ddos attacked on my forum any solution?

Sim

Well-known member
I was using the default Xenforo email transport setup in admin panel, I had to change it to SMTP. Will it also prevent the IP being leaked?

Alternatively, you could use an ESP which does not require you to send via SMTP, but via API instead.

For example, I use SparkPost (via API, not SMTP) and there is no IP leakage
 

eva2000

Well-known member
Please help me with the step by step process to get it setup, am lost here.
Pretty involved steps - you can google search for setting up Amazon SES plenty of guides
Alternatively, you could use an ESP which does not require you to send via SMTP, but via API instead.

For example, I use SparkPost (via API, not SMTP) and there is no IP leakage

That sounds like an easier method for beginners!
 

Mr. Jinx

Well-known member
I'm using mxroute.com for email. Don't know if you are looking for a paid option, but they also filter the origin IP and it works great so far. Easy to set up as it is normal SMTP.

PS: Would Argo tunnel solve DDOS directly on your IP, or would it be the same effect as a 'deny all traffic and allow cloudflare' firewall rule?
 

Kirby

Well-known member
Hmm, how would that prevent a UDP flood to the target IP if the IP is known?
As far as I understood that article the firewall on the target server would only accept traffic from whitelisted IPs.
At the point those firewall rules are being checked, traffic has already reached the target.
So what would happen if the target is connected via a single 1 GBit link and an attacker is able to send 1 GBit UDP packets to the target IP, wouldn't that use all the bandwidth available to the server even though the firewall does block those packets?
 

eva2000

Well-known member
to the target IP if the IP is known?
Yeah, it ain't perfect as it's a sliding scale as to what your server firewall/network can handle once it reaches the server. If your web host has their own firewall in front of your server as an option, that could take some of the load off and/or if your server itself had DDOS protection. So ideally, you don't want to leak your server IP!
 

Mr. Jinx

Well-known member
Ok thanks! I understand that hiding the IP is important, but just in case it leaks (which is currently the case):
  • My provider has an L3 firewall. I have blocked all non-cloudflare IP's over there
  • Additionally running CSF on the server. Also blocking all non-cloudflare IP's
 

eva2000

Well-known member
Ok thanks! I understand that hiding the IP is important, but just in case it leaks (which is currently the case):
  • My provider has an L3 firewall. I have blocked all non-cloudflare IP's over there
  • Additionally running CSF on the server. Also blocking all non-cloudflare IP's
Once you've plugged all IP leaks and done all those steps to make it less impactful for direct IP attacks, then you'd need to change your IP address with your web host.
 

questlot

Active member
Since my IP is leaked I guess preventing the DDoS attack will be difficult with Cloudflare.

These are the forum parts targeted by the DDoS attack:
/service_worker.js
/favicon.ico
/
/members/luckypig.37478/
 

Lucandi

Active member
May I ask one thing on this if it's ok? How do you see if your site is under attack and if it is an intrusion attempt?
 

questlot

Active member
May I ask one thing on this if it's ok? How do you see if your site is under attack and if it is an intrusion attempt?
Site refusing to load and there is a spike of traffic from an unusual source or user agent. For like mine the DDOS attack has been going on for the past 12 hours and the site refuses to open. Even turning on Cloudflare I Am Under Attack and Firewall couldn’t help to stop the attack.

I used vBulletin for more than 4 years and never experienced DDOS. I have migrated to two different VPS hosting companies just to stop the attack, and I never knew IP addresses are leaked in XenForo mail sent out and the image proxy.

This is a crazy experience. I think the person attacking my forum may get tired. For the past 3 weeks the site has been under attack.
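A way to check an access log for the signs described in this post (one path or user agent dominating the traffic) and for requests that reached the server without passing through the proxy. This is an added example, not part of the original thread; the log lines, the `ExampleFloodAgent` user agent and the `198.51.100.0/24` proxy range are constructed placeholders, and it assumes the first log field is the connecting peer address.

```python
import ipaddress
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path proto" status size "ref" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def triage(log_lines, proxy_ranges, threshold=0.5):
    """Report dominant paths/user agents and requests that bypassed the proxy."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    paths, agents, direct = Counter(), Counter(), Counter()
    total = 0
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess
        ip, path, agent = m.groups()
        try:
            peer = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field was not an IP literal
        total += 1
        paths[path] += 1
        agents[agent] += 1
        if not any(peer in net for net in nets):
            direct[ip] += 1  # connected straight to the origin address

    def dominant(counter):
        return sorted(k for k, v in counter.items() if v / total >= threshold)

    return {"total": total,
            "dominant_paths": dominant(paths) if total else [],
            "dominant_agents": dominant(agents) if total else [],
            "direct_hits": dict(direct)}

# Constructed sample. 198.51.100.0/24 is a placeholder for the CDN's published
# ranges; ExampleFloodAgent is a made-up user agent.
PROXY_RANGES = ["198.51.100.0/24"]
T = "[01/Jan/2030:10:00:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /service_worker.js HTTP/1.1" 200 512 "-" "ExampleFloodAgent/1.0"',
    f'198.51.100.7 - - {T} "GET /service_worker.js HTTP/1.1" 200 512 "-" "ExampleFloodAgent/1.0"',
    f'198.51.100.9 - - {T} "GET /favicon.ico HTTP/1.1" 200 318 "-" "ExampleFloodAgent/1.0"',
    f'192.0.2.44 - - {T} "GET /service_worker.js HTTP/1.1" 200 512 "-" "ExampleFloodAgent/1.0"',
    f'198.51.100.8 - - {T} "GET /threads/welcome.1/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Any entry under `direct_hits` means a client already knows the server's address, which is the case the firewall and IP-change advice in this thread is about.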
 

fionix

Active member
Block all firewall ports and only allow your own IP + cloudflare IP's.
That's the start.. I have just been through the same **** as you.. got hundreds of endless false replies to my questions from people who simply don't know what the hell they are talking about.

First of all you need the paid Cloudflare subscription, costs $200 / month, you may get rid of it later, we keep it. So you need someone very experienced to BLOCK all IP's except Cloudflare's, of course you need to use Cloudflare's nameserver for this to work. If you don't know how to do it, then the guys from https://emergencysupport.us/ are the guys that can help you set this up. You need a VPS or Dedicated server with root access in order to get this done.

Once they have done the magic, you simply enable the firewall on Cloudflare and you will see the DDOS will go away. It is important to know that you need to WHITELIST SEARCH engines as a firewall rule, if you don't do that your site will lose ranking. Cloudflare will tell you stories about that they let SEO BOTS go through but that's as wrong as it could be.

Be prepared for a bill around 900 euro to get rid of this - which includes Cloudflare costs, assistance from the guys above and some other things you may need. If this isn't in your budget, live with it or take a job at McDonalds.

Nowadays you need to protect yourself, which costs money, and with all the retards around on the Internet you have no chance to avoid such attacks.

Good luck.
 

questlot

Active member
That's the start.. I have just been through the same **** as you.. got hundreds of endless false replies to my questions from people who simply don't know what the hell they are talking about.

First of all you need the paid Cloudflare subscription, costs $200 / month, you may get rid of it later, we keep it. So you need someone very experienced to BLOCK all IP's except Cloudflare's, of course you need to use Cloudflare's nameserver for this to work. If you don't know how to do it, then the guys from https://emergencysupport.us/ are the guys that can help you set this up. You need a VPS or Dedicated server with root access in order to get this done.

Once they have done the magic, you simply enable the firewall on Cloudflare and you will see the DDOS will go away. It is important to know that you need to WHITELIST SEARCH engines as a firewall rule, if you don't do that your site will lose ranking. Cloudflare will tell you stories about that they let SEO BOTS go through but that's as wrong as it could be.

Be prepared for a bill around 900 euro to get rid of this - which includes Cloudflare costs, assistance from the guys above and some other things you may need. If this isn't in your budget, live with it or take a job at McDonalds.

Nowadays you need to protect yourself, which costs money, and with all the retards around on the Internet you have no chance to avoid such attacks.

Good luck.
That's expensive to maintain, I am considering migrating my forum back to vBulletin and also changing my VPS hosting to enable me to get a new IP address. The DDOS attack has caused me a lot of pain. I wonder about the motive of the hacker.
 

fionix

Active member
The mentioned price of 900 EUR is not per month and is an estimate, moving your forum to VBulletin, another host, new IP's will not help you.. you will be back here in a few days to realize that.

But good luck.
 

questlot

Active member
The mentioned price of 900 EUR is not per month and is an estimate, moving your forum to VBulletin, another host, new IP's will not help you.. you will be back here in a few days to realize that.

But good luck.
It’s not a decision taken yet.
 

Sim

Well-known member
First of all you need the paid Cloudflare subscription, costs $200 / month

The $20 Cloudflare Pro plan will do the job perfectly well - worked for me when I was under attack.

I set up Cloudflare, had my host change the IP address of my server and I was back up and running in a few hours.
 

Sim

Well-known member
I never knew IP addresses are leaked in XenForo mail sent out

Every forum software will leak IP addresses if you just use SMTP to send mail - this is not something unique to XenForo, it's a fundamental part of how SMTP works.
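A check for the leak discussed in this post and in the earlier SMTP-versus-API replies: scan the headers of a delivered message for the server's own address. This is an added example, not part of the original thread; both messages, the hostnames and the addresses `203.0.113.10` (forum server) and `198.51.100.25` (mail provider) are constructed, and the API-sent variant assumes the provider records only its own host as the first hop.

```python
import email
import ipaddress
import re

# Candidate IPv4 literals; each is validated with ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_origin_leaks(raw_message, origin_ips):
    """Return (header name, ip) pairs where a header exposes an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    msg = email.message_from_string(raw_message)
    leaks = []
    for name, value in msg.items():
        for token in IPV4_RE.findall(str(value)):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
            if addr in origins:
                leaks.append((name, token))
    return leaks

# Constructed samples. 203.0.113.10 stands in for the forum server,
# 198.51.100.25 for the mail provider's own outbound host.
SMTP_SENT = (
    "Received: from relay.esp.example (relay.esp.example [198.51.100.25])\n"
    "\tby mx.recipient.example with ESMTPS; Tue, 01 Jan 2030 10:00:02 +0000\n"
    "Received: from forum.example (forum.example [203.0.113.10])\n"
    "\tby relay.esp.example with ESMTPSA; Tue, 01 Jan 2030 10:00:01 +0000\n"
    "From: Forum <noreply@forum.example>\n"
    "To: member@recipient.example\n"
    "Subject: New reply to your thread\n"
    "\n"
    "Someone replied.\n"
)
# Same mail handed to the provider over its HTTP API (assumed behaviour): the
# first hop in the headers is the provider's host, so the server never appears.
API_SENT = SMTP_SENT.replace(
    "Received: from forum.example (forum.example [203.0.113.10])\n"
    "\tby relay.esp.example with ESMTPSA; Tue, 01 Jan 2030 10:00:01 +0000\n", ""
)

if __name__ == "__main__":
    print(find_origin_leaks(SMTP_SENT, ["203.0.113.10"]))
    print(find_origin_leaks(API_SENT, ["203.0.113.10"]))
```

To use it, register a mailbox you control on the forum, trigger a notification, and pass the raw message source together with the server's real address.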
 

fionix

Active member
If it is a real attack you need BOT protection it is not in the $20 plan and that's why you have to upgrade. The $20 plan works well for the small attacks normally activated by script kiddies.

I just suggest what helped us, we were down 4 weeks and lost ranking in Google. Your decision what you do and who you listen to.

To avoid the mail leaking the IP, use a service like Mailjet, they don't make sure to encrypt your emails which you send to users from your mail client not XenForo, ProtonMail is one of such services.
 