DDoS attacks are stressing me, how about you?

Don't have such issues... ServInt.
Same here, :)
The most important factor in mitigating a DDoS is proxying your IP address. Services like Cloudflare and Google Pagespeed Service can do the heavy lifting for you, but if the attacker knows your server's IP, you're on your own. Cloudflare recently posted about this here: http://blog.cloudflare.com/ddos-prevention-protecting-the-origin.

You also can't beat a good host. It takes some expensive hardware, but with a good host you shouldn't even know about a small, <1 Gbps DDoS. They'll mitigate it before it ever hits your server.

I personally have my doubts people don't have these issues, especially since the kind of traffic LPH is talking about is normal HTTP traffic. It is considered well within the boundaries of acceptable traffic by any firewall or security appliance because what is being passed through is basically login information.

What makes this traffic malicious is the submission rate and frequency at which it is hitting LPH's box.

I would argue you are having such issues; but you don't have the detection capabilities.
 
I'll cross my fingers for you. Once they've latched on to thinking they can get to the /wp-login then it's been pretty rough. Luckily XS is installed and the WP accounts are not used. Too bad for the wanna-be hackers :)
I have fail2ban working for my WordPress sites... I have it set so that after 3 attempts it drops the IP requesting it for 7 days via iptables. :p

apache-wp-login.conf
Code:
# Fail2Ban configuration file
[Definition]
failregex = <HOST>.*] "POST /wp-login.php
ignoreregex =

Definition in jail.local
Code:
[tracy-wp-login]
enabled = true
port    = http,https
action  = iptables[name=WP, port=http, protocol=tcp]
filter  = apache-wp-login
logpath = /var/logs/nginx/tdp-wpress-access.log
maxretry = 3        # three matching POSTs and the IP is dropped
bantime = 604800    # 7 days, in seconds
 
Software is never the solution for a true DDOS attack. It may help on a minor attack, but it too will use up resources (just as any program or script does).

Hardware is the only true solution. Be it firewall, routing, or any other form of network management.

A brute force attack can be helped some by software. The vast majority of brute force attacks are done by a single individual or bots (sometimes a small manageable group).

But again, if enough connections and sources attempt to hit your site.... Hardware is the solution.
 
Incapsula (you have to have the Business+ plan) = $299 (per site) a month
CloudFlare = $200 (per site) per month - their advanced DDOS service located at the network edge (layers 3, 4 and 7)
Hardware costs will vary and will take someone to maintain. For hardware based solutions your best bet is to find a hosting provider that is already set up for it.
 
Blah !.... Friends don't let friends use CloudFlare. Far too "buggy" (slow, many false positives).

Incapsula was a lot better, but not perfect.

COST is the biggest issue with such attacks for most people.
 
That's why I detailed the costs of the two against each other. For most hobby sites DDOS protection is WAY too expensive. The best you can do is get with a hosting provider that already incorporates DDOS at the edge or just use script methods and hope for the best. Normally bots will be coming from set IPs, so dropping that connection for a week will help.
 
LiteSpeed WebServer has very nice settings to block all IPs that do more than X connections per Y seconds. It's golden.
Bad Behavior complements this, as it blocks millions of problematic users per month on my big board.
A good responsive host that never sleeps helps a lot.
 
Yes, it continues ....

I've been dropping and blocking IPs for weeks now. The bots simply change to a new IP about every 1-2 seconds. The resources are used up fairly quickly - usually while I'm sleeping. This crashes MySQL when CPU usage jumps to 100%.....

The pattern seems to be a 1/2 hour acceleration. Cloudflare is used to block China and Russian Federation - which slowed things down tremendously. Failed Login attempts are set to 1 and only my IP is allowed on /wp-login. I have not tried http://deflate.medialayer.com/ but will look into installing it.
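As an added illustration (not code from the thread, and not fail2ban itself), this Python script replays constructed nginx access-log lines through a simplified model of the fail2ban jail posted earlier: the same failregex (with `<HOST>` replaced by an IPv4 pattern, an assumption; real fail2ban's `<HOST>` is broader), maxretry 3, bantime 604800 and fail2ban's default findtime of 600 s, which the posted jail.local leaves unset. It also shows the failure mode described in the post above: bots that change IP on every request never reach maxretry per host, so a host-agnostic count of login POSTs is included as a second signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed nginx access-log sample (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Aug/2013:10:35:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Aug/2013:10:35:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Aug/2013:10:35:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Aug/2013:10:35:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.1 - - [31/Aug/2013:10:35:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.30"
198.51.100.2 - - [31/Aug/2013:10:35:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.30"
198.51.100.3 - - [31/Aug/2013:10:35:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.30"
"""
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # simplified stand-in for fail2ban's <HOST> tag
FAILREGEX = re.compile("^" + HOST_RE + r'.*\] "POST /wp-login\.php')  # the posted failregex
TIME_RE = re.compile(r"\[([^\]]+)\]")  # bracketed nginx timestamp

def parse_line(line):
    """Return (host, epoch_seconds) for a line matching failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts.timestamp()

def run_jail(log_text, maxretry=3, findtime=600, bantime=604800):  # findtime: fail2ban default
    """fail2ban-style per-host counting; returns {host: ban_expiry_epoch}."""
    hits, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] in bans:  # no match, or host already dropped by iptables
            continue
        host, ts = parsed
        window = hits[host]
        window.append(ts)
        while ts - window[0] > findtime:  # forget hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = ts + bantime
    return bans

def peak_login_posts(log_text, window=60):
    """Host-agnostic peak count of login POSTs in any `window` seconds."""
    times = sorted(p[1] for p in map(parse_line, log_text.splitlines()) if p)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best
```

Only 192.0.2.10 ends up banned: the three 198.51.100.x hosts send the same kind of request but each appears once, so the per-host jail never fires, while peak_login_posts still reports six login POSTs in a few seconds.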
 
This is just too much fun. I have simply no idea what I'm doing but it's been great reading about things. The stress level went way down when it was painfully obvious that the stress wasn't helping.

My new motto: "Got Threats? Me too.";)

Down to 489 unique threats... LOL.

CloudFlare 2013-08-31 10-35-51.webp
 
Question: Do you know why you're being attacked?
Usually you have to tick someone off before they target you specifically...
Not necessarily....

I had a competitor attack me once simply because I exist and he wanted people to think my site was unstable or unsafe in the hopes that they would go to him.

I guess you can "argue" that what ticked him off was I was online & he thought it would be an opportunity if I wasn't. :rolleyes:
 
@Napalm165 - I think there are bots just scraping and looking for vulnerabilities. I think it is funny that CloudFlare is still letting through traffic labeled by WordFence as from China or Russian Federation (blocked by CF). They also let "threats" through ... strange concept.

Here is the latest graph. I installed fail2ban and ufw. Can you tell when? :D

There is still the 1/2 hour spikes happening. There is a cron job running every hour to do reports. I commented them out but still get the disk and CPU spikes. At least the brute force attack seems over ... knock on wood.

Screen Shot 2013-09-01 at 10.38.31 PM.webp
 
I really like fail2ban - it's amazing what you can do with it once you wrap your head around regex (something I've never really done before - nearest I came until setting up my servers was REXX (and only by alphabetics) when I played with OS/2).
I'm going to have to give ufw a look also.
 