It seems that my site has been under heavy DDoS attacks for the last couple of days. Is there any way to prevent this? My server admin has been very busy banning potential attackers' IPs, but what else can be done?
Depends on the nature of the attack, but in many cases not much, really: http://grc.com/dos/grcdos.htm It's a long but very good and interesting read about DDoS. J.D.
This is ridiculous, it has been going on for hours and won't stop. How do the big sites like Ebay or Amazon avoid this?
What is the attack doing? Is it sending a billion pings to your site of varying sizes? If so, you should be able to make your site not respond to ICMP echoes - this is what Ebay does.
They are using $20K Cisco firewalls and other expensive gadgets. See what protocols they are using and if it's UDP or ICMP, ask your service provider to drop packets with these protocols, regardless of the source address. Keep in mind that if you are running your own DNS server, it uses UDP and will not work, unless there's an exception made for it. If the attack is a SYN flood attack or equivalent, you can ask your service provider to enable protection against this form of attack in their firewall for your address range (most good hardware firewalls offer this form of protection). If you provide more details on the attack, I may be able to advise you on something else. J.D.
You should tcpdump and see what's hitting the server, then start banning IPs. Works for me. Also make sure you have a firewall set up with a good ruleset.
Yeah, I had my system admin and a tech support guy helping me, but even with that things got out of control, and they had to take down my server for a couple of hours and wait for the attack to slow down. Just horrible, it lasted several hours... and my admin says that it was a targeted attack and that it is very likely to happen again. Damn, someone out there must be very pissed because I took his spots at Google.
Most DDoS attacks these days use HTTP GET requests; the days of ICMP DDoS attacks are long gone. The problem is that if the attackers have enough bandwidth to saturate your upstream's bandwidth, you're screwed. There's really nothing you can do. Simply firewalling the attackers is useless, because they will still saturate the pipe before they hit your firewall. If your upstream bandwidth is getting saturated with the HTTP replies (i.e. the actual pages themselves), you could put a 301 redirect in place on the page they are requesting, e.g. http://example.com -> http://example.com/mainsite Returning the 301 is going to use far less bandwidth. It's probably not going to help your Google rankings, but then neither is your site being down. Often you'll find the attackers will just be constantly requesting an image file over and over, which makes things easier for you. The big sites like Amazon and Ebay use Akamai. Akamai have servers in data centres all over the world, so it's massively more difficult to flood them off the net. Unfortunately, I suspect you don't have the sort of cash that Akamai would want for hosting. Hope this helps, let us know how you get on.
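The two posts above recommend looking at what is actually hitting the server before banning anything, and note that GET floods usually hammer one URL, often a single image. The script below is an added example for this thread (not code from any of the posters) that does that triage from ordinary access log lines: it finds the hot URLs, ranks source addresses by request rate, and prints iptables drop commands for the worst ones. The log lines, IP addresses and the 5 requests/second threshold are constructed for the example and are not from the thread.

```python
"""Triage an HTTP GET flood from web server access logs.

Added example for this thread; it is not code from any of the posters. It
reads Apache/nginx "combined" format access log lines, reports which URLs
are being hammered (the image-hitting pattern described above) and which
source addresses are sending them, and emits iptables commands for sources
above a request-rate threshold. The log lines, IP addresses and thresholds
below are constructed for the example, not real traffic.

Caveat from the thread that still applies: dropping packets on the host
only helps while the link itself is not saturated; once it is, the filter
has to move upstream to the provider.
"""
import re
from collections import Counter
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def triage(lines, rate_threshold=5.0, top_paths=3):
    """Summarise a batch of log lines.

    Returns (hot_paths, offenders):
      hot_paths: [(path, hits, bytes_served)] for the most requested URLs
      offenders: {ip: requests_per_second} for sources above rate_threshold,
                 measured over the time span covered by the batch
    """
    recs = [r for r in map(parse_line, lines) if r is not None]
    if not recs:
        return [], {}
    first = min(r["ts"] for r in recs)
    last = max(r["ts"] for r in recs)
    window = max((last - first).total_seconds(), 1.0)  # avoid divide-by-zero

    path_hits, path_bytes, ip_hits = Counter(), Counter(), Counter()
    for r in recs:
        path_hits[r["path"]] += 1
        path_bytes[r["path"]] += r["size"]
        ip_hits[r["ip"]] += 1

    hot_paths = [(p, n, path_bytes[p]) for p, n in path_hits.most_common(top_paths)]
    offenders = {ip: n / window for ip, n in ip_hits.items()
                 if n / window >= rate_threshold}
    return hot_paths, offenders


def ban_commands(offenders, chain="INPUT"):
    """iptables drop rules for the offending sources, worst first.

    Only printed, never executed here: review the list before applying it,
    since a rate threshold can also catch a busy NAT gateway or proxy.
    """
    ordered = sorted(offenders, key=offenders.get, reverse=True)
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ordered]


def sample_log():
    """Constructed sample: three bots each fetching one image 8 times a
    second for 10 seconds, plus two ordinary visitors. Not real traffic."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size} "-" "Mozilla/4.0"'
    lines = []
    for sec in range(10):
        ts = f"12/Mar/2006:14:05:{sec:02d} +0000"
        for bot in ("203.0.113.7", "203.0.113.8", "198.51.100.23"):
            lines += [fmt.format(ip=bot, ts=ts, path="/images/banner.jpg", size=48213)] * 8
        lines.append(fmt.format(ip="192.0.2.10", ts=ts, path="/", size=7321))
    lines.append(fmt.format(ip="192.0.2.11", ts="12/Mar/2006:14:05:03 +0000",
                            path="/about.html", size=4120))
    return lines


if __name__ == "__main__":
    hot, bad = triage(sample_log())
    for path, hits, size in hot:
        print(f"{hits:6d} hits {size:12d} bytes  {path}")
    for ip, rps in sorted(bad.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16s} {rps:6.1f} req/s")
    print("\n".join(ban_commands(bad)))
```

On the constructed sample the three bot addresses come out at just under 9 requests/second each and the ordinary visitors stay well under the threshold. With real logs, feed `triage()` a recent slice (say the last minute via `tail`) rather than the whole file, so the rate reflects the attack rather than the day's average, and pick the threshold from what your normal traffic looks like, not from this example.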
In a DDoS, attackers have at their disposal thousands of zombie machines they control - they have, literally, all the bandwidth in the world. Let me put it plain and simple - you can't fight a DDoS attack at the HTTP level. Amazon and the like suffer less from DDoS (they still do, though) because they use very expensive equipment and because they have different relationships with service providers. Firewalls in their price range will automatically detect many forms of attacks and will block originating networks as soon as the attack begins and immediately notify their staff. These guys, in turn, immediately contact operators of the upstream routers and notify them as well. All these mechanisms combined make it easier for the big guys to cope with DDoS. J.D.
Everyone, but that is beside the point. Hopefully you can get it to stop; I am sure I am not the only one who would want to know what to do in case it happens. It wouldn't surprise me if the DDoS attack was actually random from some virus maker who has no life.
That rather depends on who is attacking you - not all botnets are equal in size. Actually I've had success with exactly the approach I outlined above. A customer was getting hit with thousands of requests to a particular image, which in turn was gobbling up all their bandwidth. By moving the image and responding with a 500 access denied for the old file name (by making it not readable by the apache user) the effect of the DDoS was lowered enough for normal usage of the server. I agree it's not a suitable long-term solution, but for dealing with the immediate problem it can work. As I made clear in my original post, if your bandwidth is getting saturated by the requests, the approach does nothing for you.
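The cheap-response trick described in the two posts above (move the hammered image and refuse the old name, or answer the flooded front page with a 301 instead of the full page), written out as an Apache httpd 2.4 configuration fragment. This is an added example, not configuration from the thread or from any poster's server; the path /images/banner.jpg, the new file name and the /mainsite target are assumptions.

```apache
# Added example, not from the thread. Assumes Apache httpd 2.4 with
# mod_rewrite and mod_setenvif loaded; the paths are made up.

# 1. Serve the real image under a new name the bots do not know about
#    (move banner.jpg to b7f1e2.jpg on disk and update the HTML), then
#    refuse the old name. "Require all denied" answers with a 403 whose
#    default body is a few hundred bytes, instead of the full image on
#    every request.
<Location "/images/banner.jpg">
    Require all denied
</Location>

# 2. If the bots hit the front page instead, answer it with a 301 to the
#    real site. A redirect header is far smaller than the rendered page;
#    the bots may follow it, but most simple flooders just repeat the
#    original request.
RewriteEngine On
RewriteRule ^/$ /mainsite [R=301,L]

# 3. Keep the cheap responses out of the access log so the disk does not
#    fill up at a few thousand lines per second.
SetEnvIf Request_URI "^/images/banner\.jpg$" flood
CustomLog logs/access_log combined env=!flood
```

As the posts say, this only buys anything while the requests themselves are not saturating the link: every inbound request still arrives and is still counted against your bandwidth, you are only shrinking the reply.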
Like I said, this type of attack is better dealt with at the network level. If you can't get to the network level - anything will do, even something as simple as what you described. This will still eat up your bandwidth pretty quickly, though - attackers control request size and can send your web server tons of data in the request and simply ignore your redirect responses. The very first thing to do in cases like this is to contact your hosting/colocation company. J.D.
Well, we tightened up the firewall today and it seems the loser tried another attack, but it didn't affect the server any more.
I can only agree with J.D.: with DDoS you need to contact your upstream provider; if the packets reach your link, you're already screwed.
I hope no one minds that I'm digging up an old thread. I'm hoping Fryman or someone else can share which web hosting company worked with them to end the DoS attacks. I have a site that has been attacked a few times in the past few days (I guess I've arrived) and I need to host it with people who can protect it.
I host with The Planet. They have really expensive Cisco Guard servers that will stop a DDoS. If their techs detect a DDoS, they'll put you behind the Cisco Guard until the attackers stop. Other hosts use Preventia servers. I forget which. I know The Planet can help you with a DDoS though.
Cisco will not save you from a real DDoS. There are a number of services offering DDoS protection, like ddosprotection.com, and there are a few expensive hosts that will save you from DDoS attacks up to 1 Gbps.
God only knows what will save you from a real DDoS by an expert, but what is it that ddosprotection will do that a Cisco Guard and a firewall won't do?