Question: DDoS attack

occinodo

Basic Pleskian
Hi,

I was wondering if anyone could advise me on mitigating a DDoS attack. I installed (D)DoS Deflate and it surely does help; websites are now responsive again, and even though the CPU is running at 90% almost all the time, everything seems to run somewhat OK.

Given that the attack is already running for over 12 hours, I do want to look into what I can do to stop being affected by the attack. Could anyone advise me on what I can do?
I already considered putting the website that I expect to be the target behind Cloudflare, but I would expect that they will continue to attack the webserver anyway, given that they already have the IP.
 
I already considered putting the website that I expect to be the target

Did you take a look at the log on the website to see whether the accesses come from thousands of different IP addresses, or whether you can possibly restrict this to an IP range?
You could then block various IP ranges.

In addition, I would test whether the suspicion regarding the website is correct by interrupting access to the domain. Set the folder to 0000. If the suspicion is correct, the CPU should have a normal load again.
 
I looked at the nginx log, but only some entries were added.
I have now blocked all countries for the whole server except US, UK and NL with DDoS Deflate.

For the domain, I disabled the subscription; that changes the situation from a constant outage to a high constant load without significant impact for the users.
 
The domain is now behind Cloudflare, but unfortunately the attack is still continuing. Can anyone provide advice on how to resolve the issue?
 
Denying access to all countries or enabling Cloudflare is a useless move, since the first one means nothing and the second one can be bypassed. YES, attackers can bypass Cloudflare's browser authorization.

Who is your provider? Does he offer any kind of DDoS protection? I mean, if his firewall can't handle the bans that you do, just shut down your server yourself till those attackers go away.

Let me know if your provider can handle it and what kind of attack this is; I may be able to help you with next steps.
 
My provider is TransIP; it does not offer any kind of DDoS protection. Turning off the server is not an option. With country blocking enabled and the subscription disabled, everything works fine, although load remains high.
 
I don't know what your site that's getting attacked is, but the reason I told you a country ban is useless is that what the attacker is trying to do is make your website go offline so your visitors won't be able to access it, and you're denying your site to your visitors yourself, while you should filter your traffic, parse it and ban only the IPs used to attack. I'm somewhat sure that even if there are multiple IPs in an L7 attack, they'll have similar requests that you can set up a custom fail2ban filter for, collect all of these and then ban at the router level. But since your provider has no anti-DDoS or a good firewall to handle bans, there's not much you can do...

Sorry, we can't help much.
 
I turned off the country blocklist as suggested, but for fail2ban I wouldn't know which filter would be useful to tackle the attacks. In DDoS Deflate I already set it up so that 20 connections in less than 1 minute result in a ban.
 
You need to monitor logs. Maybe you know which site is being attacked? Check the logs for that site; if you don't have much idea, try posting the logs here (of course cut out anything important / your server IP).
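As an added illustration of the log review suggested in the two replies above (not code from the thread or from Plesk), here is a small Python script that reads nginx access log lines in the default "combined" format, flags IPs that exceed the thread's "20 connections in under 1 minute" rule, and groups requests by (method, path, user agent) to surface the repeated request signature that a custom fail2ban filter could match. The log lines it reads are constructed sample data, not real traffic; the 20/60 thresholds and the min_ips cut-off are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" log format (assumed; adjust the pattern if your vhost uses a custom format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def flag_rate_offenders(lines, limit=20, window=60):
    """IPs with more than `limit` requests inside any `window`-second span
    (the same rule the thread configured in DDoS Deflate). Assumes lines are chronological."""
    recent = defaultdict(deque)   # ip -> timestamps within the current window
    offenders = set()
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > limit:
            offenders.add(rec["ip"])
    return offenders

def request_signatures(lines, min_ips=3):
    """(method, path, user-agent) tuples seen from at least `min_ips` distinct IPs:
    the 'similar requests' across a distributed L7 flood that a fail2ban filter can key on."""
    sig_ips = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        sig_ips[(rec["method"], rec["path"], rec["ua"])].add(rec["ip"])
    return {sig: len(ips) for sig, ips in sig_ips.items() if len(ips) >= min_ips}

def constructed_sample():
    """Constructed sample lines (not real traffic): one flooding IP, four distributed
    bots sharing its request signature, and one ordinary visitor."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" 200 512 "-" "{ua}"'
    bot = "python-requests/2.31"
    lines = [fmt.format(ip="203.0.113.5", sec=s, m="POST", p="/wp-login.php", ua=bot) for s in range(25)]
    lines += [fmt.format(ip=f"198.51.100.{i}", sec=10 * i, m="POST", p="/wp-login.php", ua=bot) for i in range(1, 5)]
    lines.append(fmt.format(ip="192.0.2.77", sec=30, m="GET", p="/", ua="Mozilla/5.0"))
    return lines
```

Run it against a real file with `flag_rate_offenders(open("/var/www/vhosts/system/<domain>/logs/proxy_access_log"))` (path is an assumption; use whatever your Plesk log location is), and feed the resulting signature into a fail2ban `failregex` rather than banning whole countries.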