• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Ddos attack

occinodo

Basic Pleskian
Hi,

I was wondering if anyone could advise me on mitigating an Ddos attack, I installed (D)dos deflate and it surely does help,websites are now responsive again and even thoughCPU is running at 90% almost all the time, everything seems to run somewhat Ok.

Given that the attack is already running for over 12 hours, I do want to look into what I can do to stop being affected by the attack. Could anyone advise me on what I can do?
I already considered putting the website that I expect to be the target behind cloudflare, but I would expect that they will continue to attack the webserver anyway given that they now already have the IP.
 
I already considered putting the website that I expect to be the target

did you take a look at the log on the website whether the accesses come from thousands of different ip addresses or whether you can possibly restrict this to an ip range ?
you could then block various ip areas.

In addition, I would test whether the usage regarding the website is correct by interrupting access to the domain. Set folder to 0000. If the suspicion is correct, the CPU should have a normal load again.
 
I looked at the nginx log, but only some entries were added.
I now blocked all countries for the whole server except US, UK and NL with Ddos deflate.

For the domain, I disabled the subscription, that changes the situation from constant outage to high constant load without significant impact for the users.
 
The domain is now behind cloudflare, but unfortunatly the attack is still continuing, anyone who could provide advise on how to resolve the issue?
 
denying access to all countries or enable cloudflare is a useless move since first one means nothing and second one can be bypassed. YES attackers can bypass cloudflare's browser authorization.

Who is your provider? Does he offer any kind of ddos protection? i mean if his firewall can't handle bans that you do just shut down your server by yourself till those attackers go away.

Let me know if your provider can handle and what kind of attack is this i may be able to help you with next steps
 
Provider is Transip, does not offer any kind of DDOS protection, turning off the server is not an option, with country blocking enabled and the subscription disabled everything works fine, although load remains high.
 
i don't know what your site who's getting attacked is but the reason why i told you country ban is useless is because what attacker is trying is to make your website go offline so your visitors wont be able to access it and you're denying your site to your visitors while you should've filter your traffic parse and ban only ips used to attack i'm somewhat pretty sure even if they're multiple ips on a L7 attack they'll have similar requests that you can setup a custom fail2ban filter for them and collect all these and then ban by router level. But since your provider has no anti-ddos or good firewall to handle bans there's not much you can do...

sorry we can't help much
 
I turned off the country blocklist as suggested, but for fail2ban I wouldn't know which filter woud be useful to tackle the attacks. In DDoS deflate I already set up that 20 connections in less than 1 minute results in a ban.
 
you need to monitor logs maybe you know which sites is being attacked? check logs for that site if you don't have much idea try post logs here (ofcourse cut out any important thing/your server ip)
 
Back
Top