MyBB Community Forums

Full Version: DDOS Prevention Discussion - Again
Well atm MF is experiencing a random massive DDOS attack. I made a thread about a month or two ago about DDOS prevention after we were getting like 30 second downtimes from little booters, and I got some really good replies but most of the suggestions I couldn't carry out on shared hosting. Well this one is different, this attack is the real deal.

Currently I'm working with my host provider and 475 attacking IP addresses have been blocked till now, they started manually blocking those yesterday, and it's already at that number and it just keeps increasing. The attack has been going on for about 32 hours now I guess. I'm just assuming someone has paid someone to perform such a large attack, that's the only logical explanation. Anyway, back to the topic in hand.

With the IP blocks there were a few things we tried. We have tried installing the mod_evasive Apache module, but that hasn't helped much. We changed our site IP address, which hasn't helped much apart from when we are online we're online for larger periods (around 4-6 minutes). Hard to tell what effect the IP change has had, as we only performed that today so propagation comes into play. But is there anything else we could do? I'm new to preventing DDOS attacks, but news from my host provider is that this is a (and I quote) "massive one".

Appreciate all replies.
473 IPs is a small attack. But what's the size of the bandwidth?

mod_evasive is only mildly helpful.

Your host should be able to see the pattern of the attack and firewall it. Usually takes me 5 minutes to spot a small attack pattern and block it.

Look for how the attack is formed, grab the IPs, and firewall. End of ddos.



Well support just told me the attack was "from a range of IP addresses". I can actually PM you a log of all the blocked IPs to see if you can spot a pattern. The IP count keeps going up, currently it's at 491 now. Yesterday it was at 10.

I suppose this is all good experience, but I doubt I'll be able to just stop the attack like you suggest. You could probably, but I doubt I can. Though it has decreased massively with all these blocked, we're up for longer and currently up *touches wood*.
What kind of budget do you have? Are you sure you are the target and not another site on the server?
Yeah it's definitely us who is the target. But the attack seems to have stopped now, it had to be some sort of paid service. 550 IPs are now blocked. Just relieved that we're up. Lol.
I've read a lot of reviews lately and it seems that the best (and surprisingly cheapest) DDOS protection is DDoS Defend. I would consider looking into them for when you are attacked in the future.

And keep in mind 550 IPs is not a lot. Either the person who attacked you is using their own botnet or they are really cheap.
Nice find KuJoe. I don't need it but compared to most other ddos protection it's great pricing.
Already checked DDOSdefend, they were out of stock on the package I wanted. Also, MF doesn't undertake often DDOS attacks at all, so it's not the best investment really.

And yeah, there was probably a lot more Kujoe. It was going up around 50 IPs found every hour or so getting blocked. But the attack has just stopped, which makes me think it was a paid attack. The range of IPs was big as well, so there wasn't really anything we could do, well there probably was but I didn't know how to do it.
I don't remember the details, but I remember the admin taking the IP addresses and using them to send messages to the owners of the computers from which the attacks were coming. They were all servers. Somehow he got his message to show up on their consoles. The message explained what was happening and offered a link to a web site that explained more. This helped, because the server owners didn't know this was happening. Their servers had been compromised by hackers who used them to initiate the attacks. So what the server owners did is secured their computers better.

This was many years ago. I don't even know if it applies today.
[Site] was attacked last week with a DDOS attack - we believe we know who did it and believe that it was targeted for a specific reason but I won't go into details. I don't do much with MyBB but was brought in to help with the attack. I noticed that the bots did not follow 301 redirects and that the bots were built to just keep going to http://sitename.com. What you'll notice is that there is no specific document that it is requesting, and by default Apache will request index.html instead of index.php. After installing mod_evasive as well as psad and a few other tools on [Site]'s server, I put up an index.html page because the bots hitting a static page had very little impact on the server. The load on the server went from 11.00+ to around ~0.08. I then put a 301 redirect in (from index.html to index.php) so that browsers could follow the 301 redirect while the bots were stuck hitting a static page with very little on it - the botnet won't follow it because then you could just as easily offload the botnet wherever you wanted. It was a fairly simple thing to do and proved to be extremely useful. If the person who attacks your site with a DDOS attack is an amateur (they usually are) and attack you as ridiculously as the person that attacked us, then you can try something clever like that and get your site back up with little difficulty.

The best thing I think you can do is study what the botnet is doing and its capabilities, and then strike back using methods that the botnet doesn't know how to handle. It can take some knowledge to know exactly what to look for, but that knowledge comes after studying it and looking for answers. In my experience most botnets cannot run JavaScript, for example, because they aren't running real browsers. Look at your logs, look at their capabilities, and figure out how to get around how the botnet is attacking you. Otherwise stick up some different tools on your server or put a load balancer up. Cloud instances are excellent for protecting yourself under a heavy load.
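
The log study described in the post above, and the "look for how the attack is formed, grab the IPs" advice earlier in the thread, sketched as an added example that is not part of the original thread: it lists clients that keep requesting `/`, always receive the 301, and never request anything else. It assumes Apache's combined log format; the sample lines, the function names and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 301 230 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 301 230 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 301 230 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 301 230 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.0" 301 230 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.0" 301 230 "-" "-"
198.51.100.23 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.0" 301 230 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 301 230 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /forumdisplay.php?fid=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:10 +0000] "GET / HTTP/1.1" 301 230 "-" "Mozilla/5.0"
this line is truncated garbage and must be skipped
"""

# client IP, ident, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize(log_text):
    """Per client: redirected hits on "/" versus every other request."""
    stats = defaultdict(lambda: {"root_301": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        if m["path"] == "/" and m["status"] == "301":
            stats[m["ip"]]["root_301"] += 1
        else:
            stats[m["ip"]]["other"] += 1
    return dict(stats)

def non_following_clients(log_text, min_hits=3):
    """IPs that were redirected from "/" at least min_hits times and never
    requested anything else, i.e. never followed the redirect."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["root_301"] >= min_hits and s["other"] == 0)

if __name__ == "__main__":
    for ip in non_following_clients(SAMPLE_LOG):
        print(ip)  # candidates to review before adding to a firewall block list
```

A real browser that has only just arrived can look the same for a moment, which is why the threshold counts repeated redirected hits rather than a single one.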