I need help. My website is 11 months under DDoS attack

Status
Not open for further replies.

CYCX

Hello,
I need help. My website is getting hit by a big layer 7 DDoS and no one can mitigate it. I tried many hosting companies but they failed to protect my website. The attacker is targeting the DNS so moving to another new server IP is useless. It's been 11 months and I'm still looking for the solution.
I'm using WordPress and the attacker is using my search function to attack by requesting different search terms from multiple IPs.
I already tried different methods to mitigate, like:

  • CSF (ConfigServer Security & Firewall)
  • IPtables
  • Block countries, block IPs
  • Disabled my search function
  • Tried other DDoS cloud proxy services but they did not really mitigate all the attacks
  • I'm using Cloudflare and activated "under attack" mode but it's not helping

Here are the screenshots:

Millions of requests but my real visitors are only 1000-5000:

Many DNS traffic per second:

Too much traffic:

Here is a sample of the attack from cPanel, and it looks like real visitors:
/?s= there are so many search requests per second, that's why the CPU usage is high, causing the server to go down.

Please share your solution to mitigate this kind of DDoS attack to help others. I'm sure I'm not the only one getting this kind of problem here.

Thank You
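
The traffic pattern described in the opening post, as an added example that is not part of the original thread: this Python sketch profiles `/?s=` requests in an access log and shows why per-IP blocking misses a flood spread over many sources. The log lines are constructed, and the function names and thresholds are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.11 - - [01/Jan/2018:10:00:01 +0000] "GET /?s=blue+widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2018:10:00:01 +0000] "GET /?s=cheap+flights HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2018:10:00:01 +0000] "GET /?s=kitchen HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
192.0.2.77 - - [01/Jan/2018:10:00:01 +0000] "GET /?s=summer+sale HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
198.51.100.140 - - [01/Jan/2018:10:00:01 +0000] "GET /?s=laptop HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
203.0.113.200 - - [01/Jan/2018:10:00:02 +0000] "GET /?s=garden HTTP/1.1" 200 5002 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2018:10:00:02 +0000] "GET /?s=old+maps HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2018:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" \d{3}')

def search_term(url):
    """Return the WordPress search term if the URL has an s= parameter, else None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query["s"][0] if "s" in query else None

def profile_search_traffic(lines, per_ip_limit=5, per_second_limit=3):
    """Summarise /?s= traffic; the limits are illustrative assumptions, not tuned values."""
    per_ip, per_second, terms = Counter(), Counter(), set()
    total = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        total += 1
        term = search_term(m["url"])
        if term is None:
            continue  # not a search request
        per_ip[m["ip"]] += 1
        per_second[m["ts"]] += 1  # log timestamps have one-second resolution
        terms.add(term.lower())
    peak = max(per_second.values(), default=0)
    busiest = max(per_ip.values(), default=0)
    return {
        "total": total, "searches": sum(per_ip.values()),
        "distinct_ips": len(per_ip), "distinct_terms": len(terms),
        "peak_per_second": peak, "busiest_ip": busiest,
        # High aggregate rate while every source stays under a per-IP limit.
        "distributed_flood": peak > per_second_limit and busiest <= per_ip_limit,
    }

print(profile_search_traffic(SAMPLE_LOG.splitlines()))
```

When `distributed_flood` is true, the limit has to be applied to the search endpoint as a whole rather than to individual addresses, and a `distinct_terms` count close to `searches` means each request carries a different query string.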
 
16 comments

hostechsuppor

Hello CYCX,
Can you please mention on which Server your website is hosted? If it is hosted on a dedicated or VPS server, then please change your SSH port number. Also, check your SELinux security status, if it is disabled, then change it to enforcing.
 

24x7technicalsupport

Hello,

Looking at your issue, you should check a few things.

1. Do you have DNSSEC enabled on your website? It will help you to mitigate fake or spoofed DNS queries.
2. What kind of webserver do you run? Have you tried using something like LiteSpeed?
3. Does your website completely go down when the attack happens ?
4. Also, what kind of budget are you looking at for a solution ?

Thanks
Casey K
Skype: [email protected]
www.24x7technicalsupport.net
 

CYCX

> Hello CYCX,
> Can you please mention on which Server your website is hosted? If it is hosted on a dedicated or VPS server, then please change your SSH port number. Also, check your SELinux security status, if it is disabled, then change it to enforcing.

I'm using VPS, already changed the SSH port but still no luck. Also I'm using kms-hosting with their layer 7 DDoS protection.

> Hello,
>
> Looking at your issue, you should check a few things.
>
> 1. Do you have DNSSEC enabled on your website? It will help you to mitigate fake or spoofed DNS queries.
> 2. What kind of webserver do you run? Have you tried using something like LiteSpeed?
> 3. Does your website completely go down when the attack happens ?
> 4. Also, what kind of budget are you looking at for a solution ?
>
> Thanks
> Casey K
> Skype: [email protected]
> www.24x7technicalsupport.net

The website is not completely down. It loads very slowly because the attack consumes all CPU resources.
 

hostechsuppor

> I'm using VPS, already changed the SSH port but still no luck. Also I'm using kms-hosting with their layer 7 DDoS protection.
>
> The website is not completely down. It loads very slowly because the attack consumes all CPU resources.

You can block the attacking IP address ranges in the server firewall. There are a few more tweaks, but that needs to be checked directly on the server. The main node where the VPS is installed must be properly secured. To suggest further, the server needs to be investigated.
 

Tango

Install mod_cloudflare
https://www.cloudflare.com/technical-resources/

CSF Firewall info/config
https://www.digitalocean.com/commun...onfigure-config-server-firewall-csf-on-ubuntu

Make CSF firewall add IP bans to Cloudflare so offending IPs don't hit your server
https://www.aetherweb.co.uk/automat...r-firewall-csf-firewall-blocks-to-cloudflare/

Make Cloudflare IP Bans expire
https://www.aetherweb.co.uk/automatically-expiring-cloudflare-ip-blocks-by-age/

This should be a start, you are using Cloudflare without the module to reveal IPs, so likely 'whitelisted' the attack.

Does your script use a lot of file_get_contents? It may be worth adding your site domain/IP to /etc/hosts/ so file_get_contents doesn't get proxied through Cloudflare, maybe this is your DoS?
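
An added illustration of the point about revealing visitor IPs behind Cloudflare (not code from the thread or from mod_cloudflare): behind a proxy the server sees the proxy's address as the peer, so ban logic has to count the address in the `CF-Connecting-IP` header, and trust that header only when the peer really is the proxy. The sample requests and helper names are constructed, and the ranges are a subset of Cloudflare's published list.

```python
import ipaddress
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges, used here for illustration;
# a deployment should load the current full list from https://www.cloudflare.com/ips/.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

def from_trusted_proxy(peer):
    """True if the TCP peer address belongs to one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer, headers):
    """Address that logs and ban lists should act on for this request."""
    if not from_trusted_proxy(peer):
        return peer  # direct connection: the header is client-controlled, ignore it
    claimed = headers.get("CF-Connecting-IP", "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return peer  # missing or malformed header: fall back to the peer

def over_threshold(requests, threshold, restore):
    """IPs with at least `threshold` requests, counted by peer or by restored client IP."""
    counts = Counter(client_ip(p, h) if restore else p for p, h in requests)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed requests as (peer address, request headers); header names are
# matched exactly here, a real server would compare them case-insensitively.
SAMPLE_REQUESTS = [
    ("172.68.10.5", {"CF-Connecting-IP": "203.0.113.5"}),
    ("172.68.10.5", {"CF-Connecting-IP": "203.0.113.5"}),
    ("172.68.10.5", {"CF-Connecting-IP": "203.0.113.5"}),
    ("172.68.10.5", {"CF-Connecting-IP": "198.51.100.9"}),
    ("192.0.2.50", {"CF-Connecting-IP": "198.51.100.9"}),  # direct hit, spoofed header
]

# Counting by peer flags the proxy itself; counting restored IPs flags the source.
print(over_threshold(SAMPLE_REQUESTS, 3, restore=False))
print(over_threshold(SAMPLE_REQUESTS, 3, restore=True))
```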
 

hhxx

LOL if it's a bot, then why don't you simply enable the "I'm under attack" option on Cloudflare?

edit: "I'm under attack" + maximum security on Cloudflare will fix your problem unless they are real visitors

btw what is your website domain?
 

Firecooler

You should consider memcached for WordPress where the site will get cached in the server RAM and save tons of MySQL queries.
 

Hyperz

> LOL if it's a bot, then why don't you simply enable the "I'm under attack" option on Cloudflare?
>
> edit: "I'm under attack" + maximum security on Cloudflare will fix your problem unless they are real visitors
>
> btw what is your website domain?

If the attack consists of search query spam and the person doing the attack knows how to code or is using a halfway decent bot, CF's under attack mode will do nothing. You don't even need to run JavaScript to solve the "checking your browser" challenge. At best it will delay every search query by 4 seconds. I don't know what "maximum security" does, but under attack mode will not stop a bot if it's designed to handle it.
 

hhxx

> If the attack consists of search query spam and the person doing the attack knows how to code or is using a halfway decent bot, CF's under attack mode will do nothing. You don't even need to run JavaScript to solve the "checking your browser" challenge. At best it will delay every search query by 4 seconds. I don't know what "maximum security" does, but under attack mode will not stop a bot if it's designed to handle it.

I don't really know, my website was never under attack. But a real attacker will never attack through Cloudflare LOL. They always use your real IP for attack.
11 months under attack with no downtime at all? lol it does not make any sense. What kind of attack is this?
Maximum security is requesting a captcha in order to access the website for visitors who use a proxy or VPN or any shared IP.
 

CYCX

@Gavo Thank You for the suggestion.

> LOL if it's a bot, then why don't you simply enable the "I'm under attack" option on Cloudflare?
>
> edit: "I'm under attack" + maximum security on Cloudflare will fix your problem unless they are real visitors
>
> btw what is your website domain?

"I'm under attack" is already enabled and it does not help at all. Plus I created page rules and set the security to high on the WordPress ?s= search.

> You should consider memcached for WordPress where the site will get cached in the server RAM and save tons of MySQL queries.

Thank you, I will search about memcached for WordPress. I'm a newbie, that's why it's hard for me to set up and fix the server-side issues.

> I don't really know, my website was never under attack. But a real attacker will never attack through Cloudflare LOL. They always use your real IP for attack.
> 11 months under attack with no downtime at all? lol it does not make any sense. What kind of attack is this?
> Maximum security is requesting a captcha in order to access the website for visitors who use a proxy or VPN or any shared IP.

I already changed IP. As I've said, the attacker is targeting the domain, so even if I change the IP or hosting the attack is still ongoing.
My website has been down for 11 months. It's an HTTP flood attack with thousands of different IPs connecting to my WordPress search function every second and searching different keywords, that's why the CPU load is very high.
 

Hyperz

> but a real attacker will never attack through Cloudflare LOL. They always use your real IP for attack.

What? There are some forms of DDoS attacks no sane person would try on a site behind CF. Intensive HTTP request (like search queries) spam is not one of those. CF gets the IP the request came from, which means little to nothing in the case of proxies or botnets.

In addition to @Gavo and @RapidVideo's suggestions additional options are:

  • temporarily disable search completely.
  • temporarily switch to Google search.
  • temporarily put search behind a captcha (this won't stop bots but it'll greatly reduce effectiveness and cost the attacker money to keep the attack going).
  • modify WordPress' search such that it uses non-default query parameters and/or pages (this will nullify pre-built bots and script kiddies).
 

CYCX

Thanks for all your help :)

Here is the solution that works for me.
First I created Cloudflare rules that redirect all searches from bots to a blank HTML page.
Then I installed Dave's WordPress Live Search plugin and disabled the enter key on search.
Now my website is up with live search as a bonus :D

Edit: Now the attacker is targeting the main domain and the Cloudflare "under attack" mode mitigated it instantly.
 

pxn

> Can you share what you installed to solve this? I would like to implement it on my server too.

If you read the thread carefully, the OP has shared the solutions.

> Thanks for all your help :)
>
> Here is the solution that works for me.
> First I created Cloudflare rules that redirect all searches from bots to a blank HTML page.
> Then I installed Dave's WordPress Live Search plugin and disabled the enter key on search.
> Now my website is up with live search as a bonus :D
>
> Edit: Now the attacker is targeting the main domain and the Cloudflare "under attack" mode mitigated it instantly.
 