DDoS attack

Status
Not open for further replies.

mamak24

My dedicated server is down for two days now, the support said it's a DDoS attack and whenever I null-routed the IP, it works for only a short time and is down again. I null-routed the IP 5 times now ...
Can anyone help me configure the dedicated server to fix the problem? Image for the problem
 
15 comments
If it's pure traffic flood, you can only buy a DDoS protected service. However, you can confirm whether it's TCP or UDP traffic. Some data centers can help you block all UDP packets without any charges.
 
I'm not an expert but what you can do is analyze the IP addresses. How many connections, then ban them via iptables.

However, that might not help as it would still hit the line so only way to block them is via Firewall and I doubt LeaseWeb will do that for you.

You could also try Cloudflare paid plan.
 
If it's simply attacking your services such as httpd, changing your OS to FreeBSD and applying the following pf rules might help you:
Code:
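# Sources that exceed the limits in the pass rule below are added to this table
table <ddos> persist

# Drop HTTP/HTTPS from listed sources ($ext_if and $web_ip are macros defined elsewhere in pf.conf)
block in log quick on $ext_if proto tcp from <ddos> to $web_ip port { 80, 443 } label ddos-block

# Allow HTTP/HTTPS; a source with more than 120 open connections, or more than
# 180 new connections in 60 seconds, goes into <ddos> and has its states flushed
pass in quick on $ext_if proto tcp to $web_ip port { 80, 443 } flags S/SA label http keep state \
        (max-src-conn 120, max-src-conn-rate 180/60, overload <ddos> flush global)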
It works better than mod_evasive of apache or similar modules of any kinds of http servers, but don't apply these rules if you are running a tracker on your server.

I'm not familiar with Linux so I cannot suggest anything regarding iptables. Maybe you have to use ipt_recent to log the traffic and write some scripts to block them.

However, the image you uploaded indicates it might be a traffic flooding; maybe it's UDP or ICMP -- you have to analyze it yourself. Again, if it's really a kind of traffic flooding, you can only pay for DDoS protection services.
 
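Added example, not part of the original posts: the "count connections per IP, then ban them via iptables" step suggested in the thread, run over constructed `ss -tn` output with the pf rule's 120-connection ceiling as the threshold. The function names and sample addresses are assumptions; as the replies point out, this only helps when the attack targets the service itself, not when the flood saturates the uplink.

```python
from collections import Counter

WEB_PORTS = {"80", "443"}  # ports covered by the pf rule in the post
MAX_SRC_CONN = 120         # same ceiling as max-src-conn in that rule

def split_addr(addr):
    """Split 'ip:port' or '[v6]:port' into (ip, port)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), port

def count_sources(ss_lines, ports=WEB_PORTS):
    """Count connections per peer IP and per TCP state on the given local ports."""
    by_ip, by_state = Counter(), Counter()
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                      # blank or truncated line
        state, local, peer = fields[0], fields[3], fields[4]
        if split_addr(local)[1] not in ports:
            continue                      # header row or another service
        by_ip[split_addr(peer)[0]] += 1
        by_state[state] += 1
    return by_ip, by_state

def over_limit(by_ip, limit=MAX_SRC_CONN):
    """Sources holding more than `limit` connections, sorted."""
    return sorted(ip for ip, n in by_ip.items() if n > limit)

def ban_commands(ips):
    """One DROP rule per source; ip6tables for IPv6 addresses."""
    return [f"{'ip6tables' if ':' in ip else 'iptables'} -I INPUT -s {ip} -j DROP"
            for ip in ips]

def sample_lines():
    """Constructed `ss -tn` output: one heavy source, a few normal clients."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"ESTAB 0 0 203.0.113.10:80 198.51.100.7:{40000 + i}" for i in range(100)]
    lines += [f"SYN-RECV 0 0 203.0.113.10:80 198.51.100.7:{50000 + i}" for i in range(30)]
    lines += [f"ESTAB 0 0 203.0.113.10:443 192.0.2.44:{51000 + i}" for i in range(3)]
    lines += ["ESTAB 0 0 203.0.113.10:22 192.0.2.9:52000",
              "ESTAB 0 0 [2001:db8::5]:443 [2001:db8::99]:40000"]
    return lines

if __name__ == "__main__":
    by_ip, by_state = count_sources(sample_lines())
    print(by_state.most_common())         # many SYN-RECV entries point to a SYN flood
    print("\n".join(ban_commands(over_limit(by_ip))))
```

On a live host the input would come from `ss -tn` itself; review the list before applying any rule, since a NAT gateway or proxy can legitimately exceed the limit.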
I'm not an expert but what you can do is analyze the IP addresses. How many connections, then ban them via iptables.

However, that might not help as it would still hit the line so only way to block them is via Firewall and I doubt LeaseWeb will do that for you.

You could also try Cloudflare paid plan.

That is correct. The attack is hitting his pipe, that's why LSWS nullroutes IP. He cannot block certain IPs on the server level as traffic would still get to his switch port. The only way is LSWS filtering traffic on a higher instance, before it even reaches the switch, but that's not going to happen as LSWS is not a DDoS protected provider.
 
DDoS protection never works, so don't bother getting services from Staminus, Awknet or Blacklotus all are shit. Tested and researched.

awknet is good against UDP as they fully block incoming UDP on L3. Staminus can also block UDP. For SYN you need Staminus' SecurePort which is very costly and not worth it.

CNServers is pretty good, they filter SYN by default (no expensive addons) and can filter quite a lot of PPS.

EDIT: Those are US providers, it may not be acceptable for the OP. I have yet to find a decent provider that can mitigate heavy attacks in the EU.
 
awknet is good against UDP as they fully block incoming UDP on L3. Staminus can also block UDP. For SYN you need Staminus' SecurePort which is very costly and not worth it.

CNServers is pretty good, they filter SYN by default (no expensive addons) and can filter quite a lot of PPS.

EDIT: Those are US providers, it may not be acceptable for the OP. I have yet to find a decent provider that can mitigate heavy attacks in the EU.

I have heard good things about CNServers. They are affordable.

I have done a big research regarding DDoS protection providers, we tested them with just one 1Gbit server. UDP and SYN.

Staminus, Awknet, Blacklotus went down immediately and stayed offline. Never expected that.
 
I have heard good things about CNServers. They are affordable.

I have done a big research regarding DDoS protection providers, we tested them with just one 1Gbit server. UDP and SYN.

Staminus, Awknet, Blacklotus went down immediately and stayed offline. Never expected that.

That is correct, those 3 can't mitigate more than 100k PPS on its basic dedicated servers. If you want the real protection they will make you pay 4-5 figures for the real protection.

On the other hand, CNServers is more than decent on its basic packages.
 
Well, Awknet is not a problem. YouTube video: http://www.youtube.com/watch?v=BFYG5Wflfjo - I didn't upload it, I just found it.

But when you DDoS a server on port 80, all other TCP port traffic is down. But sometimes I can browse the site! Does the browser work for UDP traffic? But I also hit all the UDP ports but it can't be down all the time.. Why is that? Can you lay out all the ports of the server, TCP and UDP.

(educational purpose only)

Thanks
 
CF is pretty useless.. If you are using CF anybody can make high DDoS on your CF IP and get you banned from CF - no matter what plan you are on. TESTED and PROVED.

Anything else?

Thank You

It's not if you have the paid plan. Set your DNS properly without showing a road to your real server IP.
 