My sites have been under DDoS attacks for a couple of weeks now. I upgraded the VPS account to a dedicated server; it still doesn't help that much. Sites are loading very slowly and the server is frequently offline. The attack seems to be targeted at port 25, email related. That's what the hosting support says (it's on wiretree.com). However, they don't provide any DDoS protection services, so all they can do is turn off the monitoring for that port, so I won't get constant emails notifying me of failures of exim and other functions. Any ideas what can be done? How can I know if it really is a targeted attack and not just too much traffic on the server? The sites on the server get some 100k pageviews per day.
Are you sure they are attacking port 25? If they are attacking port 25, why not close the port and tell your iptables to drop packets coming into port 25? Also, how many IPs are apparently attacking? What server OS and control panel are you running? What spec is the server?
Hey, it's on the first dedi plan here. Hm, not sure about IPs... does that matter though? I think if port 25 is closed it won't be able to send/receive email.
Well, if you can ban the IPs that are spamming you, that should help, also if you close port 25 even for a while. I would request new IPs if that's the problem, but look in your logs and see if you can find the IP attack and block it, even block the whole range. Hope that helps a little!
You can install a quick firewall, CSF. I'm assuming you're running Linux. If it's so bad that you can't see the sites or receive mail anyway, have your host turn off the server at the switch for half an hour or so. I know, it sounds dumb, but hear me out. If the packets have nowhere to go they're going to turn around on the ISP where they're coming from, and the ISP should turn off the person who's performing it. That should only be done in extreme cases. Try the firewall first. If you need help on installation, check here.
Thanks for your input! The attack is focused on one IP on my server, the main one which hosts most of the sites. Attacks are coming from all kinds of different IPs; I can't block them effectively. I guess I could close port 25 for a while, but what would this help? I still need it for email etc. Thanks for the tip; the server already has CSF installed, but my hosting support say it's not meant for DDoS attacks and won't help prevent the issue.
Change the mail port from 25 to something else. I am not sure how it is done, but I had heard this is possible.
OK:
1. How many IPs are attacking you?
2. What iptables management script are you using currently?
3. If you're using cPanel you can change port 25 to port 26.
I suggest you close port 25 for half a day, and set your iptables to DROP packets instead of rejecting them. Trust me, I've worked on more servers than the number of times you have gone to the toilet in your lifetime.
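The original poster asked how to tell a targeted attack from ordinary traffic, and later replies suggest looking through the logs for the attacking IPs or ranges and DROPping them in iptables. The script below is an added example, not code from anyone in this thread: it counts inbound SMTP connection attempts per source IP and per /24 from Exim mainlog-style lines, reports how concentrated the sources are (a few hosts versus a spread-out flood), and prints candidate iptables DROP rules for review rather than applying them. It assumes Exim's "SMTP connection from [ip]" log line (written when the smtp_connection log selector is on); the log lines embedded in it are constructed sample data with documentation-range addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of Exim's mainlog (addresses, times and
# counts are made up for this example). Exim writes "SMTP connection from [ip]"
# when the smtp_connection log selector is enabled.
SAMPLE_LOG = """\
2024-03-01 10:00:01 SMTP connection from [203.0.113.10] (TCP/IP connection count = 1)
2024-03-01 10:00:02 SMTP connection from [198.51.100.7] (TCP/IP connection count = 2)
2024-03-01 10:00:02 SMTP connection from [198.51.100.8] (TCP/IP connection count = 3)
2024-03-01 10:00:03 SMTP connection from [198.51.100.9] (TCP/IP connection count = 4)
2024-03-01 10:00:03 1rAbCd-000001-XY <= sender@example.org H=mail.example.org [192.0.2.5] P=esmtp S=1234
2024-03-01 10:00:03 SMTP connection from [198.51.100.10] (TCP/IP connection count = 5)
2024-03-01 10:00:04 SMTP connection from [198.51.100.11] (TCP/IP connection count = 6)
2024-03-01 10:00:04 SMTP connection from [192.0.2.5] (TCP/IP connection count = 7)
2024-03-01 10:00:05 SMTP connection from [198.51.100.12] (TCP/IP connection count = 8)
2024-03-01 10:00:05 SMTP connection from [198.51.100.13] (TCP/IP connection count = 9)
2024-03-01 10:00:06 SMTP connection from [203.0.113.10] (TCP/IP connection count = 10)
2024-03-01 10:00:06 SMTP connection from [198.51.100.14] (TCP/IP connection count = 11)
"""

# Only connection-attempt lines count; message lines (<=, =>) are ignored.
CONN_RE = re.compile(r"SMTP connection from \[([0-9A-Fa-f.:]+)\]")


def count_sources(lines):
    """Count SMTP connection attempts per source IP and per /24 (or /64 for IPv6)."""
    per_ip, per_net = Counter(), Counter()
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log; skip rather than crash
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_ip[str(ip)] += 1
        per_net[str(net)] += 1
    return per_ip, per_net


def suspicious_ranges(per_net, share=0.25, min_hits=5):
    """Ranges supplying more than `share` of all attempts and at least `min_hits`."""
    total = sum(per_net.values())
    if total == 0:
        return []
    return [net for net, n in per_net.most_common()
            if n >= min_hits and n / total > share]


def concentration(per_ip, top=5):
    """Fraction of attempts from the `top` busiest IPs.
    Near 1.0: a handful of hosts you can block; near 0: a distributed flood."""
    total = sum(per_ip.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in per_ip.most_common(top)) / total


def deny_rules(ranges):
    """iptables rules, as text for review, that silently DROP SMTP from a range."""
    return [f"iptables -I INPUT -s {net} -p tcp --dport 25 -j DROP" for net in ranges]


def analyze(log_text):
    """Summarise one log file: volume, spread, flagged ranges and proposed rules."""
    per_ip, per_net = count_sources(log_text.splitlines())
    flagged = suspicious_ranges(per_net)
    return {
        "attempts": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "top5_share": round(concentration(per_ip), 3),
        "flagged_ranges": flagged,
        "rules": deny_rules(flagged),
    }


if __name__ == "__main__":
    import sys
    # Usage: python smtp_sources.py /var/log/exim_mainlog (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in analyze(text).items():
        print(f"{key}: {value}")
```

On the sample, one /24 supplies 8 of 11 attempts and gets flagged, while the top five individual IPs account for only about 55% of attempts, which is what a source spread across many hosts in one range looks like. The thresholds are starting points; read the flagged ranges against the mail log before inserting any rule, since a /24 can contain legitimate senders.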
Check the mail logs and make sure that your mail server configuration is not allowing open relay. It might be a good idea to scan the server with a security scanner like Nessus.
Thanks, did that for now. Dropping packets. Looks like it's quiet for now, but we'll see after opening port 25 again soon.
- Is your mail queue normal? (i.e. the queue is not filled with tens of thousands of emails)
- Check the default boxes. Sometimes a wrongly configured default email account can cause this huge server load problem. Example: instead of ":fail:", only "fail:" was entered.
Just a couple of checks I could come up with (maybe you already checked). I hope things will return to normal for you soon!
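The ":fail:" versus "fail:" mistake in the reply above is easy to miss by eye across many domains. As an added example (not code from the thread), the checker below scans each domain's alias entries for the catch-all "*:" line and reports entries where the leading colon is missing, or where the catch-all simply forwards every unrouted address to a mailbox. It assumes the layout cPanel uses for /etc/valiases/<domain> ("address: target" per line, "*:" for the default address); the alias text embedded here is constructed sample data.

```python
# Constructed sample aliases in the layout cPanel uses for /etc/valiases/<domain>
# (an assumption about the format; the thread names no file). The "*:" line is
# the domain's default/catch-all address.
SAMPLE_VALIASES = {
    "ok.example":   "*: :fail: No such user here\nowner: owner@ok.example\n",
    "typo.example": "*: fail: No such user here\nowner: owner@typo.example\n",
    "open.example": "*: owner@open.example\n",
    "none.example": "owner: owner@none.example\n",
}


def check_default_address(text):
    """Return findings for a domain's catch-all ('*:') entry; [] means it looks fine."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("*:"):
            continue
        target = line[2:].strip()
        if target.startswith(":fail:"):
            continue  # the intended form: unknown recipients are refused
        if target.startswith("fail:"):
            findings.append("catch-all is 'fail:' not ':fail:' (leading colon missing)")
        else:
            findings.append(f"catch-all delivers every unrouted address to {target}")
    return findings


def audit(valiases):
    """Map domain -> findings for every domain whose catch-all needs attention."""
    problems = {}
    for domain, text in valiases.items():
        findings = check_default_address(text)
        if findings:
            problems[domain] = findings
    return problems


if __name__ == "__main__":
    import glob
    import os
    # Assumed cPanel path; when it is absent, fall back to the constructed sample.
    files = glob.glob("/etc/valiases/*")
    data = {os.path.basename(p): open(p).read() for p in files} or SAMPLE_VALIASES
    for domain, findings in audit(data).items():
        print(f"{domain}: {'; '.join(findings)}")
```

A domain with no "*:" line at all is reported as fine, since it has no catch-all to misconfigure; only an explicit catch-all that does something other than ":fail:" is flagged.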