1. CYCX

    CYCX Well-Known Member

    Oct 20, 2016
    80
    Hello,
    I need help. My website is getting hit by a big layer 7 DDoS and no one can mitigate it. I tried many hosting companies but they failed to protect my website. The attacker is targeting the DNS so moving to another new server IP is useless. It's been 11 months and until now I'm looking for the solution.
    I'm using WordPress and the attacker is using my search function to attack by getting different search terms using multiple IPs.
    I already tried different methods to mitigate, like CSF (ConfigServer Security & Firewall)
    iptables
    Block countries, block IPs
    Disabled my search function
    Tried other DDoS cloud proxy services but they did not really mitigate all the attacks
    I'm using Cloudflare and activated the under attack mode but it's not helping
    Here are the screenshots:

    Millions of requests but my real visitors are only 1000-5000.

    A lot of DNS traffic per second.

    Too much traffic.

    Here is a sample of the attack from cPanel, and it looks like real visitors:
    /?s= there are so many search requests per second, that's why the CPU usage is high, causing the server to go down.



    Please share your solution to mitigate this kind of DDoS attack to help others. I'm sure I'm not the only one getting this kind of problem here.

    Thank You
     
  2. hostechsuppor

    hostechsuppor Well-Known Member

    Feb 22, 2017
    55
    Hello CYCX,
    Can you please mention on which server your website is hosted? If it is hosted on a dedicated or VPS server, then please change your SSH port number. Also, check your SELinux security status; if it is disabled, then change it to enforcing.
     
    Last edited: Feb 26, 2018
  3. 24x7technicalsupport

    24x7technicalsupport Member

    Feb 19, 2018
    11
    Hello,

    Looking at your issue, you should check a few things.

    1. Do you have DNSSEC enabled on your website? It will help you to mitigate fake or spoofed DNS queries.
    2. What kind of webserver do you run? Have you tried using something like LiteSpeed?
    3. Does your website completely go down when the attack happens?
    4. Also, what kind of budget are you looking at for a solution?

    Thanks
    Casey K
    www.24x7technicalsupport.net
     
  4. CYCX

    CYCX Well-Known Member

    Oct 20, 2016
    80
    I'm using a VPS, already changed the SSH port but still no luck. Also I'm using kms-hosting with their layer 7 DDoS protection.

    The website is not completely down. It will load very slowly, because the attack consumes all CPU resources.
     
  5. hostechsuppor

    hostechsuppor Well-Known Member

    Feb 22, 2017
    55
    >> You can block attacking IP address ranges in the server firewall. There are a few more tweaks, but that needs to be checked directly on the server. The main node where the VPS is installed must be properly secured. To suggest further, the server needs to be investigated.
     
  6. Gavo

    Gavo Super Moderator Staff Member

    Jul 9, 2009
    3,177
    Install mod_cloudflare
    https://www.cloudflare.com/technical-resources/

    CSF Firewall info/config
    https://www.digitalocean.com/commun...onfigure-config-server-firewall-csf-on-ubuntu

    Make CSF firewall add IP bans to Cloudflare so offending IPs don't hit your server
    https://www.aetherweb.co.uk/automat...r-firewall-csf-firewall-blocks-to-cloudflare/

    Make Cloudflare IP Bans expire
    https://www.aetherweb.co.uk/automatically-expiring-cloudflare-ip-blocks-by-age/

    This should be a start. You are using Cloudflare without the module to reveal IPs, so likely 'whitelisted' the attack.

    Does your script use a lot of file_get_contents? It may be worth adding your site domain/IP to /etc/hosts/ so file_get_contents doesn't get proxied through Cloudflare, maybe this is your DoS?
     
  7. hhxx

    hhxx Well-Known Member

    Jun 4, 2016
    85
    LOL if it's a bot, then why don't you simply enable the "I'm under attack" option on Cloudflare?

    Edit: "I'm under attack" + maximum security on Cloudflare will fix your problem unless they are real visitors.

    BTW, what is your website domain?
     
  8. RapidVideo

    RapidVideo Well-Known Member Affiliate Rep.

    Feb 12, 2012
    1,636
    You should consider memcached for WordPress, where the site will get cached in the server RAM and save tons of MySQL queries.
     
  9. Hyperz

    Hyperz Well-Known Member Respected

    Feb 8, 2009
    2,229
    If the attack consists of search query spam and the person doing the attack knows how to code or is using a halfway decent bot, CF's under attack mode will do nothing. You don't even need to run JavaScript to solve the "checking your browser" challenge. At best it will delay every search query by 4 seconds. I don't know what "maximum security" does, but under attack mode will not stop a bot if it's designed to handle it.
     
  10. hhxx

    hhxx Well-Known Member

    Jun 4, 2016
    85
    I don't really know, my website was never under attack. But a real attacker will never attack through Cloudflare LOL. They always use your real IP for the attack.
    11 months under attack with no downtime at all? LOL, it does not make any sense. What kind of attack is this?
    Maximum security requests a captcha in order to access the website for visitors who use a proxy or VPN or any shared IP.
     
  11. CYCX

    CYCX Well-Known Member

    Oct 20, 2016
    80
    @Gavo Thank You for the suggestion.

    "I'm under attack" is already enabled and it will not help at all. Plus I created page rules and set the security to high on the WordPress ?s= search.

    Thank you, I will search about memcached for WordPress. I'm a newbie, that's why it's hard for me to set up and fix the server-side issues.


    I already changed IP. As I've said, the attacker is targeting the domain, so even if I change the IP or hosting the attack is still ongoing.
    My website has been down for 11 months. It's an HTTP flood attack with thousands of different IPs connecting to my WordPress search function every second and searching different keywords, that's why the CPU load is very high.
     
  12. Hyperz

    Hyperz Well-Known Member Respected

    Feb 8, 2009
    2,229
    What? There are some forms of DDoS attacks no sane person would try on a site behind CF. Intensive HTTP request (like search queries) spam is not one of those. CF gets the IP the request came from, which means little to nothing in the case of proxies or botnets.

    In addition to @Gavo and @RapidVideo's suggestions, additional options are:

    • temporarily disable search completely.
    • temporarily switch to Google search.
    • temporarily put search behind a captcha (this won't stop bots but it'll greatly reduce effectiveness and cost the attacker money to keep the attack going).
    • modify WordPress' search such that it uses non-default query parameters and/or pages (this will nullify pre-built bots and script kiddies).
     
  13. CYCX

    CYCX Well-Known Member

    Oct 20, 2016
    80
    Thanks for all your help :)

    Here is the solution that works for me.
    First I created a Cloudflare rule that redirects all searches from bots to a blank HTML page.
    Then I installed Dave's WordPress Live Search plugin and disabled the enter key on search.
    Now my website is up with live search as a bonus :D



    Edit: Now the attacker is targeting the main domain and the Cloudflare "under attack" mode mitigated it instantly.
     
    Last edited: Mar 7, 2018
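
Added example, not part of any post in this thread: a log check for the pattern described above, where many source IPs each send only a few `/?s=` searches, so per-IP blocks never trigger while the endpoint as a whole is flooded. It assumes Apache "combined" access logs; the thresholds, function names and sample lines (documentation IP ranges) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Assumed format: Apache "combined" log, ip - - [time] "METHOD url PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_search(line):
    """Return (minute, ip, term) for a WordPress ?s= search request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, url, _status = m.groups()
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "s" not in query:
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return when.replace(second=0), ip, query["s"][0]

def find_search_floods(lines, min_requests=20, per_ip_limit=10):
    """Flag minutes with high search volume where no single IP exceeds per_ip_limit.

    This is the case a per-IP firewall rule cannot catch. Both thresholds are
    illustrative assumptions, not tuned values.
    """
    buckets = defaultdict(list)
    for line in lines:
        hit = parse_search(line)
        if hit:
            buckets[hit[0]].append(hit[1:])
    floods = []
    for minute, hits in sorted(buckets.items()):
        per_ip = Counter(ip for ip, _ in hits)
        if len(hits) >= min_requests and max(per_ip.values()) <= per_ip_limit:
            floods.append({"minute": minute.strftime("%H:%M"), "requests": len(hits),
                           "ips": len(per_ip), "terms": len({t for _, t in hits}),
                           "busiest_ip": max(per_ip.values())})
    return floods

def sample_log():
    """Constructed log: 40 IPs with one search each in one minute, plus normal traffic."""
    fmt = '{ip} - - [07/Mar/2018:10:{mm:02d}:{ss:02d} +0000] "GET {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip=f"198.51.100.{i}", mm=15, ss=i % 60, url=f"/?s=term{i}") for i in range(1, 41)]
    lines += [fmt.format(ip="203.0.113.7", mm=16, ss=s, url="/?s=recipes") for s in (1, 30)]
    lines += [fmt.format(ip="203.0.113.9", mm=15, ss=5, url="/about/")]
    return lines

if __name__ == "__main__":
    for flood in find_search_floods(sample_log()):
        print(flood)
```

A flagged minute with `busiest_ip` close to 1 means the control has to sit on the search endpoint itself (a challenge, cache or rate limit for `?s=`), not on individual addresses.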
  14. BoltS

    BoltS Active Member

    May 2, 2018
    30
    Install CSF and use Cloudflare for your website
     
  15. pankaj shukla

    pankaj shukla Member

    Apr 10, 2018
    12
    send site link
     
  16. CYCX

    CYCX Well-Known Member

    Oct 20, 2016
    80
    Everything is OK now. Thanks for the help :)
     
  17. M. Graham

    M. Graham Active Member

    Feb 4, 2016
    41
    Can you share what you installed to solve this? I would like to implement it on my server too.
     
  18. pxn

    pxn Member

    Oct 21, 2017
    17
    If you read the thread carefully, the OP has shared the solutions.

     
