2

I've been totally unable to use my server for the last couple of days. I've been contacting the owners of the IPs who are attacking me but it's an uphill battle. Since I don't know who is doing the attack, what can I do to stop the attack?

I've already talked to the colocation center and they told me that they don't do any DDoS mitigation (although I have a list of IPs from before my server went down).

I've considered bouncing the packets to some of the smaller hosts which are attacking in hopes that they go down but I really don't like the idea of shooting the messenger. I don't understand why the companies which host the IPs aren't doing anything to stop this. Help!

devnill

2 Answers

3

This is a difficult problem to solve. There are companies (like http://www.prolexic.com/) out there which can help you with this, but it won't be cheap. That you said 'my server' in your question tells me that your site is on the smaller side and you might not have the resources to engage a company like them.

Do you know how they are attacking you? Can you get to the console of your server and set up iptables (assuming Linux) to drop traffic from the offending IPs? If Linux, have you enabled TCP syncookies? echo 1 > /proc/sys/net/ipv4/tcp_syncookies.

Are you sure this isn't a server misconfiguration? If you have your MaxClients set too high in Apache this can cause the machine to swap which would effectively be a DDOS given enough connections. (Combine that with a memory leak and disaster will be the result.)

It is pretty common for major DDOSes to saturate incoming network links. Given your provider isn't really concerned about this, it's not really that large of an attack. Does your site come back online after a reboot only to get overwhelmed shortly thereafter? That might just be a config issue with your MaxClients.

toppledwagon
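
Added example, not part of the answer above and not written by its author: a shell sketch of the triage that answer suggests, counting half-open (SYN_RECV) connections per source and printing iptables DROP commands for review. The function names, the threshold of 2, the allowlisted admin address and the sample connection table are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `netstat -ant` layout (documentation addresses only).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40113       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40114       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51822      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51823      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:33010     ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.200:50022       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:33011     SYN_RECV
EOF
}

# Count SYN_RECV entries per source address and print "count ip" for every
# source with at least $1 of them, busiest first.
half_open_sources() {
    awk -v min="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Turn "count ip" lines into iptables commands. Entries that are not a valid
# dotted-quad IPv4 address, or that appear in the space-separated allowlist
# ($1), are skipped so a bad line cannot lock out the admin or add shell text.
drop_rules() {
    awk -v allow=" $1 " '
        function valid(ip,  o, i) {
            if (split(ip, o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
            return 1
        }
        valid($2) && index(allow, " " $2 " ") == 0 {
            printf "iptables -I INPUT -s %s -j DROP\n", $2
        }'
}

# Print the rules instead of applying them, so they can be reviewed first.
sample_netstat | half_open_sources 2 | drop_rules "192.0.2.200"
```

On a live host the input would come from `netstat -ant` in place of the sample function, with a threshold suited to the site's normal traffic. The commands are only printed; apply them after checking that no legitimate client or your own address is in the list.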
0

Partial solution: Does your colo offer an additional hardware firewall service? If they do, it might be a good idea to spend the $ and have them set it up and block the IPs.

You might be interested in http://www.dshield.org/howto.html

Good luck.

jqa