Massive DDos Attack.
Well, for the past going on 2 days now I have received a massive DDos attack on my server from an unclaimed source. This is my first DDos attack ever, and hopefully my last. My server company ( URLJet ) has been great to try and help me, but they have given up hope as they have worked for the past day and the attack still persists. Do any of you guys have any suggestions to help me out? No idea why this is happening, considering this is our first ever attack..especially on this scale.
Thanks, Curt |
Moved out of the Community Lounge.
We've gone through these and just had to basically wait it out (once for four or so days). My server guy did write me a script which I turn on when we go through this and it will ban an ip when it pounds the server too much. Our iptables get filled, and the site will be slow, but at least the users can get on and see my message about us being under attack. |
Banning an IP won't stop it from executing a DDOS attack. Are you running your own server, or a shared host?
|
It is a VPS plan with URLJet.
|
Depending on what they are pounding, you can try placing basic HTTP authentication in .htaccess (with user/pass displayed in the description). This is somewhat effective if they are attacking HTTP.
|
If you're with a decent host, they should be able to help you out
I know when I've been under attack, my host has added some lines to the htaccess to help with the attacks |
A good host can redirect these attacking IP addresses at the primary router level where the bandwidth is in the hundreds of gigabytes per second and not let them into their own network where it will cause problems for all their customers as the bottlenecks get smaller and smaller. With a DDOS, once the IP addresses have gotten to the server level, you've pretty much lost. Especially when the attacking addresses number in the thousands.
When vBulletin.com was DDOSed once we had to block off entire continents worth of IP addresses and then slowly open them up later. |
No company has hundreds of gigabytes per second, maybe gigabits, and you can't simply redirect an attack by flipping a switch. The company will need to work with their upstream providers to resolve the issue most of the time, it's either that or absorbing the attack.
|
What about googling the IP, figuring out what ISP it is and calling them to report it?
|
My host URLJet, has been nothing but helpful. However, they cannot find anything else to do. Not sure what they have tried or anything like that, I just know they have been working on it for going on 3 days now.
I have been tracing the IP's, and trying to figure out who hosts the servers..but it is not that easy because they are EU servers and some are in different languages ( French being one )..and some are not giving me correct links or anything..ugh..so confusing lol. |
Install any translator you can or open up a page & copy/paste... now is the time to try anything to stop this...
Sorry this is happening :( Hmm... could they not turn off your site i.e. do a full backup and of the DB then place one of their messages saying "this site temporarily Hosted by so&so" or the usual "they have not paid their bill message" for a few hours to see if the person is trolling the site then they see it down, it might trick them for a day or so... I dunno but this makes me mad & sorry again :(. Mike |
Eh, no sense in being sorry it is not your fault..I appreciate the sympathy though. It aggravates me, but I am not one to give up because some kids have no life :P.
|
Still nothing :(. Site is still down, still being attacked at 78mbps.
|
Maybe it's not kids who are trying to bring down your website.
What is your forum about? |
Mostly gaming, and anything related to games. Our actual main theme is a forum for users to trade game keys for their games. Not generated keys, real, purchased game keys.
|
and great site it is :) done a few trades there myself, was wondering what was going on :)
|
Get a firewall script.
They can be expensive.. but they work. Be happy they didn't simply deface your site. There's a script rolling around that empties your database without authentication. I've had it happen twice. My forum is just about the same theme.. Gaming. "Game Hacking". But it's been defaced twice. 500 server error if you do anything with any database through the same server. It's pretty nasty. I think a firewall script will help you the most.. look into it <3. I hope they stop DoSing you.. I know how it feels /wrists for you man. |
Some network service providers do offer DDOS Mitigation Services, for an additional fee that can exceed the monthly cost of the respective backbone connection. Customers of most Tier 1 CoLo or Managed Hosting Facilities also have this option available to them. It's a premium-priced service.
One can Google "DDOS Mitigation Service" and find solutions that can help at the URL Level, but to be honest I've always been attacked at the Network Interface Level. My service provider has the means to mitigate DDOS day-to-day, but they also maintain infrastructure used in temporary situations when a customer's server is getting hit with something serious. You're in a tough situation. |
If they are only attacking from servers in a specific region (as you mentioned), your host may be able to block this set of IPs at the router.
|
What you can do is either put up a .htaccess and in the .htaccess say the user and password (works) or you can do what lynne suggested and get a custom mod.
|
Host has already tried that. The IP's are in a very big range as well. They are all EU but they are very weird ranges. Host has tried DoS-Deflate, all that :(. Site still down. |
1. Your host should be blocking this ddos attack at the router, NOT at your server.
2. If your host can't block a ddos attack, I'd suggest a new host.
3. Did you even check the logs to see what type of attack it actually is or netstat the current connections on the server? |
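An added example (not part of any post in this thread) of the netstat check suggested above, and of the per-IP counting that a ban script like the one mentioned earlier in the thread would rely on: it summarises `netstat -ant` output by TCP state and by source address. The sample output, the function names and the threshold of 3 are constructed for illustration, and only IPv4 `tcp` lines are handled.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation-range IPs, not real data).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51822       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:60022       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40115      TIME_WAIT'

# Count connections per TCP state. A pile of SYN_RECV suggests a SYN flood;
# a pile of ESTABLISHED on the web port suggests an HTTP-level flood.
state_counts() {
  awk '$1 == "tcp" && $6 != "LISTEN" { n[$6]++ }
       END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Count connections per remote IPv4 address on one local port ($1).
per_source() {
  awk -v port="$1" '$1 == "tcp" && $6 != "LISTEN" {
         split($4, l, ":"); split($5, r, ":")
         if (l[2] == port) n[r[1]]++ }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Sources at or above a per-IP threshold ($2) on port $1: the addresses
# a ban script would consider blocking. Nothing is blocked here.
over_threshold() {
  per_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# On a live server the input would be: netstat -ant | state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 80 3
```

When the per-source list is long and flat (thousands of addresses with a few connections each), a per-IP threshold catches little, which matches the thread's point that a distributed attack has to be filtered upstream.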
It's time to take drastic measures. Have you considered putting up a temporary site elsewhere?
|
Unfortunately with the nature of Keyhunt being a buy/sell/trade forum, a lot of banned members and scammers feel the need to attack the site in some way because they have been caught out. Unfortunately I have not had much experience with DDoS attacks within the last few years (in which time I have actually come to understand a lot) so I cannot give you current and relevant advice. The only thing I can mention is that I have had good experiences with blocking entire continents, using professional firewalls and implementing a simple username/password scheme. Of course, each is useful at different stages and the time when I used the username and password trick I was only being attacked by a few little script kiddies using a little program.
I'd have to agree with Snakes1100 though, if your host cannot mitigate the attack at all or at least offer some sort of protection, a new host may be in order. I know that with some of my previous hosts, they were experienced and smart enough to block the attack at the hardware level preventing almost all of the negative effects altogether. You'd be best off going with a provider that has been through the ordeal many times, because it seems like these URL Jet guys don't really have that experience. |
well having server from softlayer.com a friend of mine purchased a firewall that cost 100 usd per month and successfully blocked all kind of ddos attacks. Can try with softlayer
|
His main issue is a host that can't stop a ddos attack at the router lvl, by no means should a true ddos be attempted to be stopped at the server lvl. Most likely it is a simple flooding of ports anyways by a bunch of kiddie hackers with too much free time & port flooding programs they dl'd from the net. |
The only exception to this would be if the host is running a dedicated firewall. At that point, you modify the firewall rules to block the offending IP blocks. |
There's a program out there (for the server level) that will automatically forward IP's that hammer you to any other url you want. Kind of like an automatic deflector shield. I'll try looking for it for you on google.
|
The host should not be running any type of firewall on a production server. In a data center environment, dedicated boxes are needed for firewall applications. If a host is attempting to have a production server do anything other than what it's to be used for, it's DEFINITELY time to find a new host.
|
So how exactly would that solve the flood issue coming from the ip? |
I didn't set up this thread to bash my host, as they have been nothing but great to me and I believe have done a ton to help me. So, everyone please do not turn it into that. Thanks everyone for their help so far! Still down though :(.
|
We suffer from DDoS every 2 or 3 months, don't ask me why because I don't know.
The best solution for me was to deploy IPTables, a good firewall and just in case, have a load balancer with mirrored data on diff servers. U're on a VPS, so there isn't much u can do, just ask your hosting provider, since you can't "touch" hardware nor software. |
Read your PM
|
Checked.
|