How to deal with a DDoS attack on WHM [Tutorial]
Hello everybody, almost a year ago my website just started being attacked by some people; they were using the UDP protocol to send requests to the HTTP, HTTPS, and SSH ports (80, 443, 22). My server was completely out of service as it was struggling to handle this huge amount of requests. I had been searching for any solution to stop the attack and get back online, especially as my customers were all mad about the incident. For sure, I was using Cloudflare WAF, but attackers were sending requests directly to the IP, so Cloudflare wasn't able to filter their requests. I tried to get DDoS protection from the hosting company; it actually worked, but not completely; my server was sometimes up, other times down; it was not stable at all. Their protection wasn't the perfect choice for me.
After a long time of searching, I just remembered that I previously had experience with the CSF firewall (ConfigServer Firewall); I installed it immediately and started to explore all of its functionality. I tried to stop attackers by blacklisting their ASNs, but there were two challenges: the first was that I couldn't determine their ASNs accurately and couldn't even guarantee that they wouldn't change them, as they were using proxies; the second was Cloudflare: Cloudflare has a proxy tunnel, so all requests are seen by the server as requests from Cloudflare. So I decided to search for another option. I noticed two options called "CONNLIMIT" and "Port Flood". In the Port Flood option, I limited new connections to 50 per second; I know it's not a small number, but a DDoS is much greater than that. I used this syntax in the Port Flood field: 80;tcp;50;1,443;tcp;50;1 and in the CONNLIMIT option I limited new connections per IP to 10 per second, and new connections beyond that will be ignored; I used this syntax in the CONNLIMIT field: 80;10,443;10,21;10
The second option, "CONNLIMIT", is responsible for limiting new connections made by each IP; but there was a problem, guess what? It's Cloudflare again; CONNLIMIT will limit requests made by Cloudflare IPs because Cloudflare IPs are static. I fixed the obstacle by editing the ignore.csf file and adding all Cloudflare IP ranges; this helped in ignoring all connections made by Cloudflare. But what about a DDoS against a Cloudflare-synced domain? It will NOT be affected, because Cloudflare is doing the job perfectly.
In conclusion, I was able to handle the DDoS completely by just installing CSF, enabling the Port Flood and CONNLIMIT options and setting them to the proper settings. I'm writing this post for anyone who may face the same issue in the future, because it's quite tough and stressful. I hope it helps anyone at any time.
P.S. That's how Ekire.net tutors its customers.
Thank you for arriving here!
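An added example (not code from the post or from csf) that models the two settings the post uses: it parses the PORTFLOOD and CONNLIMIT strings into rules, applies them to a constructed stream of connection events, and exempts sources in a placeholder ignore range standing in for the Cloudflare list. It is a simplified model of what those options do, not csf's own implementation.

```python
# Added example, not csf code: a simplified model of the post's PORTFLOOD/CONNLIMIT settings.
import ipaddress
from collections import defaultdict, deque
PORTFLOOD = "80;tcp;50;1,443;tcp;50;1"  # values from the post
CONNLIMIT = "80;10,443;10,21;10"         # values from the post
IGNORE = [ipaddress.ip_network("198.51.100.0/24")]  # constructed stand-in for the Cloudflare ranges in csf.ignore

def parse_portflood(spec):
    """'port;proto;hits;interval,...' -> {(port, proto): (hits, interval)}"""
    rules = {}
    for entry in spec.split(","):
        port, proto, hits, interval = entry.split(";")
        rules[(int(port), proto)] = (int(hits), float(interval))
    return rules

def parse_connlimit(spec):
    """'port;limit,...' -> {port: limit}"""
    return {int(p): int(n) for p, n in (e.split(";") for e in spec.split(","))}

def is_ignored(ip):
    return any(ipaddress.ip_address(ip) in net for net in IGNORE)

def simulate(events, portflood, connlimit):
    """events: (t, src, port, proto, 'open'|'close'); returns one verdict per 'open'."""
    window = defaultdict(deque)    # (port, proto) -> times of accepted new connections
    open_conns = defaultdict(int)  # (src, port) -> connections currently open
    verdicts = []
    for t, src, port, proto, action in events:
        key = (src, port)
        if action == "close":
            open_conns[key] = max(0, open_conns[key] - 1)
            continue
        verdict = "accept"
        if is_ignored(src):  # exempt source (e.g. Cloudflare): bypass both limits
            verdict = "ignored"
        elif open_conns[key] >= connlimit.get(port, float("inf")):
            verdict = "connlimit"  # too many open connections from this one IP
        elif (port, proto) in portflood:
            hits, interval = portflood[(port, proto)]
            q = window[(port, proto)]
            while q and t - q[0] > interval:  # forget hits older than the interval
                q.popleft()
            if len(q) >= hits:
                verdict = "portflood"  # port-wide rate exceeded, whoever sent it
            else:
                q.append(t)
        if verdict in ("accept", "ignored"):
            open_conns[key] += 1
        verdicts.append(verdict)
    return verdicts
```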
Comments
If whatever you're running doesn't have to receive any UDP requests, for example you're just serving a website, you should block all ports for incoming UDP, have TCP open only on 80/443/SSH, and then rate limit those to an acceptable number.
The issue was that it was receiving some UDP requests for another piece of software. Also, it was a WHM server and I needed to protect all hosted sites, not only a single site.
Here we go again, a low-end provider asking for DDoS attacks.
This is a tutorial and not a question.
Could've removed those ports from UDP_* in csf, would've denied UDP traffic.
^^ Denying this would disable QUIC/HTTP/3.
CSF is quite rock solid when configured perfectly, but it takes time and config changes per server per use case per scenario.