How to counter/mitigate DDoS attack
mehargags Member
edited December 2014 in Help

Hi all,

One of my very old clients called up today and told me that his 11 year old website (renewed periodically) was a victim of a DDoS attack. Innocent of any countermeasures, their IT division couldn't do anything and the HOSTING provider also shut them down.

They've asked me if I can provide them some good solution, so I turn up to you guys and want to ask:

  1. Are there any real effective ways to mitigate such an attack (without using the shitty Cloudflare)?

  2. Which good yet low cost provider is recommended for a DDoS protected VPS? And in the (likely) event of a repeated DDoS attack, will their network be able to control it/mitigate it effectively? Some real life testimonials will help.

  3. Can I make a High Availability load balancing server for it? Like make this site replicate on 2-3 different VPS providers. But I don't know if such a setup would still help in a DDoS attack situation.

Unfortunately I don't have any stats or intrinsic details on what kind of attack it was, just that their site has been down for a week.

Please give me some pointers on how I can mitigate and counter these attacks. I don't mind reading and learning some good tactics!


Comments

  • matthewvz Member, Host Rep

    For DDoS mitigation you could use OVH (for a VPS you may want to consider MyCustomHosting), RamNode or BuyVM which are pretty cheap.

  • Nekki Veteran
    edited December 2014

    I think you need some more details of the attack first, such as what kind of attack this is to see if it can be mitigated with configuration changes (unlikely, but possible if the attack is being carried out by clueless idiots), and what sort of traffic is being thrown at the site, so people can give you recommendations based on how much your client needs to tank.

    Edit: Sorry, re-read and saw the hosting company shut the site down, so this isn't something a config change will help. How much traffic needs to be tanked?

  • I too was in a similar situation until a few hours ago. Cloudflare only works if the attackers do not know your IP.

    my hosting provider @prometeus said scaling a server is not the solution.
    they asked me to limit number of connections per IP.
    I just installed CSF firewall and set max connections per IP to 20, it worked wonders.

    CSF/LFD blocked more than 20 IPs in an hour.

    Make sure to enable email alerts so that you can unblock false positives if any.

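    The per-IP connection limit evnix describes, as an added example that is not part of the original post and not CSF/LFD code: it counts concurrent TCP connections per remote address from the output of `ss -Htn` (an assumed input format; the socket-table lines below are constructed sample data with documentation-range addresses, not a capture from any real host) and reports the peers over a limit of 20. It also shows the check a practitioner wants before enabling such a limit: an allowlist for a CDN or reverse proxy range, since behind a proxy every visitor arrives from the proxy's addresses and a blind per-IP limit would block the proxy rather than the attacker. The allowlist range 2001:db8:1::/48 is an assumption for the example.

```python
"""Count concurrent TCP connections per remote IP and flag the ones over a limit.

Added example, not code from the post above and not part of CSF/LFD; it only
mirrors what a "max connections per IP = 20" rule checks.  Input is assumed to
be the output of `ss -Htn` (no header, TCP only, numeric addresses); the lines
used here are constructed sample data, not a capture from any real host.
"""
import ipaddress
from collections import Counter


def peer_ip(field: str) -> str:
    """Strip the port from an `addr:port` field and normalise the address.

    IPv6 peers are printed as `[addr]:port`, and IPv4 clients reaching a
    dual-stack socket show up as `[::ffff:a.b.c.d]:port`; both forms must
    collapse to the same key or a single client is counted as two.
    """
    host, _, _port = field.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def connections_per_ip(ss_output: str, states=("ESTAB", "SYN-RECV")) -> Counter:
    """Return {peer_ip: connection_count} for sockets in the given states.

    SYN-RECV (half-open) sockets are included so a SYN flood from a single
    source is visible; LISTEN and other states are ignored.
    """
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # `ss -Htn` columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] not in states:
            continue
        counts[peer_ip(fields[4])] += 1
    return counts


def over_limit(counts: Counter, limit: int = 20, allow=()) -> dict:
    """Return the peers holding more than `limit` connections.

    `allow` is a list of CIDR strings that are never reported.  That matters
    when a CDN or reverse proxy sits in front of the box: every visitor then
    arrives from the proxy's address range, and a blind per-IP limit would
    block the proxy itself rather than the attacker.
    """
    nets = [ipaddress.ip_network(n) for n in allow]
    flagged = {}
    for ip, n in counts.items():
        if n <= limit:
            continue
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        flagged[ip] = n
    return flagged


def build_sample() -> str:
    """Constructed `ss -Htn` output (documentation-range addresses, not real)."""
    lines = []
    # one peer holding 25 connections, plus the same client seen once more
    # through the dual-stack socket; together that is 26, over the limit
    for port in range(51000, 51025):
        lines.append(f"ESTAB 0 0 203.0.113.10:80 198.51.100.7:{port}")
    lines.append("ESTAB 0 0 [::ffff:203.0.113.10]:80 [::ffff:198.51.100.7]:51025")
    # 30 half-open connections from a second peer (SYN-RECV is counted)
    for port in range(40000, 40030):
        lines.append(f"SYN-RECV 0 0 203.0.113.10:80 192.0.2.99:{port}")
    # an ordinary visitor with a few keep-alive connections
    for port in range(60000, 60004):
        lines.append(f"ESTAB 0 0 203.0.113.10:443 198.51.100.8:{port}")
    # 50 connections from an assumed trusted proxy range (2001:db8:1::/48)
    for port in range(20000, 20050):
        lines.append(f"ESTAB 0 0 203.0.113.10:443 [2001:db8:1::5]:{port}")
    lines.append("LISTEN 0 128 0.0.0.0:80 0.0.0.0:*")
    return "\n".join(lines)


if __name__ == "__main__":
    counts = connections_per_ip(build_sample())
    for ip, n in over_limit(counts, limit=20, allow=["2001:db8:1::/48"]).items():
        print(f"{ip} holds {n} connections (limit 20)")
```

    On a live host, feed the real output of `ss -Htn` to `connections_per_ip()` instead of the constructed sample. One call is a single snapshot, so the check has to run periodically to be useful, which is what CSF's connection tracking (the `CT_LIMIT` setting in csf.conf) does before it blocks an address in iptables. Note that this counts connections, not requests: a Layer 7 flood that opens few connections and pipelines many HTTP requests through them will stay under a connection limit and needs a request-rate check on the web server instead.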
  • gbshouse Member, Host Rep

    You can do HA with our managed anycast solution. Drop me PM for details

  • OVH for heavy cases (online.net is also OK) or RamNode (never got an attack on a protected IP, or don't know of one when I use them) + (CSF + LiteSpeed or pure Nginx) for Layer 7 attacks

    eva2000's Centmin Mod has everything in place ready for Layer 7 protection; it just needs a bit of tweaking and enabling options...

  • Buy DDOS protection and lose to a Layer 7 attack

  • Thanks guys for helping with the immediate concern! Can't appreciate it more!

    @nekki... Yes I do understand some stats/log analysis is required, I've asked the same from them. For now it was more of a panic call wanting to know "can you help" sort of a thing you know...

    @Evnix, I will note this down, however it is a high traffic site and may not be feasible.

  • @doughmanes said:
    Buy DDOS protection and lose to a Layer 7 attack

    Can you explain please? What do you mean by "lose to a Layer 7 attack"? Pardon my innocence!

  • @mehargags

    An option you can use is: use an OVH IPv6 VPS (i-83.net for example), let this be the "front facing server", use Cloudflare (yeah, I know they are not great) and then a RamNode, Vultr or whatever VPS to tunnel to the IPv6 server (so the RamNode/Vultr server will be hidden and the IPv6 OVH VPS eats the attack), and you should be pretty protected.

  • Look up Layer 4 DDOS and Layer 7 DDOS

  • @matthewvz said:
    For DDoS mitigation you could use OVH (for a VPS you may want to consider MyCustomHosting), RamNode or BuyVM which are pretty cheap.

    OVH is now terrible for DDoS Protection

  • shovenose Member, Host Rep

    Ramnode offers cost effective and great DDoS protection. Stick CloudFlare in front of it and some good software tools on the server you should be good to go.

  • perennate Member, Host Rep
    edited December 2014

    mehargags said: what you mean "lose to a Layer 7 attack" ? pardon my innocence!

    Layer 4 in the OSI model consists of transport layer protocols such as TCP and UDP; so layer 4 attacks include TCP SYN floods and general UDP floods (which includes DNS/NTP amplification attacks). Layer 7 is the application layer, with all the application protocols you can think of: HTTP, SMTP, SSH, BitTorrent, etc. Since we're talking about a website, really this would only mean HTTP flood attacks, like a large number of GET requests or more complex floods.

    The OSI model comes from networking people and standardizes network models in an abstract way. Other people use the layer names because they think it makes themselves sound smart, even though "layer 7 DDOS" is much more vague than "HTTP flood attacks".

    At any rate, everyone is of course right that the first step you should take is determining what kind of denial of service attack you are getting. Mitigation for packet floods is very different from hardening your web server against HTTP request floods. Although based on what @Nekki said, you're only getting packet floods for now, which means you should find a provider that offers network-level DDoS protection such as OVH, RamNode. CloudFlare provides some protection against both kinds of denial of service attacks.
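    The HTTP request flood perennate describes is invisible to packet-level filtering, so the first step is to look for it in the web server's own access log. The following is an added example, not code from the post above and not from any project named in the thread: it parses lines in the nginx/Apache "combined" log format (an assumed format), finds each client's busiest 10-second window with a sliding window, and flags clients whose peak exceeds 30 requests; the threshold, the window and the log lines are constructed for illustration. With a CDN or load balancer in front, the client column holds the proxy's address, so in that setup the forwarded client address must be logged and parsed instead.

```python
"""Spot HTTP request floods per client IP in web-server access logs.

Added example, not code from the post above and not from any project named in
the thread.  It assumes the nginx/Apache "combined" log format and a
threshold of 30 requests from one IP within any 10-second window; both the
threshold and the log lines below are constructed for illustration.  Behind a
CDN or load balancer the client column is the proxy's address, so in that
setup you must log and parse the forwarded client address instead.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def peak_rate(log_lines, window_seconds: int = 10) -> dict:
    """Return {ip: highest number of requests seen in any window} per client.

    A sliding window over the sorted timestamps of each IP finds its busiest
    `window_seconds` span, so a short burst is caught even if the average
    rate over the whole file looks harmless.
    """
    per_ip = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec[0]].append(rec[1])
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for ip, times in per_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            # drop requests that fall outside the window ending at t
            while t - times[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flood_sources(log_lines, threshold: int = 30, window_seconds: int = 10) -> dict:
    """Return the clients whose peak rate exceeds the threshold."""
    return {ip: n for ip, n in peak_rate(log_lines, window_seconds).items() if n > threshold}


def build_sample_log() -> list:
    """Constructed combined-format lines (documentation-range addresses)."""
    base = datetime(2014, 12, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5124 "-" "Mozilla/5.0"'

    lines = []
    # flooder: 6 requests/second for 10 seconds against a dynamic page
    for sec in range(10):
        for k in range(6):
            lines.append(line("198.51.100.7", sec, f"/search.php?q={sec}{k}"))
    # ordinary visitor: one request every 8 seconds
    for i in range(8):
        lines.append(line("198.51.100.8", i * 8, "/index.php" if i % 2 else "/style.css"))
    # busy but legitimate crawler: 2 requests/second for 6 seconds
    for sec in range(20, 26):
        for k in range(2):
            lines.append(line("192.0.2.5", sec, f"/page/{sec}-{k}"))
    # a corrupted line, which the parser must skip rather than crash on
    lines.append("garbage that is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, n in flood_sources(build_sample_log()).items():
        print(f"{ip}: {n} requests in 10 s")
```

    The sliding window is what makes this useful for floods: the flooder above sends 60 requests in 10 seconds and nothing afterwards, so its average over a day is tiny, but its peak is twice the threshold. The busy crawler peaks at 12 and is left alone. Pick the threshold from the site's own traffic (the peak rate of the busiest legitimate client over a normal week is a reasonable starting point), because a limit that trips on real users is the "false positive" evnix warned about.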

  • coolice Member
    edited December 2014

    @doughmanes That's why LiteSpeed has the most refined tools to mitigate Layer 7 with almost no false positives while it keeps serving pages :)

    I like different limits for static/dynamic requests, connections, grace period and auto-banning of suspected IPs

  • black Member
    edited December 2014

    I can tell you from experience that MCH's DDoS protection works. Ask Phil to have your IP ddos protection enabled at all times.

    I use UptimeRobot with web hooks + Cloudflare uptimeFlare (or StatusCake + Cloudflare, if you use that) for all downtimes including DDoS. Make sure the backup server has DDoS protection. Cloudflare is only used as a DNS service in my case, but you can use these scripts to enable Cloudflare protection.

  • edited December 2014

    Well I would suggest you to try this and see how it works out for you.
    https://github.com/FastVPSEestiOu/fastnetmon.
    That is an open source solution for detecting DoS/DDoS attacks.
    It might eat quite a bit of the machine's resources; anyway, let us know if that helped you.
    The installation manual is located here:
    https://github.com/FastVPSEestiOu/fastnetmon/blob/master/INSTALL.md

  • @evnix said:
    I too was in a similar situation until a few hours ago. Cloudflare only works if the attackers do not know your IP.

    my hosting provider prometeus said scaling a server is not the solution.
    they asked me to limit number of connections per IP.
    I just installed CSF firewall and set max connections per IP to 20, it worked wonders.

    CSF/LFD blocked more than 20 IPs in an hour.

    Make sure to enable email alerts so that you can unblock false positives if any.

    Prometeus does nothing to help if you are DDoS'd. They simply tell you to wait 24 hours or try to upsell you on a DDoS filtered IP. Quite disappointing.

    I would suggest RamNode which has the best anti-DDoS system I've seen (RamNull). You can also get a filtered IP from them for very cheap which is your best bet.

  • netomx Moderator, Veteran

    Jonchun said: Quite disappointing.

    Why? they never offered free DDoS protection

  • black Member
    edited December 2014

    Jonchun said: I would suggest RamNode which has the best anti-DDoS system I've seen (RamNull). You can also get a filtered IP from them for very cheap which is your best bet.

    It depends, if your attack is < 10 Gbps then ramnode is fine. If you get attacks bigger than that, then you need to look for another solution.

  • I ordered that Black Friday special from Hudson Valley Host. Their auto-nullroute feature, which lets you null your own IP for a certain amount of time, is interesting, as you could null an attacked IP and use another one from your /29

  • SplitIce Member, Host Rep
    edited December 2014

    @doughmanes said:

    I ordered that Black Friday special from Hudson Valley Host. Their auto-nullroute feature, which lets you null your own IP for a certain amount of time, is interesting, as you could null an attacked IP and use another one from your /29

    Generally speaking most people don't consider auto-null mitigation.

    Mitigation usually refers to the detection and separation of attack traffic from the normal traffic stream, where the normal traffic stream continues uninterrupted. For this you need either specialized hardware and software (+ network) or a mitigation provider.

  • Maounique Host Rep, Veteran
    edited December 2014

    Jonchun said: Prometeus does nothing to help if you are DDoS'd. They simply tell you to wait 24 hours or try to upsell you on a DDoS filtered IP. Quite disappointing.

    Actually, for iwstack there is free DDoS protection, but only up to 2 million pps and 14 Gbps.
    However, as with any network of this type, if you opt for the protection, latency will increase and at times you will suffer from large attacks on your neighbours leading to packet loss or unavailability of the service from time to time (I would say, about once a month for a few hours).

    evnix said: I too was in a similar situation until a few hours ago. Cloudflare only works if the attackers do not know your IP.

    my hosting provider @prometeus said scaling a server is not the solution. they asked me to limit number of connections per IP. I just installed CSF firewall and set max connections per IP to 20, it worked wonders.

    CSF/LFD blocked more than 20 IPs in an hour.

    Make sure to enable email alerts so that you can unblock false positives if any.

    If you are who I think you are, in your case there was no DDoS, just spammers launching automated tools and creating tons of HTTP connections which were bringing the load to insane levels, somewhat similar to a Layer 7 attack, but not really an attack. I suggested you limit the connections per IP so the spammers will need lots of IPs simultaneously to really create load issues. It does not solve the spam problem, but will solve the load one.
    About the false positives, that should not happen with your limits, you set 20 connections per IP which should be way more than any legit surfing of the site will need.

  • Thank you everyone... learning a lot!
    That should prepare me well in case the client decides on giving this site's control to me.

    Interesting to know RamNode offers DDoS protection, I'm already their customer!

    Thanks again...everyone! still reading.... so keep pouring!

  • @black said:
    It depends, if your attack is < 10 Gbps then ramnode is fine. If you get attacks bigger than that, then you need to look for another solution.

    Depending on location RN goes up to 20Gbps.

    @netomx said:
    Why? they never offered free DDoS protection

    Didn't expect it. However, the way they handle servers that get DDoS'd (first warning btw, not repeat offenses) is to try upselling their protection instead of even considering working something out. They also make you wait a minimum of 24 hours before removing a nullroute (compared to other providers like RamNode who do it in 15 minutes). (They wouldn't allow me to have a temporary IP or to remove the nullroute on my old IP long after the DDoS had stopped. They insisted I use IPv6 because "any real host" would support it.)

    Essentially had my business called fake by a support team member, didn't have my issue resolved, and didn't get a partial/full refund upon request because I was apparently abusing my node by receiving ONE ddos attack that was unforeseen. But they sure did let me know that they also offered ddos protection if i wanted to pay extra!

    Terrible time dealing with support. It's just not worth it to me. I'd rather stick with a dependable provider who I know will provide support when needed, and doesn't stick to ridiculous rules and can't make exceptions/use common sense.

  • Maounique Host Rep, Veteran
    edited December 2014

    Jonchun said: Didn't expect it.

    As I said, you can use the iwstack free DDoS protected network. The said "upsell" is for regular VPSes already targeted by attacks.

    We do not play in the DDoS arena. Even if we offer an alternative, that is only for our core business, low-latency network protection: a way to keep the networks separated, one for the DDoS magnets and another for the serious business hosting. If someone cannot afford DDoS protection, then they should not host DDoS magnets, or move to a provider which offers it for free. Plenty of those even at low end prices. As I said, we even offer it for free for a particular product.

  • Maounique Host Rep, Veteran

    apachebooster said: protection from DDOS protection

    Cool.

  • wych Member
    edited December 2014

    @apachebooster said:
    Hi,

    One of the steps to mitigate the DDOS attack would be to install a cPanel plugin called Apachebooster.
    It works with varnish and the caching of this act as the first step towards protection from DDOS protection

    Or not, it's DoS protection, not DDoS protection.

  • Online.net can eat some big attacks, BuyVM is also good for smaller stuff.

  • Zare Member, Host Rep
    edited December 2014

    We provide 640Gbps Anycast DDoS protection for free on all our cloud and dedicated servers.

    Cloud starting from £2.50 per month

    Dedicated starting from £25.00 per month.

    Our protection is by Voxility, we have a direct 10Gbps clean-traffic uplink with them at Telehouse North, London, allowing us to provide the lowest latency DDoS protection in the UK.
