Status
Not open for further replies.

ACiD_CORE

So recently one of my VPSes got DDoSed and I was told that the IP was nullrouted.

The log is like this one:
2013.09.05 03:35:04 TCP: 222.4.172.2:59116 -> VPS_SERVER_IP:80 flags: 0x02 size: 62

So I want to ask: is there a way I can lock the VPS to allow only connections from my IP?

Or won't it stop the DDoS?

The VPS IP will be unblocked every 4-6 hr after a DDoS check, but after the unblock I only get 2-3 min., then the DDoS starts again.
 
40 comments
Hi,
You need to have some sort of DDoS protection.
DDoS protection can be quite expensive. May I know what you are using the VPS for? Uploading or hosting a site on it?
 
Switch off your VPS for now. Wait for some time and turn it on again. Check which IP/IPs you're getting the most connections from and ban them. Change your NS and use CloudFlare for now. :)
 
# The line below will DROP all incoming connections.
iptables -P INPUT DROP

# Allow specific IPs to specific ports, for example port 22 for IP 1.1.1.1
iptables -A INPUT -p tcp -s 1.1.1.1 --dport 22 -j ACCEPT

In this fashion you can add your IPs to the allow list.

To know the IPs connecting to your server you can run:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If you're running cPanel, just close off all UDP/TCP ports in csf.conf, then add the IPs you want to allow access to csf.allow and csf.ignore.
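
An added example, not part of the post above or the poster's own commands: the same default-DROP allow list written as one iptables-restore ruleset, so the policy and the ACCEPT rules load together instead of the DROP policy taking effect first. The helper names is_ipv4 and build_ruleset are hypothetical, the addresses are constructed documentation addresses, and the loopback and ESTABLISHED,RELATED rules are additions assumed here so existing sessions and replies keep working.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset; it does not touch the firewall.
# Addresses below are constructed documentation addresses, not from the thread.

# Strict dotted-quad check: four octets, 0-255, no leading zeros
# (some parsers read a leading zero as octal).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ruleset PORT IP...  (hypothetical helper name)
# Validates everything first, so bad input produces no partial ruleset.
build_ruleset() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*|0*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ "$#" -ge 1 ] || { echo "no addresses given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Print a ruleset for SSH from two constructed admin addresses.
# Review it, check it with `iptables-restore --test`, then load it with
# `iptables-restore`, which replaces the whole filter table in one step.
build_ruleset 22 203.0.113.10 198.51.100.7
```

A host firewall like this only filters packets that have already reached the VPS; it does not change how much traffic arrives on the provider's link.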
 
So:

Server main IP nullrouted
VPS is off
Domain NS are CloudFlare's

I tried to log in once to my console and checked who was making the most connections, but all I got was CloudFlare IPs (even though I have installed mod_cloudflare for Apache), so it won't help. Also it's a DDoS, so there won't be only one IP making the most connections; there can be 1000 IPs with 1 conn. at the same time :(
 
Are you on a cPanel VPS or?

As I said above, have your host un-nullroute your VPS IP and give them the directions I posted above. It makes enough sense that, unless your web host is run by a bunch of kids, they will understand what to do.

Then again, depending on the type of DDoS attack it may not work. If they're actually flooding, i.e. spoofing the port on the server, your host will keep you null-routed. But if they're just using a bot or proxies to attack, the above as I posted will work just fine.
 
Seems like the host found a way to fight it, or the DDoS stopped.

The IP is accessible, but I hope there's no more incoming DDoS.

//I also sent the replies posted here to the host staff, so many thanks go to all.

///Hope my next reply will not be about another DDoS :(

////IP nullrouted, another DDoS, god :(
 
Seems like changing the IP will be the only resolution.

The server is already hidden behind CloudFlare but it seems it won't help much.
 
We have seen CloudFlare not performing when there are DDoS attacks (Free Accounts)

So it's not a biggy if you are getting DDoS'd behind CloudFlare

Also an attacker can easily find out the IP behind CloudFlare, so it's not much of a protection for forums/blogs especially.
 
There is a question of whether the attacker knows my server IP... The log that the host posted shows only my server IP, and the attackers DDoS port 80, so I don't know if it was the domain, because the IP can still be hidden from the DDoSer due to CloudFlare. I hope they don't know that IP.

I tried to change the IP of the nameservers, so we will see after the VPS IP unblock.

Maybe it's a domain attack, as I was told by another person; if not, then they are directly attacking my server IP.
 