First signs of a DDOS attack.

Dixie McCall

Dixie McCall

Well-known member
Hello Friends,
I'm not really fully understanding DDOS attacks. What are the first signs of an attack? I thought I knew what to look for but I need some easy bullet point guidance.

Thank you

Dixie
 
If all requests are coming from a single address, it's not a Distributed Denial of Service (DDoS) attack and is easily mitigated by blocking the IP - preferably at the server level (firewall or web server).

Distributed attacks come from many different locations at once - so impossible to block by IP.

Best protection against a DDoS attack is to use a service like Cloudflare.

I had my sites hosted on Linode and got contacted by their support one day informing me that my site was under distributed attack and they had disabled my server until I implemented a front-end proxy solution like Cloudflare. Changed the IP address of my XF server, implemented Cloudflare, and the attacks were no longer an issue.
 
Thank you @Sim. I really appreciate your input! I'm getting many coming from 77.111 xxx. at the same time. Is this a DDOS attack or something different?
 
Dixie McCall said:
Thank you @Sim. I really appreciate your input! I'm getting many coming from 77.111 xxx. at the same time. Is this a DDOS attack or something different?
Click to expand...

I dunno what the strict technical definition is - but from multiple sources (even if in the same subnet) is probably a good definition. Fortunately - still easy to block using a firewall or web server rule - just block the whole subnet.
 
Just so you know, the Opera Mini browser uses it's own proxy and cache system for it's browser. So, you could be blocking legitimate users by blocking the Opera proxies.

I'm not saying it's not an attack, just saying it's a legit proxy system.
 
I had big problems with attacks on my sites, not sure I’d DDOS or other. Constantly causing database crashes. The host at the time kept suggesting higher spec VPS but that was obviously costing me a lot (too much)
Tried other hosts but it was finally all sorted when I switched to host @MattW who has absolute top security and monitoring.
 
Snog said:
Just so you know, the Opera Mini browser uses it's own proxy and cache system for it's browser. So, you could be blocking legitimate users by blocking the Opera proxies.

I'm not saying it's not an attack, just saying it's a legit proxy system.
Click to expand...

Thanks for the info @Snog. So what is the solution to this? If we can't ban suspicious IP addresses using Opera Mini then what is the ultimate solution? Look at each one day after day? I did a Member IP check and no one is using this IP address so I guess I will leave it banned but un-ban this particular subnet?
 
If the attacks are high volume and distributed - use Cloudflare.

If the attacks are from a smallish number of IP addresses, try blocking them directly rather than the entire subnet. You can always try unblocking them later.

When I add IP block rules to my nginx config, I always document and date them - so I can go back later and remove them if I think it's worth doing.

I wouldn't get too concerned about accidentally blocking a legit user - if they are using a VPN, they are likely to come from a different IP address in the future anyway. Blocking the attack is more important in the short term than the potential for blocking users IMO.
 
Dixie McCall said:
Thanks for the info @Snog. So what is the solution to this? If we can't ban suspicious IP addresses using Opera Mini then what is the ultimate solution? Look at each one day after day? I did a Member IP check and no one is using this IP address so I guess I will leave it banned but un-ban this particular subnet?
Click to expand...
Anything you do when it comes to banning an IP address, or a group of addresses is a judgement call. You need to take how often the addresses are accessing the site into consideration. If they are 1 to 2 minutes apart, they could be a robot of some sort or in this case the Opera Mini proxy rotating a single person through different addresses. If they all hit at once, they are most likely something less benign. Looking at the actual server logs would be a good start to see if the address (in this case the Opera addresses) are all proxies for the same physical IP.

Opera did use HTTP_X_FORWARDED_FOR to give the actual IP of the user. I don't know if that's still the case or not.

What you do is entirely up to you. Just don't misinterpret what you see as an attack when it may not be that.
 
On my server I have Fail2Ban which blocks ips and for dns I use Cloudflare. This has very well mitigated any ddos attacks.
 
You must log in or register to reply here.

Similar threads

Mark87
  • Question Question
After a DDos attack
Replies
8
Views
858
Jake B.
Jake B.
Jean-Baptiste
  • Question Question
XF 2.0 xf_css_cache database table corrupted after a L7 DDOS attack
Replies
4
Views
1K
Jean-Baptiste
Jean-Baptiste
Donny
DDOS Attacks over a period of months off and on - what can I do?
Replies
14
Views
956
rdn
R
akia
I think I'm under a DDOS attack but not too sure, what do you think?
Replies
1
Views
1K
Floris
F
Back
Top Bottom