CPanel Direct IP getting ddosed

I have two cPanel servers set up for our shared hosting and a whole slew of clients. Some have dedicated IPs and some have shared IPs; however, today the main IP for the cPanel server got hit and disrupted everyone's services.

I am currently with Combahton and I have tried things like enabling permanent mitigation, etc.

Is there a way to configure cPanel so my clients don't get disrupted? Any way to change the main cpanel1 IP address?

Comments

  • Nullroute the IP, at least then clients' services should become accessible. Nothing to stop the attackers going for your other IPs though...

    If you have DDoS protection that isn't working, contact your datacenter's support team to see if any changes can be made to block the attack traffic.

  • Changing the IP will likely shift the attack to the new IP. Just enable your permanent mitigation or terminate the client who is attracting the attacks.

  • Neoon Community Contributor, Veteran
    edited September 2018

    Well, if it's application layer, ask them; he said they have a system for that in place.
    Application layer will mostly not trigger AntiDDOS, since your traffic goes encrypted over TLS.

  • jar Patron Provider, Top Host, Veteran

    What's worse when this happens, DNS lookups go out of the primary interface causing apache reverse lookups to slow down (if they're enabled), and exim to fail to send email because it can't look up recipient DNS.

  • deank Member, Troll

    In before someone posts a complaint thread on LET that his account got terminated for no reason.

  • MikeA Member, Patron Provider

    It could be a 30 second fix or it could be something you'd need specific protection for. Do you have any logs, assuming it's a L7 attack, from the web server, fpm, etc? What port is getting the traffic?

  • @MikeA said:
    It could be a 30 second fix or it could be something you'd need specific protection for. Do you have any logs, assuming it's a L7 attack, from the web server, fpm, etc? What port is getting the traffic?

    It's Layer 4. They are hitting the direct IP of the machine; it causes everything to go down.

  • Eased Member, Host Rep

    @Jack said:
    Offer dedicated IPs for all customers.

  • mfs Banned, Member

    sharedport said:

    It's Layer 4. They are hitting the direct IP

    Unless they're actually filling up your (already DDoS protected) pipes, have you considered routing/sending all the traffic to something as simple as a dedicated NGINX instance returning a 444 for all direct IP connections + fail2ban for the offending IPs? Or, enable the SYNPROXY target.

  • jh_aurologic Member, Patron Provider

    @sharedport I assume that affects some of your additional IP addresses, right? I kindly suggest getting in touch with our customer care; we have extensive capabilities besides the regular DDoS protection.
