Ddos attack

[Heaven]

Hi dear,

I have the latest time problems that my website goes down. I use cloudflare around8 months ago, but now, i don't know how to fix this. I use a windows VPS OVH.
I really tried everything but I can't get it fixed anymore and I am at my wits' end. Does anyone know what I can do? Or someone who can help me for a moment?

Thanks!

 

[Mirreo]

I dont undertstand, are you using cloudflare right now?

 

[Johno]

Have you prevented direct access to your IIS if you have the VPS address in the client ?

 

[Heaven]

Have you prevented direct access to your IIS if you have the VPS address in the client ?

Direct acces? Close port 80 in firewall? And no i have a tcp proxy.

Post automatically merged: May 18, 2020

I dont undertstand, are you using cloudflare right now?

Ye i use cloudflare.

 

[Johno]

Are you seeing traffic spikes on cloudflare ? You do not close port 80 exactly but limit the traffic to port 80 to only allow traffic from Cloudflare based IP addresess using domain and IP restrictions addon for IIS

 

[Heaven]

Are you seeing traffic spikes on cloudflare ? You do not close port 80 exactly but limit the traffic to port 80 to only allow traffic from Cloudflare based IP addresess using domain and IP restrictions addon for IIS

Ye i saw traffic spikes on cloudflare, and i set it up ip domain restrictions and slow loris prevention

 

[Johno]

When the attack happens can you view the attack pattern under worker processes ?

 

[Heaven]

When the attack happens can you view the attack pattern under worker processes ?

No i cant see it

 

[Johno]

next time you are attacked take a look, it can sometimes take a while to load depending on the size of the attack, this will show you the attack pattern and IP addresses, most of the time the IP addresses will belong to the same ASN and you can firewall using CloudFlare

 

[JayC]

next time you are attacked take a look, it can sometimes take a while to load depending on the size of the attack, this will show you the attack pattern and IP addresses, most of the time the IP addresses will belong to the same ASN and you can firewall using CloudFlare

Using IIS how do you block all but cloudflare IP addresses?

 

[Johno]

IP Restrictions, add the CloudFlare ranges and abort all connections not in the allowed list

 

[Morohara]

You could try increasing your connection limit on your apache?
(But only if its a layer 7 ddos) as this directly effects your apache not your vps as a whole, your main give away is "service is unavailable" when trying to load your /index.

Edit; Can you show your apache logs? it should be where your cms is located under a folder called "logs".

 

[yoyok]

Send me a PM with your Discord. Attack patterns can change every single minute, thats why you need to investigate it closely.

 

[Shxrty]

Send me a PM with your Discord. Attack patterns can change every single minute, thats why you need to investigate it closely.

Just solve it here to help other people who get this issue.

on another note, Have you tried @NOC 's Method? another way to prevent a Layer 7 DDOS attack is to buy a HTTP Reverse Proxy (Using cloudflare) and have them ramp it up all the way, they range from 5-20$. But they do sure work, i was getting ddosed daily by a man named Justin owner of Zabbo because we advertised on his hotel and i contacted my hosting company and had them make a special Reverse proxy to limit the connections and it depleted Justins attacks, site loaded and worked fine. Hopefully you get this fixed.

 

[yoyok]

Just solve it here to help other people who get this issue.

on another note, Have you tried @NOC 's Method? another way to prevent a Layer 7 DDOS attack is to buy a HTTP Reverse Proxy (Using cloudflare) and have them ramp it up all the way, they range from 5-20$. But they do sure work, i was getting ddosed daily by a man named Justin owner of Zabbo because we advertised on his hotel and i contacted my hosting company and had them make a special Reverse proxy to limit the connections and it depleted Justins attacks, site loaded and worked fine. Hopefully you get this fixed.

How can i monitor DDoS attacks for him through a thread? Don't tell him just to use Cloudflare and do 100 other Firewall related settings, but if he have as example port 8080 open it bypass all Cloudflare (WAF) protection.

Like i said earlier, attacks have many difference methods, sometimes it's Layer 7, often Layer 4, rarely Slowloris, etc.
Don't underestimate botnet networks these days. Need to be viewed correctly and mitigated.

 

[Shxrty]

How can i monitor DDoS attacks for him through a thread? Don't tell him just to use Cloudflare and do 100 other Firewall related settings, but if he have as example port 8080 open it bypass all Cloudflare (WAF) protection.

Like i said earlier, attacks have many difference methods, sometimes it's Layer 7, often Layer 4, rarely Slowloris, etc.
Don't underestimate botnet networks these days. Need to be viewed correctly and mitigated.

Most "DDoS" attacks are all HTTP Post Flooders thats all it is, like i said i contacted my host, and before making a thread about it why not try doing a quick google search? theres multiple methods on how to prevent these attacks from happening. I see your reasoning tho.

 

[Morohara]

Layer 7 ddos work by overloading your apache connection limit that's why when a user or someone tries to connect you receive the error "service unavailable".

The easiest way to fix a "Layer 7" DDOS attack is just make iptables on your apache server and setup a reject method to reject any ip that is repeatedly asking for the same information. Monitoring the people doing the attack they were using the server hosting company psychz to perform their attacks only using one vps to overload your connection limit. Although the method posted from NOC regarding blocking an ip would work something of a larger scale sadly would not as who would want to sit there and block multiple ips.

Your apache server regarding this method of blocking that i've posted should work as it worked aslong as its a layer 7 attack.

 

[Hypothesis]

If you are using IIS, just download IP Address and Domain Restriction as an addon, then set the max concurrent requests to 5 and the maximum number of requests to 5. Add the security tag to your web.config along with the dynamic IP headers. This will automatically block any IP address that attempts to continuously flood a certain path, which is what most of these attacks appear to do. No one can actually down the server, only use a GET or header method to flood your website, however the above should fix it.

You could try increasing your connection limit on your apache?
(But only if its a layer 7 ddos) as this directly effects your apache not your vps as a whole, your main give away is "service is unavailable" when trying to load your /index.

Edit; Can you show your apache logs? it should be where your cms is located under a folder called "logs".

This would do nothing as the request load could just be increased with a stronger amount of bots. The efficient way would be to block the request if it exceeds a certain amount as seen above.

Layer 7 ddos work by overloading your apache connection limit that's why when a user or someone tries to connect you receive the error "service unavailable".

The easiest way to fix a "Layer 7" DDOS attack is just make iptables on your apache server and setup a reject method to reject any ip that is repeatedly asking for the same information. Monitoring the people doing the attack they were using the server hosting company psychz to perform their attacks only using one vps to overload your connection limit. Although the method posted from NOC regarding blocking an ip would work something of a larger scale sadly would not as who would want to sit there and block multiple ips.

Your apache server regarding this method of blocking that i've posted should work as it worked aslong as its a layer 7 attack.

Pretty sure IPtables is used for Linux based servers, not Windows, which is what most retros use, either IIS or NGINX as the webserver. Also, Psychez Networks is a hosting company that allows spoofed methods, which is what I assume the HTTP flood they are using requires. Also, there would be no reason to sit there and block multiple IPs when IIS has a built-in addon that does it for you. Either use that or switch to NGINX and use a load balancer and also redirect all traffic exceeding the limit to a nulled route.