Options to stop a DDOS attack
My host has told me that my forum is coming under a DDOS attack. Once was on Friday, March 20th, and again today (Monday, March 23). Before those two, there are attacks almost every week, sometimes twice a week.
The host installed DoS-Deflate. It started blocking legitimate traffic and had to be removed. The operating system is Linux CentOS, the forum software is VBulletin. The server is a VPS with 1 gig of memory. Besides DoS-Deflate, what other options are out there? |
Your host should install hardware filters. They shouldn't be asking you to do anything; that's their job, the whole point of not hosting it yourself. Tell them they need to take care of it or you're going elsewhere...
|
What I used to do was pass-protect the URL.
It's not great for search engines, but it helped keep the forum up |
Quote:
They are not asking me to install dos-deflate, they are asking if it's OK for them to install dos-deflate. After exchanging emails, I told the support people to go ahead and reinstall dos-deflate. I think someone put the limit too low, and that is why people started getting blocked. The other option that was suggested was to recompile Apache for multithreaded architecture (MPM support), or upgrade to an entry level dedicated server.
Quote:
uhhhhh, search engines are our friends. |
Do you know how they are DoSing? (i.e. are they going to a webpage/SSH/ICMP request/etc.?)
|
The original version of the deflate script had a coding error in it, which does cause it to stop legitimate traffic. After the correction is made, it should work normally, but an all-out attack on a server is only diminished by the deflate script - it won't stop it without advanced tools.
As previously pointed out, some hosting providers have the means to move a particular server's traffic through a hardware filter (at least temporarily) until the attack subsides and the cause is determined. |
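The effect of a ban limit set too low, as an added example that is not part of any post in this thread: DoS-Deflate counts connections per remote address in `netstat` output and bans addresses above a configured limit. The function names, the addresses and the connection counts below are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-IP connection counting over netstat-style input.

# flag_ips <limit>: read `netstat -ntu`-style rows on stdin and print
# "count ip" for each remote IPv4 address with more than <limit> connections.
flag_ips() {
    awk -v limit="$1" '
        $1 ~ /^(tcp|udp)/ {                 # skip header lines
            addr = $5                       # column 5 = foreign address
            sub(/:[0-9*]+$/, "", addr)      # drop the port
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }
    ' | sort -rn
}

# conns <remote-ip> <n>: emit <n> constructed netstat rows for one address.
conns() {
    n=0
    while [ "$n" -lt "$2" ]; do
        echo "tcp 0 0 192.0.2.10:80 $1:$((40000 + n)) ESTABLISHED"
        n=$((n + 1))
    done
}

# Constructed sample (documentation addresses, invented counts):
sample() {
    echo "Proto Recv-Q Send-Q Local Address Foreign Address State"
    conns 203.0.113.50 200    # one flooding source
    conns 198.51.100.7 40     # many real visitors behind one NAT/proxy address
    conns 198.51.100.23 6     # a single browser
}

for limit in 150 30; do
    echo "limit=$limit would ban:"
    sample | flag_ips "$limit"
done
```

On a live server the same function can be fed with `netstat -ntu | flag_ips 150` to see which addresses a given limit would ban before enabling it.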
Who is your host? The popular hosts are not built for protection. I can recommend some good DDoS hosts but they do get pricey.
|
Best thing you can do on a Linux webserver to stop DDoS is firstly install Litespeed Webserver (instead of Apache); it is much faster and way more secure. Secondly, install csf security and firewall.
I had over 10,000 attacks every few seconds, so many attacks it stopped the server responding. After taking the above steps I was able to filter out the DDoS from the real traffic. |
We have one going on since yesterday at a site I help admin. Server overloaded, even difficult to open a shell. Added an extra .htaccess login box (with username & password listed on the login prompt) and server load is back to normal. Only takes 10 seconds to (de)activate and the result is immediate.
|
Quote:
|
Just add password protection in the way you prefer (from cPanel??). Just make sure that you put the username/password also in the text of the login, so regular visitors (i.e. humans) can read it and log in. This will stop all bots.
|
Just a note... that will also block good bots like Google. :)
I like that idea though. Good to add to my tool box. |
It's not a permanent solution - just to stop a single attack.
|
Yes, this will stop all automated processes including SE-spiders, but that is a small price to pay. And like dismounted mentioned, this is a solution only usable for a short time, but most attacks don't run longer than a few days.
The story from yesterday did get a strange twist. After deploying the extra login trick, we decided to also ask the host to place us behind an extra firewall to further help mitigate the attack. At the time the server was placed behind the firewall, the server (with extra login) was under a high load, but forums were usable. During the day the forums became less and less responsive until they were almost unreachable by the end of the day. Server load however was still low. After a long time of troubleshooting we decided to remove the firewall again to see what happens. Guess what, server load stayed within reasonable limits, forums were accessible at a good speed again. So in this case the firewall actually did make things worse instead of solving it (although the host doesn't want to admit this). |
The host never admits fault for ANYTHING. :lol:
I'm always amazed at the amount of attacks we get from random countries. It's always something. Good post. :) |
When I owned a much larger vB site, a dedicated Cisco ASA Firewall provided basic protection. When DDOS attacks would happen, my host would move my public network interface (before my firewall) to a special network segment that was equipped with DDOS mitigation technology and let it run there for 24-48 hours. It didn't happen often, but represented the "no additional charge" means of dealing with some mean attacks. At the time, my primary webserver was a Dual Quad Core machine and on some occasions it would be brought to a crawl until mitigation was activated.
There aren't that many service providers who do this, but the idea is catching on. Ask your service provider about it. |