My VPS is under a DDoS attack. I cannot access RDP, and I cannot take it offline, or access it in any way at all. What can I do?

They are not trying to brute-force, just trying to stop access to the VPS. I don't know if maybe the datacenter messed up or something, but the VPS is online and denying all requests, as is normal when under DDoS.

Is there anything that I or my dedicated hosting provider can look at in the logs? How should I approach forensics after the fact?

I don't know much about DDoS attacks, do they usually stop after a few days?

Is there an existing anti-DDoS program or something?

Mark Henderson
Cyclone

4 Answers


There is no easy way to stop DDoS attacks. Get in touch with your provider and ask them for help. No program will help you against a DDoS which is intended to consume your bandwidth; you can only absorb these attacks by having more capacity and working with your upstream providers to dismantle the attack.

gekkz

Compared to hardware or software failure, DDoS is a rare occurrence. Your system just being unreachable is no proof whatsoever.

If your system were under a good solid DDoS, you wouldn't be able to reach it at all. No ping, no nothing, and the dedicated server would be off too, perhaps along with the entire datacenter. Just "RDP not responding" probably is a sign of a DDoS not happening.

Try getting the VPS rebooted. Check if the host is alive and well. Check network, duplicate IPs, gateways, firewalls, updates, etc.

Is a VPS within the EULA of the host? Perhaps the provider interferes with the NAT or bridging?

Posipiet
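Posipiet's point that "RDP not responding" is not by itself evidence of a DDoS becomes testable once you, or the provider, can pull the host's firewall log. The following is an added example for this thread, not code from any of the answers: it parses Windows Firewall log lines in the pfirewall.log format, counts packets to port 3389 per second and per source, and separates a many-source flood from a single noisy client or from nothing unusual. The log lines are constructed in `make_sample()`, the target address 192.0.2.10 is made up, and the thresholds in `classify()` are illustrative assumptions that must be tuned to the host's normal traffic.

```python
"""Triage a Windows Firewall log (pfirewall.log) for signs of a flood against RDP.

Added example for this thread, not code from the original posts. The log lines are
constructed here; the thresholds in classify() are illustrative assumptions, not
measured values.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed header in the pfirewall.log format; records below follow its field order.
HEADER = (
    "#Version: 1.5\n"
    "#Software: Microsoft Windows Firewall\n"
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path\n"
)


def make_sample(n_sources, per_source, seconds, action="DROP",
                start=datetime(2009, 12, 26, 20, 10, 0)):
    """Build a constructed log excerpt: n_sources hosts each send per_source
    TCP SYNs to port 3389, spread evenly over `seconds` seconds."""
    lines = [HEADER]
    for s in range(n_sources):
        src = f"203.0.{113 + s // 250}.{s % 250 + 1}"   # distinct made-up source IPs
        for k in range(per_source):
            t = start + timedelta(seconds=(k * seconds) // per_source)
            sport = 1024 + (s * 7 + k) % 60000
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} {action} TCP {src} 192.0.2.10 "
                         f"{sport} 3389 0 S 0 0 0 - - - RECEIVE\n")
    return "".join(lines)


def parse_firewall_log(text):
    """Parse pfirewall.log text into records; comment lines (#...) are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue                      # truncated line, ignore
        records.append({
            "time": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "sport": int(f[6]), "dport": int(f[7]),
        })
    return records


def summarize(records, dport=3389):
    """Aggregate packets to one destination port: volume, peak rate, source spread."""
    hits = [r for r in records if r["dport"] == dport]
    per_second = Counter(r["time"] for r in hits)   # timestamps have 1 s resolution
    by_source = Counter(r["src"] for r in hits)
    total = len(hits)
    top = by_source.most_common(5)
    return {
        "total": total,
        "peak_per_second": max(per_second.values(), default=0),
        "distinct_sources": len(by_source),
        "top_sources": top,
        "top_share": (top[0][1] / total) if total else 0.0,
    }


def classify(summary, rate_threshold=100, source_threshold=50):
    """Rough triage. Thresholds are illustrative assumptions; tune them to the
    host's normal RDP traffic before trusting the verdict."""
    if summary["peak_per_second"] < rate_threshold:
        return "no-flood"           # an unreachable host is then more likely an outage
    if summary["distinct_sources"] >= source_threshold and summary["top_share"] < 0.5:
        return "distributed-flood"  # many sources, none dominant: ask upstream for help
    return "single-source-flood"    # one or few sources: a firewall/upstream block may suffice


if __name__ == "__main__":
    for label, text in [("flood", make_sample(300, 20, 10)),
                        ("quiet", make_sample(3, 4, 60, action="ALLOW"))]:
        s = summarize(parse_firewall_log(text))
        print(label, classify(s), s["peak_per_second"], "pkt/s from",
              s["distinct_sources"], "sources; top:", s["top_sources"][:2])
```

Run it against a real pfirewall.log by passing the file contents to `parse_firewall_log()` instead of `make_sample()`. The useful outputs for a ticket to the provider are the peak packets per second and the `top_sources` list: a handful of dominant sources is something they can block at the edge, while hundreds of low-volume sources with no dominant one is the bandwidth-consuming case gekkz describes, where only upstream capacity or filtering helps. Note that a log only shows what reached the host; if the link is saturated upstream, the log will look quiet even during an attack.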

Open a ticket with your hosting company. Hopefully, they can put up a block upstream.

David Rickman
  • Would even just shutting down the VPS work? If there is nothing to ping, it'd be like stabbing a sword at empty space. – Cyclone Dec 26 '09 at 20:17
  • Considering that, as the name suggests, DDoS is used to 'Deny Service', shutting down the machine means it has been completely DDoS'd, so you could argue it doesn't help. It depends on the type of the DDoS though. – Dentrasi Dec 26 '09 at 22:18

In my days in the hosting industry, it's very rare that the attack happened because of the legitimate content of the site. It's usually because the account has been compromised and used to host bots, copyright-infringing material or other potentially illegal files/scripts.

Assuming that you do get back in, you'll have to audit the web applications on your server and make sure that the appropriate updates were applied, or take them offline. Your ISP may be able to assist you in determining what invited the DDoS (likely at a nominal cost). Hopefully, the server is not rooted; if that happens, it may have to be re-imaged.

Rilindo