I need help. My website is 11 months under DDOs attack

[CYCX]

Hello,
I need help. My website is getting hit by big layer 7 DDOs and no and one can mitigate?. I tried many hosting company but they failed to protect my website. The attacker is targeting the DNS so moving to another new server IP is useless. Its been 11 months and until now i'm looking for the solution.
I'm using wordpress and the attacker is using my search function to attack by getting different search terms using multiple IP.
I already tried different method to mitigate like CSF (ConfigServer Security & Firewall)
IPtables
Block countries , Block Ip's
Disabled my search function
Tried other DDOs cloud proxy service but they not really mitigate all the attacks
I'm using cloudflare and activated the under attack but its not helping
Here is the screenshots :

Million of requests but my real visitors is only 1000-5000 :

Many DNS Traffic per seconds :

Too many traffic :

Here is the sample of the attack from cpanel and it look like real visitors :
/?s= there is so many search request per second thats why the CPU usage is high causing the server down.

Please share your solution to mitigate this kind of DDOs attack to help others. I'm sure i'm not the only one getting this kind of problem here.

Thank You

 

[hostechsuppor]

Hello CYCX,
Can you please mention on which Server your website is hosted? If it is hosted on a dedicated or VPS server, then please change your SSH port number. Also, check your SELinux security status, if it is disabled, then change it to enforcing.

 

[24x7technicalsupport]

Hello,

Looking at your issue, you should check a few things.

1. Do you have DNSSEC enabled on your website ? It will help you to mitigate fake or spoofed DNS queries.
2. What kind of webserver do you run ? Have your tried using something like litespeed?
3. Does your website completely go down when the attack happens ?
4. Also, what kind of budget are you looking at for a solution ?

Thanks
Casey K
Skype: [email protected]
www.24x7technicalsupport.net

 

[CYCX]

Hello CYCX,
Can you please mention on which Server your website is hosted? If it is hosted on a dedicated or VPS server, then please change your SSH port number. Also, check your SELinux security status, if it is disabled, then change it to enforcing.

I'm using VPS, already changed the ssh port but still no luck. Also i'm using kms-hosting with their layer 7 ddos protection.

Hello,

Looking at your issue, you should check a few things.

1. Do you have DNSSEC enabled on your website ? It will help you to mitigate fake or spoofed DNS queries.
2. What kind of webserver do you run ? Have your tried using something like litespeed?
3. Does your website completely go down when the attack happens ?
4. Also, what kind of budget are you looking at for a solution ?

Thanks
Casey K
Skype: [email protected]
www.24x7technicalsupport.net

The website is not completely down. It will load very slow. Because the attack consume all cpu resources.

 

[hostechsuppor]

I'm using VPS, already changed the ssh port but still no luck. Also i'm using kms-hosting with their layer 7 ddos protection.

The website is not completely down. It will load very slow. Because the attack consume all cpu resources.

>> You can block attacking IP addresses range in the Server firewall. There are few more tweaks but, that needs to be checked directly on the Server. The main node where VPS is installed must be properly secured. To suggest further, the server needs to be investigated.

 

[Tango]

Install mod_cloudflare
https://www.cloudflare.com/technical-resources/

CSF Firewall info/config
https://www.digitalocean.com/commun...onfigure-config-server-firewall-csf-on-ubuntu

Make CSF firewall add IP bans to cloudflare so offending ip's don't hit your server
https://www.aetherweb.co.uk/automat...r-firewall-csf-firewall-blocks-to-cloudflare/

Make Cloudflare IP Bans expire
https://www.aetherweb.co.uk/automatically-expiring-cloudflare-ip-blocks-by-age/

This should be a start, you are using cloudflare without the module to reveal IP's, so likely 'whitelisted' the attack.

Does your script use a lot of file_get_contents ? It may be worth adding your site domain/IP to /etc/hosts/ so file_get_contents doesn't get proxied through cloudflare, maybe this is your doss?

 

[hhxx]

LOL if its a bot, then why you simple don't enbale "i'm under attack" option on cloudflare ?

edit: i'm under attack + maximum security on cloudflare will fix your problem unless they are real visitors

btw what is your website domain?

