DDoS protection solutions for LEB?

sonic Veteran
edited August 2011 in General

Please share your thoughts: how do you protect an Nginx web server from a DDoS attack?

Comments

  • KuJoe Member, Host Rep

    Nothing you run on your LEB will mitigate a DDoS attack... EVER. You need to purchase something that will stand between you and the attack such as a hardware firewall, dedicated server running squid, or a third party DDoS mitigation service.

  • There are actually quite a few different types of denial of service attacks. Some of them work at the application protocol level, for example by constantly hitting the heavy pages of your website. Not a lot of bandwidth is required to attack your website, and your site would probably die from an overloaded CPU or IO subsystem.

    LowEndBox.com got attacked that way a few times, and it's possible to block them with Nginx. Shut down the browser and you'll regain control of the server. Analyse the logs to work out the attack vectors, and then block them explicitly in your config. Restart the server and you are good to go (until the attacker changes the strategy again).

    However, for a massive flood of TCP/UDP or ICMP packets, there's probably nothing you can do from your VPS, and it requires the upstream to block some of these packets explicitly.

  • Go59954 Member
    edited August 2011

    I was able to kill many DDoS attacks/abuse using htaccess IP blocks. Another method I use, software-based, wasn't able to mitigate it most of the time, but htaccess almost always did! Apache sometimes makes me love it even though it eats a lot of RAM; sometimes it does sorts of magic, I guess, with htaccess IP blocks. Once I had an abuser opening URLs tens of times each second, to the extent that the whole VPS wasn't accessible for me. I didn't bother, since I have the HyperVM control panel and used its file editor: once I opened the log and figured out which IP it was, I added it to htaccess as blocked, and everything went back to normal the same second I saved the htaccess, without even needing to restart my server!

  • sonic Veteran

    I don't know what type. When I run:
    netstat -an |grep :80 |wc -l

    It shows ~8k connections. When I look at the access_log, all of them are faked as Googlebot; they load all my site tags, e.g. http://domain.com/tag
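The log analysis recommended earlier in the thread, applied to the symptom sonic describes, as an added example written for this page (not code from the thread or from nginx): it parses nginx combined-format access_log lines, counts per-client-IP requests under /tag whose User-Agent claims to be Googlebot, and renders deny lines for a location block. The log lines are constructed samples; the threshold and the reverse-DNS helper are assumptions.

```python
import re
from collections import Counter

# Constructed sample of nginx "combined" access_log lines (not taken from the thread):
# two hosts hammer /tag while claiming to be Googlebot, one real visitor loads the front page.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2011:10:00:01 +0000] "GET /tag/linux HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [12/Aug/2011:10:00:01 +0000] "GET /tag/vps HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [12/Aug/2011:10:00:02 +0000] "GET /tag/linux HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.55 - - [12/Aug/2011:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
203.0.113.10 - - [12/Aug/2011:10:00:03 +0000] "GET /tag/nginx HTTP/1.1" 200 5011 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

LOG_RE = re.compile(  # fields of the default nginx "combined" log_format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_ips(log_text, path_prefix="/tag", ua_substring="Googlebot", threshold=2):
    """Count, per client IP, requests under path_prefix whose User-Agent contains
    ua_substring; return {ip: count} for every IP at or above threshold (assumed value)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(path_prefix) and ua_substring in rec["ua"]:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def claims_googlebot_legitimately(reverse_dns_name):
    """A genuine Googlebot's reverse DNS name ends in googlebot.com or google.com (Google also
    expects a forward lookup of that name to return the same IP; not done here, no network)."""
    name = reverse_dns_name.rstrip(".").lower()
    return name.endswith(".googlebot.com") or name.endswith(".google.com")

def nginx_deny_block(ips, location="/tag"):
    """Render a location block denying the given IPs, in the style used in this thread."""
    lines = [f"location {location} {{"] + [f"    deny {ip};" for ip in sorted(ips)] + ["}"]
    return "\n".join(lines)

if __name__ == "__main__":
    hits = suspicious_ips(SAMPLE_LOG)
    print(hits)  # {'203.0.113.10': 3}
    print(nginx_deny_block(hits))
```

Run it against the real access_log (`suspicious_ips(open("/var/log/nginx/access.log").read())`) to get the list of offenders; a client that claims Googlebot but fails the reverse-DNS check is a spoofed agent, which is the case sonic describes.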

  • Block requests to /tag if that's what they are hitting with their GET flood attack.

  • sonic Veteran

    @dmmcintyre3: How do I block requests to /tag? I'm running LNMP on a 512 MB RAM VPS.

  • dmmcintyre3 Member
    edited August 2011

    Add this to your config file for the site being attacked.

    location /tag {
        deny all;
    }
  • @sonix I use return 444; to block requests with nginx.

  • sonic Veteran

    @dmmcintyre3: it's really helpful to me :D
    @Keith: how do I do that? Please give me more details, because I'm a noob at this :D

  • @sonic Block either by location or by user agent, if you can uniquely identify the bot from a sub-string of the user agent.

    location / {
        location /tag {
            return 444;
        }
        if ($http_user_agent ~* "(Morfeus|larbin|ZmEu|Toata|DDOSbotname-changeme)" ) {
            return 444;
        }
    }

    4 other user agents worth blocking are also included.

  • sonic Veteran

    All user agents are Mozilla :D

  • @sonix You will have to block just by location then.

    Access by numeric IP can be blocked with nginx, if that's how it's being done,

    only allowing access by host name.

  • drmike Member
    edited August 2011

    Having a kick-ass legal department is as big a plus as well. Last time we had a DDoS, the idiot who set it up used all Comcast and RR IP addresses. (Which is why I use the word idiot there. One of the first things you learn about setting up a correct DDoS attack is never to use the same network.) While I'm not a fan of either of those companies, they do listen to C&Ds. :)

    edit: That's one of the pluses of analyzing the attack as mentioned up above.
