Huge DDOS Attack, how to stop?
My server has been DDoS'ed sporadically for almost 2 days.
Seems to be an intended attack since it happens shortly after we say "It's fixed now" to this (single) customer.
Cloudflare's protection has been less useful to me.
Server's CPU has been upgraded to 20 cores, no improvement either.
Any advice to stop this DDoS, guys?
Thanks
Comments
Who did you piss off? Is it China?
Personally, I'm less than satisfied with Cloudflare's mitigation techniques.
I believe these are L7 attacks, in which case you should look at rate-limiting the requests, and maybe also setting request body size limits. Logging all headers and inspecting the reason why your application goes down would help.
No, we have nothing to do with China
Don't ever tell the specific customer it's fixed. Problem solved.
My rate £10,00.00/hour if you wish to engage my service further.
Do you have any recommendation of a 3rd-party DDoS protection service?
Thank you, I'll rephrase my sentence from now on
Maybe see if X4B can mitigate it.
Stackpath is pretty great at L7 mitigation.
I've found that most people who say that cloudflare L7 protection doesn't work have either
1- Improperly configured it so the backend service can have its IP discovered.
2- Application level DoS exploits such that small amounts of requests can trigger a DoS condition.
Cloudflare L7 protection isn't perfect, but from what I've seen it can mitigate most volumetric attacks.
Noted. Thanks!
Noted. Thanks guys!
Null route your server, no more DDoS man
@ehhthing said:
Yes, we had this problem before, but it's proxied by CF's IP now. But our customer already knows our real IP, can that be the case?
Can you elaborate more on this? I mean, how to scan this app-level exploit?
I found the command
ip route add blackhole 0.0.0.0/0
to be quite useful in dealing with this situation.
You can configure your firewall so that only Cloudflare's IPs are allowed.
Here is the list of IPs
https://www.cloudflare.com/en-gb/ips/
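As an added example (not code from the thread), a POSIX shell script that turns Cloudflare's published range lists into an nftables ruleset admitting only those ranges on the web ports, so direct hits on the origin IP are dropped and counted. It assumes nftables and curl are installed and that the lists are fetched from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```shell
#!/bin/sh
# Added example, not from the thread: allow only Cloudflare's edge ranges
# to reach the web ports, so direct hits on the origin IP are dropped (and
# counted, which shows whether the real IP has leaked past the proxy).
# Assumes nftables and curl; list URLs are Cloudflare's published ips-v4/ips-v6.
# build_cf_ruleset V4FILE V6FILE  ->  prints an nft ruleset on stdout.
# Lines that do not look like a CIDR are ignored; an empty list is an error,
# because loading an empty allowlist would lock Cloudflare itself out.
build_cf_ruleset() {
    v4=$(grep -E '^[0-9]+(\.[0-9]+){3}/[0-9]+$' "$1" | paste -sd, -)
    v6=$(grep -E '^[0-9a-fA-F:]+/[0-9]+$' "$2" | paste -sd, -)
    if [ -z "$v4" ] || [ -z "$v6" ]; then
        echo "build_cf_ruleset: empty range list, refusing to build" >&2
        return 1
    fi
    # add-then-delete replaces any previous copy of the table atomically
    cat <<EOF
add table inet cf_only
delete table inet cf_only
table inet cf_only {
    set cf_v4 { type ipv4_addr; flags interval; elements = { $v4 } }
    set cf_v6 { type ipv6_addr; flags interval; elements = { $v6 } }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 80, 443 } ip saddr @cf_v4 accept
        tcp dport { 80, 443 } ip6 saddr @cf_v6 accept
        tcp dport { 80, 443 } counter drop
    }
}
EOF
}

# refresh_cf_ruleset: fetch the current lists, syntax-check, then load.
refresh_cf_ruleset() {
    tmp=$(mktemp -d) || return 1
    curl -fsS https://www.cloudflare.com/ips-v4 -o "$tmp/v4" &&
    curl -fsS https://www.cloudflare.com/ips-v6 -o "$tmp/v6" &&
    build_cf_ruleset "$tmp/v4" "$tmp/v6" > "$tmp/cf.nft" &&
    nft -c -f "$tmp/cf.nft" &&
    nft -f "$tmp/cf.nft"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run as "sh cf_only.sh apply" (as root) to install; re-run from cron so the
# allowlist tracks Cloudflare's range changes.
if [ "${1:-}" = "apply" ]; then
    refresh_cf_ruleset
fi
```

Other ports (SSH, mail) are left alone by this table; if the box only serves web traffic behind Cloudflare, tighten the chain policy separately.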
Thank you!
Can you elaborate please?
Are you from RackNerd, by any chance?
Their France shared node has been down for two days
Real question is what do they have against you
Have you opened a ticket about that? @dustinc
Get them before they get you
After moving my entire production stack behind Cloudflare utilizing their tunnel system, DDoS attacks have been completely gone. If the attackers do not know your IP, all attacks are instead directed directly at Cloudflare.
No, it's an UpCloud SG VPS
We are aware of a sophisticated DDoS attack affecting one of our shared hosting servers in France, which upstream network engineers are working on. We’re keeping in communication with affected customers every step of the way, between frequent status page updates as well as communication via ticket.
This incident has been spanning over the course of a day (not two full days yet), and it’s not a situation where it was entirely down during that time either - but more so, just intermittent connectivity as we continue to mitigate the evolving attack targeted towards this specific server. As one can imagine, attacks and patterns are different (as intended by a motivated attacker), so that’s when we step in and adjust, and do our best to mitigate.
I can count on one hand (one hand might actually be a generous overstatement) the number of times an attack has impacted a server of ours for such an extended duration. On the contrary, countless amounts of times we have successfully mitigated various types of attacks without our customers even noticing a blip. These types of sophisticated and pattern-changing attacks are rare, but it can and does unfortunately happen in this industry. When it does happen (like it is in this scenario), we do our very best to step in, analyze the patterns and mitigate accordingly -- which also helps towards future mitigation efforts.
Here's the last 24 hrs' log in case you guys are curious
Dunno what happened, but some of them still pass CF's firewall
I know a way to stop a DDoS attack...
If you are hosting clients on your own server and this is really a layer 7 attack, check which offending site it is and null route the customer if it's affecting others. One way is helping the customer prevent his/her web app from leaking the IP, or boot the customer from your platform and change your IP. You are going to lose money from accommodating a single customer because of this.
Edit - Cloudflare is not a magical tool where DDoS will automatically stop when you try to use it after you get attacked.