
My server is getting attacked; it seems to be a SYN flood, and he is spoofing IPs.

sudo netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

returns this:

  ...
  4 94.144.63.102
  5 91.100.45.134
  6 62.199.203.97
  7 5.175.207.98
  7 77.68.246.5
 121 87.60.164.123
1920 127.0.0.1
2428 77.66.108.158

Now, I have attempted everything; I can't seem to stop it. It seems to be coming from datacenters.

I have attempted to individually IP ban, to no use; it keeps going. I installed fail2ban and mod_security, and I tried a lot of configurations with no luck. I can lower the amount per IP to about 30, but then I have 200 IPs with 30 requests each.

Now, I signed up at Cloudflare and moved my DNS, but I wonder about this.

My site can be accessed via its IP. Now, I know Cloudflare just routes the traffic via their DNS, but can't he just flood my server's IP? Can I deny all direct IP traffic in Apache, or what am I supposed to do to stop this attack?

I am a software developer, not a server admin.

I am running Debian Jessie on an Amazon EC2 instance, with Apache2 to handle requests.

EDIT: I am 100% sure it was a DDoS; it was a SYN flood. I checked and I had a massive amount of connections pending in SYN. I moved the server behind Cloudflare and changed the IP; it worked.

3 Answers


You can set Cloudflare to proxy the HTTP connections; then you won't appear in DNS entries. This doesn't help you if the attacker already has your IP address. I recommend you enable Cloudflare's proxying and then change your IP address.

Jayen
  • 1,907

You can use iptables to blacklist the IPs (or whitelist Cloudflare if they are proxying your web services), but that won't stop the SYN packets from coming in; it only means that they won't appear in netstat. Also, this might be more server admin than you want.

Jayen
  • 1,907
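As an added example (not from the question or either answer), the shell below does the two things the thread circles around: it counts half-open SYN-RECV connections per peer from `ss -ntan` output (a constructed sample is embedded, since with spoofed sources the per-IP count is only a symptom), and it collects the kernel SYN-cookie settings plus an iptables policy that admits 80/443 only from Cloudflare's published ranges once the site is proxied. The hardening functions are defined but not invoked; `curl`, `iptables` and `sysctl` are assumed to be present when you do call them.

```shell
#!/bin/sh
# Constructed sample of `ss -ntan` output (IPv4 peers), not data from the original post.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV   0      0      10.0.0.5:80         203.0.113.7:51234
SYN-RECV   0      0      10.0.0.5:80         203.0.113.7:51235
SYN-RECV   0      0      10.0.0.5:80         198.51.100.9:40001
ESTAB      0      0      10.0.0.5:80         192.0.2.20:55123
SYN-RECV   0      0      10.0.0.5:80         203.0.113.7:51236'

# Half-open connections per peer address, busiest first ("count ip" per line).
# The trailing ":port" is stripped, which also keeps bracketed IPv6 peers intact.
syn_recv_by_peer() {
    printf '%s\n' "$1" | awk '$1 == "SYN-RECV" { sub(/:[0-9]+$/, "", $5); c[$5]++ }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Total half-open connections: many SYN-RECV while ESTAB stays low is the SYN-flood signature.
syn_recv_total() {
    printf '%s\n' "$1" | awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Kernel-side mitigation: SYN cookies let the kernel answer SYNs without queueing state,
# so spoofed sources stop consuming the backlog. Needs root; not run by default here.
harden_sysctl() {
    sysctl -w net.ipv4.tcp_syncookies=1
    sysctl -w net.ipv4.tcp_max_syn_backlog=4096
    sysctl -w net.ipv4.tcp_synack_retries=2
}

# Once Cloudflare proxies the site, only its published ranges should reach 80/443 directly.
# The list URL is Cloudflare's official IPv4 feed; rules are appended, so review existing
# chain policy first. Needs root; not run by default here.
allow_only_cloudflare() {
    for net in $(curl -s https://www.cloudflare.com/ips-v4); do
        iptables -A INPUT -p tcp -m multiport --dports 80,443 -s "$net" -j ACCEPT
    done
    iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
}

# Example run on the constructed sample; swap in "$(ss -ntan)" on a live host.
syn_recv_by_peer "$SAMPLE_SS"
echo "half-open total: $(syn_recv_total "$SAMPLE_SS")"
```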