Comments
Simple solution, don't use WordPress.
Simple and effective solution
And I guess that attacking kid is back. WTH, not able to connect to my VPS to see what's going on. Reboot isn't helping and ping times out no matter how quickly I try to connect to the VPS after the reboot.
So I tried to connect to my VPS through the VNC in the panel and all I am seeing is this. I don't know what's going on, looks like a flood?
Screenshot
Looks like a SYN flood. Maybe it's a good idea to pick up a DDoS protected host and GRE tunnel your site traffic. Maybe try https://athenalayer.com/pricing.html free tier? I hear some people use them and they've been good but I haven't tried it myself. You should also ask your VPS host for an IP change once you put your website behind a reverse proxy / GRE tunnel.
OVH doesn't stop SYN floods? Is it possible to add an extra filter for this through CSF? I will look at AthenaLayer, thanks for providing the link.
OVH should but if it's still able to take down your services then you need to seek other solutions.
Wait... those source IPs are directly from cloudflare. You shouldn't block those SYN packets.
Yeah, I am using Cloudflare + OVH + CSF + cache but the attackers are still having a regular fun day.
If you block SYN packets from CF then legit users will not be able to use your service.
It's better to see what real IP addresses are attacking your website and use CF's firewall to drop those IPs. You might have to contact CF directly or use CF_CONNECTING_IP in the HTTP headers to get that information.
@black
AthenaLayer?
Ehhh, it's run by Nick Lim and he wasn't exactly the greatest person when it came to flashing his signature wherever he could.
Ah ok. I never used his services so I'm not sure.
You need to block these requests at the firewall level. Have a look at your logs or just google the IP ranges that you should be blocking. If you are on CentOS, install csf. If you aren't on CentOS, you'll just need some iptables scripts in place to start blocking. It's less resource intensive to block at the iptables level. Also, when the script kiddies start seeing 5xx errors from their scripts, they'll stop hitting you. Good luck!
OK guys, I finally found one of his tricks and fixed it!
I installed a real-time access log viewer to monitor traffic every second instead of opening the big access log file every time, and there I found these user agents attacking my site from hundreds and thousands of different IP addresses.
All those user agents had one thing in common: they were some kind of fake WordPress pingbacks from different IPs. So what I did is that I created a simple condition in my nginx conf file to detect these user agents and return them 403. My VPS load was touching 20-50 during the attack, and as soon as I applied the condition and restarted nginx the load came down to normal. Now those bots are still attacking but getting 403 in return and no more load on the VPS.
Now waiting for his next move!
Using a PHP script to read the access log for these attacks, I came to know that in the last 30 minutes I received around 10,000 ping requests to my site.
What I don't understand is that I had already blocked access to my xmlrpc file, so how come the load was still being created when the page wasn't even accessible? The load only came down once I returned 403 for those requests.
It's a little SYN flood, install synproxy and you will be safe: http://www.seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood
Which log viewer?
Pimp My Log
pimpmylog.com
It's really cool, with features to read the nginx access log, error log and PHP error log, and options like refresh every x seconds.
Is it going to work fine with Cloudflare? Because Cloudflare hides the real IP of users.
Cloudflare should protect you if you have the Business plan. If you have the free plan, Cloudflare is useless against TCP attacks, so you need to switch to a DDoS protected provider or upgrade CF to the Business plan.
I am using a DDoS protected VPS and free CF protection in front of it. I have noticed CF doesn't work when you use medium or high security, but when you select "Under Attack" mode then it works for some types of HTTP attacks. So what do you recommend, should I stop using CF, or is there any way to get the user's real IP with the free CF plan?
Have you tried contacting your provider? They can analyze your attack and put custom filters in place for your needs. If they will not help you, search elsewhere for someone that can support you better.
Yeah, I changed many providers and different DDoS protections including Voxility, OVH and other in-house based ones, but no success. My current VPS provider has me on some permanent "under attack" mode because of the regular attacks, so under that mode services like ping to my IP are blocked.
@matteob I found the way to get the real IP from CF. Is it possible to use synproxy on CentOS 6.8 with kernel 2.6, or is the only way installing CentOS 7?
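For the two nginx-side fixes discussed in this thread, restoring the real visitor IP behind Cloudflare and answering the fake pingback user agents with a cheap 403 before PHP is involved, here is an added example config (not the poster's own config, and not from the projects mentioned). It assumes the directives sit inside nginx's http block, that the placeholder CIDR stands in for Cloudflare's published ranges, that the docroot and PHP-FPM socket paths are as shown, and that the abusive user agents use the standard WordPress pingback format "WordPress/x.y; http://some-site; verifying pingback from ...".

```nginx
# Added example, not the poster's actual config. Assumptions: Cloudflare is in front of nginx,
# the placeholder range below stands in for Cloudflare's published IP ranges, and the
# abusive User-Agents follow the standard WordPress pingback format
# "WordPress/x.y; http://some-site; verifying pingback from 203.0.113.5".

# 1. Restore the real client IP from CF-Connecting-IP, but only trust that header when the
#    TCP peer is a Cloudflare edge; otherwise anyone could spoof the header.
set_real_ip_from 192.0.2.0/24;          # PLACEHOLDER: replace with Cloudflare's ranges
real_ip_header   CF-Connecting-IP;

# 2. Classify the User-Agent once with a map; regex keys start with "~" ("~*" = case-insensitive).
map $http_user_agent $block_pingback {
    default                  0;
    "~*verifying pingback"   1;
}

server {
    listen      80;
    server_name example.com;            # placeholder
    root        /var/www/html;          # assumed docroot
    index       index.php;

    # 3. Refuse pingback traffic before it reaches PHP: the 403 is generated by nginx itself,
    #    so each request costs one cheap response instead of a PHP-FPM worker.
    if ($block_pingback) {
        return 403;
    }

    # 4. xmlrpc.php is the pingback endpoint; answer 403 here rather than letting WordPress load.
    location = /xmlrpc.php {
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php-fpm/www.sock;   # assumed PHP-FPM socket
    }
}
```

With the real IP restored, the access log (and a viewer like Pimp My Log) shows the visitor's address instead of Cloudflare's; iptables/CSF still only see Cloudflare's edges, so blocking individual attacker IPs has to happen in Cloudflare's firewall or in nginx, as noted earlier in the thread.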
Here's another cool website log viewer/stats tool: https://goaccess.io/releases#v1.0
I used Pimp My Log, it's cool. I hope they add the country name/flag feature in the next update to make it even easier to detect.
Hi,
No, synproxy was included from the 3.12 kernel and backported to CentOS 7.
First check if you get a layer 7 attack. Use tcpdump during high load. A good command is
tcpdump -nn -vvv -XX
You will see if it is an attack and the pattern, and you can block away. Or maybe best is to choose a provider that offers layer 7 attack protection and technical support to identify the patterns. Providers like OVH and Voxility are not L7.
Thanks, I will try it out and will also confirm with my provider if they have layer 7 enabled.
The reason is simple: each new connection generates a SYN packet which must get processed. If you have a few hundred or thousand connections, you will have a situation which may look like a SYN flood, but it isn't. It's simply a layer 7 flood which generates these warnings, which were generated by your software firewall.
But these warnings also appear on my PuTTY screen when I leave my SSH open for a while?