
Possible Duplicate:
Am I getting DDoSed, and what should I do about it?

I'm using 2 VPS servers. My domains were unavailable for some time, 1 hour, sometimes 30 minutes, and page loading was really slow.

I have contacted the hosting company and they say that I'm under a DDoS attack. I tried to ping my site and the ping result is something like this:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss). Sometimes with 2 or 3 lost, or less. I'm using a Plesk Panel, Debian, and currently have 2 GB of RAM on both servers.

Also I have tried with some ping flooding tool to spam the IP, and the pages are not available for anyone. The hosting company left me to solve this problem; they say it is not their problem.

How can I stop this?

www.topwebhosts.org/tools/apf-bfd-ddos-rootkit.php

There is an interesting article on this issue. Can anyone suggest something?

Seik
    What kind of DDoS attack? Packet crafted? HTTP requests? ICMP flooding? – thinice Dec 06 '11 at 17:38
  • This is the message from the server company: There had been an incoming DDoS attack on a virtual server at your host system. We could locate and inhibit that attack, so your server should be back online again. – Seik Dec 06 '11 at 18:09

2 Answers


Before I start with my ramble, I just want to point one thing out. I'm sure almost everyone else will agree with this, but a hardware DDoS mitigation system will typically be faster than its software counterparts. You can go the hardware route, but then again, DDoS mitigation software will be a bit more cost-effective (and even free). I do not know the hardware part as well as I know software, so I won't be rambling on about the best hardware for DDoS protection and all.

One really easy system you can put in place is ConfigServer Security & Firewall (http://configserver.com/cp/csf.html). With that, you have somewhat easier control over iptables and you can easily filter SYN/ACK attacks and port flooding.

You might also want to consider some DDoS modules for Apache like mod_evasive (http://www.zdziarski.com/blog/?page_id=442) or even set up Nginx as a reverse proxy (http://www.rackaid.com/resources/using-nginx-to-fight-apache-ddos-/) to help on the DDoS mitigation.

Hope that little bit helps. I've suffered DDoS attacks before and with some of the systems I personally have in place (like HTTP caching, Nginx proxy, CSF), it's much harder to DDoS my sites as it can filter a good portion of the traffic out. Keep in mind though, if a large botnet hits you, you might want to invest in a hardware DDoS system. As for how to get one set up on your VPS, just ask your provider. Most data centers have their systems and tools in place to prevent DDoS attacks; you just need to pay for it.

Taylor Jasko
  • If I use VPS hosting and on the server there are multiple VPS hosting users and one IP (website) is DDoS attacked, do all websites (IPs) on the server then get Connection Timeout? Or not? – Andris Nov 11 '13 at 12:00

You need to get more details on the nature of the DDoS attack before you can prevent it. I would ask your hosting provider for more details.

Preventing SYN floods requires different techniques than HTTP or application attacks.

If it is a large network flood, your provider will often have to mitigate the attack upstream. If the inbound request rate is larger than your server's pipe, there is not much you can do.

For HTTP or application attacks, on-server mitigation is possible but can be difficult.

With application/HTTP attacks, I've often used an Nginx reverse proxy setup to filter unwanted traffic and allow the rest to pass through. This can be very effective against certain types of attacks.

Firewall rules can help if the attack is not widely distributed. However, once your rule chains grow large, performance can suffer.

One cheap trick: if the attack is mainly from one region, you can use country-specific IP ranges to just drop that region rather than trying to do so on a per-IP basis. A heavy hammer for sure, but effective.

Also, your TCP/IP stack can be tuned by lowering timeouts. This is particularly useful for TCP floods that cause half-open connection states and lingering TIME_WAIT states.

Lastly, there are companies you can pay $$$ to filter your traffic. This does not come cheap, but it is certainly another option.

jeffatrackaid
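One way to gather the "more details on the nature of the attack" this answer asks for, and to decide between the per-IP firewall rules it suggests and the distributed-flood case it says needs timeout tuning or upstream help, is to count half-open connections per peer from a snapshot of `ss -tan` on the Debian box. This is an added example, not code from either answer; the `ss` output is constructed and the thresholds are illustrative assumptions.

```python
from collections import Counter

# Constructed sample of `ss -tan` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      192.0.2.10:80      198.51.100.7:51234
SYN-RECV  0      0      192.0.2.10:80      203.0.113.5:40001
SYN-RECV  0      0      192.0.2.10:80      203.0.113.5:40002
SYN-RECV  0      0      192.0.2.10:80      203.0.113.5:40003
SYN-RECV  0      0      192.0.2.10:80      203.0.113.5:40004
SYN-RECV  0      0      192.0.2.10:80      [2001:db8::77]:40005
TIME-WAIT 0      0      192.0.2.10:80      198.51.100.9:51300
"""

def half_open_by_peer(ss_output):
    """Count SYN-RECV (half-open) connections per peer IP.

    Assumes the default `ss -tan` columns: State, Recv-Q, Send-Q,
    Local Address:Port, Peer Address:Port; IPv6 peers look like [addr]:port.
    """
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0].strip("[]")
        counts[peer_ip] += 1
    return counts

def classify_flood(counts, per_ip_threshold=4, total_threshold=100):
    """Map the half-open profile onto the mitigation choices in the answer.

    Thresholds are illustrative assumptions, not values from the thread.
    concentrated: a few peers hold many half-open slots, so per-IP
                  firewall rules are viable (those IPs are returned).
    distributed:  many peers with few each; shorter SYN-RECV timeouts,
                  SYN cookies or upstream filtering are the options.
    """
    total = sum(counts.values())
    heavy = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    if heavy:
        return "concentrated", heavy
    if total >= total_threshold:
        return "distributed", []
    return "normal", []

if __name__ == "__main__":
    print(classify_flood(half_open_by_peer(SAMPLE_SS_OUTPUT)))
```

On a live host, feed it `ss -tan` output (`ss -tan | python3 triage.py` with a small stdin read added) and re-run a few times, since a single snapshot only shows the backlog at that instant.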