Currently being DDoSed

pau

Member
Oct 26, 2016
109
1
Hello!
I'm currently being DDoSed (the hotel I work on).
I think it's Layer 7, as it's surpassing the Cloudflare security and making the web die, making the CPU go up to 100%.
Any idea of how to prevent this?
Thanks!

Other information:
I'm currently using IIS, and the CGI / FastCGI process is the one that makes the CPU go up.
 

Morohara

Member
May 18, 2020
92
55
Why do you think it’s layer 7? Are you still able to connect to the server?
Layer 7 attacks don't attack the VPS directly but rather the program that is hosting the files, e.g. IIS/Apache.

You need to filter out the requests that you're receiving. You should be able to do this on the IIS settings page by only allowing connection requests x amount of times before it automatically blocks them.

To make sure that it is a layer 7 DDoS attack, something that works is increasing the connection limit and reloading your /index to see if the page loads. If the page loads but no images (text boxes etc.), then it would probably be a layer 7, and the above mentioned should suffice in being able to stop the attack. If you need further help, I can lend a hand via Discord or publicly.
 

Joe

Well-Known Member
Jun 10, 2012
4,088
1,915
Tweaking a firewall would help. CF and proxies only withstand so much. There are a few tutorials on basic pointers to configure IIS in the tutorials section.
 

boz

don daddy
Mar 23, 2021
152
71
Layer 7 attacks don't attack the VPS directly but rather the program that is hosting the files, e.g. IIS/Apache.

You need to filter out the requests that you're receiving. You should be able to do this on the IIS settings page by only allowing connection requests x amount of times before it automatically blocks them.

To make sure that it is a layer 7 DDoS attack, something that works is increasing the connection limit and reloading your /index to see if the page loads. If the page loads but no images (text boxes etc.), then it would probably be a layer 7, and the above mentioned should suffice in being able to stop the attack. If you need further help, I can lend a hand via Discord or publicly.
I know they don’t attack the VPS directly; that’s why I was asking for clarification about him being able to connect to the server, as if he wasn’t able to do so it’s not L7. Also, dynamic IP restrictions hardly work, as many people just use a list of proxy IPs. On topic, @pau, I’d suggest setting up some Cloudflare rules to challenge countries/ASNs with a captcha.
 

pau

Member
Oct 26, 2016
109
1
I know they don’t attack the VPS directly; that’s why I was asking for clarification about him being able to connect to the server, as if he wasn’t able to do so it’s not L7. Also, dynamic IP restrictions hardly work, as many people just use a list of proxy IPs. On topic, @pau, I’d suggest setting up some Cloudflare rules to challenge countries/ASNs with a captcha.
Now they've stopped, but yes, I was able to connect to the VPS, but it was at 100% CPU.
I already have country challenges and more things.
 

Nigo

New Member
Jun 25, 2020
26
23
IIS is extra vulnerable to L7 attacks because it is hard to configure things like you can in NGINX/Apache.

However, try this in your Dynamic IP Restrictions (put Deny action on Abort):



Also try to configure your max instances, max requests, queue length and request timeout in your FastCGI settings (don't use unlimited, but check what your VPS specs are, etc.).

This will keep your VPS from going down; however, it will not solve the actual attack.
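
Added example, not posted by anyone in this thread: a small Python script that reads an IIS W3C log and shows which client IPs a per-IP request-rate limit would catch and how many requests to the busiest URL would still get through, which is the proxy-list problem raised above. The log lines, IP addresses, the `/index.php` path and the threshold values are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

def parse_w3c(lines):
    """Yield one dict per request, keyed by the #Fields header IIS writes."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def per_ip_peak(rows, window_s):
    """Most requests each client IP sent inside any window_s-second window."""
    times = defaultdict(list)
    for r in rows:
        times[r["c-ip"]].append(r["ts"])
    peak = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        peak[ip] = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() >= window_s:
                start += 1
            peak[ip] = max(peak[ip], end - start + 1)
    return peak

def summarize(lines, max_requests, window_s):
    """Which IPs a per-IP rate limit would catch, and how much load is left over."""
    rows = list(parse_w3c(lines))
    peak = per_ip_peak(rows, window_s)
    over = sorted(ip for ip, n in peak.items() if n > max_requests)
    uri, hits = Counter(r["cs-uri-stem"] for r in rows).most_common(1)[0]
    left = sum(1 for r in rows if r["cs-uri-stem"] == uri and r["c-ip"] not in over)
    return {"requests": len(rows), "clients": len(peak), "over_limit": over,
            "top_uri": uri, "top_uri_hits": hits, "top_uri_hits_not_blocked": left}

def constructed_log():
    """Constructed sample: one loud client, 40 quiet proxies, one normal visitor."""
    out = ["#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken"]
    out += [f"2024-01-01 12:00:{i // 15:02d} GET /index.php 203.0.113.9 200 900" for i in range(30)]
    out += [f"2024-01-01 12:00:{k * 3:02d} GET /index.php 198.51.100.{p} 200 900"
            for p in range(1, 41) for k in range(3)]
    out += [f"2024-01-01 12:00:05 GET {path} 192.0.2.7 200 15" for path in ("/", "/style.css", "/logo.png")]
    return out

if __name__ == "__main__":
    print(summarize(constructed_log(), max_requests=10, window_s=1))
```

On the constructed sample only one address exceeds the limit, while 120 of the 150 requests to the FastCGI-backed page come from addresses that each stay under it, so the per-URL concentration is the more useful signal for a Cloudflare or firewall rule.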
 
