Massive DDos Attack.
bigcurt
05-14-2009, 04:12 PM
Well, for the past going on 2 days now I have received a massive DDos attack on my server from an unclaimed source. This is my first DDos attack ever, and hopefully my last. My server company ( URLJet ) has been great to try and help me, but they have given up hope as they have worked for the past day and the attack still persists. Do any of you guys have any suggestions to help me out? No idea why this is happening, considering this is our first ever attack..especially on this scale.
Thanks,
Curt
Lynne
05-14-2009, 04:56 PM
Moved out of the Community Lounge.
We've gone through these and just had to basically wait it out (once for four or so days). My server guy did write me a script which I turn on when we go through this and it will ban an IP when it pounds the server too much. Our iptables get filled, and the site will be slow, but at least the users can get on and see my message about us being under attack.
bigcurt
05-14-2009, 05:00 PM
Moved out of the Community Lounge.
We've gone through these and just had to basically wait it out (once for four or so days). My server guy did write me a script which I turn on when we go through this and it will ban an IP when it pounds the server too much. Our iptables get filled, and the site will be slow, but at least the users can get on and see my message about us being under attack.
That must be a nice thing to have. So far, we have banned like 20 IP's..and they keep coming. I wish there was just some way I could get a message out to everyone saying we are under attack..but the site doesn't even come up :(.
motowebmaster
05-15-2009, 01:38 AM
Banning an IP won't stop it from executing a DDOS attack. Are you running your own server, or a shared host?
bigcurt
05-15-2009, 03:24 AM
It is a VPS plan with URLJet.
Dismounted
05-15-2009, 06:54 AM
Depending on what they are pounding, you can try placing basic HTTP authentication in .htaccess (with user/pass displayed in the description). This is somewhat effective if they are attacking HTTP.
bigcurt
05-15-2009, 12:01 PM
Depending on what they are pounding, you can try placing basic HTTP authentication in .htaccess (with user/pass displayed in the description). This is somewhat effective if they are attacking HTTP.
I am fairly sure the host has already tried that. I figured out that this is a "100mps UDP Attack". They are also using stolen EU dedicated servers to do it.
Brandon Sheley
05-15-2009, 01:21 PM
If you're with a decent host, they should be able to help you out
I know when I've been under attack, my host has added some lines to the htaccess to help with the attacks
Wayne Luke
05-15-2009, 01:36 PM
A good host can redirect these attacking IP addresses at the primary router level where the bandwidth is in the hundreds of gigabytes per second and not let them into their own network where it will cause problems for all their customers as the bottlenecks get smaller and smaller. With a DDOS, once the IP addresses have gotten to the server level, you've pretty much lost. Especially when the attacking addresses number in the thousands.
When vBulletin.com was DDOSed once we had to block off entire continents' worth of IP addresses and then slowly open them up later.
No company has hundreds of gigabytes per second, maybe gigabits, and you can't simply redirect an attack by flipping a switch. The company will need to work with their upstream providers to resolve the issue most of the time, it's either that or absorbing the attack.
redhawk89
05-15-2009, 01:53 PM
What about googling the IP, figuring out what ISP it is and calling them to report it?
bigcurt
05-15-2009, 02:33 PM
My host URLJet, has been nothing but helpful. However, they cannot find anything else to do. Not sure what they have tried or anything like that, I just know they have been working on it for going on 3 days now.
I have been tracing the IP's, and trying to figure out who hosts the servers..but it is not that easy because they are EU servers and some are in different languages ( French being one )..and some are not giving me correct links or anything..ugh..so confusing lol.
TheLastSuperman
05-15-2009, 02:40 PM
Install any translator you can or open up a page & copy/paste... now is the time to try anything to stop this...
Sorry this is happening :(
Hmm... could they not turn off your site, i.e. do a full backup of the DB then place one of their messages saying "this site temporarily Hosted by so&so" or the usual "they have not paid their bill message" for a few hours to see if the person is trolling the site then they see it down, it might trick them for a day or so... I dunno but this makes me mad & sorry again :(.
Mike
bigcurt
05-15-2009, 03:43 PM
Eh, no sense in being sorry it is not your fault..I appreciate the sympathy though. It aggravates me, but I am not one to give up because some kids have no life :P.
TheLastSuperman
05-15-2009, 03:48 PM
Eh, no sense in being sorry it is not your fault..I appreciate the sympathy though. It aggravates me, but I am not one to give up because some kids have no life :P.
And there you have it ;)
bigcurt
05-15-2009, 05:59 PM
Still nothing :(. Site is still down, still being attacked at 78mbps.
Wayne Luke
05-15-2009, 06:58 PM
No company has hundreds of gigabytes per second, maybe gigabits, and you can't simply redirect an attack by flipping a switch. The company will need to work with their upstream providers to resolve the issue most of the time, it's either that or absorbing the attack.
Sorry meant gigabits actually. That is what I get for posting before the proper amount of caffeine is in my blood.
lasto
05-15-2009, 10:00 PM
Maybe it's not kids who are trying to bring down your website.
What is your forum about?
bigcurt
05-15-2009, 10:37 PM
Mostly gaming, and anything related to games. Our actual main theme is a forum for users to trade game keys for their games. Not generated keys, real, purchased game keys.
CrazyProgrammer
05-15-2009, 11:50 PM
and a great site it is :) Done a few trades there myself, was wondering what was going on :)
3xigames
05-16-2009, 02:42 AM
Get a firewall script.
They can be expensive.. but they work.
Be happy they didn't simply deface your site.
There's a script rolling around that empties your database without authentication.
I've had it happen twice.
My forum is just about the same theme.. Gaming.
"Game Hacking".
But it's been defaced twice.
500 server error if you do anything with any database through the same server.
It's pretty nasty.
I think a firewall script will help you the most.. look into it <3.
I hope they stop DoSing you.. I know how it feels /wrists for you man.
motowebmaster
05-16-2009, 02:59 AM
Some network service providers do offer DDOS Mitigation Services, for an additional fee that can exceed the monthly cost of the respective backbone connection. Customers of most Tier 1 CoLo or Managed Hosting Facilities also have this option available to them. It's a premium-priced service.
One can Google "DDOS Mitigation Service" and find solutions that can help at the URL Level, but to be honest I've always been attacked at the Network Interface Level.
My service provider has the means to mitigate DDOS day-to-day, but they also maintain infrastructure used in temporary situations when a customer's server is getting hit with something serious.
You're in a tough situation.
Dismounted
05-16-2009, 05:13 AM
If they are only attacking from servers in a specific region (as you mentioned), your host may be able to block this set of IPs at the router.
silvermerc
05-16-2009, 02:41 PM
What you can do is either put up a .htaccess and in the .htaccess say the user and password (works) or you can do what Lynne suggested and get a custom mod.
bigcurt
05-16-2009, 08:13 PM
What you can do is either put up a .htaccess and in the .htaccess say the user and password (works) or you can do what Lynne suggested and get a custom mod.
Host has already tried that. The IP's are in a very big range as well. They are all EU but they are very weird ranges. Host has tried DoS-Deflate, all that :(. Site still down.
snakes1100
05-16-2009, 10:42 PM
1. Your host should be blocking this ddos attack at the router, NOT at your server.
2. If your host can't block a ddos attack, I'd suggest a new host.
3. Did you even check the logs to see what type of attack it actually is or netstat the current connections on the server?
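For the question in the post above about checking what type of attack it is, and the earlier mention of a script that bans an IP when it pounds the server, here is an added example (not part of the thread, and not the script any poster used) that summarizes `netstat -ntu` output by connection state, source IP and /24. The sample output, thresholds and function names are constructed for illustration; it only sees connections that reach the server, so a flood that fills the link still has to be filtered upstream, as the thread says.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ntu` output; all addresses are from the
# reserved documentation ranges, not from the attack discussed in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.1:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.2:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.3:40003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.4:40004       SYN_RECV
tcp        0      0 192.0.2.10:80           192.0.2.77:52000        ESTABLISHED
"""


def parse_netstat(text):
    """Yield (proto, remote_ip, state) for each IPv4 tcp/udp line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # headers, tcp6/udp6 and anything unexpected
        host = fields[4].rsplit(":", 1)[0]
        try:
            ip = ipaddress.IPv4Address(host)
        except ValueError:
            continue
        if ip.is_unspecified:
            continue  # 0.0.0.0:* entries are local sockets, not peers
        state = fields[5] if len(fields) > 5 else ""
        yield fields[0], ip, state


def summarize(text, per_ip_limit=3, per_net_limit=4):
    """Return (state counts, noisy /24 networks, noisy single IPs).

    The limits are tiny so the sample triggers them; on a real server
    they would be set well above what a normal visitor opens.
    """
    states, per_ip, per_net = Counter(), Counter(), Counter()
    for proto, ip, state in parse_netstat(text):
        states[(proto, state)] += 1
        per_ip[ip] += 1
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1

    # A /24 can be noisy even when no single address in it stands out.
    noisy_nets = sorted(n for n, c in per_net.items() if c >= per_net_limit)
    noisy_ips = sorted(
        ip for ip, c in per_ip.items()
        if c >= per_ip_limit and not any(ip in n for n in noisy_nets)
    )
    return states, noisy_nets, noisy_ips


def block_rules(nets, ips):
    """Render the candidates as iptables DROP rules (printed, not applied)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in [*nets, *ips]]


if __name__ == "__main__":
    states, nets, ips = summarize(SAMPLE_NETSTAT)
    for (proto, state), count in states.most_common():
        print(f"{count:5d}  {proto} {state}")
    for rule in block_rules(nets, ips):
        print(rule)
```

A connection table dominated by one state, such as SYN_RECV in the sample, is the kind of detail a host or upstream provider needs when asked to filter at the router.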
motowebmaster
05-17-2009, 12:38 AM
It's time to take drastic measures. Have you considered putting up a temporary site elsewhere?
Riceman
05-17-2009, 06:21 AM
Unfortunately with the nature of Keyhunt being a buy/sell/trade forum, a lot of banned members and scammers feel the need to attack the site in some way because they have been caught out. Unfortunately I have not had much experience with DDoS attacks within the last few years (in which time I have actually come to understand a lot) so I cannot give you current and relevant advice. The only thing I can mention is that I have had good experiences with blocking entire continents, using professional firewalls and implementing a simple username/password scheme. Of course, each is useful at different stages and the time when I used the username and password trick I was only being attacked by a few little script kiddies using a little program.
I'd have to agree with Snakes1100 though, if your host cannot mitigate the attack at all or at least offer some sort of protection, a new host may be in order. I know that with some of my previous hosts, they were experienced and smart enough to block the attack at the hardware level preventing almost all of the negative effects altogether. You'd be best off going with a provider that has been through the ordeal many times, because it seems like these URL Jet guys don't really have that experience.
maidos
05-17-2009, 01:02 PM
well having server from softlayer.com a friend of mine purchased a firewall that cost 100 usd per month and successfully blocked all kinds of ddos attacks. Can try with softlayer
snakes1100
05-17-2009, 01:10 PM
well having server from softlayer.com a friend of mine purchased a firewall that cost 100 usd per month and successfully blocked all kinds of ddos attacks. Can try with softlayer
There are plenty of nice & free firewalls that would suffice in stopping the attack, no need to buy anything.
His main issue is a host that can't stop a ddos attack at the router lvl, by no means should a true ddos be attempted to be stopped at the server lvl.
Most likely it is a simple flooding of ports anyways by a bunch of kiddie hackers with too much free time & port flooding programs they dl'd from the net.
Biker_GA
05-17-2009, 01:13 PM
1. Your host should be blocking this ddos attack at the router, NOT at your server.
2. If your host can't block a ddos attack, I'd suggest a new host.
3. Did you even check the logs to see what type of attack it actually is or netstat the current connections on the server?
Exactly. If the host is unwilling or unable to modify the router tables, it's definitely time for a new host.
The only exception to this would be if the host is running a dedicated firewall. At that point, you modify the firewall rules to block the offending IP blocks.
TNCclubman
05-17-2009, 02:12 PM
There's a program out there (for the server level) that will automatically forward IP's that hammer you to any other url you want. Kind of like an automatic deflector shield. I'll try looking for it for you on google.
Biker_GA
05-17-2009, 02:15 PM
The host should not be running any type of firewall on a production server. In a data center environment, dedicated boxes are needed for firewall applications. If a host is attempting to have a production server do anything other than what it's to be used for, it's DEFINITELY time to find a new host.
snakes1100
05-17-2009, 02:31 PM
There's a program out there (for the server level) that will automatically forward IP's that hammer you to any other url you want. Kind of like an automatic deflector shield. I'll try looking for it for you on google.
So, seeing as the flooder is requesting responses on port 80 or whatever port, which right now the server is being flooded and now not responding, it would be wise to answer his requests and then forward his requests to a new address?
So how exactly would that solve the flood issue coming from the ip?
bigcurt
05-17-2009, 03:55 PM
I didn't setup this thread to bash my host, as they have been nothing but great to me and I believe have done a ton to help me. So, everyone please do not turn it into that. Thanks everyone for their help so far! Still down though :(.
There's a program out there (for the server level) that will automatically forward IP's that hammer you to any other url you want. Kind of like an automatic deflector shield. I'll try looking for it for you on google.
It doesn't work like that. If you have no networking experience don't post stuff you've heard from a friend of a friend.
COBRAws
05-18-2009, 03:11 AM
We suffer from DDoS every 2 or 3 months, don't ask me why because I don't know.
The best solution for me was to deploy IPTables, a good firewall and just in case, have a load balancer with mirrored data on diff servers.
U're on a VPS, so there isn't much u can do, just ask your hosting provider, since you can't "touch" hardware nor software.
snakes1100
05-18-2009, 12:16 PM
We suffer from DDoS every 2 or 3 months, don't ask me why because I don't know.
The best solution for me was to deploy IPTables, a good firewall and just in case, have a load balancer with mirrored data on diff servers.
U're on a VPS, so there isn't much u can do, just ask your hosting provider, since you can't "touch" hardware nor software.
Can't touch "software" on a VPS, since when? VPS's come with root access, you can touch anything you want software wise.
fum1n
05-18-2009, 12:49 PM
Read your PM
bigcurt
05-18-2009, 06:13 PM
Checked.
bigcurt
05-21-2009, 04:52 AM
Well, just to give everyone an update. I was contacted by the attackers, who are still attacking...and basically they are trying to blackmail me to get them to stop. Yes, I am not kidding. My site isn't down at the moment, as my host has been a ton of help in helping to mitigate everything. However, I am sure it isn't over.
Lynne
05-21-2009, 03:30 PM
Well, just to give everyone an update. I was contacted by the attackers, who are still attacking...and basically they are trying to blackmail me to get them to stop. Yes, I am not kidding. My site isn't down at the moment, as my host has been a ton of help in helping to mitigate everything. However, I am sure it isn't over.
I had something similar happen to me recently. They hacked my godaddy account and stole the two main domains for my site and tried to blackmail me to get them back. They thought I would care about google rankings and all that when they pointed my domains to a stupid web search page. However, I could care less about that and just went through the proper channels with godaddy and the new domain registrar and got the domains back after three weeks. In the meantime, I simply used one of our other domains for the site. Sure, it was a pain in the *** (my editing), but I wasn't about to give them the money they wanted.
motowebmaster
05-24-2009, 04:31 AM
Well, just to give everyone an update. I was contacted by the attackers, who are still attacking...and basically they are trying to blackmail me to get them to stop. Yes, I am not kidding. My site isn't down at the moment, as my host has been a ton of help in helping to mitigate everything. However, I am sure it isn't over.
Have you forwarded this correspondence to any other organization, such as local law enforcement?
Chelf12
05-24-2009, 05:22 AM
Well, just to give everyone an update. I was contacted by the attackers, who are still attacking...and basically they are trying to blackmail me to get them to stop. Yes, I am not kidding. My site isn't down at the moment, as my host has been a ton of help in helping to mitigate everything. However, I am sure it isn't over.
It's considered hacking (obviously), and is a violation of international law. Contact a law enforcement agency. If the DDoS is coming from the US, contact the people listed below. Seriously. Since it's hacking of a computer (technically), contact these groups.
FBI local office (http://www.fbi.gov/contact/fo/fo.htm)
U.S. Secret Service (http://www.treas.gov/usss/index.shtml)
Internet Crime Complaint Center (http://www.ic3.gov/)
Source: http://www.usdoj.gov/criminal/cybercrime/reporting.htm
If you live in another nation, find out how to contact them.
COBRAws
05-26-2009, 09:08 PM
Can't touch "software" on a VPS, since when? VPS's come with root access, you can touch anything you want software wise.
I was talking about core software, not your "partition" VPS Like installed software.
Everyone knows that on a VPS you can't fully control your server since it's a virtual server (thus the VPS) and other VPS share the same hardware rack or cpu. You only have access to your own VPS and not the Rack software.
bigcurt
06-16-2009, 01:45 PM
Well, the attack is back folks. Like I said before, I was contacted by users from a website basically wanting me to advertise their site and they will stop the attack. Well, my host installed some very nice hardware to prevent the attack and it was working well for the past 2 weeks or so. Well, it's back and has hit almost 2.0Gbit/sec...boy oh boy. I know the attackers will be reading this, so feel free to contact me when you do.
Lynne
06-16-2009, 03:55 PM
Have you done anything like contact their ISPs? Do you know who the actual 'attackers' are?
bigcurt
06-16-2009, 04:56 PM
I do. However, I cannot contact any ISP until I know their IP. Which, I am sure they have hidden in every way possible.
Angel-Wings
06-17-2009, 09:03 AM
But you've their website name - don't you ? Maybe do a whois lookup and then contact the provider / hoster of the website forwarding the mails / messages they sent you and ask them to do steps against such form of aggressive marketing.
bigcurt
06-17-2009, 11:54 AM
Good idea, except it won't help my website. It will just piss them off. If they have access to enough boxes to attack me with such a huge amount of bandwidth I am sure they have access to their own private box.
timhj
06-24-2009, 05:39 AM
check your server logs... get the ip address and add a deny rule to the .htaccess in your root folder...
I'm guessing by DDOS you mean over port 80... if so just deny access for that address.
Dismounted
06-24-2009, 06:41 AM
Except if they are exceeding the bandwidth you have, you're screwed anyway. Think that there is a pipe to your server. If that pipe is blocked all the way to it - nothing you do at the server level can help.
bigcurt
06-24-2009, 05:51 PM
According to my host, they exceeded my bandwidth of 2TB within an hour because the attack was so large at times. Now, my site has been down for a while because we are caught in a limbo as to if they are attacking.
Curtis, it is obvious you upset some badass because of a previous action you performed... or else you would not be in this situation. And I'm sure you know exactly why they are attacking you. An attack of this magnitude is not run by a kiddie.
Have you done anything like contact their ISPs? Do you know who the actual 'attackers' are?
Even if he knows everything, he cannot do anything about it. Those attacks are not run by amateurs. It is obvious they use many zombies combined with a ton of Windows computers from the daily armada of unprotected online users. You realize the attackers are pumping 512MB/sec worth of data to his pipe, right?
JakeS
06-25-2009, 12:35 PM
Read your PM
Checked.
Well, just to give everyone an update. I was contacted by the attackers, who are still attacking...and basically they are trying to blackmail me to get them to stop. Yes, I am not kidding. My site isn't down at the moment, as my host has been a ton of help in helping to mitigate everything. However, I am sure it isn't over.
Hmm.
Something seems a bit fishy here.
Just wondering, by any chance is the person first quote who is blackmailing you?
ubcforums
06-26-2009, 01:39 PM
Try this..
http://nix101.com/2007/07/21/syn-deflate/
it actually works
shaqoneal
06-26-2009, 01:49 PM
Just because you didn't want to advertise their site? What? I don't even know why people do this. These attackers should just let people run their site peacefully. Take the time to improve their own site and make it more marketable rather than waste their time and to hurt somebody else. If they do that, people will advertise them without their need to even ask! Just look at Google! Practically every person sources them for no reason at all!
bigcurt
06-28-2009, 03:26 AM
My site I am sure makes plenty of enemies because we are constantly banning people who scam users. Just like any other trading site. However, as far as I know the attacks have nothing to do with that. If they do, no one has claimed that at least. Now my main problem is my host can't open my account back up because I am too high risk. Anyone have any advice for a high-risk hosting plans?
Marco van Herwaarden
08-04-2009, 07:19 AM
Cleaned thread from all replies that were advertising a hosting service. Hosting discussions should take place on vB.com.
imported_silkroad
08-05-2009, 01:45 PM
My site I am sure makes plenty of enemies because we are constantly banning people who scam users. Just like any other trading site. However, as far as I know the attacks have nothing to do with that. If they do, no one has claimed that at least. Now my main problem is my host can't open my account back up because I am too high risk. Anyone have any advice for a high-risk hosting plans?
Amazon AWS with EC2/EBS/S3/CloudFront
imported_silkroad
08-07-2009, 01:03 PM
OBTW, this is a pretty good article about defending against DOS/DDOS attacks:
Protecting against DDOS attacks (http://ancientgeeks.wordpress.com/2008/01/25/protecting-against-ddos-attacks/)
The author recommends you keep a current backup on AWS EC2/EBS (for example) and run it when you are a victim of an attack.
The reason is that it is too expensive to run full time on EC2 against a massive attack, but you can run it there to frustrate the attacker (and keep your customers happy), and maybe they will go away (and you can return to your cheaper configuration).
Cheers.
Marco van Herwaarden
08-07-2009, 01:09 PM
I find it difficult to take an article seriously if the author thinks an ISP is the same as a host.
imported_silkroad
08-07-2009, 01:22 PM
I find it difficult to take an article seriously if the author thinks an ISP is the same as a host.
Well, good for you :-)
I think the article is well written and provides sound advice, and I have considerable experience in the security field.
In addition, I don't think the author thinks an "ISP is the same as a host" (as you said), he just did not choose his words carefully.
Obviously, the author is smarter than that.
Anyway, where in the article did the author say "An ISP is the same as a host"... I did not read that into anything written, and did a search, and did not read it either directly or indirectly :-)
Marco van Herwaarden
08-07-2009, 02:28 PM
When I posted my comment I had only read part of the article. The total article is useful and does provide some tips on how to handle, or prepare for, a DDOS.
He never says "host = ISP", but he uses the terms in the document as identical. 1 example:
My server is currently hosted by [ISP name removed]. That’s one ISP that I can vouch for;
He is clearly talking about his host providing the server, not about the provider of the internet connection.
Silver Tiger
08-07-2009, 05:36 PM
When I posted my comment I had only read part of the article. The total article is useful and does provide some tips on how to handle, or prepare for, a DDOS.
He never says "host = ISP", but he uses the terms in the document as identical. 1 example:
He is clearly talking about his host providing the server, not about the provider of the internet connection.
Listen to some of the Lil Wayne songs, he has some weird, confusing lyrics.
Like " I got old money, it could have been a dinosaur"
HAHA
GSeybold
08-08-2009, 09:04 PM
Hello
In stupid people terms, can someone briefly explain to me what all this attack stuff means? Is this something I have to worry about on my forums? I have tech support obviously but don't want to run into any overage problems which will cost me time and money.
Thanks
Gabby
Medtech
08-08-2009, 09:20 PM
DDos attacks are made by others who have nothing better to do than target a random site and harass it to the end. I have been targeted several times due to the nature of my forum. Anyway I use lunarpages hosting company and their servers are top notch, I have to be careful with my ftp clients or I get denied myself...lol. Some hosts that are resellers can't do much, while others that have their own server farms can handle situations much better.
Basically I am saying if you become a victim of continued attacks, move your site to a very good host.
Lynne
08-08-2009, 09:50 PM
Hello
In stupid people terms, can someone briefly explain to me what all this attack stuff means? Is this something I have to worry about on my forums? I have tech support obviously but don't want to run into any overage problems which will cost me time and money.
Thanks
Gabby
Are you on twitter? Yesterday twitter was brought down due to a ddos attack. Basically, several computers all try to hit the site at the same time and it stops 'real' users from trying to access the site.
puertoblack2003
08-08-2009, 10:02 PM
Are you on twitter? Yesterday twitter was brought down due to a ddos attack. Basically, several computers all try to hit the site at the same time and it stops 'real' users from trying to access the site.
lol.. I was about to mention that twitter was getting pounded. But they refused to say it, till later. facebook was also ddosed a while back. There was an inside joke about myspace doing the ddos...lol but here is the report
http://news.cnet.com/8301-13577_3-10304633-36.html?tag=newsLeadStoriesArea.1
GSeybold
08-08-2009, 10:06 PM
Ok everyone. Thank you so much for explaining this. I normally have about 50-70 posts a day so if I start to see very large numbers of people trying to post, this is a DDOS attack? Do people have to be logged into your forum to do this or do they just bring up your forum all at the same time?
Lynne
08-08-2009, 10:11 PM
Ok everyone. Thank you so much for explaining this. I normally have about 50-70 posts a day so if I start to see very large numbers of people trying to post, this is a DDOS attack? Do people have to be logged into your forum to do this or do they just bring up your forum all at the same time?
Usually you won't see a thing on the site since they don't necessarily try to hit a vbulletin file, they just pound the server, not the site itself, with requests. I know that the few times I've been dosed (how do you spell that?), I have not seen any increase in the number of users (well, the number of users goes down cuz no one can access the site!).
GSeybold
08-08-2009, 10:24 PM
Thank you Lynne. So DDOS attacks are usually from an individual with problems or is this something an organization would employ to quell competition? Sorry to ask so many questions. I did have something like this not too long ago but my host took care of it pretty quickly. I have no idea what they did to solve this problem. LOL Now I wish I did. All I knew was that I had run out of bandwidth like two days after the first of the month and my site was taken offline by the host for excessive bandwidth. Is this a DDOS attack?
Lynne
08-08-2009, 10:48 PM
You might want to read this about them - http://en.wikipedia.org/wiki/Denial-of-service_attack Sometimes, like with twitter, there are a group of users doing it specifically because of something (in that case, they were targeting a particular user but didn't seem to care that they brought down the whole site), but sometimes they just do it for fun (like hacking sites is often done for fun).
GSeybold
08-08-2009, 11:07 PM
Ah ok. Lynne, thank you. Just read the Wiki article. Too bad there aren't as stringent laws for hackers.
Silver Tiger
08-13-2009, 07:10 PM
Cash Money Records is a known group of individuals that DDOS (and I am not talking about the recording company)
Bibbo
08-13-2009, 07:15 PM
Lots of people DDOS. It's pretty common to see it done. And there are lots of ways for people to DDOS.
If you find out who is DDOSing you just put a redirect on your domain to their site. So it will attack their site every time they attack yours.
chick
08-18-2009, 11:51 PM
Lots of people DDOS. It's pretty common to see it done. And there are lots of ways for people to DDOS.
If you find out who is DDOSing you just put a redirect on your domain to their site. So it will attack their site every time they attack yours.
Will that actually work?
Someone may have already said to contact the upstream to get them to filter the attack, case should be resolved at that point.