
My site got DDOS

KozmoK

Active member
#4
Elly,

If you have ssh access, do a netstat -na|more and if you see a lot of SYNC_SENT or something like that, let me know. I can give you a script you can start blocking them with firewall/iptables.
 

mjp

Well-known member
#5
Blocking IPs? Good luck. I haven't seen a single IP source DDoS in many years. Or even one coming from a manageable number of IPs. It's more likely these days that you're getting hit by a botnet, and there isn't much you can do in that case but wait it out (or absorb it - see Staminus below).

Your host should have some kind of mitigation in place. They were probably aware that it was happening before you were.

We use Staminus DDoS mitigation, but it's not really an option for individuals on dedicated servers, unless you can afford to spend a considerable amount of money protecting your site/server.
 

Rigel Kentaurus

Well-known member
#6
Blocking IPs? Good luck. I haven't seen a single IP source DDoS in many years. Or even one coming from a manageable number of IPs. It's more likely these days that you're getting hit by a botnet, and there isn't much you can do in that case but wait it out (or absorb it - see Staminus below).

Your host should have some kind of mitigation in place. They were probably aware that it was happening before you were.

We use Staminus DDoS mitigation, but it's not really an option for individuals on dedicated servers, unless you can afford to spend a considerable amount of money protecting your site/server.
Sometimes the DDoS comes from a single country, though, and you can reject the complete IP block. It is not possible to know without further information.
 

mjp

Well-known member
#7
I suppose it could, yes. It wouldn't be typical, but you're right.

Either way, the host should be able to deal with it. Unless the DDoS is really big or the host is really small.
 

KozmoK

Active member
#8
When I used to get hit with botnets, I would have anywhere from 100-150 different IPs hitting me. I was able to get all the IPs in a list, then I wrote a batch import to block them.

For my business, it's worth importing them 1 by 1 if I have to.
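The two steps described in posts #4 and #8 (look at netstat for a pile of half-open connections, then batch-block the noisy sources with iptables) as one added example; this is not KozmoK's script or anything from the thread. It assumes a Linux box with iptables-restore, a threshold of your choosing, and a constructed netstat sample so it runs offline. Note that on the server being hit a SYN flood shows up as sockets in SYN_RECV (SYN_SENT is what the connecting side sees), so that is the state the script counts.

```shell
#!/bin/sh
# Added example (not from the thread): count half-open connections per source
# in `netstat -na` output and turn the noisiest sources into an iptables-restore
# batch. Only prints rules, so it is safe to try without root.

# Constructed sample of `netstat -na` output for offline testing.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.9:33000         ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.9:33001         ESTABLISHED'

# top_syn_sources THRESHOLD   (netstat output on stdin)
# Prints "count ip", busiest first, for every foreign address that has at
# least THRESHOLD sockets sitting in SYN_RECV. Real netstat -na on the live
# box: netstat -na | top_syn_sources 50
top_syn_sources() {
    awk -v min="$1" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # drop the source port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# make_block_rules CHAIN   (one IP per line on stdin)
# Emits an iptables-restore batch that DROPs each IP. Apply it with:
#   top_syn_sources 50 < /tmp/netstat.txt | awk '{print $2}' \
#       | make_block_rules INPUT | iptables-restore --noflush
make_block_rules() {
    chain="$1"
    printf '*filter\n'
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s %s -s %s -j DROP\n' "-A" "$chain" "$ip"
    done
    printf 'COMMIT\n'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_sources 2
printf '%s\n' "$SAMPLE_NETSTAT" | top_syn_sources 3 | awk '{print $2}' | make_block_rules INPUT
```

For the 100-150 sources mentioned in post #8 a rule per IP is manageable; beyond a few hundred, put the addresses in an ipset and match the set with a single iptables rule instead, so the chain does not grow linearly with the list.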
 

mjp

Well-known member
#9
If it's a manageable number, of course blocking can be effective. Unfortunately, 150 IPs is a very small DDoS where I come from. We regularly get DDoS attacks that use 2 - 3 gigabits of bandwidth. Per second.

To put that in perspective, you would need roughly 2,000 T1 lines to get 3 gigabits of throughput. That kind of attack comes from tens of thousands of IPs all over the world. If you could block them all (which you can't) you would effectively be removing yourself from the Internet anyway, so there's no point in trying.

What happens in those sorts of attacks - if you have a typical 1 gigabit (or smaller) backbone connection - is the connection gets saturated and it doesn't matter what you do at your network level, because the traffic can't even get to your network. It's like an overflowing funnel and your routers are at the bottom of that funnel.

So when you use a service like Staminus (this is turning into an infomercial), that 2 or 3 gigabit attack doesn't overflow your funnel, because it's a really big funnel. In the 10 gigabit range, in our case. The botnet can throw everything it has at you, but they cannot bring you down. What happens when they see they can't bring you down is they stop and move on to a target they can bring down.