Options to stop a DDOS attack


kevcj
03-23-2009, 05:43 PM
My host has told me that my forum is coming under a DDOS attack. Once was on Friday, March 20th, and again today (Monday, March 23). Before those two, there were attacks almost every week, sometimes twice a week.

The host installed DoS-Deflate. It started blocking legitimate traffic and had to be removed.

The operating system is Linux CentOS, the forum software is vBulletin. The server is a VPS with 1 gig of memory.

Besides DoS-Deflate, what other options are out there?

TNCclubman
03-23-2009, 05:46 PM
Your host should install hardware filters, they shouldn't be asking you to do anything, that's their job, the whole point of not hosting it yourself, tell them they need to take care of it or you're going elsewhere...

Brandon Sheley
03-23-2009, 05:49 PM
What I used to do was pass protect the URL.
It's not great for search engines, but it helped keep the forum up.

kevcj
03-23-2009, 05:52 PM
> Your host should install hardware filters, they shouldn't be asking you to do anything,

Thank you for the reply.

They are not asking me to install dos-deflate, they are asking if it's OK for them to install dos-deflate.

After exchanging emails, I told the support people to go ahead and reinstall dos-deflate. I think someone put the limit too low, and that is why people started getting blocked.

The other option that was suggested was to recompile Apache for multithreaded architecture (MPM support), or upgrade to an entry level dedicated server.



> What I used to do was pass protect the URL.
> It's not great for search engines, but it helped keep the forum up.


uhhhhh, search engines are our friends.

Dismounted
03-24-2009, 05:05 AM
Do you know how they are DoSing? (i.e. are they going to a webpage/SSH/ICMP request/etc.?)

motowebmaster
03-29-2009, 02:35 PM
The original version of the deflate script had a coding error in it, which does cause it to stop legitimate traffic. After the correction is made, it should work normally, but an all-out attack on a server is only diminished by the deflate script - it won't stop it without advanced tools.

As previously pointed out, some hosting providers have the means to move a particular server's traffic through a hardware filter (at least temporarily) until the attack subsides and the cause is determined.
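
Added example, not part of any post in this thread and not DoS-Deflate's own code: the per-IP connection count that this kind of script relies on, run over constructed netstat-style lines to show how the limit decides whether a busy but legitimate address gets flagged alongside the flooding one. The addresses, counts and limits are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: per-IP connection counting in the style of a deflate script
# (netstat output -> count per remote address -> compare against a limit).
# SAMPLE is constructed data in `netstat -ntu` layout, not a real capture.
SAMPLE=$(
  printf 'Proto Recv-Q Send-Q Local Address Foreign Address State\n'
  i=0; while [ $i -lt 200 ]; do   # one flooding source
    echo "tcp 0 0 192.0.2.10:80 203.0.113.7:$((40000+i)) ESTABLISHED"
    i=$((i+1)); done
  i=0; while [ $i -lt 30 ]; do    # many real users behind one NAT address
    echo "tcp 0 0 192.0.2.10:80 198.51.100.20:$((50000+i)) ESTABLISHED"
    i=$((i+1)); done
  echo "tcp 0 0 192.0.2.10:80 198.51.100.99:51000 ESTABLISHED"
)

# over_limit LIMIT: read netstat-style lines on stdin and print "count ip"
# for every remote address holding more than LIMIT connections.
over_limit() {
    awk -v limit="$1" '
        $1 ~ /^(tcp|udp)/ {              # skip header lines
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # strip the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# On a live server the input would be:  netstat -ntu | over_limit 150
# With the sample, a limit of 150 flags only the flooding address, while a
# limit of 20 also flags the NAT address carrying legitimate visitors.
```

Before any blocking is switched on, running the count in report-only mode for a day shows what the busiest legitimate addresses look like, which is the number the limit has to stay above.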

Shazz
03-29-2009, 02:53 PM
Who is your host? The popular hosts are not built for protection, I can recommend some good DDoS hosts but they do get pricey.

insainz
03-31-2009, 08:27 AM
Best thing you can do on a Linux webserver to stop DDoS is firstly install LiteSpeed Webserver (instead of Apache), it is much faster and way more secure. Secondly install CSF security and firewall.

I had over 10,000 attacks every few seconds, so many attacks it stopped the server responding. After taking the above steps I was able to filter out the DDoS from the real traffic.

Marco van Herwaarden
03-31-2009, 08:47 AM
We have one going on since yesterday at a site I help admin. Server overloaded, even difficult to open a shell. Added an extra .htaccess login box (with username & password listed on the login prompt) and server load is back to normal. Only takes 10 seconds to (de)activate and the result is immediate.

Alfa1
03-31-2009, 09:27 AM
> We have one going on since yesterday at a site I help admin. Server overloaded, even difficult to open a shell. Added an extra .htaccess login box (with username & password listed on the login prompt) and server load is back to normal. Only takes 10 seconds to (de)activate and the result is immediate.

Could you please elaborate about this? How do you add a .htaccess login box?

Marco van Herwaarden
03-31-2009, 09:53 AM
Just add password protection in the way you prefer (from cPanel??). Just make sure that you put the username/password also in the text of the login, so regular visitors (i.e. humans) can read it and log in. This will stop all bots.
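
Added example, not part of the original posts: one way to switch the temporary login box described above on and off from a shell. It assumes Apache with `AllowOverride AuthConfig` for the forum directory and a password file already created with `htpasswd`; the marker comments and function names are hypothetical.

```shell
#!/bin/sh
# Added example: toggle a temporary Basic-auth gate in a forum's .htaccess.
# Assumes the password file was made beforehand, outside the web root, with:
#   htpasswd -c /path/outside/webroot/.htpasswd guest
BEGIN_MARK='# BEGIN temp-login-gate'
END_MARK='# END temp-login-gate'

# gate_off DIR: remove only the marked block, leaving other rules intact.
gate_off() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 0
    sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$f" > "$f.tmp" &&
        cat "$f.tmp" > "$f" &&        # rewrite in place, keeps file mode
        rm -f "$f.tmp"
}

# gate_on DIR PASSWD_FILE USER PASS: append the auth block. The credentials
# go into the realm text so human visitors can read them in the prompt.
gate_on() {
    dir="$1"; pwfile="$2"; user="$3"; pass="$4"
    [ -f "$pwfile" ] || { echo "missing password file: $pwfile" >&2; return 1; }
    gate_off "$dir"                   # idempotent: never stack two blocks
    cat >> "$dir/.htaccess" <<EOF
$BEGIN_MARK
AuthType Basic
AuthName "Humans: log in with user $user and password $pass"
AuthUserFile $pwfile
Require valid-user
$END_MARK
EOF
}

# Typical use during an attack, then again once it subsides:
#   gate_on  /var/www/forum /etc/httpd/forum.htpasswd guest guest
#   gate_off /var/www/forum
```

Because the credentials are published in the prompt, this is a filter against clients that cannot read the dialog, not access control; it belongs only on the public forum path, and search engine crawlers receive a 401 for as long as it is active.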

testbot
03-31-2009, 05:31 PM
Just a note... that will also block good bots like Google. :)

I like that idea though. Good to add to my tool box.

Dismounted
04-01-2009, 07:02 AM
It's not a permanent solution - just to stop a single attack.

Marco van Herwaarden
04-01-2009, 07:41 AM
Yes, this will stop all automated processes including SE-spiders, but that is a small price to pay. And like Dismounted mentioned, this is a solution only usable for a short time, but most attacks don't run longer than a few days.

The story from yesterday did get a strange twist. After deploying the extra login trick, we decided to also ask the host to place us behind an extra firewall to further help mitigate the attack. At the time the server was placed behind the firewall, the server (with extra login) was under a high load, but forums were usable. During the day the forums became less and less responsive until they were almost unreachable by the end of the day. Server load however was still low. After a long time of troubleshooting we decided to remove the firewall again to see what happens. Guess what, server load stayed within reasonable limits, forums were accessible at a good speed again. So in this case the firewall actually did make things worse instead of solving it (although the host doesn't want to admit this).

testbot
04-01-2009, 04:19 PM
The host never admits fault for ANYTHING. :lol:

I'm always amazed at the amount of attacks we get from random countries. It's always something.

Good post. :)

motowebmaster
04-02-2009, 11:21 PM
When I owned a much larger vB site, a dedicated Cisco ASA Firewall provided basic protection. When DDOS attacks would happen, my host would move my public network interface (before my firewall) to a special network segment that was equipped with DDOS mitigation technology and let it run there for 24-48 hours. It didn't happen often, but represented the "no additional charge" means of dealing with some mean attacks. At the time, my primary webserver was a Dual Quad Core machine and on some occasions it would be brought to a crawl until mitigation was activated.

There aren't that many service providers who do this, but the idea is catching on. Ask your service provider about it.