1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Mitigating DDOS Attack

Discussion in 'Plesk for Linux - 8.x and Older' started by Matt Sonnentag, Feb 2, 2010.

  1. Matt Sonnentag

    Matt Sonnentag Basic Pleskian

    23
    23%
    Joined:
    Mar 3, 2009
    Messages:
    29
    Likes Received:
    0
    One of my servers is currently under a DDOS attack. Basically we have 1000's of syn_recv packets queued for apache on port 80. We are looking for ways to mitigate this attack, so if anyone has some experience or some suggestions that would be great. The attack has been ongoing for approximately 24 hours.

    Here is what we know:
    Most of the attacking IPs are spoofed.
    The "bot", I believe is illusion.
    We know the user-agent signatures, they appear over an over from varying IPs
    We have tried to block with BrowserMatch - no joy for some reason not catching it
    We have tried mod_security - again no joy
    mod_evasive sucks
    Some joy with flood mon and blocking the various IPs with iptables
    (so far we are up to about 4000 Class C's blocked)
    With floodmon blocking we run about 1000-1800 queued syn-recv's from about 500 different Ips
    We host at the planet and they moved us behind Cisco guard, does not seem to have even affected it.
    Yes, tcp_syn cookies is on. This is not doing much good.

    Any help would be appreciated!!!!!!
     
  2. Matt Sonnentag

    Matt Sonnentag Basic Pleskian

    23
    23%
    Joined:
    Mar 3, 2009
    Messages:
    29
    Likes Received:
    0
    Working with the folks at the planet we installed apf and ddos-denial, still no luck
     
  3. clinton4

    clinton4 Regular Pleskian

    27
     
    Joined:
    Oct 23, 2008
    Messages:
    101
    Likes Received:
    0
    Did you ever find a solution? Sure would like to hear about it :)
     
  4. Matt Sonnentag

    Matt Sonnentag Basic Pleskian

    23
    23%
    Joined:
    Mar 3, 2009
    Messages:
    29
    Likes Received:
    0
    We had a few extra IP's laying around, so the ultimate goal was to figure out what site was being ddosed.

    Step 1) move each to a new "staging IP", see if the attack moves
    Step 2) move each site to a final "New IP"
    Once we figured out the site(s), we took them offline for a week and just blocked access to the IP from the Internet.

    Eventually you discover the domain being DDOSed.

    You have to change ip's for your shared sites because that old IP will continue to be ddosed.
     
  5. Matt Sonnentag

    Matt Sonnentag Basic Pleskian

    23
    23%
    Joined:
    Mar 3, 2009
    Messages:
    29
    Likes Received:
    0
    So basically,

    Hide
     
Loading...