First signs of a DDOS attack.

Dixie McCall

Well-known member
Hello Friends,
I'm not really fully understanding DDOS attacks. What are the first signs of an attack? I thought I knew what to look for but I need some easy bullet point guidance.

Thank you

Dixie
 
If all requests are coming from a single address, it's not a Distributed Denial of Service (DDoS) attack and is easily mitigated by blocking the IP - preferably at the server level (firewall or web server).

Distributed attacks come from many different locations at once - so impossible to block by IP.

Best protection against a DDoS attack is to use a service like Cloudflare.

I had my sites hosted on Linode and got contacted by their support one day informing me that my site was under distributed attack and they had disabled my server until I implemented a front-end proxy solution like Cloudflare. Changed the IP address of my XF server, implemented Cloudflare, and the attacks were no longer an issue.
 
Thank you @Sim. I really appreciate your input! I'm getting many coming from 77.111 xxx. at the same time. Is this a DDOS attack or something different?
 
Thank you @Sim. I really appreciate your input! I'm getting many coming from 77.111 xxx. at the same time. Is this a DDOS attack or something different?

I dunno what the strict technical definition is - but from multiple sources (even if in the same subnet) is probably a good definition. Fortunately - still easy to block using a firewall or web server rule - just block the whole subnet.
 
Just so you know, the Opera Mini browser uses it's own proxy and cache system for it's browser. So, you could be blocking legitimate users by blocking the Opera proxies.

I'm not saying it's not an attack, just saying it's a legit proxy system.
 
I had big problems with attacks on my sites, not sure I’d DDOS or other. Constantly causing database crashes. The host at the time kept suggesting higher spec VPS but that was obviously costing me a lot (too much)
Tried other hosts but it was finally all sorted when I switched to host @MattW who has absolute top security and monitoring.
 
Just so you know, the Opera Mini browser uses it's own proxy and cache system for it's browser. So, you could be blocking legitimate users by blocking the Opera proxies.

I'm not saying it's not an attack, just saying it's a legit proxy system.

Thanks for the info @Snog. So what is the solution to this? If we can't ban suspicious IP addresses using Opera Mini then what is the ultimate solution? Look at each one day after day? I did a Member IP check and no one is using this IP address so I guess I will leave it banned but un-ban this particular subnet?
 
If the attacks are high volume and distributed - use Cloudflare.

If the attacks are from a smallish number of IP addresses, try blocking them directly rather than the entire subnet. You can always try unblocking them later.

When I add IP block rules to my nginx config, I always document and date them - so I can go back later and remove them if I think it's worth doing.

I wouldn't get too concerned about accidentally blocking a legit user - if they are using a VPN, they are likely to come from a different IP address in the future anyway. Blocking the attack is more important in the short term than the potential for blocking users IMO.
 
Thanks for the info @Snog. So what is the solution to this? If we can't ban suspicious IP addresses using Opera Mini then what is the ultimate solution? Look at each one day after day? I did a Member IP check and no one is using this IP address so I guess I will leave it banned but un-ban this particular subnet?
Anything you do when it comes to banning an IP address, or a group of addresses is a judgement call. You need to take how often the addresses are accessing the site into consideration. If they are 1 to 2 minutes apart, they could be a robot of some sort or in this case the Opera Mini proxy rotating a single person through different addresses. If they all hit at once, they are most likely something less benign. Looking at the actual server logs would be a good start to see if the address (in this case the Opera addresses) are all proxies for the same physical IP.

Opera did use HTTP_X_FORWARDED_FOR to give the actual IP of the user. I don't know if that's still the case or not.

What you do is entirely up to you. Just don't misinterpret what you see as an attack when it may not be that.
 
On my server I have Fail2Ban which blocks ips and for dns I use Cloudflare. This has very well mitigated any ddos attacks.
 
Top Bottom