    Most of your issue sounds like management (if the attack really isn't 2.8gbs).

  18. #18
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,699
    If your attacks are 2.8Gbps, there won't be anything you can do yourself to mitigate the attack. In fact, your provider should be null routing IP's for their network integrity, as unless you have a 10gig port, the attack is going to exhaust your switch buffers which will also impact other customers.

    Is there a pattern to the attacks? i.e. TCP/UDP/source ports/destination ports? If the pattern is simple enough, you can ask your provider (or have them ask their upstream) to implement some ACL's to block out the attack traffic.

    If they're attacking legitimate protocol/port combinations, you'll need a real ddos mitigation device with deep packet inspection, the likes of which only a true DDoS mitigation provider can provide.

  19. #19
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,876
    Quote Originally Posted by felosi View Post
    2.8 gbs filtering would cost a lot more than $1500 anywhere. If gige is saying they will filter 2.8gbs on ProxyShield, you better jump on that, 'cause it's sure as heck gonna cost $4k plus anywhere else.

    Unless you meant only 2.8 gbs of traffic in a day; in that case it can be handled at the server with some TCP tweaking and software like CSF.

    I wouldn't go around trying to kiss someone's butt who you think may be attacking you. If no one has come up and said they are DDoSing you, then leave it at anonymous attack. Your best bet is to not even acknowledge it, do not post anything on your site about it and so on.

    Most of your issue sounds like management (if the attack really isn't 2.8gbs).
    You're right for the most part, but he could maybe find a provider who puts their entire network behind an anti-ddos appliance, and include the cost of filtering in the price of the service. However, most any will null route if the attacks begin to affect carrier, or inter-network traffic.

    The attacks are mostly from South America; any kind of pattern in their HTTP headers? Possibly a common string in the user-agent?

  20. #20
    Join Date
    May 2008
    Location
    USA
    Posts
    14
    First things first: talk to your provider; this or anything like this should be handled by the provider. They should be able to tell you what to do. If not, get a different host. I had this problem about a year and a half ago; it turns out my host was really not upgrading anything and just charging people. What's your site or the host? Always have a backup plan, and be sure it's not your own host trying to get more money out of you.

  21. #21
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,105
    Quote Originally Posted by worlddomains View Post
    First things first: talk to your provider; this or anything like this should be handled by the provider. They should be able to tell you what to do. If not, get a different host. I had this problem about a year and a half ago; it turns out my host was really not upgrading anything and just charging people. What's your site or the host? Always have a backup plan, and be sure it's not your own host trying to get more money out of you.
    He has already changed hosts and the DDOS is following him. Clearly it is real and is a result of something about his site. The OP is going to have it hard if it is sustained for days or weeks. Normally they subside after a days.

  22. #22
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,525
    Quote Originally Posted by felosi View Post
    2.8 gbs filtering would cost a lot more than $1500 anywhere. If gige is saying they will filter 2.8gbs on ProxyShield, you better jump on that, 'cause it's sure as heck gonna cost $4k plus anywhere else.

    Unless you meant only 2.8 gbs of traffic in a day; in that case it can be handled at the server with some TCP tweaking and software like CSF.

    I wouldn't go around trying to kiss someone's butt who you think may be attacking you. If no one has come up and said they are DDoSing you, then leave it at anonymous attack. Your best bet is to not even acknowledge it, do not post anything on your site about it and so on.

    Most of your issue sounds like management (if the attack really isn't 2.8gbs).
    I'd advise AGAINST jumping on an offer like that. No way could someone afford to filter 2.8 Gbps sustained at $1500.00. That aside, I thought ProxyShield was cheaper?

  23. #23
    Join Date
    Jul 2002
    Posts
    54
    Thanks for your replies guys.

    The attack is still continuous :-(

    Quote Originally Posted by hhw View Post
    If your attacks are 2.8Gbps, there won't be anything you can do yourself to mitigate the attack. In fact, your provider should be null routing IP's for their network integrity, as unless you have a 10gig port, the attack is going to exhaust your switch buffers which will also impact other customers.
    Yes, that is exactly what is happening. The host (The Planet) null routes the traffic whenever the attacks reach a load that affects their network.

    Quote Originally Posted by hhw View Post
    Is there a pattern to the attacks? i.e. TCP/UDP/source ports/destination ports? If the pattern is simple enough, you can ask your provider (or have them ask their upstream) to implement some ACL's to block out the attack traffic.

    If they're attacking legitimate protocol/port combinations, you'll need a real ddos mitigation device with deep packet inspection, the likes of which only a true DDoS mitigation provider can provide.
    Quote Originally Posted by ub3r View Post
    The attacks are mostly from South America; any kind of pattern in their HTTP headers? Possibly a common string in the user-agent?
    The user-agent they use is this: "Mozilla/4.0 (compatible)".

    They all access port 80 of the server.

    VidER
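
The log check suggested in the thread, applied to the user-agent VidER reports, as an added example that is not part of any post. It assumes combined-format access logs (the thread's forum server may log differently), and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import IPv4Address, ip_network

# The user-agent reported in the thread. Compare it exactly: real MSIE agents
# also begin with "Mozilla/4.0 (compatible", so a substring match would hit them.
ATTACK_UA = "Mozilla/4.0 (compatible)"

# Constructed sample; combined log format is assumed, addresses are doc ranges.
_T = '- - [12/May/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-"'
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 {_T} "{ATTACK_UA}"',
    f'203.0.113.77 {_T} "{ATTACK_UA}"',
    f'198.51.100.5 {_T} "{ATTACK_UA}"',
    f'198.51.100.9 {_T} "{ATTACK_UA}"',
    f'198.51.100.200 {_T} "{ATTACK_UA}"',
    f'192.0.2.200 {_T} "{ATTACK_UA}"',
    f'192.0.2.44 {_T} "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"',
    f'192.0.2.45 {_T} "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    "truncated line without the expected fields",
])

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                     r'"[^"]*" "(?P<ua>[^"]*)"$')

def parse(log_text):
    """Return (ip, user_agent) for each well-formed IPv4 line; skip the rest."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        try:
            if m:
                records.append((str(IPv4Address(m["ip"])), m["ua"]))
        except ValueError:
            continue  # client field is not an IPv4 literal
    return records

def ua_shares(records):
    """Fraction of requests per exact user-agent string."""
    counts = Counter(ua for _, ua in records)
    return {ua: n / len(records) for ua, n in counts.items()}

def prefixes_for(records, ua, min_hits=2):
    """/24 networks with at least min_hits requests carrying exactly `ua`."""
    nets = Counter(str(ip_network(f"{ip}/24", strict=False))
                   for ip, seen in records if seen == ua)
    return sorted(net for net, n in nets.items() if n >= min_hits)

if __name__ == "__main__":
    print(prefixes_for(parse(SAMPLE_LOG), ATTACK_UA))
```

The per-agent share shows whether one string dominates the traffic, and the aggregated /24 list is the kind of simple pattern a provider can turn into an upstream ACL.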

  24. #24
    Something is obviously triggering the attack; maybe pissed off someone?? Anyway, you probably have to pay a lot of money for real DDoS protection (physical firewalls).

  25. #25
    Join Date
    Oct 2002
    Location
    Vancouver, B.C.
    Posts
    2,699
    Quote Originally Posted by VidER View Post
    Thanks for your replies guys.

    The attack is still continuous :-(
    You should request from your provider that they provide you router cache flows so that you can examine the source IP's.

    You can then contact the source networks, and demand they stop. If they don't respond within a reasonable amount of time, contact their upstream providers as well, and inform them you will take legal action if they do not cease the attack.
