Sites under attack... Help?

J

JMEWLS

Active member
Alright, so basically my site is getting crashes because it's under attack. I'm not 100% sure what it is, but I've been in contact with the hosting because I'm pretty dumb when it comes to this type of stuff. I'll quote the
emails below...

This attack is sending post data to the /forum front page. They aren't actually posting anything, however the constant post connections are causing the load issues. This is the number of post that have been made to the forum front page since 7pm: 25,482.
I spoke with my escalated technician, his thoughts are that you can either disable the index.php file in the forum folder by renaming it whenever you get attacked. Or he can attempt to create a code that would password protect the forum front page from any IP that tries to send post data. Just to clarify, the post data being sent to the front page are not actual posts and blocking them wont interfere with legitimate post from users. Please let me know if you wish for my escalated tech to create this code. Please let me know as soon as possible his shift ends in 3 hours.
Click to expand...


Hello

I apologize, but I wasn't able to get a solution working for you. We've seen these kinds of attacks against many of our customers that use Wordpress. I was trying to rewrite a cookie & javascript based fix to work for you. However, due to your site's custom .htaccess rule, everything I tried would merely break your site.

This is one of the main reasons coding is outside our scope of support; we don't want to accidentally break your sites.

The only protection I can think of that I know will work would be to institute an .htpasswd prompt for all 'POST' requests. Considering that your site is a forum, almost all of the users are sending 'POST' requests. The problem is that the attackers are doing the same thing. It's hard to differentiate between the two.

If we make a password prompt, it will provide the credentials on the screen. Your normal users can read the credentials; a bot will not be able to.

To make the password prompt have less of an impact for your site visitors, they will need to select 'remember password' in their browser. Otherwise, they will get the password prompt every time they post.

I know that it's a little intrusive on the user experience, but it's the only thing I can think of that will keep the site up during an attack. My advice would that you only enable it during an active attack. You can add/remove the block code directly in your .htaccess, so you won't even need to contact us to enable/disable it.

If you are interested in this, let me know and I can provide you with an .htaccess code that will work. Otherwise, you'll need to consult a coder that specifically has experience with Apache directives and filtering out requests.
Click to expand...

Has anyone else experienced this before? Is there a fix? Go easy on me, I'm pretty new to this type of stuff.

Thanks to whoever has the time to reply.
 
Is it the same IP address or range of IP addresses?

If so, block them at the server level.
 
Consider LiteSpeed WebServer as it has a function that limits the number of connections per IP.
Bad Behavior blocks any connection by blacklisted bots: http://bad-behavior.ioerror.us/
The combination of the above has resolved 99% of my problems with daily DDoS attacks on my big board.
 
Is there any other means to help with DDOS attacks? Is badbehaviour easy to install? Are there any add ons I should consider downloading.
 
JMEWLS said:
Is there any other means to help with DDOS attacks? Is badbehaviour easy to install? Are there any add ons I should consider downloading.
Click to expand...
www.ddosdefend.com - they helped me a lot in the past

I've been trying out cloudflare's ddos protection and it's been a lil shoddy, thinking about going back but cf may be able to help you with your stuff. Doubt it is anything like the attacks I get...I've had multiple attacks above 60gbps.
 
I've been told it's a "large layer 3/4 DDoS attack" again, I'm not very smart at this type of stuff. But I've been reading in and it doesn't sound to great.
 
Are there anymore suggestions? I'm a student so paying 200 a month for cloudfare is pretty much out of the picture (as much as I'd like to).

It's apparently 3/4 DDoS Attack.

Sorry again for the lack of knowledge on the issue, it's really just me communicating with the host/you guys. ServInt is doing a really good job in trying to give me some clarity though, big ups to them.
 
Yes, I think so. I once asked a vbulletin coder to create an addon for vb and he did not need much time to create it.
 
JMEWLS said:
Are there anymore suggestions? I'm a student so paying 200 a month for cloudfare is pretty much out of the picture (as much as I'd like to).
Click to expand...

No more suggestions really. Real DDoS protection is extremely expensive, and if the attack is that large, you're kinda stuck. You can ask the provider to null route your IP address until the attack just goes away, but that's also going to put your site offline.
 
Do you have a wordpress script running on your server? If so, completely disable it or change the permissions.
 
Last edited:
No wordpress, it's just xenforo. That reply was because servint has similar issues with wordpress with their other clients.

I'm not even sure what the password prompt thing is (read initial post) but if this is a potential fix whilst I ride this out I guess I'm going to have to do it.

I'm thinking of implementing badbehaviour and zbblock and seeing what happens from there.. I can't afford ddos mitigation especially for a site that's really just a hobby and isn't considered a big board.

But I'm not sure if they're really designed to stop ddos attacks even though I've read it brings some protection.
 
JMEWLS said:
I'm thinking of implementing badbehaviour and zbblock and seeing what happens from there.. I can't afford ddos mitigation especially for a site that's really just a hobby and isn't considered a big board.
But I'm not sure if they're really designed to stop ddos attacks even though I've read it brings some protection.
Click to expand...
Those may help... also, is this a shared host or a VPS/Dedi? If VPS/Dedi have you installed fail2ban on it. There is a jail.local def that may help with the empty POST being sent to your webserver.
http://www.dedmeet.com/software-pro...l2ban-to-limit-ddos-attacks-on-webserver.html
and
http://kiteplans.info/2013/03/18/centos-virtualminfail2ban-protect-apache-from-ddos-attack/
 
I'm with servint's VPS I'll look into this. Have you had success with this? Will it be able to mitigate 3/4 ddos attacks?

Thankyou for the suggestion.
 
JMEWLS said:
I'm with servint's VPS I'll look into this. Have you had success with this? Will it be able to mitigate 3/4 ddos attacks?

Thankyou for the suggestion.
Click to expand...
Only true way is hardware... which is $$$$$$, but this may help. You have to be careful though because it monitors ALL GET/POST requests and depending on your site you could inadvertently lock someone out. The second link goes into some detail about it.
 
The only way to stop a DDoS is with a service, using Nginx or Litespeed won't block anything starting with a medium scale attack. I remember that a while ago, LULZ Security had their site protected by Cloudflare. The guys at Cloudflare were happy with that because they were able to tweak a lot their configurations. They saw a wide range of hacking attacks directed at their site, some of which were remarkably clever.
 
You must log in or register to reply here.

Similar threads

BuzzK
Not a bug Unable to upload .pptx to resources, even when .pptx is specified as an allowed file type under attachments
Replies
13
Views
91
Andy.N
A
tomwood
  • Solved
XF 2.2 As the Administrator - How to post threads under multiple different user names?
Replies
9
Views
97
tomwood
tomwood
Mark87
  • Question Question
After a DDos attack
Replies
8
Views
858
Jake B.
Jake B.
Sim
Cloudflare IPs not being detected and site under attack
Replies
15
Views
1K
eva2000
eva2000
The Dark Wizard
Fixed Cloudflare Mirage disables the GIF under "Install the App Button"
Replies
4
Views
1K
Jeremy P
Jeremy P
Back
Top Bottom