 

[Firecooler]

You should consider memcached for Wordpress where the site will get cached in the server RAM and saves tons of mysql querys.

 

[Hyperz]

LOL if its a bot, then why you simple don't enbale "i'm under attack" option on cloudflare ?

edit: i'm under attack + maximum security on cloudflare will fix your problem unless they are real visitors

btw what is your website domain?

If the attack consists of search query spam and the person doing the attack knows how to code or is using a halfway decent bot CF's under attack mode will do nothing. You don't even need to run Javascript to solve the "checking your browser" challenge. At best it will delay every search query by 4 seconds. I don't know what "maximum security" does, but under attack mode will not stop a bot if it's designed to handle it.

 

[hhxx]

If the attack consists of search query spam and the person doing the attack knows how to code or is using a halfway decent bot CF's under attack mode will do nothing. You don't even need to run Javascript to solve the "checking your browser" challenge. At best it will delay every search query by 4 seconds. I don't know what "maximum security" does, but under attack mode will not stop a bot if it's designed to handle it.

I don't know really my website was never under attack. but a real attacker will never attack through cloudflare LOL. they always use your real ip for attack.
11 months under attack with no down time at all ? lol it does not make any sense. what kind of attack is this?
maximum security is requesting captcha in order to access website for visitors who use proxy or vpn or any shared IP

 

[CYCX]

@Gavo Thank You for the suggestion.

LOL if its a bot, then why you simple don't enbale "i'm under attack" option on cloudflare ?

edit: i'm under attack + maximum security on cloudflare will fix your problem unless they are real visitors

btw what is your website domain?

I'm under attack is already enabled and it will not help at all. plus I created page rules and set the security to high on worpress ?s= search.

You should consider memcached for Wordpress where the site will get cached in the server RAM and saves tons of mysql querys.

Thank You I will search about memcached for wordpress. I'm newbie thats why its hard for me to setup and fix the server side issues.

I don't know really my website was never under attack. but a real attacker will never attack through cloudflare LOL. they always use your real ip for attack.
11 months under attack with no down time at all ? lol it does not make any sense. what kind of attack is this?
maximum security is requesting captcha in order to access website for visitors who use proxy or vpn or any shared IP

I already changed IP. As I've said the attacker is targeting the domain so even I change the IP or hosting the attack still ongoing.
my website is down for 11 months . Its an http flood attack with thousands of different IP is connecting to my wordpress search function every second and searching different keywords thats why the CPU load is very High.

 

[Hyperz]

but a real attacker will never attack through cloudflare LOL. they always use your real ip for attack.

What? There are some forms of DDoS attacks no sane person would try to a site behind CF. Intensive HTTP request (like search queries) spam is not one of those. CF gets the IP the request came from which means little to nothing in the case of proxies or botnets.

In addition to @Gavo and @RapidVideo's suggestions additional options are:

• temporarily disable search completely.
• temporarily switch to Google search.
• temporarily put search behind a captcha (this wont stop bots but it'll greatly reduce effectiveness and cost the attacker money to keep the attack going).
• modify WordPress' search such that it uses non-default query parameters and/or pages (this will nullify pre-built bots and script kiddies).

 

[CYCX]

Thanks for all your help

Here is the solution that works for me.
First I created a cloudflare rules that redirect all search from bot to blank html page.
Then I install Dave's WordPress Live Search plugin and disabled enter key on search.
Now my website is up with live search bonus :D



Edit : Now the attacker is targeting the main domain and the cloudflare "under attack" mitigated it instantly.

 

[pankaj shukla]

send site link

 

[CYCX]

everything is ok now. thanks for the help

 

[M. Graham]

everything is ok now. thanks for the help

Can you share what do you install to solve this? I would like to implement to my server too.

 

[pxn]

Can you share what do you install to solve this? I would like to implement to my server too.

If you read the thread carefully that OP was shared the solutions.

Thanks for all your help

Here is the solution that works for me.
First I created a cloudflare rules that redirect all search from bot to blank html page.
Then I install Dave's WordPress Live Search plugin and disabled enter key on search.
Now my website is up with live search bonus :D



Edit : Now the attacker is targeting the main domain and the cloudflare "under attack" mitigated it instantly.