

I'm Under DDoS attack, Need A Helping Hand




Posted by egm1947, 04-08-2011, 08:26 AM
Hi to All, I've been under a DDoS attack for the last 3 days. I have a server with 100TB.com and they have had the IP of the domain being hammered "Null Routed" and it still continues. I put the domain on a different IP to see if it was the domain name or just the IP that was being hammered. It is the IP, but my traffic to the new IP dropped by 90%, so it really didn't help. I have CSF, Mod Security, & ClamAV. I "CANNOT" afford any of the DDoS companies charging $100 to multi $1000's. I have a friend who helped set up my server with the basics. I have read that there is some help out there, programs installed in server root, but the last thing I want to do is get in there and screw up the server, as I have a few paid clients who share the server prices. So if there are any suggestions, or a hands-on helper (preferred), please reply. Thanks

Posted by Squidix - SamBarrow, 04-08-2011, 08:30 AM
There's really not much you can do about a DDoS attack without expensive protective equipment. How many servers are the attacks coming from? Have you contacted the abuse depts at the DCs hosting them?

Posted by egm1947, 04-08-2011, 08:32 AM
I have no idea. How do I find out that information?

Posted by Squidix - SamBarrow, 04-08-2011, 08:37 AM
If you can get into your server, install iptraf; that can help you track down the incoming traffic. These things aren't easy to trace though without server admin experience, so you might want to get an expert to help you. Rack911 is pretty well known on WHT for this kind of stuff.

Posted by egm1947, 04-08-2011, 08:53 AM
Thank you, that's why I posted here. At 64, I'm that old dog that forgot what a bone is, let alone how to chase it. Figured this would be a good place to find a willing expert. Found out that "iptraf" is installed; my friend doesn't know how to use it in conjunction with DDoS. Last edited by egm1947; 04-08-2011 at 08:58 AM.

Posted by FayaMan, 04-08-2011, 09:26 AM
I don't know what type of DDoS attack you have, but maybe you could try CloudFlare. I'm not sure it's going to work, but it would be a nice way to filter the traffic in an easy way.

Posted by Squidix - SamBarrow, 04-08-2011, 09:29 AM
You can try a DDoS mitigation service, but usually it's just not worth the cost unless you're in a high risk industry where this type of thing is commonplace.

Posted by viGeek, 04-08-2011, 10:41 AM
You can give something like ddos-deflate a shot, or alternatively: https://github.com/vigeek/ddoSutil It can block countries, certain requests, limit connections, etc.
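
For the question raised earlier in the thread of how many sources the traffic is coming from, here is an added example (not part of any post, and not code from ddos-deflate or ddoSutil) that tallies connections per remote address from `netstat -ntu` output. The function names, the threshold and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count connections per remote address from `netstat -ntu` text.

# Constructed sample in `netstat -ntu` layout (documentation address ranges only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40112        ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.7:51237 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:50000    TIME_WAIT
udp        0      0 203.0.113.10:53         192.0.2.44:40000
EOF
}

# Read netstat text on stdin; print "count address" lines, busiest source first.
count_by_source() {
    awk '
        $1 ~ /^(tcp|udp)/ {                # skip the two header lines
            addr = $5                      # Foreign Address column
            sub(/:[0-9*]+$/, "", addr)     # drop the trailing :port
            sub(/^::ffff:/, "", addr)      # fold IPv4-mapped IPv6 into plain IPv4
            n[addr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# Print only the sources holding at least $1 connections (hypothetical threshold).
over_limit() {
    count_by_source | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Demo on the constructed sample; on a live server: netstat -ntu | count_by_source | head
sample_netstat | count_by_source
```

A handful of addresses with very high counts can be rate-limited or reported to their hosting providers; thousands of addresses with one or two connections each point to a distributed attack that per-IP limits on the box will not absorb.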

Posted by damoncloudflare, 04-08-2011, 07:56 PM
Hi, I just wanted to advise that CloudFlare is not a full DDoS solution at all. While we can help mitigate the effects of some attacks, we will go direct for sites that are getting hit with too much attack traffic. You definitely want to look at other solutions with your hosting provider for coping with DDoS.

Posted by egm1947, 04-08-2011, 08:10 PM
I'm in good shape now, thanks to the super effort of a great person. I can't thank "viGeek" enough for the work on my server! A Big Thank You "viGeek"

Posted by ddosguru, 04-09-2011, 03:08 AM
What did viGeek do to your server that has any chance of preventing your hosting provider from implementing a null route? If your provider null routes you due to an attack of any significant size, there is nothing that can be done at the system level to prevent it.

Posted by adamnp, 04-09-2011, 08:50 AM
I see that you got it rectified; however, in the future, seeing how you are on 100TB, I'm imagining your machines are at SoftLayer, why not ask your provider to ask that your affected IPs be placed behind the Cisco Guard? It works well.

Posted by viGeek, 04-09-2011, 03:20 PM
The attack itself was relatively minor in regards to bandwidth/scope, was able to handle it locally on the box due to the amount of available resources.


