
I've been totally unable to use my server for the last couple of days. I've been contacting the owners of the IPs who are attacking me but it's an uphill battle. Since I don't know who is doing the attack, what can I do to stop the attack?

I've already talked to the colocation center and they told me that they don't do any DDoS mitigation (although I have a list of IPs from before my server went down).

I've considered bouncing the packets to some of the smaller hosts which are attacking in hopes that they go down, but I really don't like the idea of shooting the messenger. I don't understand why the companies which host the IPs aren't doing anything to stop this. Help!

devnill
  • I ended up resolving the issue by setting up Cloudflare's free CDN. It won't work for everyone but it suited my needs just fine. – devnill Jan 14 '12 at 02:33

2 Answers


This is a difficult problem to solve. There are companies (like http://www.prolexic.com/) out there which can help you with this, but it won't be cheap. That you said 'my server' in your question tells me that your site is on the smaller side and you might not have the resources to engage a company like them.

Do you know how they are attacking you? Can you get to the console of your server and set up iptables (assuming Linux) to drop traffic from the offending IPs? If Linux, have you enabled TCP syncookies? `echo 1 > /proc/sys/net/ipv4/tcp_syncookies`.

Are you sure this isn't a server misconfiguration? If you have your MaxClients set too high in Apache, this can cause the machine to swap, which would effectively be a DDoS given enough connections. (Combine that with a memory leak and disaster will be the result.)

It is pretty common for major DDoSes to saturate incoming network links. Given that your provider isn't really concerned about this, it's not really that large of an attack. Does your site come back online after a reboot only to get overwhelmed shortly thereafter? That might just be a config issue with your MaxClients.

toppledwagon
  • If it's not saturating your bandwidth, you can probably deal with this on your machine. From the console, set your firewall to drop everything except your home/office and then start working on identifying how many IP addresses are attacking you using `tcpdump`. – Ladadadada Dec 20 '11 at 07:57
  • The server is in colocation on a 10 megabit line. I pointed the domain to my home connection and tcpdumped a list of about 30 hosts, but it was only a couple of minutes. I really can't afford anything more than I pay now and even tried to contact the list of IPs which are attacking me, but only two shut off the connection. – devnill Dec 20 '11 at 10:59
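A defender-side version of the tcpdump/iptables approach from this answer and the comment thread, as an added example that is not code from the original post: it counts source addresses in `tcpdump -n` output and prints, without applying, DROP rules for the noisiest ones plus the "allow only home/office" lockdown and the syncookies setting. The capture lines and the admin address 192.0.2.55 are constructed.

```shell
#!/bin/sh
# Added example, not code from the original answer: summarise a tcpdump capture
# by source address and print (never apply) iptables rules for a lockdown.

# Constructed sample of "tcpdump -n" lines; addresses are documentation ranges.
SAMPLE_DUMP='12:00:01.000001 IP 198.51.100.7.43210 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 198.51.100.7.43211 > 192.0.2.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 203.0.113.44.51000 > 192.0.2.10.80: Flags [S], seq 3, win 65535, length 0
12:00:01.000004 IP 198.51.100.7.43212 > 192.0.2.10.80: Flags [S], seq 4, win 65535, length 0
12:00:01.000005 IP 192.0.2.55.22000 > 192.0.2.10.22: Flags [S], seq 5, win 65535, length 0
12:00:01.000006 IP 203.0.113.44.51001 > 192.0.2.10.80: Flags [S], seq 6, win 65535, length 0'
ADMIN_IP=192.0.2.55   # constructed home/office address that must stay reachable

# top_talkers: tcpdump lines on stdin -> "count ip" lines, busiest first.
# Field 3 of "tcpdump -n" output is src.port; the trailing ".port" is stripped.
top_talkers() {
    awk '$2 == "IP" { ip = $3; sub(/\.[0-9]+$/, "", ip); n[ip]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# drop_rules: "count ip" lines on stdin -> one DROP rule per ip whose
# count is at least $1. Sources below the threshold are left alone.
drop_rules() {
    awk -v t="$1" '$1 >= t { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# lockdown_rules: keep loopback, existing connections and the admin address,
# then default-deny and turn on SYN cookies, as the answer suggests.
lockdown_rules() {
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -s %s -j ACCEPT\n' "$1"
    printf 'iptables -P INPUT DROP\n'
    printf 'sysctl -w net.ipv4.tcp_syncookies=1\n'
}

# Stand-alone run: review the generated commands before pasting any of them.
printf '%s\n' "$SAMPLE_DUMP" | top_talkers
printf '%s\n' "$SAMPLE_DUMP" | top_talkers | drop_rules 2
lockdown_rules "$ADMIN_IP"
```

The threshold passed to `drop_rules` should be set high enough that the admin address and ordinary visitors fall below it; a few minutes of capture, as in the comment above, gives small counts, so check the list by hand before blocking anything.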

Partial solution: Does your colo offer an additional hardware firewall service? If they do, it might be a good idea to spend the $ and have them set it up and block the IPs.

You might be interested in http://www.dshield.org/howto.html

Good luck.

jqa
  • My data center doesn't even offer prorated bandwidth. I'm looking for other ones locally, but I don't think I can get anything else in my price range. For now I've changed the DNS records to point to 127.0.0.1, but I'm not sure if that will even change anything. – devnill Dec 20 '11 at 11:03