Massive Layer7 attack, more than 33 hours - Page 5

Comments

  • I have seen 14yo better sysadmins.

    Thanked by 1caii
  • FlorinMarianFlorinMarian Member, Host Rep

    @Boogeyman said:
    I have seen 14yo better sysadmins.

    I'm convinced of that.
    Did you ask your child what he would do if after blocking over 5,000 IP addresses that passed the CloudFlare filters his site was still bombarded with a request - two URIs per minute from a few hundred IP addresses?

  • @FlorinMarian said:

    @Boogeyman said:
    I have seen 14yo better sysadmins.

    I'm convinced of that.
    Did you ask your child what he would do if after blocking over 5,000 IP addresses that passed the CloudFlare filters his site was still bombarded with a request - two URIs per minute from a few hundred IP addresses?

    "When I grow up I want to work in Path.net"

  • @stefeman said: I am not. Literally go check his introduction thread and his first sales thread where he tells about it and his goals.

    Well, if you go around telling people you specialize in anti-ddos then some people will take it as a challenge.

    @FlorinMarian said:

    @Boogeyman said:
    I have seen 14yo better sysadmins.

    I'm convinced of that.
    Did you ask your child what he would do if after blocking over 5,000 IP addresses that passed the CloudFlare filters his site was still bombarded with a request - two URIs per minute from a few hundred IP addresses?

    If it were someone who has been playing with different toys and stressers, then probably he would know what to do regardless of age. The reality is anything can be brought down, but at what expense? You just have to protect yourself sufficiently until it becomes too expensive and no longer worth the effort and your attackers will give up. Didn't the path.net founder or ceo start off at a young age playing with stressers?

    @FlorinMarian said: two URIs per minute from a few hundred IP addresses?

    That's not a lot, assuming they are only GET requests :|

    Thanked by 2adly bulbasaur
  • YmpkerYmpker Member

    I am by no means an expert when it comes to DDoS, however if it's about bringing the company website back up, couldn't @FlorinMarian just move the site to another host where the server IP is unknown and order a DDoS Filtered IP (e.g. BuyVM/Buyshared) or setup Sucuri in front?

    Sorry, if that doesn't help, but wouldn't it at least allow the site to be up again?

    Thanked by 1xms
  • ezethezeth Member, Patron Provider
    edited June 2022

    @FlorinMarian said: When you access the IP address of the backend you get a blank html page, not the whmcs content.

    why?

    @Ympker said:
    just move the site to another host where the server IP is unknown

    why?

    I don't see the problem.

    1. only allow Cloudflare to access ports 80, 443.
    2. who gives a shit if they know your backend IP if your firewall only allows traffic to pass through Cloudflare. AND, pay for Cloudflare pro or business. Every known provider, AWS, Oracle etc has layer 4 protection

    whatever it is, they probably think you deserve it. No one DDoSes someone just because..
    what did you do? Say you like child porn? How could you make someone so mad they DDoS you for days?

    Thanked by 1Ympker
  • ralfralf Member
    edited June 2022

    @FlorinMarian said:
    two URIs per minute from a few hundred IP addresses?

    Wait? What? Per minute? :D

    Assume worst case that "few hundred" means 400, that's 800 requests in 60 seconds. Your server can't even handle 15 requests per second?

    How can this possibly be Cloudflare's biggest DDoS to date? The DDoSer is clearly wasting their time if you could take down your site with a single computer from a decade ago. (edited from 2 decades ago, because possibly that old of a computer might struggle with SSL)

    Thanked by 2yoursunny bulbasaur
  • FlorinMarianFlorinMarian Member, Host Rep

    Unfortunately even path.net cannot manage this situation.
    After 20h being with them my CPU has been many times at 100% (requests accepted only within path.net network) and now, when I've tried to access my website, I had this behaviour:

    The people from path.net are very nice and offered me quick answers and a free trial period of one month, but the situation is beyond them as well.
    I can't accept leaving everything in the hands of others while I waste money and time doing nothing.
    I appreciate criticism, comments and any common sense, but you have to understand that I'm not trying to deal with this situation on my own because I'm crazy, but because the attack only opens a lot of connections, tiring the processor; physical connections or internet speed have nothing to do with it, as there is no traffic over 5Mbps.

  • NoCommentNoComment Member
    edited June 2022

    @FlorinMarian said: Unfortunately even path.net cannot manage this situation.

    Path.net is your first line of defense. You need to build up your own defense behind them so it's not on them. The problem, as many people have said in the previous few pages, is the fact that you cannot handle 8000 requests/sec to your site index. The problem is how your webserver interacts with your WHMCS stack.

    Scrubbing bad IPs can only go so far...

    Thanked by 3yoursunny SinV Peppery9
  • solarisolari Member
    edited June 2022

    @FlorinMarian said:

    @Boogeyman said:
    I have seen 14yo better sysadmins.

    I'm convinced of that.
    Did you ask your child what he would do if after blocking over 5,000 IP addresses that passed the CloudFlare filters his site was still bombarded with a request - two URIs per minute from a few hundred IP addresses?

    Sigh, this stuff is junior-level UNIX sysadmin stuff, but here we go:
    1. Switch out this HTTPd for nginx. Nginx uses event-based polling (where possible), and doesn't spawn up a thread per every request. I don't give a fuck about your htaccess rules, rewrite them in nginx's configuration format. Make sure to set the Keep-Alive values to low values as well.
    2. Those SMURF rules are completely pointless, I suspect Voxility already filters that ancient attack method.
    3. Don't blacklist per IP address, but add it to an ipset (hash type), and match if said IP address is in the ipset table. Some will say that nftables is better, but I disagree.
    4. Set up HTTP rate limiting (nginx) + varnish (caching; take your time with this part!). Tune psql/mysql, too, and tune the php-fpm config (sorry, I'm not a PHP codemonkey nowadays).

    Have you considered getting good at UNIX system administration, instead of copy and pasting commands off random websites? Also, don't use network/broadcast addresses when assigning IP addresses to VMs ;^)

    P.S @Abd using a Chinese webpanel to serve up the client area isn't a good look, either, but I have noticed something in common with these providers. They're either Indian, Romanian, or come from some sort of shit nationality. It is for this reason, why I only go with Aryan-white ran providers.

    Thanked by 1FlorinMarian
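    An added example, not configuration from solari or anyone else in the thread, of what points 1 and 4 above look like in nginx: short keep-alive and header timeouts, plus limit_req / limit_conn caps in front of a PHP panel so a flood of cheap requests is answered with 429 before it reaches php-fpm. The server name, paths, zone names and the php-fpm socket are assumptions; caching (varnish) is left out.

    ```nginx
    # Added example (not from the thread): nginx in front of a PHP client-area panel.
    # Zone names, server_name, root and the php-fpm socket path are assumptions.
    limit_req_zone  $binary_remote_addr zone=perip:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conns:10m;
    limit_req_status  429;
    limit_conn_status 429;

    server {
        listen 443 ssl;
        server_name panel.example.com;          # assumption
        ssl_certificate     /etc/ssl/panel.crt; # assumption
        ssl_certificate_key /etc/ssl/panel.key; # assumption
        root  /var/www/whmcs;                   # assumption
        index index.php;

        # Short timeouts: idle or slow clients must not pin a connection for long
        keepalive_timeout     5s;
        client_header_timeout 10s;
        client_body_timeout   10s;

        # Per-client caps: small bursts pass, sustained floods get 429 without touching PHP
        limit_req  zone=perip burst=20 nodelay;
        limit_conn conns 20;

        # Static assets never reach PHP and are cached by the browser
        location ~* \.(css|js|png|jpg|gif|ico|woff2?)$ {
            expires 7d;
            try_files $uri =404;
        }

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
            # Tighter limit on the dynamic path, which the thread identifies as the bottleneck
            limit_req zone=perip burst=5;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
        }
    }
    ```

    Rejected requests show up in the error log with "limiting requests", which gives a cheap per-IP signal for feeding a blocklist.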
  • ezethezeth Member, Patron Provider
    edited June 2022

    @FlorinMarian said:
    Unfortunately even path.net cannot manage this situation.
    After 20h being with them my CPU has been many times at 100% (requests accepted only within path.net network) and now, when I've tried to access my website, I had this behaviour:

    You fucked up your webserver config lol

  • yoursunnyyoursunny Member, IPv6 Advocate
    edited June 2022

    @FlorinMarian said:
    the attack only opens a lot of connections, tiring the processor; physical connections or internet speed have nothing to do with it, as there is no traffic over 5Mbps.

    TCP connection or TLS connection?
    CDN or remote protection service would catch incoming connections, and only open connection to the origin when there are actual requests.
    Moreover, multiple requests can be sent over the same HTTP/2 connection, so that there shouldn't be many many connections to the origin.

    Thanked by 1bulbasaur
  • FlorinMarianFlorinMarian Member, Host Rep

    @ezeth said:

    @FlorinMarian said:
    Unfortunately even path.net cannot manage this situation.
    After 20h being with them my CPU has been many times at 100% (requests accepted only within path.net network) and now, when I've tried to access my website, I had this behaviour:

    You fucked up your webserver config lol

    That's path.net IP address accessed directly, not mine.

  • solarisolari Member

    @NoComment said:

    @FlorinMarian said: Unfortunately even path.net cannot manage this situation.

    Path.net is your first line of defense. You need to build up your own defense behind them so it's not on them. The problem, as many people have said in the previous few pages, is the fact that you cannot handle 8000 requests/sec to your site index. The problem is how your webserver interacts with your WHMCS stack.

    Scrubbing bad IPs can only go so far...

    "Path.net" is utter trash, I'm not even surprised. BuyVM, with all of its fanboys, continue to prop it up, but oh, boy, the ship is sinking faster than you can imagine. At the end of the day, let this incompetent provider rot in hell, and go and fight to protect Mariupol.

  • dosaidosai Member

    @solari said:

    @FlorinMarian said:

    @Boogeyman said:
    I have seen 14yo better sysadmins.

    I'm convinced of that.
    Did you ask your child what he would do if after blocking over 5,000 IP addresses that passed the CloudFlare filters his site was still bombarded with a request - two URIs per minute from a few hundred IP addresses?

    Sigh, this stuff is junior-level UNIX sysadmin stuff, but here we go:
    1. Switch out this HTTPd for nginx. Nginx uses event-based polling (where possible), and doesn't spawn up a thread per every request. I don't give a fuck about your htaccess rules, rewrite them in nginx's configuration format. Make sure to set the Keep-Alive values to low values as well.
    2. Those SMURF rules are completely pointless, I suspect Voxility already filters that ancient attack method.
    3. Don't blacklist per IP address, but add it to an ipset (hash type), and match if said IP address is in the ipset table. Some will say that nftables is better, but I disagree.
    4. Set up HTTP rate limiting (nginx) + varnish (caching; take your time with this part!). Tune psql/mysql, too, and tune the php-fpm config (sorry, I'm not a PHP codemonkey nowadays).

    Have you considered getting good at UNIX system administration, instead of copy and pasting commands off random websites? Also, don't use network/broadcast addresses when assigning IP addresses to VMs ;^)

    P.S @Abd using a Chinese webpanel to serve up the client area isn't a good look, either, but I have noticed something in common with these providers. They're either Indian, Romanian, or come from some sort of shit nationality. It is for this reason, why I only go with Aryan-white ran providers.

    Welcome back, can't wait to see red avatar soon.

  • @FlorinMarian said: I can't accept leaving everything in the hands of others while I waste money and time doing nothing.

    This is a common problem. A lot of guys here like me suggested earlier that you not follow our past mistakes.

    Just follow next:

    1. Purchase any L4 DDoS protected VPS from any company with decent anti-DDoS on the network level (not app DDoS protection). For example OVH Game from extraVM. ~6-12 usd / mo is more than enough.

    2. Purchase x4b.net https://www.x4b.net/protection/prices any plan. Like 15 usd / mo.

    Alternative: https://sucuri.net/website-firewall/ - basic firewall (9 or 19 usd / mo depends on what you like more).

    3. Install NOT the litespeed bullshit, but any classic LEMP setup for your panel.
      Or even hestiaCP without apache (nginx / php8, mariadb).

    4. Test that your web server just works fine without any proxy (but do not point the domain to your hosting yet). Just make sure that everything is properly configured.

    5. Now and only now, depending on what you picked above:

    either using x4b.net
    or using sucuri

    If x4b.net - set up the tunnel to your server and block all other connections with the firewall.
    If sucuri - block all connections, except:

    192.88.134.0/23
    185.93.228.0/22
    66.248.200.0/22
    2a02:fe80::/29
    208.109.0.0/22

    (this is the sucuri network). Plus your own one.

    6. Make sure that you do not have on your web hosting an upload feature for images downloaded from somewhere.

    7. Make sure that you do not have a mail server hosted next to your web hosting. They must be separate - this is the keyhole that "hackers" look for to find out real IPs behind CDNs and other things.

    For that you just need to send any email from your host to any temp mail and check the headers of the mail for your web hosting IPs. This is more than enough.

    8. Now enable sucuri or x4b.net for your IP - and have fun.

    Summary:

    • nobody knows your IP behind the secured firewall
    • all connections except the DDoS protection service are blocked (leave port 22 open for yourself)
    • let the 3rd party company filter everything for you, these guys usually do their job extremely well (used many providers, and these 2 too).
    • this is cost effective, I do not know any cheaper solution that just works like these combos.

    Total costs with x4b.net / sucuri ~30 usd / mo. Or like that.

    Alternative method 2:
    https://fastpipe.io/ssdcloudserver

    In their CP they have L7 DDoS protection that can be manually enabled.
    They filter pretty well too.

    Costs 7-10 euro / mo

    Alternative method 3:
    blazingfast.io - these guys host tons of DDoS-attack magnets, and have dealt with them every single day since 2016 or 2017 for sure without huge problems.
    But you need to ask their support to enable L7 manually for you. Also, their IP reputation is awful.

    Costs: 10 euro / mo or like that

    Alternative method 4:
    https://nitrous-networks.com/virtual-dedicated-servers - this is reseller of zare.
    Zare's DDoS protection has proven itself pretty damn solid in the game-server sector (one of the most dangerous and toxic sectors on the internet). Hard to beat, but 25 usd / mo.

    You can keep walking and facing obstacles by purchasing here and there path.net, ddos-guard and other bullshit protections, and as a result find your own working solution. Or try the experience of someone else who on a weekly basis has faced dozens if not hundreds of DDoS attacks over many years.
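    The origin-side firewall that ezeth's post (only let the protection service reach 80/443), solari's point 3 (ban via an ipset rather than one rule per IP) and step 5 of this post (block everything except the Sucuri ranges) all describe, as one added example that is not code from any poster here. It assumes ipset and iptables on the origin host; the set names are assumptions, the Sucuri ranges are the ones quoted in the thread, and the blocklisted addresses are constructed samples.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): generate an ipset/iptables policy that
    # (1) drops anything in a hash:ip blocklist set and (2) accepts TCP 80/443 only
    # from the protection service's ranges, dropping direct hits on the origin IP.
    # The script prints the commands so they can be reviewed; run the output as
    # root to apply it:  sh origin-fw.sh | sudo sh
    set -e

    CDN_SET="cdn_allow"   # assumption: set name for the protection service ranges
    BLOCK_SET="l7_block"  # assumption: set name for banned client addresses

    # IPv4 ranges quoted in the thread as the Sucuri network. The 2a02:fe80::/29
    # range needs a "family inet6" set and ip6tables, omitted here for brevity.
    CDN_RANGES="192.88.134.0/23 185.93.228.0/22 66.248.200.0/22 208.109.0.0/22"

    # Constructed sample offenders (documentation addresses, not real attackers).
    BLOCK_IPS="198.51.100.7 203.0.113.42"

    gen_rules() {
        # hash:net holds CIDR ranges; -exist makes the script re-runnable
        printf 'ipset create %s hash:net -exist\n' "$CDN_SET"
        for net in $CDN_RANGES; do
            printf 'ipset add %s %s -exist\n' "$CDN_SET" "$net"
        done
        # hash:ip with a timeout so bans expire instead of growing forever
        printf 'ipset create %s hash:ip timeout 3600 -exist\n' "$BLOCK_SET"
        for ip in $BLOCK_IPS; do
            printf 'ipset add %s %s -exist\n' "$BLOCK_SET" "$ip"
        done
        # 1) drop blocklisted sources first: one rule regardless of set size
        printf 'iptables -I INPUT 1 -m set --match-set %s src -j DROP\n' "$BLOCK_SET"
        # 2) web ports: accept only from the protection service ...
        printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set %s src -j ACCEPT\n' "$CDN_SET"
        # ... and drop everyone else who found the origin IP
        printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP\n'
    }

    # Number of generated lines that reference a given set (self-check helper).
    count_set_refs() {
        gen_rules | grep -c -- "$1"
    }

    # One-liner a log parser would emit to ban another address at runtime.
    ban_ip() {
        printf 'ipset add %s %s timeout 3600 -exist\n' "$BLOCK_SET" "$1"
    }

    gen_rules
    ```

    SSH (port 22) is not touched by these rules, so the "leave port 22 for yourself" item in the summary still holds; add an explicit ACCEPT for it before any default-deny policy.
    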

  • solarisolari Member
    edited June 2022

    @desperand said:
    Too long to quote

    You're a consumer, not a producer, remember that.

    >haha buy this stupid "anti-ddos" package
    >nooo, don't bother figuring out how to DIY it

  • edited June 2022

    @HyperFilter_Official - worth discussing regarding HWP option.

    @FlorinMarian @yoursunny @Abd be careful of thanking solari's posts, they're editing their posts later on to include racist comments which I'm sure will be used to justify doxing or attacks against you.

    Also, @solari we can already tell you're tinyweasel. It's hilarious how you always talk about the same things - nginx is great, BuyVM is trash, and something about Ukraine/Russia.

    Thanked by 2Abd risharde
  • @solari said: P.S @Abd using a Chinese webpanel to serve up the client area isn't a good look, either, but I have noticed something in common with these providers. They're either Indian, Romanian, or come from some sort of shit nationality. It is for this reason, why I only go with Aryan-white ran providers.

    Bruh, you had to add this in after @Abd liked your comment. I don't agree with these racist sentiments, but there's a good reason why people from generally poorer countries are starting up new businesses on LET and they could potentially last longer than those from wealthier countries because eventually they will realize relying solely on LET traffic is a bad idea.

  • @solari said: You're free to go and visit the pig farm, @stevewatson301, lots of Ukrainian farmers would be glad to let you roll around in mud, like the filthy russian that you are. I'm sure your viking ancestors would be ashamed of what you have become.

    It would be great if you can make up your mind about who I am, finally. Meanwhile, since @dane_doherty and you have had a great relationship so far, would you mind saying what happened to him? He doesn't seem to be as active here.

  • solarisolari Member
    edited June 2022

    @stevewatson301 said:

    @solari said: You're free to go and visit the pig farm, @stevewatson301, lots of Ukrainian farmers would be glad to let you roll around in mud, like the filthy russian that you are. I'm sure your viking ancestors would be ashamed of what you have become.

    It would be great if you can make up your mind about who I am, finally. Meanwhile, since @dane_doherty and you have had a great relationship so far, would you mind saying what happened to him? He doesn't seem to be as active here.

    Oh, he cannot login, permission denied. Probably a "shadow" ban.

  • fynixfynix Member

    @solari said:

    @stevewatson301 said:

    @solari said: You're free to go and visit the pig farm, @stevewatson301, lots of Ukrainian farmers would be glad to let you roll around in mud, like the filthy russian that you are. I'm sure your viking ancestors would be ashamed of what you have become.

    It would be great if you can make up your mind about who I am, finally. Meanwhile, since @dane_doherty and you have had a great relationship so far, would you mind saying what happened to him? He doesn't seem to be as active here.

    Oh, he cannot login, permission denied. Probably a "shadow" ban.

    Hi TinyNoob. Where are you not banned? Nvm, of course Rizon.

  • solarisolari Member
    edited June 2022

    I'm more amazed that @dosai and @stevewatson301 both lack basic cognitive skills, and are unable to determine the difference between me and this other user. Should I even be surprised? Glad to see that if I continue to "deny" it, they will think I'm him, even more!

    Waiting on the reply that says my typing style matches to that of a faggot's, too.

  • fynixfynix Member

    Say what you want anytime. You're still a tinyweasel.

  • dosaidosai Member

    @solari said:
    I'm more amazed that @dosai and @stevewatson301 both lack basic cognitive skills, and are unable to determine the difference between me and this other user. Should I even be surprised? Glad to see that if I continue to "deny" it, they will think I'm him, even more!

    Waiting on the reply that says my typing style matches to that of a faggot's, too.

    Enjoy your little attention while you can.

  • fynixfynix Member

    tinysrv and shellhost cloud best and successful providers!

  • ralfralf Member
    edited June 2022

    I wonder if this person is related to the person doing the DDoS. While they have been spamming their vitriol in other threads, he's been particularly prolific here. But at least he's banned now.

    Thanked by 1risharde
  • Will a mod clean up the thread please? Though given tinyweasel's posts this time around, he might just be well accepted in the weeb club thread sans the provocations and racist stuff.

  • HostSlickHostSlick Member, Patron Provider
    edited June 2022

    The problem is that OP is giving the attacker attention with this thread.

    Usually they stop if you are successful at mitigating and/or they don't get attention. The longest (BIG) layer7 attack here took 1 week non-stop.

    The attacker always knows his next step from watching this thread and is probably amusing himself.

    And since he knows the next step he can prepare himself as well.

    Thanked by 2bulbasaur ralf
This discussion has been closed.