Sites under attack... Help?

JMEWLS

Alright, so basically my site is getting crashes because it's under attack. I'm not 100% sure what it is, but I've been in contact with the hosting because I'm pretty dumb when it comes to this type of stuff. I'll quote the emails below...

This attack is sending post data to the /forum front page. They aren't actually posting anything; however, the constant post connections are causing the load issues. This is the number of posts that have been made to the forum front page since 7pm: 25,482.
I spoke with my escalated technician; his thoughts are that you can either disable the index.php file in the forum folder by renaming it whenever you get attacked, or he can attempt to create a code that would password protect the forum front page from any IP that tries to send post data. Just to clarify, the post data being sent to the front page are not actual posts, and blocking them won't interfere with legitimate posts from users. Please let me know if you wish for my escalated tech to create this code. Please let me know as soon as possible; his shift ends in 3 hours.


Hello

I apologize, but I wasn't able to get a solution working for you. We've seen these kinds of attacks against many of our customers that use Wordpress. I was trying to rewrite a cookie & javascript based fix to work for you. However, due to your site's custom .htaccess rule, everything I tried would merely break your site.

This is one of the main reasons coding is outside our scope of support; we don't want to accidentally break your sites.

The only protection I can think of that I know will work would be to institute an .htpasswd prompt for all 'POST' requests. Considering that your site is a forum, almost all of the users are sending 'POST' requests. The problem is that the attackers are doing the same thing. It's hard to differentiate between the two.

If we make a password prompt, it will provide the credentials on the screen. Your normal users can read the credentials; a bot will not be able to.

To make the password prompt have less of an impact for your site visitors, they will need to select 'remember password' in their browser. Otherwise, they will get the password prompt every time they post.

I know that it's a little intrusive on the user experience, but it's the only thing I can think of that will keep the site up during an attack. My advice would be that you only enable it during an active attack. You can add/remove the block code directly in your .htaccess, so you won't even need to contact us to enable/disable it.

If you are interested in this, let me know and I can provide you with an .htaccess code that will work. Otherwise, you'll need to consult a coder that specifically has experience with Apache directives and filtering out requests.

Has anyone else experienced this before? Is there a fix? Go easy on me, I'm pretty new to this type of stuff.

Thanks to whoever has the time to reply.
 
Is it the same IP address or range of IP addresses?

If so, block them at the server level.
 
Consider LiteSpeed WebServer as it has a function that limits the number of connections per IP.
Bad Behavior blocks any connection by blacklisted bots: http://bad-behavior.ioerror.us/
The combination of the above has resolved 99% of my problems with daily DDoS attacks on my big board.
 
Is there any other means to help with DDoS attacks? Is badbehaviour easy to install? Are there any add-ons I should consider downloading?
 
www.ddosdefend.com - they helped me a lot in the past

I've been trying out cloudflare's ddos protection and it's been a lil shoddy, thinking about going back but cf may be able to help you with your stuff. Doubt it is anything like the attacks I get...I've had multiple attacks above 60gbps.
 
I've been told it's a "large layer 3/4 DDoS attack". Again, I'm not very smart at this type of stuff. But I've been reading in and it doesn't sound too great.
 
Are there any more suggestions? I'm a student so paying 200 a month for Cloudflare is pretty much out of the picture (as much as I'd like to).

It's apparently 3/4 DDoS Attack.

Sorry again for the lack of knowledge on the issue, it's really just me communicating with the host/you guys. ServInt is doing a really good job in trying to give me some clarity though, big ups to them.
 
Yes, I think so. I once asked a vbulletin coder to create an addon for vb and he did not need much time to create it.
 
No more suggestions really. Real DDoS protection is extremely expensive, and if the attack is that large, you're kinda stuck. You can ask the provider to null route your IP address until the attack just goes away, but that's also going to put your site offline.
 
Do you have a wordpress script running on your server? If so, completely disable it or change the permissions.
 
No wordpress, it's just xenforo. That reply was because servint has similar issues with wordpress with their other clients.

I'm not even sure what the password prompt thing is (read initial post) but if this is a potential fix whilst I ride this out I guess I'm going to have to do it.

I'm thinking of implementing badbehaviour and zbblock and seeing what happens from there.. I can't afford ddos mitigation especially for a site that's really just a hobby and isn't considered a big board.

But I'm not sure if they're really designed to stop ddos attacks even though I've read it brings some protection.
 
Those may help... also, is this a shared host or a VPS/Dedi? If VPS/Dedi, have you installed fail2ban on it? There is a jail.local def that may help with the empty POST being sent to your webserver.
http://www.dedmeet.com/software-pro...l2ban-to-limit-ddos-attacks-on-webserver.html
and
http://kiteplans.info/2013/03/18/centos-virtualminfail2ban-protect-apache-from-ddos-attack/
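
An added example (not from the thread, the linked articles or fail2ban itself) of the check behind both suggestions above: whether the front-page POSTs come from a few addresses or one range, and which clients a fail2ban-style threshold would catch. The Apache combined log format, the front-page paths and the sample lines are assumptions constructed for illustration; `maxretry` and `findtime` borrow fail2ban's option names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, sec, method, target):
    # Build one access-log line in Apache combined format (constructed data).
    return (f'{ip} - - [10/Mar/2014:19:00:{sec:02d} +0000] '
            f'"{method} {target} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample: two flooding clients, one real poster, one stray POST.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/forum/") for s in range(8)]
    + [_line("203.0.113.9", s, "POST", "/forum/index.php") for s in range(0, 12, 2)]
    + [_line("198.51.100.20", 5, "POST", "/forum/threads/1/add-reply"),
       _line("198.51.100.20", 9, "GET", "/forum/"),
       _line("192.0.2.44", 3, "POST", "/forum/")])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
FRONT_PAGE = ("/forum/", "/forum/index.php")  # assumed front-page request targets

def flood_sources(log_text, targets=FRONT_PAGE, maxretry=5, findtime=60):
    """Return {ip: peak POST count in any findtime-second window} for each
    client that sent at least maxretry POSTs to the front page in that window."""
    windows, peak = defaultdict(deque), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing mid-incident
        ip, stamp, method, target = m.groups()
        # Exact match: real posts go to other routes and are never counted.
        if method != "POST" or target not in targets:
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        w = windows[ip]
        w.append(ts)
        while ts - w[0] > timedelta(seconds=findtime):
            w.popleft()  # drop hits that fell out of the sliding window
        if len(w) >= maxretry:
            peak[ip] = max(peak.get(ip, 0), len(w))
    return peak

def by_subnet(ips):
    """Group flagged IPv4 addresses by /24 to show if one range dominates."""
    groups = defaultdict(list)
    for ip in ips:
        groups[ip.rsplit(".", 1)[0] + ".0/24"].append(ip)
    return dict(groups)

if __name__ == "__main__":
    flagged = flood_sources(SAMPLE_LOG)
    print(flagged, by_subnet(flagged))
```

This only sees requests that reach the web server's access log; layer 3/4 traffic never appears there, so an empty result during an outage points away from an HTTP-level flood.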
 
I'm with servint's VPS I'll look into this. Have you had success with this? Will it be able to mitigate 3/4 ddos attacks?

Thank you for the suggestion.
 
Only true way is hardware... which is $$$$$$, but this may help. You have to be careful though because it monitors ALL GET/POST requests and depending on your site you could inadvertently lock someone out. The second link goes into some detail about it.
 
The only way to stop a DDoS is with a service; using Nginx or Litespeed won't block anything starting with a medium scale attack. I remember that a while ago, LULZ Security had their site protected by Cloudflare. The guys at Cloudflare were happy with that because they were able to tweak their configurations a lot. They saw a wide range of hacking attacks directed at their site, some of which were remarkably clever.
 