could anyone explain this ddos attack?

Since last month my website has consumed 50% more bandwidth than normal [traffic is count],
and this month the same phenomenon continued [200 GB/day || 80 to 100 GB = normal],
and now the VPS is suspended [reason: DDoS]: CPU load was normal; the site was working, but it was consuming more than normal.

Comments

  • SplitIce Member, Host Rep

    Probably a small HTTP flood? Perhaps employ some basic rate limiting?

    Common causes include general bot traffic, upload (POST) spamming etc.

    Look at your log files (through webalizer or something akin) and see what is out of the ordinary.

    It could be as simple as Google taking a renewed interest in your site, etc., and might not be flood related. Or it could be someone scraping your site, etc.

  • Even I thought about scraping: hotlinking is disabled.
    HTTP flood on a regular basis? The VPS is suspended and SSH is down; even emergency SSH is not allowed to be used. No response from them since yesterday. They have not provided any log files.

  • SplitIce Member, Host Rep

    Well, deal with that issue first. Presuming your provider is reasonable (and they aren't mitigating an actual DDoS in the background) you should be able to get back online for a bit of additional bandwidth. Getting 1-2 TB extra for investigation time shouldn't cost too much (unless it's in Asia, Africa or Oceania, etc.).

    Although if they don't respond to support tickets then that obviously hints at a larger issue.

  • 17 hours have passed since I got any response. I had told them to provide me only SSH; even that is not provided to me. Bandwidth they can provide easily. It's MYRSK.

  • BlazeMuis Member
    edited July 2013

    @rsk

    Last Active July 20

    Hmm...

  • SplitIce Member, Host Rep

    I know Ryan; I'll drop him a Skype for you.

  • Thanks SplitIce. Got a response from them. Got some time to investigate.
    Any suggestion to stop that DDoS or bot spam?

  • SplitIce Member, Host Rep

    Figure out the common element (IP, number of requests p/s, user agent, etc) and block it.

  • CPU load is normal. Command to check user agent?

  • Why don't you check the access logs?
    If it's an HTTP flood it would have some logs in there.
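The two pieces of advice above (find the common element across IP, requests per second and user agent, and do it from the access logs) come down to a small aggregation over the log file. The script below is an added example, not code from anyone in this thread; it assumes the web server writes the Apache/nginx "combined" log format, and the sample lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: the site logs in the Apache/nginx "combined" format.
# Adjust LOG_RE if the server uses a custom log_format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (RFC 5737 documentation addresses, hypothetical paths).
# One client bursts at a single URL with a bare user agent; the rest look normal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2013:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2013:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2013:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2013:03:12:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jul/2013:03:12:01 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/22.0"
198.51.100.23 - - [10/Jul/2013:03:12:05 +0000] "GET /style.css HTTP/1.1" 200 1204 "http://example.invalid/" "Mozilla/5.0 (Windows NT 6.1) Firefox/22.0"
192.0.2.9 - - [10/Jul/2013:03:12:03 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records


def summarize(records):
    """Aggregate the 'common elements': requests and bytes per IP, per user agent,
    per path, and the peak number of requests each IP made in any one second."""
    per_ip_second = defaultdict(Counter)
    summary = {
        "requests_by_ip": Counter(),
        "bytes_by_ip": Counter(),
        "requests_by_ua": Counter(),
        "requests_by_path": Counter(),
        "peak_rps_by_ip": {},
    }
    for r in records:
        summary["requests_by_ip"][r["ip"]] += 1
        summary["bytes_by_ip"][r["ip"]] += r["size"]
        summary["requests_by_ua"][r["ua"]] += 1
        summary["requests_by_path"][r["path"]] += 1
        # Bucket by whole second so bursts show up as a high per-second count.
        per_ip_second[r["ip"]][r["ts"].replace(microsecond=0)] += 1
    for ip, seconds in per_ip_second.items():
        summary["peak_rps_by_ip"][ip] = max(seconds.values())
    return summary


def flood_candidates(summary, rps_threshold=2, share_threshold=0.5):
    """IPs that burst above rps_threshold requests in one second, or that account
    for more than share_threshold of all requests. Both thresholds are
    illustrative and must be tuned against the site's normal traffic."""
    total = sum(summary["requests_by_ip"].values())
    flagged = set()
    for ip, count in summary["requests_by_ip"].items():
        if summary["peak_rps_by_ip"].get(ip, 0) >= rps_threshold:
            flagged.add(ip)
        elif total and count / total > share_threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for key in ("requests_by_ip", "bytes_by_ip", "requests_by_ua", "requests_by_path"):
        print(key, s[key].most_common(3))
    print("peak_rps_by_ip", s["peak_rps_by_ip"])
    print("candidates", flood_candidates(s))
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the access log; the "requests_by_ua" and "requests_by_path" counters are what distinguishes a crawler like Googlebot (one UA, many paths, modest rate) from a flood (one IP or UA, one path, high per-second rate). The flagged addresses can then be handed to whatever firewall is in use (the thread mentions CSF, whose deny list is managed with `csf -d`), which is the "block it" step SplitIce describes.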

  • Doesn't sound like anything serious, as if it was it would have dropped you. I recommend using Cloudflare as a starting point. Good luck.

  • Got a new IP and I am using Cloudflare now: installed CSF and gonna check access logs now.

  • Maounique Host Rep, Veteran

    You should still be able to access the VPS over IPv6. What most people do not understand with our nulling is that we null only the attacked IP; if that is IPv4, then IPv6 is still on, as well as the emergency console, if you disabled IPv6, to put it back on. If the attack was over IPv6, then you still have the IPv4 and so on. I haven't seen a case where both IPv6 and IPv4 were attacked.

  • So how to know the IPv6 IP, and when your VPS is suspended can you still access SSH and the emergency console? I think it is more a case of HTTP FLOOD than DDoS.

  • @rajin90 Sniff the traffic on your network interface and see.

  • @joodle said:
    rsk

    Last Active July 20

    Hmm...

    Doesn't mean anything; @rsk is not very active on LET, but usually responds to tickets in under half an hour. I've even received replies in under 5 minutes at times. That was till a couple of months ago.

  • @joelgm 11 hours have passed, no reply received [webmin not working].
    Yesterday I got a reply after around 17 hours. They usually provide a reply earlier, but the past few days with them [troublesome].

  • rsk Member, Patron Provider

    @joelgm said:
    Doesn't mean anything; @rsk is not very active on LET, but usually responds to tickets in under half an hour. I've even received replies in under 5 minutes at times. That was till a couple of months ago.

    @joelgm I used to be very active, but for some time now I head to another forum.

    @rajin90 Webmin not working was due to you installing CSF and not unblocking the ports.

    Anyhow, the issue is resolved after we put it behind Cloudflare. It was a large attack; the moment we started the VPS it would bring the node back down to its knees.

    Currently on the support team, is Mohammed and I. We try our best to respond to tickets in time. Although it is Ramadan, and I do not take it as an excuse, we pretty much work messed up hours. Some days I stay on till 9 am to help out clients and then get off.

    These virtual servers are at a budget price, and that is due to our low support costs. If you expect a 24/7 <5 min response, then I can assure you it won't happen if the maximum you can pay is $7/month. [Not pointing fingers, but I am just saying.]

    Regards,
    R.

  • xset Member

    @rsk Which forum? Is there a better forum? Tell us!

  • rsk Member, Patron Provider

    @xset I am active on vpsb

  • rsk Member, Patron Provider

    @Maounique said:
    You should still be able to access the VPS over IPv6. What most people do not understand with our nulling is that we null only the attacked IP; if that is IPv4, then IPv6 is still on, as well as the emergency console, if you disabled IPv6, to put it back on. If the attack was over IPv6, then you still have the IPv4 and so on. I haven't seen a case where both IPv6 and IPv4 were attacked.

    @Maounique We do not offer IPv6 in NL yet. :P

  • "Put it behind Cloudflare"

    Yeah, now the customer's site runs like crap thanks to Crapflare.

  • rsk Member, Patron Provider

    @doughmanes said:
    "Put it behind Cloudflare"

    Yeah, now the customer's site runs like crap thanks to Crapflare.

    @doughmanes This is the client's decision.

  • @doughmanes said:
    "Put it behind Cloudflare"

    Yeah, now the customer's site runs like crap thanks to Crapflare.

    That means it was awfully set up; Cloudflare will not step in for a bad set-up :) If your site can't serve to Cloudflare and you have set up DNS records which reveal the backend IP, malicious users just find that with a Cloudflare resolver and DDoS it, thus defeating the purpose of the DDoS protection.

    Also you should note that NOT all options on CF should be enabled; some work well with some sites, some don't with others. And for increased speeds I'd opt for Pro at minimum to get the pre-loaded pages and stuff.

    And make sure you whitelist Cloudflare IPs, and then install mod_cloudflare if running Apache, or use the ext forwarder tag if using lighttpd.

    I've never seen major degradation in page loads at all; in fact it caches JS files, so for sites with heavy JS and CSS content, it being cached by Cloudflare normally helps overall load on web servers, thus saving bandwidth, and gives protection from layer 7 attacks. Note: if you're a FREE CF user, then do not expect them to protect anything over 1 Gbps, as it just isn't viable at all; they will terminate the protection if DDoS'd. CF is a DDoS protection suite, but for those who pay for it; those who get it free have layer 7 protection, but layer 4 attacks are costly to mitigate.

    Adding Cloudflare doesn't make a site run badly at all. That's basically saying adding a load-balanced network = badly loading site, when in fact it's just the server host not setting things up right to allow CF IPs to the network. And if it's passing DDoS to your server, it's due to the FREE plan.

  • @doughmanes said:
    Yeah, now the customer's site runs like crap thanks to Crapflare.

    What would you suggest, then, for cheap DDOS protection?

  • SplitIce Member, Host Rep

    Honestly, the cheapest solution for something this small would just be to throw some more bandwidth at it and introduce an nginx or Varnish caching solution at the front. At least until it progresses into a sizable attack and DDoS protection is needed.

  • @joelgm said:
    What would you suggest, then, for cheap DDOS protection?

    Don't get DDoS'd and upgrade your budget

  • @doughmanes said:
    Don't get DDoS'd

    Not really an option. :) I dev at XDA, and occasionally someone doesn't like being snapped at, and my sites get DDoSed. I wouldn't want to upgrade my VPS just for a hobby I love doing for free.
