Huge DDOS Attack, how to stop?

suyadi92 Member

My server has been DDoS'ed sporadically for almost 2 days.
Seems to be an intended attack since it happens shortly after we say "It's fixed now" to this (single) customer.

Cloudflare's protection has been less useful to me,
Server's CPU has been upgraded to 20 cores, no improvement either.
Any advice to stop this DDoS, guys?
Thanks

Comments

  • Who did you piss off? Is it China?

  • @suyadi92 said: Cloudflare's protection has been less useful to me,

    Personally, I'm less than satisfied with Cloudflare's mitigation techniques.

    I believe these are L7 attacks, in which case you should look at ratelimiting the requests, and maybe also setting request body size limits. Logging all headers and inspecting the reason for why your application goes down would help.

    Thanked by 1risharde
  • @dahartigan said:
    Who did you piss off? Is it China?

    No, we have nothing to do with china

  • Nekki Veteran

    Don't ever tell the specific customer it's fixed. Problem solved.

    My rate £10,00.00/hour if you wish to engage my service further.

  • suyadi92 Member
    edited May 2022

    @stevewatson301 said:
    Personally, I'm less than satisfied with Cloudflare's mitigation techniques.

    I believe these are L7 attacks, in which case you should look at ratelimiting the requests, and maybe also setting request body size limits. Logging all headers and inspecting the reason for why your application goes down would help.

    Do you have any recommendation of a 3rd-party DDoS protection service?

  • @Nekki said:
    Don't ever tell the specific customer it's fixed. Problem solved.

    My rate £10,00.00/hour if you wish to engage my service further.

    Thank you, I'll rephrase my sentence from now on.

  • MikeA Member, Patron Provider

    Maybe see if X4B can mitigate it.

  • Stackpath is pretty great at L7 mitigation.

  • I've found that most people who say that Cloudflare L7 protection doesn't work have either

    1- Improperly configured it so the backend service can have its IP discovered.

    2- Application level DoS exploits such that small amounts of requests can trigger a DoS condition.

    Cloudflare L7 protection isn't perfect, but from what I've seen it can mitigate most volumetric attacks.

    Thanked by 3yoursunny taizi Erisa
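    A worked example of the two suggestions above, added here and not code from anyone in the thread: the per-client request counting behind stevewatson301's rate-limiting advice, and a way to spot the expensive endpoints ehhthing's second point describes (a handful of requests that each burn seconds of CPU). It assumes an nginx log_format (an assumption, not from the thread) whose first field is the CF-Connecting-IP header and whose last field is $request_time; the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed access-log format (set via nginx log_format; not from the thread):
#   $http_cf_connecting_ip [$time_local] "$request" $status $request_time
# Behind Cloudflare the first field must be the CF-Connecting-IP header rather
# than $remote_addr, otherwise every request appears to come from a few
# Cloudflare edge addresses and per-client rate analysis is meaningless.
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) ([\d.]+)$')

def _fmt(ip, hms, request, status, secs):
    return f'{ip} [12/May/2022:{hms} +0000] "{request}" {status} {secs:.3f}'

# Constructed sample traffic: three clients; 203.0.113.99 floods /login with
# two requests per second, and /search is an expensive endpoint (~3 s each).
_NORMAL = [
    ('198.51.100.7', '10:00:00', 'GET / HTTP/1.1', 200, 0.004),
    ('198.51.100.7', '10:00:01', 'GET /search?q=a HTTP/1.1', 200, 2.900),
    ('203.0.113.5',  '10:00:02', 'GET /about HTTP/1.1', 200, 0.003),
    ('203.0.113.5',  '10:00:05', 'GET /search?q=b HTTP/1.1', 200, 3.100),
]
_FLOOD = [('203.0.113.99', f'10:00:{s:02d}', 'GET /login HTTP/1.1', 200, 0.010)
          for s in range(3, 11) for _ in range(2)]            # 16 requests in 8 s
SAMPLE_LOG = "\n".join(_fmt(*row) for row in _NORMAL + _FLOOD)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status, secs = m.groups()
    parts = request.split(' ')
    path = parts[1].split('?')[0] if len(parts) >= 2 else request
    return {'ip': ip, 'time': datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z'),
            'path': path, 'status': int(status), 'secs': float(secs)}

def _records(lines):
    # Sort by time so the sliding window below works on unordered input too.
    return sorted(filter(None, map(parse_line, lines)), key=lambda r: r['time'])

def find_floods(lines, window_s=10, threshold=10):
    """Sliding-window request counter: return {ip: peak requests seen inside any
    window_s-second window} for clients that exceeded threshold."""
    recent = defaultdict(deque)
    peaks = {}
    for rec in _records(lines):
        q = recent[rec['ip']]
        q.append(rec['time'])
        cutoff = rec['time'] - timedelta(seconds=window_s)
        while q[0] < cutoff:          # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[rec['ip']] = max(peaks.get(rec['ip'], 0), len(q))
    return peaks

def slow_endpoints(lines, min_seconds=1.0):
    """Mean request_time per path for paths averaging above min_seconds: the
    endpoints where a handful of requests can exhaust CPU (application-level DoS)."""
    totals = defaultdict(lambda: [0.0, 0])
    for rec in _records(lines):
        totals[rec['path']][0] += rec['secs']
        totals[rec['path']][1] += 1
    return {path: round(total / n, 3) for path, (total, n) in totals.items()
            if total / n > min_seconds}

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print('flooding clients:', find_floods(lines))     # {'203.0.113.99': 16}
    print('expensive paths :', slow_endpoints(lines))  # {'/search': 3.0}
```

    The sliding window is the same arithmetic an nginx limit_req zone or a Cloudflare rate-limiting rule applies, so the threshold that separates real users from the flood in your own logs is the number to configure there; the slow-endpoint list tells you which paths need caching, a cheaper query, or a tighter per-path limit before any rate limit will help.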
  • @MikeA said:
    Maybe see if X4B can mitigate it.

    Noted. thanks!

  • @itzaname said:
    Stackpath is pretty great at l7 mitigation.

    Noted. thanks guys!

  • Gravely Member

    Null route your server, no more DDoS man

  • suyadi92 Member
    edited May 2022

    @ehhthing said:

    • Improperly configured it so the backend service can have its IP discovered.

    Yes, we had this problem before, but it's proxied by CF's IP now. But our customer already knows our real IP; can that be the case?

    2- Application level DoS exploits such that small amounts of requests can trigger a DoS condition.

    Can you elaborate more on this? I mean, how to scan this app-level exploit?

  • I found the command ip r a bla 0.0.0.0/0 to be quite useful in dealing with this situation.

    Thanked by 2yoursunny bulbasaur
  • @suyadi92 said:
    @ehhthing said:

    • Improperly configured it so the backend service can have its IP discovered.

    Yes, we had this problem before, but it's proxied by CF's IP now. But our customer already knows our real IP; can that be the case?

    You can configure your firewall so that only Cloudflare's IP is allowed.
    Here is the list of IP
    https://www.cloudflare.com/en-gb/ips/
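    An added example of the firewall allowlist quanhua92 describes, not code from the thread or from Cloudflare: it validates a list of proxy ranges and renders an nftables ruleset that accepts the web ports only from those ranges and drops everything else aimed at them. The ranges in the block are RFC 5737/3849 documentation placeholders; the real list lives at the URL above and changes over time, so regenerate and reload whenever it does. This only stops direct-to-origin hits on ports 80/443 from a known IP (the case the poster asked about); a volumetric flood can still fill the uplink before any host firewall sees it, which is where a provider-side null route or moving the origin IP comes in.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), not Cloudflare's:
# replace with the list published at https://www.cloudflare.com/en-gb/ips/.
PLACEHOLDER_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8::/32",
]

def parse_ranges(lines):
    """Strictly validate CIDR strings (no host bits set, no junk) and return
    (networks, rejected). A typo here would lock the origin away from the
    proxy, so nothing malformed is allowed into the ruleset."""
    nets, rejected = [], []
    for raw in lines:
        s = raw.strip()
        if not s or s.startswith('#'):
            continue
        try:
            nets.append(ipaddress.ip_network(s, strict=True))
        except ValueError:
            rejected.append(s)
    return nets, rejected

def is_allowed(ip, nets):
    """Would this source address be accepted on the web ports by the ruleset?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)

def _set_block(name, typ, members):
    # nftables rejects an empty elements list, so omit it when there are none.
    body = [f'type {typ}', 'flags interval']
    if members:
        body.append('elements = { ' + ', '.join(members) + ' }')
    inner = '\n'.join(f'\t\t{line}' for line in body)
    return f'\tset {name} {{\n{inner}\n\t}}'

def render_nft(nets, ports=(80, 443), table='cf_only'):
    """Emit an nftables ruleset: accept the web ports only from the proxy ranges,
    drop other connections to those ports, and leave every other port alone
    (chain policy stays accept, so SSH and monitoring are unaffected)."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    plist = ', '.join(str(p) for p in ports)
    return '\n'.join([
        f'table inet {table} {{',
        _set_block('cf_v4', 'ipv4_addr', v4),
        _set_block('cf_v6', 'ipv6_addr', v6),
        '\tchain input {',
        '\t\ttype filter hook input priority 0; policy accept;',
        f'\t\ttcp dport {{ {plist} }} ip saddr @cf_v4 accept',
        f'\t\ttcp dport {{ {plist} }} ip6 saddr @cf_v6 accept',
        f'\t\ttcp dport {{ {plist} }} drop',
        '\t}',
        '}',
        '',
    ])

NETS, REJECTED = parse_ranges(PLACEHOLDER_RANGES)

if __name__ == '__main__':
    if REJECTED:
        raise SystemExit(f'refusing to render: bad entries {REJECTED}')
    print(render_nft(NETS))
```

    Write the output to a file, syntax-check it with nft -c -f before loading it with nft -f, and keep using the CF-Connecting-IP header for client identification in the application, since with this in place every accepted web connection has a proxy source address.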

  • @quanhua92 said:
    You can configure your firewall so that only Cloudflare's IP is allowed.
    Here is the list of IP
    https://www.cloudflare.com/en-gb/ips/

    Thank you!

  • suyadi92 Member
    edited May 2022

    @CheepCluck said:
    I found the command ip r a bla 0.0.0.0/0 to be quite useful in dealing with this situation.

    Can you elaborate please?

  • Are you from RackNerd, by any chance?
    Their France shared node has been down for two days.

  • Void Member

    @suyadi92 said:

    @dahartigan said:
    Who did you piss off? Is it China?

    No, we have nothing to do with china

    The real question is what they have against you.

    Thanked by 1dahartigan
  • @SashkaPro said:
    Are you from RackNerd, by any chance?
    Their France shared node has been down for two days.

    Have you opened a ticket about that? @dustinc

  • @suyadi92 said:

    @CheepCluck said:
    I found the command ip r a bla 0.0.0.0/0 to be quite useful in dealing with this situation.

    Can you elaborate please?

    Get them before they get you

  • Thundas Member

    After moving my entire production stack behind Cloudflare utilizing their tunnel system, DDoS attacks have been completely gone. If the attackers do not know your IP, all attacks are instead directed directly at Cloudflare.

    Thanked by 2Erisa suyadi92
  • @SashkaPro said:
    Are you from RackNerd, by any chance?
    Their France shared node has been down for two days.

    No, it's UpCloud SG VPS

  • dustinc Member, Patron Provider, Top Host

    @dahartigan said:

    @SashkaPro said:
    Are you from RackNerd, by any chance?
    Their France shared node has been down for two days.

    Have you opened a ticket about that? @dustinc

    We are aware of a sophisticated DDoS attack affecting one of our shared hosting servers in France, which upstream network engineers are working on. We’re keeping in communication with affected customers every step of the way, between frequent status page updates as well as communication via ticket.

    This incident has been spanning over the course of a day (not two full days yet), and it’s not a situation where it was entirely down during that time either - but more so, just intermittent connectivity as we continue to mitigate the evolving attack targeted towards this specific server. As one can imagine, attacks and patterns are different (as intended by a motivated attacker), so that’s when we step in and adjust, and do our best to mitigate.

    I can count on one hand (one hand might actually be a generous overstatement) the number of times an attack has impacted a server of ours for such an extended duration. On the contrary, countless amounts of times we have successfully mitigated various types of attacks without our customers even noticing a blip. These types of sophisticated and pattern-changing attacks are rare, but it can and does unfortunately happen in this industry. When it does happen (like it is in this scenario), we do our very best to step in, analyze the patterns and mitigate accordingly -- which also helps towards future mitigation efforts.

    Thanked by 2dahartigan suyadi92
  • Here's the last 24 hrs log in case you guys are curious

  • @Ahfaiahkid said:
    After moving my entire production stack behind Cloudflare utilizing their tunnel system, DDoS attacks have been completely gone. If the attackers do not know your IP, all attacks are instead directed directly at Cloudflare.

    Dunno what happened, but some of them still pass CF's firewall :'(

  • I know a way to stop a DDoS attack...

    Thanked by 1suyadi92
  • Thundas Member
    edited May 2022

    @suyadi92 said:

    @Ahfaiahkid said:
    After moving my entire production stack behind Cloudflare utilizing their tunnel system, DDoS attacks have been completely gone. If the attackers do not know your IP, all attacks are instead directed directly at Cloudflare.

    Dunno what happened, but some of them still pass CF's firewall :'(

    If you are hosting clients on your own server & this is really a layer 7 attack, check which offending site it is and null route the customer if it's affecting others. One way is helping the customer prevent his/her web app from leaking the IP, or boot the customer from your platform & change your IP. You are going to lose money from accommodating a single customer because of this.

    Edit - Cloudflare is not a magical tool where DDoS will automatically stop when you try to use it after you get attacked.

    Thanked by 2szymonp suyadi92