Currently being DDossed

pau · Oct 24, 2021

Hello!
I'm currently being DDossed (the hotel I work on).
I think it's Layer7 as it's surpassing the cloudflare security and making the web die making the cpu go up to 100%.
Any idea of how to prevent this?
Thanks!

Other information:
I'm currently using IIS and the process CGI / FastCGI is the one that makes the cpu go up.

boz · Oct 24, 2021

Why do you think it’s later 7? Are you still able to connect to the server?

Morohara · Oct 24, 2021

boz said:
Why do you think it’s later 7? Are you still able to connect to the server?

Layer 7 attacks don't attack the vps directly but more of the program that is hosting the files eg; IIS/Apache.

You need to filter out the requests that your receiving, you should be able to do this on the iis settings page by only allowing connection requests x amount of times before it automatically blocks it.

To make sure that it is a layer 7 ddos attacks something that works is increasing the connection limit and reloading your /index to see if the page loads. If the page loads but no images(Text boxes etc) then it would probably be a layer 7 and the above mentioned should suffice in being able to stop the attack. If you need further help I can lend a hand via discord or publicly.

Joe · Oct 25, 2021

Tweaking a firewall would help. CF and proxies only withstand so much. There’s a few tutorials on basic pointers to configure IIS in the tutorials section.

boz · Oct 25, 2021

Morohara said:
Layer 7 attacks don't attack the vps directly but more of the program that is hosting the files eg; IIS/Apache.

You need to filter out the requests that your receiving, you should be able to do this on the iis settings page by only allowing connection requests x amount of times before it automatically blocks it.

To make sure that it is a layer 7 ddos attacks something that works is increasing the connection limit and reloading your /index to see if the page loads. If the page loads but no images(Text boxes etc) then it would probably be a layer 7 and the above mentioned should suffice in being able to stop the attack. If you need further help I can lend a hand via discord or publicly.

I know they don’t attack the vps directly that’s why I was asking for clarification about him being able to connect to the server as if he wasn’t able to do so it’s not L7. Also dynamic ip restrictions hardly work as many people just use a list of proxy ip’s. Ontopic @pau id suggest setting up some cloudflare rules to challenge country’s/ASN’s with a captcha.

pau · Oct 28, 2021

boz said:
I know they don’t attack the vps directly that’s why I was asking for clarification about him being able to connect to the server as if he wasn’t able to do so it’s not L7. Also dynamic ip restrictions hardly work as many people just use a list of proxy ip’s. Ontopic @pau id suggest setting up some cloudflare rules to challenge country’s/ASN’s with a captcha.

Now they've stopped, but yes, I was able to connect into the VPS but it was in a 100% CPU.
I've already have country challenges and more things.

boz · Oct 28, 2021

pau said:
Now they've stopped, but yes, I was able to connect into the VPS but it was in a 100% CPU.
I've already have country challenges and more things.

Any cloudflare logs of blocked requests?

Currently being DDossed

pau

Member

boz

don daddy

Morohara

Member

Joe

Well-Known Member

boz

don daddy

pau

Member

boz

don daddy

Users who are viewing this thread

Latest posts

Connect with us

Newest members