  1. #1

    DDoS Attack - Please help with advice

    Hello

    I have been in online business for about 5 years, but only this morning found out what DDoS is. Shame on me.

    Our site was attacked this morning and the host (shared hosting) has switched off the dns connection so our site is currently down along with email. We are a small firm and we are absolutely getting killed by this right now.

    The tech support in this hosting company (icdsoft com) is absolutely phenomenal based on previous experiences and here is what they said throughout the day:

    "Your site gets approximately 60 hits/second. Unfortunately there isn't much that can be done in such a situation. We already blocked the most active IP addresses in our firewall, but this does not help, as the attack comes from many sources."

    About an hour later they tried again and the following was said:

    "Unfortunately we do not know how long this attack will last. At the moment there are more than 1100 requests/second towards your site."

    About an hour after that the following was said:

    "The attack is still going on. Currently, the incoming rate is 8MBit/sec. We will enable your site, and we will notify you when the attack is over."


    My questions are the following and I will appreciate any advice as I am absolutely clueless about this:

    1. What should I do at this point? Should I move the site to a dedicated server and if so, will this solve the DDOS problem?

    2. Should I purchase an anti-DDoS package? They are extremely expensive, it appears.

    3. If I move to a new dedicated host, which one should I choose? We are a small site, with about 10,000 uniques per month, and do not have a massive budget, so cost is a big factor.

    4. How long will this current attack likely last? I know it's impossible to answer, but approximately how long do these things last and is it likely to repeat in the future if we leave things alone?

    Any knowledgeable advice on this matter will be greatly appreciated as we are hurting badly due to this and even 1 day loss of income for us is extremely serious and hurtful.

    Thank you in advance

  2. #2
    Join Date
    Mar 2009
    Location
    Dallas, Texas
    Posts
    242
    I would find a host that offers very good DDoS protection, and maybe one that runs the LiteSpeed web server. What is your domain, may I ask?

  3. #3
    Do you have any recommendations for such a host? Please keep in mind cost is very important.

    Domain is <<removed by request>>

    Any advice is greatly appreciated.
    Last edited by bear; 09-02-2009 at 05:19 PM.

  4. #4
    Join Date
    Jul 2000
    Posts
    2,063
    DDoS protection is largely dependent on how much you are willing to spend and how strong the attack is.

    "8MBit/sec" shouldn't be too hard to repel if you choose a dedicated provider who offers a dedicated solution for DDoS. I do advise you not to go for general purpose dedicated providers.
    I choose not to use my signature for advertising.

    It doesn't matter how much you claim how important your data is. If it's not backed up, it's not important.

  5. #5
    Join Date
    Jul 2009
    Posts
    639
    There isn't any average of how long a DDOS can last; too many factors involved. Also, to answer your last question, it is also not 100% positive or negative that a repeat will occur. Though more than likely, if someone is trying to attack you, then they will try and do it again.
    bihira.com | 10+ Years of Web Hosting Experience!
    Shared Hosting | Reseller Hosting | 30 Day Money Back Guarantee
    cPanel | CloudLinux | R1Soft | Softaculous
    Find us on facebook and follow us on twitter @bihira

  6. #6
    I suppose your web hosting company is the one who should take care of the attack. No one web hosting company can guarantee you they will not be attacked. So be aware of that. And get in touch with the company and ask them what is being done against it.

  7. #7
    Thanks. Can you guys give me a suggestion for a dedicated server with middle of the road DDoS protection for about mid range budget. Roughly $150-$300 per month? The host claims attack is still going on and I am ready to proceed with moving the site I think at this point. thanks!

  8. #8
    Join Date
    Apr 2009
    Posts
    643
    I assume you do not need such a huge upgrade. If you are now on shared hosting, I assume you'd better have a VPS server, not a dedicated server.
    ASPnix Web Hosting - ASP.NET, MS SQL, AJAX, Hyper-V
    Microsoft Hosting and Virtualization

  9. #9
    Join Date
    Apr 2007
    Posts
    3,513
    8MBit/sec
    DDOS that's luck, we have seen gigabit before!
    - Buying up websites, side-projects and companies - PM Me! -

  10. #10
    Join Date
    Jul 2000
    Posts
    2,063
    Quote Originally Posted by infinity99 View Post
    Thanks. Can you guys give me a suggestion for a dedicated server with middle of the road DDoS protection for about mid range budget. Roughly $150-$300 per month? The host claims attack is still going on and I am ready to proceed with moving the site I think at this point. thanks!
    8Mbits/sec is quite small, so you should be able to get a professional solution for that price range.

    But just to remind you "cheap" and "quality" do not get along.

    Just perform a search on the forum with the keyword "DDoS" and go through threads. Spend some time, like an hour, looking for your answers. Don't blindly listen to recommendations; do your research on hosts before spending your hard-earned money.

  11. #11
    Join Date
    Mar 2009
    Location
    Israel
    Posts
    1,204
    Ouch! Sorry to hear about this.
    Have you been able to find a solution yet?
    Keep us updated so we know how you solved this issue.
    I recommend looking into a dedicated server with a hardware firewall.
    beast5.com - Managed Hosting Solutions 2004 - 2016

  12. #12
    Join Date
    Mar 2006
    Location
    Reston, VA
    Posts
    3,132
    Quote Originally Posted by ZanyHost View Post
    DDOS that's luck, we have seen gigabit before!
    I've seen 10G+ come in before. 60/req/s or 8M/s isn't squat.

    More or less, it seems that his host either A. doesn't know what they are doing or B. has a very short tolerance/attention span for work.

  13. #13
    I think it is better to try contacting them to let them know about your problem. Hopefully they will assist you; also, to be on the safe side, get DoS protection software installed. If you are leaning toward upgrading your hosting, then I think a VPS would be fine for you; make sure they offer DoS protection.
    Support Facility | 24/7 web hosting technical support services
    Technical support | Server management | Data migration

    Technical Articles

  14. #14
    Join Date
    Oct 2002
    Location
    EU - east side
    Posts
    21,913
    Maybe instead of paying day in and day out for a dedicated server that you don't really need, you can find a proxy based DDoS protection service (e.g. blacklotus, gigenet) and put it into action when an attack is taking place. In any case, it's worth finding out if it can be a viable option, as it's also too early to say that your site will keep on facing attacks in the future.

  15. #15
    Join Date
    Mar 2009
    Location
    Dallas, Texas
    Posts
    242
    8 Mbits isn't really anything. Who is your host anyway? If it's downing the whole server they must not be but on a 10 Mbit port :|

  16. #16
    Join Date
    May 2008
    Location
    U.S.A.
    Posts
    77
    No matter what server you have, if it is Linux then csf/lfd is a MUST. You can configure it to automatically block IP addresses which send garbage traffic, or that sends traffic too fast from the same host, etc. It just sort of knows when it sees flooding or DDOS. It's free so I would say at least give it a try before you put money into a more robust solution. http://www.configserver.com/cp/csf.html

  17. #17
    Join Date
    Mar 2009
    Location
    Dallas, Texas
    Posts
    242


    Quote Originally Posted by vectro View Post
    No matter what server you have, if it is Linux then csf/lfd is a MUST. You can configure it to automatically block IP addresses which send garbage traffic, or that sends traffic too fast from the same host, etc. It just sort of knows when it sees flooding or DDOS. It's free so I would say at least give it a try before you put money into a more robust solution. http://www.configserver.com/cp/csf.html
    He does not have a server; he's on a shared host.

  18. #18
    Join Date
    May 2008
    Location
    U.S.A.
    Posts
    77
    Quote Originally Posted by hostingdispatch View Post
    He does not have a server; he's on a shared host.
    Gotcha. Then I suppose my next suggestion is to host with a company that uses it. I can say from personal experience that csf makes all the difference.

  19. #19
    Hello,

    While I am certainly sorry to hear of the issue that you are experiencing, in the scheme of things an 8 Mbps attack really isn't even a blip on the radar.

    Some hosts will even have Shared Firewall services that should be able to handle your attack with pricing starting as low as $50/mo.

  20. #20
    Our current host was ICDsoft.com. Honestly, I thought they were absolutely wonderful; tech support is great and everything else is great too. Unfortunately, yesterday they notified us that because of the DDoS attack they will NOT host our website any more.

    I have purchased a dedicated Linux server at HostGator, which I hope will be enough to get our website back online as we are still down :-(

  21. #21
    I'm sorry to hear that. Sounds like a rubbish host to be honest considering the scale of the attack and the frequency. I could understand if it was a big constant attack and you were a liability to other customers' security but you only got attacked once.

    Good riddance eh?
    Roy's Toys - For all your Nintendo needs.
    Hosted by GeekSRV.

  22. #22
    For what it's worth, the severity of the attack has increased, they said, along with our current programmer. So possibly it is more severe than what I mentioned in the beginning of this post.

    My programmer said that "The server load was over 200" right now when he looked at it moments ago.

  23. #23
    Did you draw the ire of anyone capable of doing this or to your knowledge is it a random attack?

    If it was a random attack I'd have issues about the host that dropped you. If it's someone who might be purposely targeting you, you should bear that in mind when looking for a new host.

  24. #24
    Quote Originally Posted by doihaveto View Post
    Did you draw the ire of anyone capable of doing this or to your knowledge is it a random attack?

    If it was a random attack I'd have issues about the host that dropped you. If it's someone who might be purposely targeting you, you should bear that in mind when looking for a new host.
    This is most certainly not random. It is almost 100% guaranteed to be an attack created or ordered by one of our competitors.

  25. #25
    Join Date
    Apr 2007
    Location
    Panama
    Posts
    206
    Your Apache server just won't be able to manage SYN floods, as Apache is just bad at it no matter what tuning you do. I suggest you find a DDoS mitigation service provider so that they can filter your SYN flood before it reaches your web server. Google "DDoS mitigation".
    CCIHosting.com - Anonymous Offshore Hosting Solutions with DDoS Protection
    99.9% Uptime and 24x7 Tech Support via Live Chat, Telephone and Tickets
    Skype ccipanama

  26. #26
    Join Date
    Jan 2006
    Location
    China
    Posts
    350
    Quote Originally Posted by CaroMark View Post
    Hello,

    While I am certainly sorry to hear of the issue that you are experiencing, in the scheme of things an 8 Mbps attack really isn't even a blip on the radar.

    Some hosts will even have Shared Firewall services that should be able to handle your attack with pricing starting as low as $50/mo.
    You obviously didn't read the part where he's using shared hosting. That's the whole problem. If you have a site that is capable of drawing the ire of someone capable of this on a common basis, your shared hosting provider might not want to deal with you also (just to consider). I drew the ire of a specific religious group once and let me tell you there may be no end to it as long as they know where to attack you (or what domain you have), but I had a dedicated server so my host took protective measures for me.

    What really matters is WHO and WHY they are attacking you. Often times, it's just a one-time deal, unless you piss off fanatics (as I once did) or some other dedicated group (dedicated to making your business fail or your life hell). Good luck. And if you're on shared hosting who could you possibly (afford to) have pissed off? What kind of business is this??


  27. #27
    We certainly are not in the business of anything of the sort you mention. We are a small real estate firm <<removed>>. However, it is a very competitive business and I think in this part of the world there are many 'hungry' hackers who are likely easy to hire to execute these attacks.

    As mentioned, we switched already to dedicated server but thus far our expert has not gotten us online yet. Will wait until tomorrow to see what the next step will be.

    Thanks for all the feedback thus far.
    Last edited by bear; 09-20-2009 at 07:46 AM.

  28. #28
    Join Date
    Jan 2006
    Location
    China
    Posts
    350
    Quote Originally Posted by infinity99 View Post
    We certainly are not in the business of anything of the sort you mention. We are a small real estate firm <<removed>>. However, it is a very competitive business and I think in this part of the world there are many 'hungry' hackers who are likely easy to hire to execute these attacks.

    As mentioned, we switched already to dedicated server but thus far our expert has not gotten us online yet. Will wait until tomorrow to see what the next step will be.

    Thanks for all the feedback thus far.
    That explains it 100%. There are a ton of Eastern European (like Ukrainian) hackers. If it only costs him a few dollars to take a competitor out and make hundreds or thousands in profits from increased business, it's a simple decision for him. Good luck in dealing with it.
    Last edited by bear; 09-20-2009 at 07:46 AM.


  29. #29
    Join Date
    Apr 2009
    Location
    New Jersey
    Posts
    367
    Did you find a solution? If not, I found this on WHT - I believe WHT uses them, maybe worth looking into: http://www.gigenet.com/ddos-protection.html

  30. #30
    With simple use of proper firewalls, that can be avoided, for newbies running a host they usually don't secure or firewall their servers correctly, if at all.

  31. #31
    Join Date
    Apr 2009
    Location
    New Jersey
    Posts
    367
    Quote Originally Posted by HostFeverDan View Post
    With simple use of proper firewalls, that can be avoided, for newbies running a host they usually don't secure or firewall their servers correctly, if at all.
    Software firewalls can only do so much. Also GoDaddy, a multi-million dollar company, is no "noob". For best protection you should look for a hardware firewall along with a mitigation system. I am 100% sure companies like The Planet provide this type of protection (DDOS mitigation) for free when you purchase their dedicated servers. You cannot stop all DDOS attacks from a software firewall.

  32. #32
    It seems this DDoS is really a bad, bad thing. I don't know about this; can anybody tell me what exactly it is and where it comes from? Is it some sort of hacking tactic or what?

  33. #33
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    The most economical option would be to find a dedicated server running Litespeed (http://www.litespeedtech.com ). It's a drop in replacement for Apache and the only caveat is that you have to rebuild PHP with LSAPI (but they include a GUI for that!)

  34. #34
    Join Date
    Mar 2009
    Location
    Dallas, Texas
    Posts
    242
    Quote Originally Posted by bradtech2009 View Post
    It seems this DDoS is really a bad, bad thing. I don't know about this; can anybody tell me what exactly it is and where it comes from? Is it some sort of hacking tactic or what?
    TCP attacks:

    1. TCP SYN or TCP ACK Flood Attack
    2. TCP Sequence Number Attack
    3. TCP/IP Hijacking


    The following UDP attacks:

    1. ICMP Attacks
    2. Smurf Attacks
    3. ICMP Tunneling


    TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. The synchronization or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as the TCP SYN Flood attack. The process is also susceptible to access and modification attacks, which are briefly explained in the following sections.

    TCP SYN or TCP ACK Flood Attack - This attack is very common... The purpose of this attack is to deny service. The attack begins as a normal TCP connection: the client and the server exchange information in TCP packets. The TCP client continues to send ACK packets to the server; these ACK packets tell the server that a connection is requested. The server thus responds to the client with an ACK packet; the client is supposed to respond with another packet accepting the connection to establish the session. In this attack the client continually sends and receives the ACK packets but it does not open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available connections and denies any requesting clients access.

    TCP Sequence Number Attack - This is when the attacker takes control of one end of a TCP session. The goal of this attack is to kick the attacked end of the network for the duration of the session. Only then will the attack be successful. Each time a TCP message is sent the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system. The only defense against such an attack is to know that it's occurring... There is little that can be done...

    TCP Hijacking - This is also called active sniffing, it involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

    UDP packets aren't connection oriented and don't require the synchronization process as with TCP. UDP packets, however, are susceptible to interception, thus it can be attacked. UDP, like TCP, doesn't check the validity of an IP address. The nature of this layer is to trust the layer above it (I'm referring to the IP layer). The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing UDP services on that host to shut down. It can also overload the network and cause a DoS situation to occur.

    ICMP Attacks - These occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate request (think of it as echoing). Ping, for instance, uses the ICMP protocol. sPing is a good example of this type of attack; it overloads the server with more bytes than it can handle, larger connections. It's a ping flood.

    Smurf Attacks - This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it sends back ICMP message traffic information indicating status to the originator. If a broadcast is sent to a network, all hosts will answer back to the ping. The result is an overload of the network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.

    ICMP Tunneling - ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The counter measure is to deny ICMP traffic on your network.

  35. #35
    Join Date
    Aug 2002
    Location
    Seattle
    Posts
    5,512
    ICMP != UDP. Also, it's been many years since I've seen an ICMP attack. Since it's not an obligatory protocol no one bothers using it in attacks.

  36. #36
    Join Date
    Nov 2002
    Location
    Bay Area, California
    Posts
    309
    You need to hire a Ukrainian hacker to help you fight DDoS.

    With dedicated server, and highly skilled local person to help you, you can handle this. Local person costs less to hire. Local hacker knows what address blocks are used in the area where your REAL site visitors come from.
    Sunwave Communications
    http://www.sunwave.com/
    Safety - Service - Economy

  37. #37
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    Quote Originally Posted by IRCCo Jeff View Post
    ICMP != UDP . Also, it's been many years since i've seen an ICMP attack. Since it's not an obligatory protocol no one bothers using it in attacks.
    Had one the other day so they still use them. It isn't quite effective as it used to be, of course.

    LiteSpeed: We've tested it over and over without any success. There seems to be more headache with the product as a whole than it buys you. It has several limitations, the configuration is a pain if you want to do any proxy work. Additionally, the support staff isn't very helpful from the times we spoke with them.

    The speed difference is little to none when comparing 2.2 with Litespeed. The "DDoS protection" it provides is very little considering it could be done at the OS firewall level (at least on FreeBSD). It will serve as a drop in to help with SYN floods so it may assist with this issue here but it's sold as some miraculous 'DDoS' alternative to Apache, which it isn't.

    Of course, individual results may vary. Just stating opinion.
    FiberPeer.Com | | REAL DDoS Protection | Cloud Hosting | VPS | Dedicated Servers | High Bandwidth Hosting | 1Gbps-10Gbps Unmetered
    FiberPeer DDoS Mitigation | ethProxy Upgraded! | 14-Years Experience | Emergency 24/7 Support
    Visit us @ www.fiberpeer.com

  38. #38
    Move to another host; they don't seem to be trying to stop it really...

  39. #39
    I agree with the guy above me; the host doesn't seem that good, not very reliable, better to change.

  40. #40

    A response from ICDSoft

    The purpose of this post is to provide more information on what exactly happened on Aug 31, as it seems that there is some general misinterpretation of the issue.

    Everyone in the hosting business who had to deal with DoS/DDoS attacks knows that this can be one of the most difficult problems to cope with. In all DoS/DDoS issues we had so far on our servers, we believe that we have taken the most proper actions, and we dealt with these issues in the best possible way.

    In this particular case, the bandwidth was not an issue at all. The problem was the number of requests to the server.

    The attack started at 6:15 GMT (on Aug 31) just as an HTTP flood to the domain of infinity99. The number of requests varied from 50 to 500 per second, trying to open "/" on the server. The matter was quickly resolved by our system administrators, by filtering some IPs, as well as increasing the limits of the web server. At this point, the number of Apache child processes on the server was a constant 1000-1500, and this was not causing noticeable server problems.

    At 6:45 GMT, the pattern of the attack changed, and HTTP requests were targeted to the main server vhost as well. An hour after that, the number of requests reached 1500/second. At this point, we disabled the DNS service for the domain of infinity99, as the attack started to become a problem for the server, in terms of server load. A factor to consider here is the way the customer site is built.

    At 12:00 GMT, we re-enabled the DNS service for the attacked domain. At this time, there were about 50-60 HTTP requests per second. Minutes after enabling of the domain, the number of requests rose to 1100-1200/minute. We prepared a static page for the site of the attacked domain instead of the dynamic software used, and the server continued to operate normally.

    At 16:30 GMT, the pattern of the attack changed again, and this time it became a typical TCP SYN flood attack. The attack started with about 150000 packets per second but this value tripled in an hour. Our Sysadmins performed some kernel tuning and filtered thousands of IPs. Also, we worked with Savvis (our datacenter provider) on having the attack mitigated. This had some effect, but eventually, we decided to suspend the DNS service for the attacked domain again.

    In the next 12 hours, we restored the service for the domain several times, but every time this resulted in a rapid increase of the attack severity. Apparently, someone was very eager to bring the domain down.

    We understand that suspending the DNS service of the attacked domain is actually "helping" the attackers to reach their goal. However, in such situations there is no "winning" move. We have to choose between (1) a fight with a DDoS coming from tens of thousands of IPs, thus risking the operation of all several hundred sites on the same server, and (2) disabling the attacked site, which can lead to a decrease of the attack severity.

    Infinity99 took the best action in the case, by moving the domain to a dedicated service. We greatly appreciate his cooperation and understanding while dealing with this matter.
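
    The thread's central observation (filtering the most active IPs did not stop an HTTP flood on "/" because it came from many sources) can be checked from a web server access log. The following is an added example, not part of any post in this thread: it buckets requests per second and reports whether the busiest sources account for most of the traffic. The log lines are constructed, and the 50 requests/second threshold and the top-5 / 50% cut-off are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache common/combined log prefix: ip ident user [time] "METHOD path ..." status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} ')


def parse_line(line):
    """Return (ip, timestamp, path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path = m.groups()
    try:
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, when, path


def analyze(lines, rate_threshold=50, top_n=5, concentrated_share=0.5):
    """Classify each one-second bucket as normal, concentrated or distributed.

    rate_threshold, top_n and concentrated_share are illustrative assumptions.
    """
    per_second = defaultdict(Counter)   # timestamp -> Counter of source IPs
    root_hits = Counter()               # timestamp -> requests for "/"
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # skip malformed lines instead of failing
        ip, when, path = rec
        per_second[when][ip] += 1
        if path == "/":
            root_hits[when] += 1

    report = []
    for when in sorted(per_second):
        ips = per_second[when]
        total = sum(ips.values())
        top_share = sum(n for _, n in ips.most_common(top_n)) / total
        if total < rate_threshold:
            verdict = "normal"
        elif top_share >= concentrated_share:
            verdict = "concentrated"    # blocking the top sources removes most of it
        else:
            verdict = "distributed"     # per-IP blocking barely dents the flood
        report.append({
            "second": when.strftime("%H:%M:%S"),
            "requests": total,
            "distinct_ips": len(ips),
            "top_share": top_share,
            "root_share": root_hits[when] / total,
            "verdict": verdict,
        })
    return report


def build_sample():
    """Constructed log lines (documentation IP ranges, not real traffic)."""
    fmt = '{ip} - - [31/Aug/2009:06:15:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip=f"192.0.2.{i}", s=0, p=p)
             for i, p in enumerate(["/", "/listings", "/contact"], 1)]
    # Second 1: 60 requests from a single noisy client.
    lines += [fmt.format(ip="198.51.100.7", s=1, p="/") for _ in range(60)]
    # Second 2: 60 requests for "/" from 60 different sources.
    lines += [fmt.format(ip=f"203.0.113.{i}", s=2, p="/") for i in range(1, 61)]
    lines.append("truncated or garbage line")
    return lines


if __name__ == "__main__":
    for row in analyze(build_sample()):
        print(f'{row["second"]}  {row["requests"]:4d} req  '
              f'{row["distinct_ips"]:3d} IPs  top5={row["top_share"]:.0%}  '
              f'root={row["root_share"]:.0%}  {row["verdict"]}')
```

    A "distributed" verdict with a high share of requests for one URL is the case where upstream filtering or serving a static page, both mentioned in the post above, matters more than per-IP firewall rules.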
